Constant vigilance and staying on the cutting edge are two ways those in charge of cyber security at Indiana Regional Medical Center ensure valuable personal information of patients and employees is not at risk of being stolen by hackers.
Mark Volovic, chief information officer at IRMC, says protecting sensitive data is a 24/7 job that is constantly evolving.
“Everyone,” Volovic says, “is a target.
“(In) cyber security, you have to protect your borders. You have to do things because there are bad actors, as we call them, who are willing to do harm for the sake of being able to do it, some type of retribution, or for fun or for financial reasons.”
Cyber security tries to protect the information stored in the IRMC computer network, he says.
“You prevent through keeping your equipment and software up-to-date,” he says. “You monitor and you measure what happens at the firewall. You educate your staff, employees, anyone on site on the campus.”
Most attacks “start with an innocent problem,” meaning someone may unknowingly open an email that ushers in an attack.
The crew works with a vendor to ensure a higher level of compliance training. Included will be controlled phishing attempts, he says.
“We may phish our own organization to see what our risk points are,” he says. “That’s how you become more aware.”
IRMC is contracting with companies for anti-virus protection at every PC and server in the medical center.
“If we’re getting attacked, there are procedures to go in and shut down a particular firewall port, for example,” Volovic says. “We made a significant investment (this year) to replace all our firewalls, all our email spam, all of our risky website protections. We invested with Cisco and contracted with Encryption Mail and Protection Services through Cisco, so that’s being installed. These are all part of the steps we’ve taken.”
Phone scams, emails, websites, web crawlers and “time bombs” that sit dormant for weeks or months before they attack are all on the watch list.
Firewalls are the first line of defense, he says. So plenty of attention is given to make sure they are working properly.
The task can be overwhelming.
“There’s an expression that says there are those who’ve been hacked and those who don’t know they’ve been hacked,” he says. “Another is if you haven’t been hacked, you will be.”
So far, the cyber security team has kept hackers away from medical records. Those records, of course, are loaded with information, and obtaining them would be a potential informational gold mine.
“There are things you can do inside a network,” Volovic says. “You can separate parts of the network. You do local encryption of hard drives. There are so many different layers of protection.”
Newly installed screen savers at IRMC remind people to keep passwords to themselves and to be smart about what they click on.
Consultant Greg Snyder, who works with 20 rural hospitals, says that most organizations have automated tools to mitigate some of the risk. But there’s still risk.
“That goes on every day,” Snyder says of hacking attempts. “It’s not getting better. It’s only getting worse.”
IRMC network administrator Paul Novak says it’s hard to find a balance.
“We want to make it secure so we’re protected, but we also want to make (the network) easy enough for people to use because it’s about their getting things done,” Novak says.
“It’s an ever-vigilant thing to keep doing,” he adds. And it’s a job the IRMC cyber security team takes very seriously.
“It’s our absolute duty to protect the individuals, patients and employees who come to our facility,” Volovic says. “We make sure we have the right tools, right processes, right people and the right external companies who are experts in this field to put in place the proper procedures to do our best to honor that commitment.”