Treating Health InfoSec as 'Essential': Why Healthcare Leaders Need an Attitude Change
One of the most important lessons emerging from the recent string of major cyberattacks in the healthcare sector is the need for executives to treat information security as an essential component of business operations, says security and privacy attorney Ron Raether.
Healthcare is becoming a bigger target for hackers because hospitals, health insurers and others are rich sources of data, Raether says in an interview with Information Security Media Group.
In recent months, hackers have launched major attacks on a number of healthcare entities. Those include UCLA Health, which on July 17 reported a hacker attack that affected 4.5 million individuals; Anthem Inc., which was hit by a hacker breach affecting nearly 80 million individuals; as well as Premera Blue Cross and CareFirst Blue Cross Blue Shield.
Healthcare organizations are being targeted because "they have not only treatment information, but you have high levels of personally identifiable information - not just Social Security numbers, but other information that can be used [by bad actors] to answer security questions and better pretend to be the victim/consumer," he says.
Another reason hackers are targeting healthcare, Raether says, is that most organizations in the sector have less mature security programs than those in other sectors, such as financial services.
Too Narrow a View
One of the biggest mistakes that healthcare organizations are making is taking too narrow a view of information security, seeing it as only an infrastructure issue, Raether says. "The reality in this evolving electronic information economy is that information technology and information security have become a fundamental component of the day-to-day business," he says. "Because of this misunderstanding of information technology and information security, the right mentality and resources are not being applied.
"So the change that needs to occur is seeing information security as an essential part of the business operations. And healthcare ... will begin to see that patients will demand better information security, and regulators will begin to punish those institutions that haven't done a good job."
Ultimately, the attorney says, senior executives must develop a better understanding of the importance of information security. "Once that happens, then you can start delving into some of the details of what a sound information security program requires, and healthcare can start making some of the fundamental changes we've been seeing in other markets."
In the interview, Raether also discusses:
- Improvements healthcare entities should consider in their information security governance programs, including segregating and mapping their sensitive patient data;
- Steps healthcare entities can take to help prevent and detect fraud in the wake of large breaches occurring in the sector;
- Why class-action lawsuits are getting filed so quickly after data breaches are revealed (see UCLA Health Faces Lawsuit - Already).
Raether is a partner at Faruki Ireland & Cox in Dayton, Ohio. His experience with technology-related issues spans an array of legal areas, including patents; antitrust; licensing and contracts; employment; trademark; domain name disputes; and federal and state privacy statutes.