The Journal of the Arkansas Medical Society Issue 1 Vol 115 - Page 22

EDUCATIONAL SESSION

Cyber Investigations and Training

by Casey L. Penn

William “Trey” Whatley is a Federal Bureau of Investigation special agent and Cyber Action Team member who responds to large-scale cyber crimes and conducts national security investigations. Formerly a computer forensic examiner for the FBI, Whatley has extensive experience with data storage acquisition and recovery. At the Society’s request, Whatley shared educational information with those in attendance at the 142nd Annual Session of the AMS.

“I’m passionate about cyber security,” he said, “I want you to understand how hostile the environment is for medical information.”

To offer perspective about current threats, Whatley shared a comparison attendees may relate to – that of stolen payment card information or other Personally Identifiable Information, or PII. “I doubt there are many people here who have not lost or had stolen a credit card at some time, or your Social Security number, or something like that. I certainly have had that happen,” he said of the commonality of this type of theft. As bad as it is, credit card companies have gotten better at responding – notifying cardholders of shady card usage, reversing bogus charges, etc.

In comparison, what about medical information? “I would submit to you that health care is completely different, right? A credit card can be replaced, but health information is simply private or public,” said Whatley. “You can’t just change your medical history – your diagnosis, your prescriptions, your blood type, DNA; anything like that is intimately associated with you. When that loss happens, it’s a serious matter. The more that can be put into securing that information, the better that is. I feel like I have the best family physician one could have. But at the end of the day, if that information gets lost, who do you think the patient is going to be most annoyed with at that instance? The physician. Even though he would say, ‘I put the information in,’ that trust you have with your physician is affected.”

Awareness, Responsibility, Tested Backups

After touching on the importance of patients’ information, Whatley offered tips on protecting medical information from man-in-the-middle attacks, insider risk, and lack of preparedness. Physicians and clinic managers need to 1) be aware of where their data is and how it’s being protected; 2) take responsibility and take the steps you hope you’ll never have needed to take; and 3) have secure, tested, hack-free backups in place.

Touching on potentially preventable risks, Whatley warned physicians about open or unsecured Wi-Fi, vulnerable network connections, unvetted employees, and lightweight devices and technology that is easily tampered with. “In your clinics, technology is all around. If there’s a laptop in a room that is accessible by patients or other people – can it be physically removed? Is it encrypted? Is the data encrypted in place?”

You may not be a technology-adept person, but you can still make sure the conversation’s being had with the leadership of your clinic, hospital, or whatever it is so that there’s an understanding of the importance of protecting that information. Are you doing what you can to protect patient data? Further defenses to investigate include: