Cybersecurity and You: Understanding Meets Accountability


National Cybersecurity Awareness Month kicked off this October with an emphasis on taking personal accountability for cybersecurity and practicing safe habits as we use technology. To unpack this concept, we sat down with UHealth’s chief information security officer, Cory Hall.

Hall, a veteran of the information technology field and champion of cybersecurity awareness, also gives insight into the UHealth IT Cybersecurity team’s efforts to protect the health system against threats and shares one step he wishes everyone would take this month to be cyber smart.

Q.  The concept of cybersecurity may seem overwhelming for those outside of the industry. Can you break it down for us?

Cybersecurity is everything we do to keep our electronic data safe. The cybersecurity industry uses the CIA Triad: Confidentiality, Integrity, and Availability.

Confidentiality is restricting access to information to only those who have an authorized need. It is probably the most visible because it’s in the news all the time. People have had their personal and financial information stolen from companies like Facebook, Equifax, Target, Anthem Healthcare, and others.

Integrity is making sure only authorized changes are made to information. A hacker accessing our payroll system and changing the direct deposit of employees to another account is an example. Corrupted medical records can result in misdiagnosis, medical errors, bad outcomes, or worse. A bad outcome could be as simple as modifying a known allergy in a patient record.

Availability is making sure that information is readily accessible to authorized individuals. A ransomware attack is an example that restricts the availability of information. Flooding our systems with benign transactions, called a denial-of-service attack, is another way of restricting availability of information.

Q.  How important is cybersecurity within a health care environment, especially at UHealth where we rely on technology solutions in almost every aspect of our work — from routine administrative tasks to delivering cutting-edge patient care?

Health care is one of the biggest challenges in cybersecurity because health care-related records and processes are more diverse, dynamic and regulated than most other industries.

I strongly believe we have both a regulatory and ethical responsibility to protect the information we hold in trust for our patients. To use email as an example, our team monitors over a million emails a day looking for malicious activity while doing our best to ensure timely and secure delivery.

UHealth uses approximately 600 software applications to facilitate patient care. And, since we can’t protect what we don’t know about, we’re currently focused on visibility and control. We’re mapping out a comprehensive view of our cybersecurity risks and status and introducing a series of processes intended to control high-risk activity.

Q.  What can we do to better understand our individual role in the health system’s fight against cybersecurity threats?

Be vigilant and have patience, please.

Be vigilant by keeping an eye out for cybersecurity issues such as email phishing. Many cybersecurity issues start as phishing emails designed to compromise user IDs and passwords.

Have patience with new processes that come with an increased cybersecurity posture. It took years for the nation to get accustomed to using seat belts, but most people today use them without thinking; it’s a reflex. So, buckle up every time you log onto a UM electronic system and drive defensively.

Q.  This year’s theme for National Cybersecurity Awareness Month is Own IT. Secure IT. Protect IT. What does this mean for our providers, faculty, staff, and patients?

To me, the theme is all about personal responsibility and action. The chain of cybersecurity is only as strong as the weakest link. Own IT, by recognizing the impact of your actions online; Secure IT, by logging off of workstations before leaving; Protect IT, by reporting cybersecurity issues you see.

Q.  If you could magically get every member of the health system community to do one thing to improve cybersecurity on campus, what would it be? And why?

Become cybersecurity aware. Take advantage of an excellent series of 13 online courses on LinkedIn Learning designed to improve your cybersecurity awareness. Search “Cybersecurity Awareness” in ULearn or LinkedIn Learning. The first course, “Security Overview,” is about 30 minutes. All courses on LinkedIn Learning are free for faculty and staff.

Here are some more practical tips you can put into practice to be cyber safe.