Safeguarding Customer Data

In a video interview with Pharma Commerce, Jeffrey Bernstein, director of cybersecurity and data privacy for Kaufman Rossin’s risk advisory services, outlined the top mistakes healthcare organizations make in software development and maintenance from a security standpoint, including a lack of incident response plan; inadequate data encryption; absence of multi-factor authentication; neglecting security development lifecycle (SDL) practices; infrequent security updates and patching; and ignoring regulatory compliance. Bernstein emphasized that proactive security measures and regulatory compliance are essential for healthcare software management. He also dove into some of the most common cyber threats companies are facing, and how he envisions those threats changing over the next decade.

A transcript of Bernstein’s conversation with PC can be found below.

PC: What are some of the most common cyber threats companies are facing, and how can they best protect their customers’ data?

Bernstein: No matter what authority you're talking to—whether it's a practitioner, somebody that's inside of an organization, performing security, even law enforcement and other authorities—everybody says that 90% of the successful data security compromises involve some type of human error. Somebody clicks on a link, they open an attachment that has a malicious payload, they go to a watering hole site, they're tricked into giving up their username and password, and they say that 90% of these attacks happen because of some type of human error. The first thing that's really important is providing education to your staff, and it should be everybody from the person at the front door, all the way up to the CEO. Everybody needs security education. Everybody has to understand that security is a matter of strategic importance for the organization, and that security will always enable the organization's success. People also need to understand the importance of not being promiscuous with their devices, and treating their communications especially like they would treat their home.

You wouldn't go away during the weekend and leave your front door open or your windows open. You want to have it secure. If your doorbell rang at four in the morning, you wouldn't just open it up without verifying who’s at the door, so these attacks typically come through communication channels, such as email, text messaging, and other communication channels. For that reason, everybody needs to be vigilant about it, and you're only as secure as your weakest link. Any one mistake can create chaos within an organization. That's the first thing. If you look at some of the attacks that we see over and over, they're the same type of attacks, especially on healthcare. If you look at healthcare, there's a lot of attack surface, a lot of different devices, disparate devices, people connecting from everywhere. Everything's running over IP. There's a lot of data. There's a lot of money involved and a lot of money changing hands. There are a lot of participants. There's a lot of communications in which these attackers insert themselves into.

The other thing in healthcare is that there are lives at stake. Attackers know this, and for that reason, they're delivering these ransomware attacks often, and it's really plaguing the whole industry right now. The reason is that the attackers know that the healthcare organizations will pay the ransom. That’s another very dominant attack that we see. The second one especially in healthcare, is that there are a lot of transactions. There's a lot of money involved and a lot of participants, which opens up opportunities for these attackers to insert themselves into these communications.

The second most dominant type of attack is business email compromises and wire fraud. The FBI says that about 50% of all monies that are stolen by cyber criminals are the result of wire fraud and business email compromises. It's very important to have good controls in place, to have good processes and procedures in place when money's changing hands, and to have great partners too. That's probably the next thing on the list: knowing who you're doing business with. You're only as secure as your weakest partner that has access to your data, so you can have all the security controls in the world, all of the greatest talent on your team, and the best budgets, but if you're sharing data with third parties and they're not doing the same in terms of securing that data, then you could end up in a lot of trouble.