Earlier today, Good Harbor Chairman and former White House advisor on cyber security Richard Clarke addressed the HIMSS (Healthcare Information Management Systems Society) Security and Privacy Forum in Boston, MA.
You can read the Healthcare IT News coverage here.
Or, read our recap of risks and recommendations below.
Clarke identified eight cyber security risks, beyond the usual theft of Protected Health Information (PHI) and Personal Identifiable Information (PII), that should worry healthcare sector CEOs and executives:
1. Ransomware
2. DDOS (Distributed Denial of Service) attacks
3. Wiper malware
4. Theft of Intellectual Property
5. Theft of money
6. Manipulation of data
7. Cyber-physical attacks that destroy or disrupt devices
So, what to do? Clarke gave eight recommendations:
Recommendation 1. The industry as a whole should work with government to come up wtih voluntary standards akin to those used by High Reliability Organizations (HROs)
Recommendation 2. Once standards are set, the U.S. government should hire someone to do third party audits of organizations against these standards on an annual basis, like the Bank of England has done in the U.K. financial sector. Clarke mentioned companies like BitSight that provide security ratings for companies.
Recommendation 3. All data, both at rest and in motion, should be encyrpted, and encryption should be linked to multi-factor authentication.
Recommendation 4. The industry and government should develop new standards requiring inherently secure design for medical devices, and existing devices should be retired over time with an agreed upon schedule. Clarke mentioned Draper’s work on Inherently Secure Processing.
Recommendation 5. The industry should develop standards for supply chain vendors of hardware and software, and it should use a “shared assessments” approcah like the financial sector to oversee the supply chain. Clarke mentioned Veracode’s application security tools and how they can be applied for supply chain security:
Recommendation 6. U.S. law, over and above regular penalties for hacking, should codify specific penalties for hacking hospitals.
Recommendation 7. The international Law of War against attacking hospitals should be modified to include explicit prohibition of hacking hospitals. Check out Good Harbor’s paper on Securing Cyberspace through International Norms.
Recommendation 8. Industry should launch a concerted program to teach CEOs and Boards about cyber security. Check out Richard Clarke’s Director’s Note on The Board’s Role in Cybersecurity
Want to talk about these ideas? Contact us @ghsrm or via contact[at]goodharbor.net.