Cyber Security Discussed at PMIH Lunch-N-Learn

    By Thomas Goebel, Volunteer Content Writer

    Jeffrey Vinson, Sr. is the Chief Information Security Officer at Harris Health System.  Mr. Vinson was the featured speaker at a Houston Chapter March 7th Lunch-N-Learn at the Texas Medical Center, where he led his audience of project managers on a guided tour of today’s cybersecurity minefield.

    One of the biggest cyber threats to the health industry is ransomware.  Ransomware, which typically invades an IT system via a “Trojan Horse”, is a type of malware or virus that prevents access to a system’s contents (files, software, etc.) until a ransom is paid.  Once the ransom is paid, a “de-encryption key” is provided to the victim to unlock the system and regain access.  Hospitals are particularly vulnerable to this type of attack for a variety of reasons, chiefly the urgent need for access to patient records and the nature of critical care.  Indeed, some care facilities have paid ransoms (one hospital paid $17,000 to retrieve its files!).  Mr. Vinson said that ransomware attacks increased by 19% from 2015 to 2016.

    The most frequent vehicle for a ransomware attack is email.  With privacy becoming scarcer, resourceful criminals can access a great deal of information about individual users.  One preferred method is to launch phishing email attacks against lower-level managers, since C-level executives tend to be more aware of the potential for invasions.

    Biomedical devices present another area susceptible to cyber attack.  An increasing number of these devices are connected remotely through local networks and the Internet, making them especially vulnerable.  Many have their own IP address.  The Food and Drug Administration is now ordering hospitals and care facilities to tighten their cybersecurity in response to these threats.  Project managers are putting a great deal of thought into how to set up connectivity for future projects with security in mind.  In addition, they are acutely aware that it is essential to comply with HIPAA (Health Insurance Portability and Accountability Act) regulations governing electronic protected health information (ePHI) for patients.

    The role of the information security expert is to assess the need for greater security in an environment.  Perhaps the best way to identify a vulnerable target is by the use of a penetration test (“pen test”).  A pen test is a program that simulates an attack to expose gaps and weaknesses in a system.  This feature makes it a critical part of a full security audit.  Upon gap identification, security experts can employ fixes like increased user behavior monitoring, plugging software holes, and more robust authentication practices to protect patients and assure compliance with HIPAA.

    While this Lunch-N-Learn focused on cyber threats to the health industry, the reality for project managers is that information security is a growing concern for all industries.  The threat is not likely to abate soon.