
HIMSS News

HIMSS Conference Highlights Data Security

By Lee DeOrio

In the wake of recent newsworthy data breaches—in particular the California ransomware case—security was a significant topic at the recently concluded HIMSS conference in Las Vegas. One of the more interesting takes on the topic was presented by Sadik Al-Abdulla, director of security solutions at CDW, who suggested that data breaches were inevitable. As a result, he said the objective of health care organizations should be to “make it less bad when the bad guys get in.”

Al-Abdulla compared the situation to the automobile industry’s approach. There’s no way to eliminate car accidents, thus making it imperative to limit the damage when a mishap does occur. For example, the introduction of seat belts and airbags resulted in huge decreases in the percentage of fatalities.

By adopting a similar approach, health care organizations, Al-Abdulla said, would contain breaches to a limited area. This makes the situation more manageable and narrows prospective damages.

Other takeaways from Al-Abdulla’s presentation include the following:

• When it comes to exposing protected health information, people and processes are the main culprits. Take passwords, for instance. Al-Abdulla said those looking to gain illegal entry often start their attempts at cracking a password with the area’s most popular sports team, college or pro. Think how many Denver-area health care professionals feature “gobroncos!” as their password. As for what’s an effective deterrent, Al-Abdulla said phrases such as “maryhadalittlelamb” are actually more effective than random numbers, letters, and punctuation marks.

• There’s a difference between security and compliance. Al-Abdulla noted that restrictive security policies cause user frustrations that lead to risky workarounds.

• To limit the havoc wreaked by a breach, Al-Abdulla suggested that health care organizations measure the time it takes to detect a breach as well as how long it takes to respond.

— Lee DeOrio is editor of For The Record.