OPM hack: A teaching moment for healthcare providers

Healthcare leaders can learn a lot from the recent cybersecurity attack on the U.S. Office of Personnel Management.

For instance, organizations must have multi-layered security to protect data and defend against attacks, and that is something the OPM lacked, Parham Eftekhari, co-founder of the Institute for Critical Infrastructure Technology, told HealthITSecurity.com in an interview.

According to a report examining the agency's security systems conducted by the institute on behalf of Congress, OPM did not have proper data governance, Eftekhari said. To that end, he said, organizations should make sure they have policies in place that include changing passwords, managing accounts and disabling accounts when an employee leaves the organization.

The attack on OPM put the information of about 4 million federal employees at risk, and it is being linked to similar incidents at the health payers Anthem and Premera.

Encryption is also a very important part of any cybersecurity strategy, Eftekhari added. That can include split-key encryption, where the vendor holds half of the key and the healthcare organization holds the other half, so neither party can decrypt the data alone. There is also field-level encryption, which encrypts individual data fields and denies administrators access to the keys.
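The two techniques Eftekhari mentions, as an added example that is not code from the article or from ICIT: a 2-of-2 XOR split of a data key (one vendor share, one organization share), then per-field encryption of a single record column. The construction (HMAC-SHA256 keystream plus an encrypt-then-MAC tag that binds the field name) is an assumption chosen so the example runs on the Python standard library alone; a production system would use AES-GCM from a vetted library with the same key-splitting idea.

```python
import hmac
import hashlib
import secrets

NONCE_LEN = 16
TAG_LEN = 32          # HMAC-SHA256 tag length

def split_key(master_key: bytes) -> tuple[bytes, bytes]:
    # 2-of-2 split: vendor share is random, organization share is master XOR vendor.
    # Each share on its own is uniformly random and reveals nothing about the key.
    vendor_share = secrets.token_bytes(len(master_key))
    org_share = bytes(m ^ v for m, v in zip(master_key, vendor_share))
    return vendor_share, org_share

def combine_shares(vendor_share: bytes, org_share: bytes) -> bytes:
    # Only both halves together reconstruct the data key.
    return bytes(v ^ o for v, o in zip(vendor_share, org_share))

def _subkeys(key: bytes) -> tuple[bytes, bytes]:
    # Separate encryption and MAC keys derived from the combined key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256 (stdlib stand-in for AES-CTR).
    blocks = [hmac.new(enc_key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
              for ctr in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def encrypt_field(key: bytes, field_name: str, plaintext: bytes) -> bytes:
    # Encrypt one record field; the tag covers the field name so a ciphertext
    # cannot be moved into a different column undetected.
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, field_name.encode() + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt_field(key: bytes, field_name: str, blob: bytes) -> bytes:
    # Verify the tag before touching the ciphertext; a single share, a wrong
    # field name or any tampering all fail here.
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, field_name.encode() + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))
```

A database administrator who holds only the organization share (or only the vendor share) gets a `ValueError` from `decrypt_field`, which is the property field-level, split-key encryption is meant to provide.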

In the wake of the attack, OPM is trying to beef up its cybersecurity efforts. However, a federal inspector recently reported that OPM's Chief Information Office has "interfered with, and thus hindered" oversight of the remediation of cybersecurity problems, according to the Wall Street Journal.

Inspector General Patrick McFarland said CIO Donna Seymour "created an environment of mistrust by providing my office with incorrect and/or misleading information," according to the WSJ article. "It is imperative that these concerns be addressed if OPM is to overcome the unprecedented challenges facing it today," he added.

Seymour is facing a lawsuit because of the attack. Such action is a sign that CIOs may soon need to retain a lawyer, because they could end up in the courtroom after a data breach.

"We are absolutely going to see more CIOs taking the fall and ultimately being named in lawsuits," Matthew Karlyn, a partner at Foley & Lardner LLP, recently told the WSJ.

To learn more:
- read the HealthITSecurity.com article
- here's the WSJ report