Before addressing the special attractions and vulnerabilities of healthcare data and software, a little background on cybersecurity of complex systems may be helpful: The single most important lesson from our experiences with conventional networked systems is that all of them can be hacked, and all will eventually be hacked. There’s a simple equation for hackers: their investments are related to the value of the data. Alas, because electronic health records (EHRs) have a relatively high value to criminals, we should expect hackers to make significant efforts to penetrate EHRs. (More on this later.) Our experience also teaches us that erecting protections to mitigate hacking is never by itself an adequate defense. Instead, it is always necessary for health IT leaders to make significant efforts monitoring the EHR system for unanticipated behavior. Equally critical, it’s always necessary to plan how to respond to detected attacks.
Two mistakes: One of the biggest mistakes organizations make is failing to understand the threat; organizations typically are uninformed about the sophistication and resources of attackers, on one hand, and so underestimate their opponents, while on the other, they assume their systems are much less vulnerable than they actually are.