Across industries, 78 percent of websites had vulnerabilities. Haley says "One in eight [sites] had a very critical vulnerability that would make it trivial for a criminal to get on there and host malware." The overall industry response to Heartbleed was "great," he adds, but "website owners need to step it up to make sure their sites are safe."
To that end, the preliminary findings of the CyberRX exercise, led by the Health Information Trust Alliance and overseen by Booz Allen Hamilton, give healthcare organizations six recommendations for preventing cyberattacks. First and foremost: Participating in a cyberexercise will enhance preparation, no mature an entity's level of technical maturity.
Identify Data That's Most Critical and Guard It With Your Life
Along with the various security measures outlined above, healthcare organizations need to identify the data that's most critical to them and make sure their security and privacy policies place a priority on protecting that, Haley says.
Encryption, as noted, is a great place to start. As Haley sees it, a large number of breaches caused by lost and stolen devices could be prevented if laptops, mobile phones and thumb drives are encrypted. (Under the HIPAA Breach Notification Rule, encryption is one of several ways to render protected health information "unusable, unreadable, or indecipherable." The loss of such data does not constitute a data breach.)
Of course, device encryption would be less of a priority if those darn users wouldn't lose their stuff. However, as the Verizon DBIR report puts it, "If there's anything we know to be true about human nature, it's that losing things and stealing things seem to be inherent predispositions."
Plus, as Haley points out, users can serve as another line of defense against data breaches - provided that they undergo extensive security training and aren't simply handed "a bunch of rules they need to follow."
As Widup puts is: "We'd love to see change. We'd love to see this get better."
Sign up for Computerworld eNewsletters.