To protect against cyber attacks, an organization should have an enterprise risk management program that has three layers of defense: information security, internal audit and risk management. These layers complement one another.
- The information security group has a large swath of IT related issues to cover.
- The internal audit group will help the information security group find the gaps they may be missing.
- The risk management group focuses on disaster recovery and cybersecurity related events that could happen within a disaster recovery event.
The “pillars” of defense within information risk include:
- Governance: providing metrics, charters, three- and five-year plans
- Application security team: testing applications for security holes
- Engineering team: designing protections in monitoring equipment across the network
- Security operation center: monitoring the security posture on a 24/7 basis
- Compliance: determining your security hygiene
Some Key Vulnerabilities
Hospitals have several areas of vulnerability when it comes to information risk. Two areas noted here are medical records and patient safety.
Cyber thieves want to gain access to medical records for a variety of reasons; for example, blackmailing patients who don’t want the personal information in their medical records made public. Also, the thieves can post the medical information on the Internet and put it up for sale, thus gaining financially.
Data breaches can affect patient safety through medical devices that patients rely on for their care. In some instances, these devices did not take security into account when they were developed. Or, if you have a data breach within your facility, there is a good probability that the machines connected to that network could also be compromised. There would have to be malicious users who would look to do this, but they could take control of any number of machines and adversely affect a patient’s health; for example, having the injections go up or down, or affecting wireless pacemakers.
In fact, any device that you put on a network is going to be vulnerable to some sort of cyber attack. If you have your hospital devices on the same network as some computers that have Internet access, such as email or web surfing, you have a high degree of risk of having one of those devices compromised.
Devices running electrical grids typically were designed with security as an afterthought. If a cyber thief can hack into those devices, it could potentially elicit various types of conditions where an injection system may inject more or less medication than prescribed. Those devices could also be turned off completely.
These risks will always be out there as long as those medical devices are not isolated on their own networks; i.e., not connected to the Internet.
(Excerpt from Martin Liutermoza’s interview for iProtean, now part of Veralon’s upcoming course, Two Strategic Risks for Boards.)
Check your library for the advanced Finance Course, Financial Risks & Strategic Implications of APMs, featuring Marian Jennings and Seth Edwards. In this course, Marian and Seth discuss the financial risks of ACOs and bundled payments, the strategic risks of not participating in an alternative payment model, clear trends and the characteristics of organizations that have successfully implemented one or more alternative payment models.
For a complete list of iProtean, now part of Veralon courses, click here. www.veralon.com/index.php/iprotean/onlineCourses/Available_courses
For more information about iProtean, now part of Veralon, click here. www.veralon.com/index.php/iprotean/demo