Not If, But When You Will Be Hacked

At a recent HIT conference, a few hospital chief information security officers talked about the present state of HIT cybersecurity and offered some observations.

Here are the headlines:

1. You will be hacked. It is just a question of when and how you mitigate the damage.

2. Firewalls don't work

3. HIT is 10 years behind other industries, like financial services, but hopefully we can learn from the mistakes others made so it won't take 10 years to catch up.

4. You need a security operations center

5. Most CISOs don't have specialized training in cybersecurity, and there need to be higher standards

6. Having a state-of-the-art cybersecurity capability requires money, leadership support and the right processes

7. BIG MEDICINE cybersecurity solutions are not applicable to small medical practices. However, most small practices can protect themselves with basic interventions and outsourcing.

8. Behavior analytics can help detect chronic offenders

9. HIT cyberattacks often go unnoticed for many months. By that time, a lot of damage has been done.

10. Don't negotiate with cybercriminals

11. You need an in-house team to respond to incidents but can outsource monitoring

12. HIT is being hit because that's where the money is and the pickings are easier since financial services got better.

13. You need a crisis management plan in the event of a cyberattack

14. We are not training enough people in HIT cybersecurity

15. Independent practices affiliated with large hospital systems represent a challenge, particularly when using different systems

16. As the IoT gets bigger and interoperability becomes more of a reality, there is more to attack

17. Share but protect is becoming harder

18. Most cyberattacks happen because doctors and other staff members open phishing mail with viruses, malware and ransomware. They need continuous monitoring and education.

19. Cybersecurity has moved from the basement to the boardroom

20. Most information security officers get paid to say no

Whether you are a small, independent practitioner, independent but affiliated with a large system, or an employed physician in a large system, cybersecurity has become as important as washing your hands. Passing on a virus in either situation can have catastrophic consequences.

Arlen Meyers, MD, MBA is the President and CEO of the Society of Physician Entrepreneurs at