This week, I am torn between attending RSA 2016 in San Francisco and HIMSS (Healthcare Information and Management Systems Society), a very large healthcare conference in Las Vegas that annually attracts over 44,000 healthcare and IT professionals. Well, there's good news. I am going to both. Why? Cyber security is a major focus at HIMSS. In fact, there is an entire track of sessions, workshops, and exhibits dedicated to security. Many of the conference's sessions note that healthcare breaches are on the rise, and research indicates that the healthcare industry is not prepared. Just recently, The State of Cybersecurity in Healthcare Organizations in 2016 (February 2016) provided some further context (and some disturbing news) on the healthcare industry's current security posture:
- The healthcare industry experiences (at least) one cyber attack a month.
  - In other words, organizations are under constant attack.
- Patient data has been lost or compromised at half of all healthcare organizations in the past 12 months.
  - That's a lot of data. IDC's research predicts that a third of all healthcare records will be compromised this year.
- Only 50 percent of healthcare entities have an incident response plan in place.
  - Given that, I wonder how many attacks have gone unnoticed. (By the way, incident response procedures are mandated by the HIPAA Security Rule.)
- More than three quarters (78 percent) of organizations suffered a security incident resulting from a known vulnerability that was at least three months old.
  - Clearly, prioritizing and remediating known vulnerabilities is a must for organizations looking to prevent a security incident. (As an aside, I know that legacy systems are an Achilles' heel for healthcare.)
- 63 percent of organizations experienced downtime as a result of an advanced persistent threat (APT).
  - This is frightening as a healthcare consumer, as it can mean life or death if patient treatment systems become unavailable.
This research might make it seem like all doom and gloom for the state of security in healthcare, but fortunately, there is a proactive effort at HIMSS to educate healthcare IT personnel about cyber security. Towards that end, many of this week's HIMSS session presentations are, or will be, available online in case you cannot make it to Las Vegas. Here are just a few of the sessions and presentations that you can view:
- Protecting Your Organization from Cyber Attacks - This session explores the current threat landscape for the healthcare industry and discusses how organizations can build a security program based on the widely adopted NIST Cybersecurity Framework.
- Cybersecurity and the Law - Experts offer a legal point of view on how healthcare organizations can weigh the risks associated with cyber security. Among other things, they stress the importance of understanding your legal obligations and exposures, such as the cost of breaches, compliance standards, emerging laws, and the preparedness of your executive board.
- Cyber Insurance in an Evolving Liability Landscape: Informed, Strategic Expectations - Presenters discuss cyber liabilities and how organizations can evaluate their cyber insurance options.
There is so much more! If you are at HIMSS, come visit Tripwire at the Command Cyber Security Center on the ground level at Booth #9908. And if you are at RSA, come see us at Booth #3301 and/or read our takeaways of the conference thus far.

Title image courtesy of ShutterStock