BOSTON – The time has come to move beyond the security mantra "don't click on email links or open attachments and we'll all be safer", cybersecurity experts claim.
"We've been saying that for 15 years and the strategy doesn't work," former White House CIO and CEO of Fortalice Solutions Theresa Payton said on Monday at the HIMSS Healthcare Security Forum in the US.
Meanwhile, Payton said she is still seeing business email compromise on the rise in healthcare.
"From a social engineering standpoint, it has never been easier to trick employees.
"Business email compromise is one of the largest unreported crimes after ransomware."
What's more, there's a 25 per cent probability that any given healthcare organisation will be hacked in the next 2.5 years, said Salwa Rafee, worldwide security leader for healthcare and life sciences at IBM.
There will always be human error, such as recycled passwords or someone clicking on a malicious link, but the technology will fail as well.
"Humans are not the weakest link," said Payton. "Technology is open to be hacked and data can never be 100 per cent secure. We have to design for the human."
That applies to all employees, administration, clinicians – and even patients, according to Chad Wilson, chief of security and IT director at Children's National Health System.
Hospitals will also have to protect patients and their data outside the EHR, beyond their four walls and into consumers’ homes and daily lives, added Anahi Santiago, CISO of Christiana Care Health System.
"Information security is a patient safety issue," Santiago said.
"Segment, segment, segment," said Sonia Arista, national healthcare practice director at Fortinet.
Payton recommended network segmentation and two-factor authentication as a minimum safety net to isolate attacks, so that when they do happen, hospitals can stop them from spreading to other departments, devices, facilities or software systems.
Though segmentation is not a guarantee, it can minimise damage and maximise resilience, Payton said.
"We've been so focused on data and network and hardware that we've kind of forgotten about the human cyber and social footprint. The next thing is putting a safety net around the user."
Originally published on the US edition of Healthcare IT News.
HIMSS is the parent company of HITNA.