Healthcare is increasingly complex and interconnected, and the push to exchange more digital patient information among providers adds to the risk of busy staff falling victim to phishing and other schemes that can ultimately jeopardize data and IT systems, said Krista Arndt, CISO of United Musculoskeletal Partners.
“Attackers are always three steps ahead of us no matter how mature your program is,” she said. In the meantime, “more and more onus is being put on the end users.”
The complexity of healthcare and the interconnectivity of entities working with other medical organizations and providers are compounding the risk, according to Arndt.
“You could get an email from a partner provider that you never received patient records for,” and the clinicians or administrative staff might open or respond to the message without realizing it is a phishing scam. “With everything else going on, such as the HITECH Act’s push for digitized records and trying to get off paper processes, it syphons the vector onto email,” she said.
“We need to shift our resources again with security awareness and training and ingrain that into the everyday life cycle,” she said.
In this interview with Information Security Media Group at HealthSec Summit USA in Boston, Arndt also discussed:
- Steps to combat phishing and related threats;
- Top issues involving third-party vendor security risk and how to address those challenges;
- Promising AI security technologies.
Arndt is responsible for the safety and security of all patients and employees of UMP and its practices. In previous roles, she assisted with developing and leading security programs in crypto, finance and the Department of Defense. She is an active member of the Health Sector Coordinating Council’s 405(d) and Underserved Provider Advisory Groups, ISACA and InfraGard’s Philadelphia Chapter. She also serves on Neumann University’s Business Advisory Council and is Marketing Committee chair for Women in Cybersecurity-Delaware Valley Affiliate. Arndt is a member of the CyberEdBoard.