Peace, order, and good cyber-governance

Changing cybersecurity culture in healthcare

Tuesday, November 27, 2018 – Marc Aiello

“I want to inspire change in terms of action. If nothing comes of it, then what’s the point?” said Kenrick Bagnall, Detective Constable of Computer Cybercrime for the Toronto Police Service.
At the Cyber Security Governance in Health Care conference, hosted by Spark Conferences, Det. Constable Bagnall stood at the podium speaking firmly about cyberattacks in the Canadian healthcare landscape. You may remember him speaking about the same topic at HIROC’s annual conference in April 2017.

With today’s technology, tools commonly used in healthcare facilities across the country are being specifically targeted by criminals to gain access to precious data. Computers, email servers and even medical devices are all vulnerable to attack by being connected online.

Det. Constable Bagnall told a story about being undercover during an appointment at a local clinic, where his primary goal was checking the security in a doctor’s office. He was initially pleased to find a locked computer in the first office he visited, but was upset to discover a computer workstation in another office unlocked with patient records displayed across the screen.

“This is troubling,” said Det. Constable Bagnall. “The insider threat is very prevalent today.”

A cultural shift is needed to start fostering better awareness among healthcare industry staff. For starters, organizations should collaborate with law enforcement even before a threat or attack takes place. Law enforcement can encourage vigilance regarding cybersecurity by providing insight into how to protect sensitive information against threats like malware, ransomware and phishing scams.

Companies should take time to identify and adequately secure their crown jewels by looking at their most significant assets, suggests Det. Constable Bagnall. “It's guaranteed criminals know what they are.”

What are the crown jewels of your organization?

Crown jewels can be assets like research, patient data and proprietary methods – elements fundamental to your company and its daily operations. Organizations need to think about how susceptible their systems are to attack, what good cybersecurity looks like and what to do if there’s an incident. “Get into that thinking space and then start to look at cyber insurance,” said Det. Constable Bagnall.

Kate Dewhirst, health lawyer and founder of Kate Dewhirst Health Law in Toronto, speaks about how for many organizations, there is an assumption that IT departments will handle cybersecurity vulnerabilities; staff become too comfortable online as a result.

“We need to reinforce a culture through storytelling, instructions and artifacts,” said Dewhirst, who suggests that combining those three components in your organization will improve mindfulness among staff.

Storytelling

Dewhirst recommends telling stories that hit close to home with your teams. By using examples of actual events in your communities or departments, you can begin to build real cybersecurity plans. You could start by talking about the worldwide WannaCry ransomware attack and then bring the focus locally by discussing events that have happened in our own healthcare community.

Instructions

“Stories get lost unless you give instructions,” said Dewhirst. “Be clear on what you want [employees] to do and not do.”

Carefully balancing urgency and seriousness can be a difficult task when you're trying not to inundate and overwhelm your staff with information. Dewhirst suggests avoiding information overload by steering clear of long, hard-to-read documents and instead laying out a clear and concise plan to prevent cyberattacks.

Artifacts

Information can be carried through objects displayed around the office as daily reminders to remain vigilant. Some examples include newsletters, posters, signs, email reminders and phishing audits. Being persistent with testing and avoiding staff apathy is imperative in preventing cyberattacks.

Staying hygienic

As an educational supporter of this conference, HIROC’s own James Penafiel, Underwriting Supervisor, and Stephen Park, Claims Examiner, put on a deeply informative presentation showcasing HIROC’s guide on Cyber Risk Management. Because the cyber landscape is multifaceted, we should keep in mind that the market is constantly evolving in response.

“Healthcare organizations should not hesitate to call their insurer with questions about cyber events and their coverage,” said Park.

The concept of cyber hygiene – which refers to using best practices to keep data secure in your organization – was highlighted by a number of the speakers. Park and Penafiel used the example of cyberattacks that can occur as the result of not correctly encrypting USB keys. In one case, a healthcare facility employee who was working remotely didn’t take enough care to secure their USB key containing the data of around 80,000 people.

“It’s important to keep in mind that cyber insurance is only one piece of the puzzle,” said Penafiel. “It doesn’t replace appropriate cyber hygiene.”

We know that stories and case examples like these are important to look at, but as Dewhirst said, stories need to be followed with instructions and daily reminders. It’s through a multifaceted approach like this that we can ensure the safety of our crown jewels.

By Marc Aiello, Communications & Marketing Coordinator, HIROC