Contributed by Lee Kim, Esq.
Yesterday, I attended the Western Pennsylvania 2012 Cybersecurity Conference. It was a unique opportunity to learn about cyber-threats, including cyber-attacks and cyber-crime. As a healthcare technology attorney, I asked the panelists about their thoughts on these issues as they pertain to the healthcare industry. In response, I was told that any "pools of data" are rich targets for a breach and that the data may be targeted for the cash value in the aggregate or because it contains certain information on individuals of interest.
However, it was also made clear that if information security is taken seriously and our information systems are made more difficult to compromise, a cybercriminal may well move on to an easier, less secure target. All the more reason why every organization should have up-to-date security policies and procedures in place that manage the risks at hand (whatever they may be). Plus, with an increasingly mobile workforce, security should not be confined to the office; it should extend to the personal computers, laptops, and smartphones that may be used for remote access. There also needs to be education and training so that workforce members know what good security practices are (and so that they are not tempted, for example, to click on suspicious links or open suspicious attachments that can download malware capable of compromising, and perhaps even "taking over," a system).
The policies and procedures that are drafted should be written with a real understanding of both the technical and legal reality of the organization. They should be updated whenever there is a change on either the technical or the legal front, and whenever a new risk or threat emerges. The healthcare industry needs to take security seriously in a proactive sense (and hopefully before there is a financial, technical, or reputational disaster).