Star Wars may be a light-hearted adventure film series at its core, but that hasn’t stopped professionals and academics from extracting some real-world lessons from the series. A couple of prominent examples include a thesis on the economic impact of building the Death Star and NPR’s political science analysis of the inner workings of the galactic senate.
With the latest Star Wars film, Rogue One, it’s the healthcare IT industry’s turn to take a crack at the known universe’s most popular space saga. Be forewarned: the following analysis includes spoilers from the new film.
A key component of the plot is that the Empire suffers a series of data breaches that have a catastrophic impact on the organization. The connection to the healthcare industry should already be clear. Even with improving safeguards, over 11 million individuals were affected by healthcare data breaches perpetrated by cyber-attacks in 2016. We can learn from the Empire’s mistakes by looking at the film’s three most prominently featured security measures, and how a real-world organization can do better than Darth Vader when it comes to protecting sensitive information.
Incident response. Early in the film, it is revealed that a traitor has released protected data. Intentional wrongdoing from within a healthcare organization is rare, but we do know that most real-world data breaches also come from an internal source—employee error. The Empire’s approach to this initial breach is actually worth mirroring. They interview the employee and his immediate staff about the nature of the breach and then take steps to audit all of his communications. Here on Earth, healthcare organizations should have written, formalized incident response policies that would likely include some similar steps. Risk level: Low.
Identity and access management. The Empire’s most sensitive data is managed from a single terminal that even a top hacker has trouble cracking. Top marks for Darth Vader so far. One area that could use some attention, however, is that Rebel spies are able to use biometric login credentials from a former (deceased) employee to authenticate access. Both EHR user IDs and workstation accounts should be reviewed on a regular basis, and permissions need to be updated as soon as employees leave or change roles. It’s not at all unusual for smaller healthcare organizations to discover that a former administrator’s account holds some essential permissions. In the Empire’s defense, the employee in question had been terminated very, very recently, but there are no excuses in a galaxy that moves at the speed of light. In our solar system, these access updates should be made within one business day. Risk level: Medium.
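The one-business-day rule above is easy to state and easy to miss in practice, especially over a weekend. The following script is an added example, not code from the article or from the Michigan Public Health Institute: it reconciles a constructed HR roster against a constructed account directory export and flags two things an access review should catch, accounts still enabled after the deprovisioning deadline (next business day after termination) and orphaned accounts with no matching HR record. The roster, the export, the account names and the `run_audit` helper are all assumptions made up for the example; a real review would read the export from the EHR or directory system.

```python
"""Reconcile an account directory export against an HR termination list.

Constructed example for a periodic access review: flags accounts that are
still enabled after the next business day following termination, and
accounts that map to no current HR record (orphaned accounts).
"""
from datetime import date, timedelta

# Constructed HR roster: employee id -> (name, termination date or None if active)
HR_ROSTER = {
    "E1001": ("Alice Example", date(2017, 1, 10)),  # terminated on a Tuesday
    "E1002": ("Bob Example", None),                 # still employed
    "E1003": ("Carol Example", date(2017, 1, 13)),  # terminated on a Friday
}

# Constructed directory export: one row per account, as a system export might provide it
DIRECTORY_EXPORT = [
    {"account": "aexample", "employee_id": "E1001", "enabled": True},
    {"account": "bexample", "employee_id": "E1002", "enabled": True},
    {"account": "cexample", "employee_id": "E1003", "enabled": True},
    {"account": "svc_legacy", "employee_id": None, "enabled": True},    # no owner recorded
    {"account": "jdoe", "employee_id": "E9999", "enabled": True},       # owner not in HR roster
]


def next_business_day(d):
    """First weekday strictly after d. Weekends are skipped; holidays are out of scope here."""
    nxt = d + timedelta(days=1)
    while nxt.weekday() >= 5:  # 5 = Saturday, 6 = Sunday
        nxt += timedelta(days=1)
    return nxt


def deprovisioning_deadline(termination_date):
    """Access must be removed by the next business day after termination."""
    return next_business_day(termination_date)


def audit_accounts(directory, roster, today):
    """Return overdue (account, days past deadline) pairs and orphaned account names."""
    overdue = []
    orphaned = []
    for entry in directory:
        emp = entry["employee_id"]
        if emp is None or emp not in roster:
            # Nobody in HR owns this account: it must be claimed or disabled.
            orphaned.append(entry["account"])
            continue
        _, terminated = roster[emp]
        if terminated is None:
            continue  # current employee; role changes would be checked separately
        deadline = deprovisioning_deadline(terminated)
        if entry["enabled"] and today > deadline:
            overdue.append((entry["account"], (today - deadline).days))
    return {"overdue": overdue, "orphaned": orphaned}


def run_audit(today_iso):
    """Run the review for a given date (ISO format) against the constructed data."""
    return audit_accounts(DIRECTORY_EXPORT, HR_ROSTER, date.fromisoformat(today_iso))


if __name__ == "__main__":
    # Monday 2017-01-16: the Friday termination is exactly at its deadline, not yet overdue.
    report = run_audit("2017-01-16")
    for account, days in report["overdue"]:
        print(f"OVERDUE  {account}: enabled {days} day(s) past deprovisioning deadline")
    for account in report["orphaned"]:
        print(f"ORPHANED {account}: no matching HR record")
```

Run on the Monday after a Friday termination, the report lists only the Tuesday termination as overdue, because the Friday termination's deadline is that Monday; run it one day later and both appear. The two orphaned accounts show up regardless of date, which is the case the article describes of a former administrator's account quietly keeping its permissions.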
Physical security. The Empire may have had a literal army protecting their servers, but they still made some basic physical security errors that healthcare organizations would be wise not to repeat. Rebel troops manage to venture deep into a protected facility by simply dressing like they belong there. In an actual healthcare organization, it is important to make strict use of visitor sign-in protocols and locked doors. In larger organizations, photo ID badges may be needed. Requiring a known vendor to sign in at every visit may feel like an unnecessary formality, but it is essential to log who had access to areas where PHI may be in plain view. Risk level: High.
Is your organizational security tighter than the Death Star? If you haven’t done a security risk analysis recently, now may be the time to find out. For Meaningful Use, eligible professionals must conduct or review a security risk analysis for each EHR reporting period. May the force be with you.
Matt Seager is a Health Information Technology specialist for the Michigan Public Health Institute