For the last decade October has been designated as National Cyber Security Awareness Month, but given the recent high-profile ransomware case at Los Angeles-based Hollywood Presbyterian Medical Center, I am moving up my personal, unofficial health IT security awareness month to March.
My colleague Mark Hagland wrote a great blog asking a lot of pertinent questions about the Hollywood Presbyterian situation:
• What forms of cybersecurity and data security were in place at the hospital at the time of the attack?
• Was the patient data in the electronic health record (EHR—reportedly from the Alpharetta, Ga.-based McKesson Corporation) encrypted at rest?
• Is the hospital regularly performing behavioral auditing?
• What kinds of phishing training has taken place for EHR and other clinical IS end-users?
• Does the hospital have a CISO (chief information security officer), and what kinds of human and other resources does the CISO, if there is one, have?
• How and when was the ransomware message communicated?
• Did the hospital have any kind of data replication in place?
• How have the operations of the hospital’s data center been affected?
• Did the hospital have a comprehensive disaster recovery and business continuity plan?
I am interested in the answers to these questions, but my personal IT security awareness month also will include a broader discussion of what other organizations are going to do in response to this event. Coincidentally, I had already blocked out time to attend two industry events related to privacy and security, and now I am even more eager than I was to attend and interview CISOs and other health IT officials. Here are the venues I will be reporting from in March and some agenda items that sound intriguing:
The 2016 PHI Protection Network Conference, March 17-18
At this conference, being held in Philadelphia, attendees will hear from state and federal agencies and practicing security and privacy professionals about the latest threats and what organizations can do. Session topics include:
• Does Cyber Insurance Adequately Cover Cyber Attacks?
• How to Respond To a Cyber Attack from a Nation State or Sophisticated Crime Ring
• How to Manage Regulatory Issues When a Cyber Attack Hits
• Stolen Healthcare Records: Report from the "Dark Web"
Ben Goodman, CRISC, President, 4A Security & Compliance, New York, NY
• Healthcare Chief Privacy Officer Best Practices Roundtable
• Andrea Leeb, Esq. Chief Privacy Officer, Cal INDEX; Former Chief Privacy Officer, Public and Senior Markets Group, United Health Group, Los Angeles,
• Molly McCoy, Esq. Privacy Counsel/Chief Privacy Officer, Blue Shield of California, San Francisco, CA
• Jacki Monson, JD, CHC, CHPC, Chief Privacy Officer, Sutter Health; Former Chief Privacy Officer, Mayo Clinic, Sacramento, CA
• Morgan Vanderburg, JD, Compliance/Privacy Officer, Mayo Clinic, Rochester, MN
• Anna C. Watterson, JD, CIPP/US, CIPM, Associate, Davis Wright Tremaine; Former Policy Analyst, Office for Civil Rights, US Department of Health and Human Services, Washington, DC (Moderator)
Recovering from a Breach: Strategies for Reporting and Responding to OCR
David Holtzman, JD, CIPP, Vice President, Compliance, CynergisTek, Inc.; Former Senior Adviser for HIT and the HIPAA Security Rule, Office for Civil Rights, HHS, Austin, TX
Business Associate Breaches -- What You Don't Know May Cost You!
Cliff Baker, Managing Partner, Meditology, Atlanta, GA, and Janelle Burns, Esq. Corporate Privacy and Security Officer, Baptist Memorial Healthcare Corporation, Memphis, TN
Watch this space for reporting from these events, and industry response to the Hollywood Presbyterian event
