Advertisement
In this Business Profile, Brian DiPietro, Managing Director, Commercial Bank Technology, JPMorgan Chase & Co., discusses the importance of evaluating your cybersecurity protocols to help prevent malicious data breaches.

Brian DiPietroTell us a little about your organization.

J.P. Morgan has provided dedicated Healthcare financial solutions for more than 30 years. As one of the oldest financial institutions in the United States, we're a leading global financial services firm operating in more than 60 countries. We provide a multitude of services, including investment banking, personal financial services, commercial banking, financial transaction processing, and asset management. Our company has more than 240,000 employees that serve millions of consumers and small businesses, along with top hospitals and health systems, as well as many of the world's most prominent corporate, institutional and government clients.

What are some of the biggest challenges you see affecting healthcare organizations?

While hospitals, health systems, and physician practices currently face a variety of challenges, one significant issue is cybersecurity-the concept of keeping electronic data safe from individuals or groups who seek to exploit weaknesses in technology and steal information or disrupt systems.

Although every industry confronts data security threats, healthcare organizations are especially vulnerable because they electronically store large amounts of diverse data about their patients, which, if breached, can be utilized by a cybercriminal to impersonate the healthcare organization or the individual patient.

Any device that stores data and directly or indirectly connects to the Internet, including mobile devices, tablets, personal computers, and networks, is susceptible to a cyberattack. And the risk for infiltration goes up exponentially as health care becomes more technology-driven, with organizations using tablets at the bedside, relying on mobile devices for communication, and storing sensitive patient information electronically.

Without a strong plan for mitigating potential threats, an organization can open itself up to an attack, which can not only lead to HIPAA breaches, but also result in substantial financial ramifications.

Why are cyberattackers interested in stealing medical data?

Hackers are interested in healthcare data because of its personal nature. Cybercriminals can use the information to create a detailed picture of an individual, allowing them to commit fraud more easily than they might be able to without that data.

For example, if a hacker gains access to a patient's demographics, contact data, physician information, and/or most recent test results, the perpetrator could potentially send an email to the patient and pretend to be the healthcare organization. Imagine if that email were to ask the patient to click on a link for further information about testing-if the patient follows the request and the link introduces malicious software to his or her personal computer, the hacker could then steal additional information, including credit card data or social security numbers and introduce a key logger to track all keystroke activity. And the more data the hacker retrieves, the more realistic future communications will seem-in fact, the attacker may then attempt to pose as the patient and solicit information from the healthcare organization, gaining access to its sensitive financial data.

In addition to healthcare data's susceptibility, wire transfers may also be the target of nefarious individuals or groups. A hacker could pose as a hospital's CEO, or someone else with authority, and request a wire transfer. Assuming the communication appears to be real, the staff receiving the request might interpret it as legitimate. And without sufficient checks and balances, the organization could proceed with the transfer and ultimately be unable to recoup the money.

How can organizations be more diligent regarding their processes and protocols?

To reduce cyberattack impacts, healthcare organizations should consider first identifying their points of presence-meaning where, when and how do their specific devices and programs connect to the Internet. Next, it's helpful to examine the data coming in and moving through those points, in order to fully appreciate the information at risk. Developing strategic guidelines and processes to ensure connectivity points are minimized from a risk perspective, while functional from an efficiency perspective is the key to developing a proactive and ongoing risk analysis approach.

Once organizations map out what information goes where and who can see what, they can put controls in place to quarantine sensitive information. Controls may include employing standard preventive measures, such as firewalls, environmental scanning, and/or penetration testing. Other protections may involve establishing a system of checks and balances for at-risk activities. For example, if your organization makes wire transfers, consider setting up a process in which you have "four eyes on glass"-meaning, you have an initial person who sets up the wire transfer and another individual who approves it before execution. These safeguards can help to support security and prevent fraud or theft.

In addition to being proactive, organizations can also benefit from monitoring and logging all data flow to see who is interacting with what information and for what purposes. Ongoing monitoring allows a organization to spot potential threats quickly and address them before they escalate.

To make sure everyone is fully committed to keeping data safe, it's essential for organizations to educate their staff on cybersecurity risks and how to avoid them. Start by explaining why checks and balances are so important, and teach staff to recognize malicious emails or other suspect situations. Your employees are your first line of defense, and they have to be empowered to recognize and flag suspicious communications that could lead to a breach.

Organizations may also want to periodically test their cybersecurity processes and procedures to make sure they work as expected. It can truly be an effective strategy to engage in mock scenario testing, in which the health system brings key stakeholders together to talk about what they would do in the event of an attempted or actual breach. Issues to address may include identifying: the authorities that need to be notified; the staff that should be informed; ways the organization may lock down internal and/or third-party systems; controls to put in place and how these controls could fail; and the measures the organization could take in the future to prevent similar events from occurring. By walking through several possible scenarios, leaders can see how the organization's policy executes in a real-world situation, highlighting potential flaws that could warrant addressing.

What role should hospital leaders play in ensuring effective cybersecurity protocol?

Ultimately, cybersecurity should be a top priority for healthcare organizations, especially as the industry continues to embrace technology and goes mobile. Preserving security must be more than just a CIO issue. CFOs and CIOs should continue to identify this as a key area of focus and funding with the board and c-suite leadership to ensure the security of patient information, financial information, and any other critical healthcare data.

For readers to learn more about cybersecurity, are there any resources you would like to recommend?

You can visit J.P. Morgan's Healthcare Insights site for more information about the best practices for healthcare organizations. You can also learn more about emerging trends in cybersecurity and find out how you can protect your organization from fraud.


HFMA is the nation’s leading membership organization for more than 40,000 healthcare financial management professionals. Business Profiles are funded through advertising with leading solution providers. Learn more.

JP MorganContent for this Business Profile is supplied by J.P. Morgan. This published piece is provided for advertisement purposes. HFMA does not endorse the published material or warrant or guarantee its accuracy. The statements and opinions of those profiled are those of the individual and not those of HFMA. References to commercial manufacturers, vendors, products, or services that appear do not constitute endorsement by HFMA.

Publication Date: Tuesday, September 01, 2015