When you talk about smaller practices, how can they combat attackers without the resources that larger organizations have?
There is no better way to understand the risks than training. The physicians really need to understand what the risks are, and sometimes you need a consultant to help identify that. There have been a few times when we have gone to a physician office and the practice has one server where it keeps all of the sensitive data, and that data is being backed up externally to a different drive. But that’s it.
We understand that they can’t spend thousands of dollars to have the server outside of the office somewhere, but how about we at least lock that server so it can’t be stolen? If we are backing up to another source, are we making sure that information is at least being encrypted? These questions can be asked by someone who has the right expertise and who can give them the [best] advice. So I think going that route, hiring someone who understands security to help them, is the best solution. I will often see physicians spending money on XYZ firewall because their IT guy recommended it, but most of the time you don’t need that—you need to encrypt your backups instead.
In the wake of WannaCry, what impact could a global cyber attack of this nature have on U.S. healthcare organizations?
One of the biggest issues we see in healthcare is that we have old legacy systems from a Windows perspective. We still see medical devices using Windows XP. WannaCry is exploiting old configurations of old servers with old Windows software.
You hear all the time that cybersecurity will get worse before it gets better in healthcare. Do you agree with this?
We have not seen the biggest attack yet, even though we have seen a few really big ones in the last year. I think eventually we will see the Enron of data breaches in which you will see a systemic catastrophic impact on not just an industry, but an entire nation. And at that moment a different approach to cybersecurity will develop. We see oversight right now with people getting fined, and it’s a whole legal battle with consultants and lawyers, but we have not seen something that has created a systemic issue across a nation.