When it comes to cyberattacks using phishing, malware and other online threats, MUSC has been working to make computer security a top priority.
As clinicians, researchers, students and employees become more interconnected through the Internet and users are able to use mobile devices, hackers can use more gateways to launch their attacks and disrupt infrastructure networks.
For an academic medical center like MUSC, breaches in university and hospital networks can potentially threaten the security of sensitive data and personal information and severely impact daily operations and patient care.
MUSC Chief Information Officer Frank Clark, Ph.D., vice president for information technology, supports minimizing the risk of cyberattacks and protecting personal information of MUSC's patients, students and employees. He and his team are committed to reducing these threats by strengthening information technology (IT) security procedures, policies and protocols, and closing security gaps. His team works with the institution's Information Security and IT Compliance Committee (ISICC) and MUSC leadership to find ways to balance costs, intrusion and inconvenience due to risk.
"Cybersecurity is a shared responsibility. Each of us must do his part to keep our data safe and create a safe cyber environment. When we all take simple steps to be safer online, it makes using the Internet a more secure experience for everyone," said Clark.
Last August, hackers broke into the S.C. Department of Revenue and stole financial data belonging to 6.4 million consumers and businesses. This breach served as an eye-opener for IT staff within organizations and other state agencies about the real threats to managing and storing sensitive information. It also serves as a reminder that threats can occur at any level.
To expand on the institution's security strategies and promote awareness, MUSC adopted a proactive approach to managing exposures and handling vulnerabilities. MUSC also supports the Department of Homeland Security's "Stop. Think. Connect." program. The campaign will help the community understand cyberthreats and empower employees, faculty and students to follow more online safety practices.
MUSC's security policies are approved by executive leadership and issued by the Office of the President.
Hospital staff follow security and confidentiality guidelines that protect patients' health information as guided by the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and Security Rule. The Compliance Office is responsible for training clinical staff about HIPAA rules and standards related to phishing, privacy audits, and use of detection software, social media and other communication resources.
The Joint Commission also has requirements regarding privacy, and, while they are less prescriptive than HIPAA, they also strive to protect patient privacy.
As academic centers like MUSC strive to maintain a collaborative work environment of openness and academic freedom, problems in protecting sensitive data like health records, personal information and financial data become a priority.
According to Clark, such situations attract hackers and intruders who want to penetrate MUSC's data security defenses. Increases in computer hacking, digital information stealing or public postings of sensitive data are especially challenging for medical centers and universities. The struggle to balance costs, technology needs and manpower to combat these emerging threats is also a concern.
According to OCIO's Richard Gadsden, MUSC's information security officer, cybercrime is big business and the sophistication of cyber criminals continues to grow. "These people are adept at tricking others into doing things that allow them to steal information. It's incumbent that we protect our data."
The OCIO works closely with the ISICC and other governance groups to provide technical assistance, risk assessment, technology-tool identification and protective equipment that safeguards MUSC's sensitive data.
"People will need to adjust. These are important controls that we must have in place," said Gadsden.
What you can do
Employees and students can follow steps to keep themselves, their personal assets and private information safe online. Here are some tips that all Internet users can follow to practice cybersecurity:
--Set strong passwords, change them regularly and don't share them with anyone.
--Keep your operating system, browser and other critical software optimized by installing updates.
--Use privacy settings and limit the amount of personal information you post online.
--Be cautious about offers online. If it sounds too good to be true, it probably is.
Threats to information security
--Phishing: An attempt by an attacker to steal sensitive information such as user names, passwords, credit card numbers, etc. by masquerading as a trustworthy person. Most phishing attacks occur via email.
--Malware: Malicious software such as viruses, worms or "bots" designed to disrupt operations or steal sensitive information.
--Data breaches: Occur when sensitive data is exposed to unauthorized access. Breaches can occur due to phishing, malware, hacking, physical loss or theft of computers or portable storage devices, inappropriate posting of data on websites, misdirected emails, etc.
Friday, March 1, 2013