The Journal of the Arkansas Medical Society Issue 1 Vol 115 | Page 22
EDUCATIONAL SESSION
Cyber Investigations and Training
by Casey L. Penn
William “Trey” Whatley is a Federal Bureau of
Investigation special agent and Cyber
Action Team member who
responds to large-scale cyber crimes and
conducts national security investigations.
Formerly a computer forensic examiner for the
FBI, Whatley has extensive experience with data
storage acquisition and recovery.
At the Society’s request, Whatley shared
educational information with those in attendance
at the 142nd Annual Session of the AMS. “I’m
passionate about cyber security,” he said. “I want
you to understand how hostile the environment is
for medical information.”
To offer perspective about current threats,
Whatley shared a comparison attendees may
relate to – that of stolen payment card information
or other Personally Identifiable Information, or PII.
“I doubt there are many people here who have
not lost or had stolen a credit card at some time,
or your Social Security number, or something like
that. I certainly have had that happen,” he said of
the commonality of this type of theft. As bad as
it is, credit card companies have gotten better at
responding – notifying cardholders of shady card
usage, reversing bogus charges, etc.
In comparison, what about medical
information? “I would submit to you that health
care is completely different, right? A credit card
can be replaced, but health information is simply
private or public,” said Whatley. “You can’t just
change your medical history – your diagnosis, your
prescriptions, your blood type, DNA; anything like
that is intimately associated with you. When that
loss happens, it’s a serious matter. The more that
can be put into securing that information, the better
that is. I feel like I have the best family physician
one could have. But at the end of the day, if that
information gets lost, who do you think the patient
is going to be most annoyed with at that instance?
The physician. Even though he would say, ‘I put
the information in,’ that trust you have with your
physician is affected.”
Awareness, Responsibility, Tested Backups
After touching on the importance of patients’
information, Whatley offered tips on protecting
medical information from man-in-the-middle
attacks, insider risk, and lack of preparedness.
Physicians and clinic managers need to 1) be
aware of where their data is and how it’s being
protected; 2) take responsibility and take the steps
you hope you’ll never have needed to take; and 3)
have secure, tested, hack-free backups in place.
Touching on potentially preventable risks,
Whatley warned physicians about open or
unsecured Wi-Fi, vulnerable network connections,
unvetted employees, and lightweight devices
and technology that is easily tampered with. “In
your clinics, technology is all around. If there’s a
laptop in a room that is accessible by patients or
other people – can it be physically removed? Is it
encrypted? Is the data encrypted in place?”
You may not be a technology-adept person,
but you can still make sure the conversation’s
being had with the leadership of your clinic,
hospital, or whatever it is so that there’s an
understanding of the importance of protecting
that information. Are you doing what you can
to protect patient data? Further defenses to
investigate include: