US health CIOs catch on to phishing threat
- 13 April 2015
Cybersecurity has forced itself onto the agenda of US health chief information officers and become a hot button issue for the healthcare IT industry at HIMSS15.
This year’s show in Chicago features multiple strands on cybersecurity, with strident titles such as ‘Cybersecurity Command Centre’.
The past year has provided a wake-up call, with US health insurer Anthem becoming the victim of a state-sponsored data attack, in which up to 70 million member and employee records were hacked.
Patricia Skarulis, senior vice president and CIO at Memorial Sloan Kettering Cancer Centre, is a member of the Healthcare Sector Coordinating Council, which advises the departments of Homeland Security and Health and Human Services on matters relating to healthcare critical infrastructure.
Speaking at the Health CIO Forum on Sunday, she told the audience the move towards electronic records has made cybersecurity a real issue and the nature of threats has changed dramatically.
“Today hackers are state sponsored actors, they are not a kid in a basement any more.” She said about 20% of her time is spent on security and it is the priority area for recruiting in the IT team.
The biggest daily security issue at the cancer centre is its own staff. “In my organisation almost all breaches go back to well-meaning staff doing something they didn’t recognise the danger of,” Skarulis said.
MSK’s approach has been to educate staff to counter increasingly sophisticated phishing attacks. In these attacks, staff are duped into providing details about themselves or their patients in response to fake or spoofed emails from attackers, who then use the harvested data or credentials to compromise their email or other systems.
To help assess the scale of the problem and educate staff, Sloan Kettering started conducting its own spearphishing campaigns.
“We were very interested to find out how many people clicked on links, gave their names, passwords and details – we now have one, two and three times offenders.”
Offenders do an education programme on security. “We were hesitant about coming in with too many penalties. But now we’re thinking about making an offender and their boss come in and do an in-person class. We think that might get some attention,” Skarulis said.
MSK monitors all email traffic to help identify threats. “We read all communications coming out of the organisation and if we get more than ten matches – on patient names, patient health information or social security ID – we notify their boss.”
Skarulis urged health CIOs to put in place two-factor authentication for outside email access. “If you don’t you are courting disaster,” she said.
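The outbound-email rule Skarulis describes is a simple data-loss-prevention (DLP) check: count matches against patient identifiers and escalate when a message carries more than ten. The following is an added example written for this article, not MSK’s system or any product; it assumes a constructed patient roster, the US SSN format (NNN-NN-NNNN) as the “social security ID” pattern, and the article’s “more than ten matches” threshold. Sender addresses and message bodies are constructed sample data.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Threshold from the article: strictly more than ten matches notifies the sender's manager.
MATCH_THRESHOLD = 10

# US SSN shape NNN-NN-NNNN, excluding never-issued area/group/serial values.
# Assumption for this example; production DLP would also use exact-data matching.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Constructed roster; in practice this would come from the master patient index.
PATIENT_NAMES = ["Jane Doe", "John Roe", "Maria Sample"]


def build_name_pattern(names: Iterable[str]) -> re.Pattern:
    """Compile one case-insensitive alternation so each name is matched whole."""
    escaped = sorted((re.escape(n) for n in names), key=len, reverse=True)
    return re.compile(r"\b(?:" + "|".join(escaped) + r")\b", re.IGNORECASE)


NAME_RE = build_name_pattern(PATIENT_NAMES)


@dataclass(frozen=True)
class DlpFinding:
    sender: str
    ssn_hits: int
    name_hits: int

    @property
    def total(self) -> int:
        return self.ssn_hits + self.name_hits

    @property
    def escalate(self) -> bool:
        return self.total > MATCH_THRESHOLD


def scan_outbound(sender: str, body: str) -> DlpFinding:
    """Count identifier matches in one outbound message. Only counts are kept;
    the matched values themselves never leave this function, so the alert
    does not itself become a second copy of the patient data."""
    return DlpFinding(sender, len(SSN_RE.findall(body)), len(NAME_RE.findall(body)))


def escalations(messages: Iterable[Tuple[str, str]]) -> List[Tuple[str, int]]:
    """Return (sender, match count) for every message over the threshold."""
    findings = (scan_outbound(sender, body) for sender, body in messages)
    return [(f.sender, f.total) for f in findings if f.escalate]


# Constructed sample traffic: a bulk export (12 matches), a message sitting
# exactly at the limit (10 matches, not escalated), and a benign follow-up.
_ROWS = [
    ("Jane Doe", "123-45-6781"),
    ("John Roe", "234-56-7892"),
    ("Maria Sample", "345-67-8903"),
    ("jane doe", "456-78-9014"),
    ("John Roe", "567-89-0125"),
    ("Maria Sample", "678-90-1236"),
]
BULK_EXPORT = "\n".join(f"{name}, SSN {ssn}" for name, ssn in _ROWS)
AT_LIMIT = "\n".join(f"{name}, SSN {ssn}" for name, ssn in _ROWS[:5])
BENIGN = "Following up on Jane Doe's appointment tomorrow."

SAMPLE_MESSAGES = [
    ("exports@hospital.example", BULK_EXPORT),
    ("clinic@hospital.example", AT_LIMIT),
    ("scheduler@hospital.example", BENIGN),
]

if __name__ == "__main__":
    for sender, count in escalations(SAMPLE_MESSAGES):
        print(f"notify manager of {sender}: {count} identifier matches in one message")
```

The design choice worth noting is that the alert carries only the sender and a count. A notification that quoted the matched names or SSNs would copy the same protected data into the manager's inbox and the ticketing system, widening the exposure the rule is meant to catch.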