Children's Hospitals Today - Winter 2023 - 15

CYBERSECURITY / FEATURE
1 | Educate staff
Johnson has seen it all during her nearly two decades working
in information systems. What she sees now is a rapidly evolving
complexity in the schemes hackers are using to break
into networks. " Back in the day, you'd get this email
with poor grammar and shoddy graphics-it
just didn't read well, " Johnson says. " Now, it's
really hard to tell the difference between
something real and something fake. "
The hackers have not only become
more sophisticated but also more persistent.
HIPAA-compliant email provider
Paubox reports that malicious emails
targeting health care institutions have
risen 600% since the pandemic began.
As a result, phishing schemes account
for 16% of data breaches, second only to
stolen or compromised credentials, according
to the IBM/Ponemon report.
While the massive increase in phishing attempts
suggest a wide net of polished emails sent at
governance in place and understanding contingency plans,
Kopetsky adds it's vital to have a contractual understanding
around all aspects of your data before entering an agreement.
" You need to start talking upfront: what are they going to do
with the data, and how are they going to use it? " Kopetsky
says. " And especially important, when are they going
to delete it? "
" It's like we
have this 10,000lane
highway and
everybody has a lane-
and I've got concrete
barriers in between
the right ones. "
3 | Segment devices
and networks
There's a litany of pumps, sensors, workstations
and other devices in most hospital
rooms. Kopetsky says the patient
rooms at Stanford Medicine Children's
Health each average about 18 connected
devices. But there is-and should be-
flexibility in how those machines are
allowed to interact.
Segmenting the organization's network
both reduces access points and lessens
the impact of a breach. Segmentation may look like
scale, there's also a movement toward more targeted attempts.
" We have someone now who's been texting our executives,
pretending to be our CEO, " Johnson says. " They're saying, 'Hey,
it's your CEO, call me-I need you to do something for me.' "
The deluge of emails-and texts-isn't likely to subside.
The most effective means to combat them is education and
awareness. " Embedding some of the user security education
into your culture is one of the most powerful tools available, "
says Edward Kopetsky, senior vice president and chief
information officer at Stanford Medicine Children's Health
in Palo Alto, California. " We're a team of 15-we can't be
everywhere-so we count on our people being able to recognize
and report phishing emails. "
2 | Vet vendors
Facilitating faster and better patient care today requires a
dizzying array of machines and systems communicating
with each other. Patient EMRs are connected to laboratory
and radiology systems, insurance networks, durable equipment
systems, artificial intelligence modelers and more.
These interactions benefit the patient's outcome but can also
pose a security risk-they're often managed by third-party
vendors and require patient data to make the systems work.
" That's something we take very seriously, and, like most organizations,
we conduct a very detailed security assessment
when we're looking to partner with new vendors, " Nelson
says. " Accountability has to be on both sides, and those thirdparty
vendors must have security standards in writing, including
how they'll handle their clients if they have a breach. "
Beyond ensuring potential vendors have strong security
separating the guest Wi-Fi network from the Wi-Fi network
connected to medical devices, or allowing pumps to interact
with the EMR but not have access to the internet. " We do a lot
of strategic architecture within our networks, " Johnson says.
" It's like we have this 10,000-lane highway and everybody has a
lane-and I've got concrete barriers in between the right ones. "
4 | Require multi-factor authentication
Use of stolen or compromised credentials remains the most
common cause of a data breach-accounting for about one of
every five incidents, according to the IBM/Ponemon report.
Multi-factor authentication (MFA) is a relatively simple solution
hospitals can employ to ward off unauthorized logins.
Microsoft says 99.9% of the compromised accounts they track
every month don't use MFA.
" Multi-factor authentication is key-it's one of those easy
deterrents, like locking your door at night. " Johnson says.
It's important to devise an MFA solution that doesn't significantly
impede workflow efficiency, according to Johnson. At
Children's Wisconsin, that means a badge tap plus password
for clinical providers and a password plus random-code-generating
token for non-clinical employees.
5 | Build relationships
When Boston Children's Hospital thwarted a recently attempted
cyberattack, it received an assist from an outside
source: the FBI. " We have a very good relationship with the
local FBI agents here in Boston and nationally, and they were
the ones who notified us that there was a breach within our
HVAC system, " Nelson says.
CHILDREN'S HOSPITALS TODAY Winter 2023
15
Children's Hospitals Today - Winter 2023

Table of Contents for the Digital Edition of Children's Hospitals Today - Winter 2023
