Paubox at the HIMSS Annual CXO Forum

The CISOs panel from left to right, David Finn (Symantec), Tom August (John Muir Health), and Auston Davis (Stanford Children's Health).

Last week, Paubox attended the HIMSS Annual CXO Forum. The event took place at the beautiful headquarters of Symantec. This year's topic for the forum revolved around the theme of cybersecurity. How is cybersecurity defined? What kind of threats are out there? And is healthcare prepared for these threats? These are all the questions that the speakers of the forum were helping to answered. Paubox learned many things from the forum and have our top 4 takeaways.

The top four takeaways for the Annual CXO Forum are:

1. Cybersecurity in healthcare is still lacking- despite all the news coverage over the past year regarding hacks in healthcare, the entire system is still playing catch up. During the forum, there was consensus that the healthcare industry is not spending enough on security. In fact, healthcare on average spends less than 3% of their IT budget on security, compared to the financial industry, which typically spends about 12%.
   
   
2. Vulnerabilities are plenty in healthcare- almost unanimously all the cybersecurity experts at the forum concluded that there are far too many vulnerabilities in healthcare. The vulnerabilities come from a variety of sources, phishing, malware, theft, and even medical devices.  The theme seems to be that organizations must prioritize the threats that they can be successful at for the time being.
   
   
3. Vital devices responsible for vital organs are a threat- medical devices such as pacemakers and insulin infusion pumps are very much at risk for cyberattacks. In recent years there have been proven cases of such medical devices being hacked, the Hospira infusion pump hack is a great example. What makes these threats even more unbelievable is the lack or regulation. The FDA has deemed that all Medical Device Data Systems (MDDS) and EHR are low risk and users are in charge of assessing their own safety. This means that healthcare organizations must be proactive and take it upon themselves to determine the risk of these devices for their patients.
   
   
4. Security is not about technology, but about people- cybersecurity as much as it is about technology, still comes down to people. The consensus amongst the CISOs (Chief Information Security Officers) was that the most important and most challenging aspect of cybersecurity for a healthcare organization is staff training.  It comes down to being able to communicate clearly with your staff about the risks and threats, building their awareness. Making the training personal and relevant is a very effective way to educate and increase adherence for staff members.
   
   

  Michael Garvin of Symantec demonstrating a simulation of a hack into a hospital's network.

The forum was incredibly well put together, due largely to the wonderful staff at the Northern California Chapter of HIMSS . Every seminar was filled great material and learning opportunities. Overall, the event demonstrated to Paubox that we are on the right path. Healthcare as a whole industry has a lot of vulnerabilities when it comes to cybersecurity, but it is working hard to fix these problems. As a provider for HIPAA compliant email, we are glad to be along for the ride and look forward to making a significant contribution towards improving the status of healthcare cybersecurity.