Mohammad Jalali, MIT Sloan Research Scientist
From MIT Sloan Management Review
Cybersecurity is becoming top of mind for customers and organizations, as highly publicized data breaches and cyberattacks at large corporations have revealed just how much damage a hacker can do by accessing or manipulating an organization’s systems. In addition to the immediate financial and operational consequences, a breached business often faces class-action lawsuits, regulatory fines, damage to its reputation, and a string of other ramifications.
Consider Yahoo. In April 2018, the company agreed to pay a $35 million fine for failing to report a 2014 data breach in which hackers stole personal information from hundreds of millions of user accounts. A month prior, a judge had ruled that the victims of the data breach had the right to sue Yahoo for negligence and breach of contract for not disclosing its systems’ security weaknesses.
Yahoo is not alone; a startling number of companies have faced public relations disasters surrounding security breaches in the past few years. On the one hand, the trend makes sense; cyberattacks are becoming more common than ever as hackers become more adept at penetrating systems. On the other hand, it doesn’t make sense, because while those carrying out cyberattacks are gaining more tools, so are the specialists who defend against them. Cybersecurity practices can — and need to — be better.
Mohammad Jalali, MIT Sloan Research Scientist
From The Conversation
Like any large company, a modern hospital has hundreds – even thousands – of workers using countless computers, smartphones and other electronic devices that are vulnerable to security breaches, data thefts and ransomware attacks. But hospitals are unlike other companies in two important ways. They keep medical records, which are among the most sensitive data about people. And many hospital electronics help keep patients alive, monitoring vital signs, administering medications, and even breathing and pumping blood for those in the most dire conditions.
A 2013 data breach at the University of Washington Medicine medical group compromised about 90,000 patients’ records and resulted in a US$750,000 fine from federal regulators. In 2015, the UCLA Health system, which includes a number of hospitals, revealed that attackers accessed a part of its network that handled information for 4.5 million patients. Cyberattacks can interrupt medical devices, close emergency rooms and cancel surgeries. The WannaCry attack, for instance, disrupted a third of the UK’s National Health Service organizations, resulting in canceled appointments and operations. These sorts of problems are a growing threat in the health care industry.
Protecting hospitals’ computer networks is crucial to preserving patient privacy – and even life itself. Yet recent research shows that the health care industry lags behind other industries in securing its data.
I’m a systems scientist at MIT Sloan School of Management, interested in understanding complex socio-technical systems such as cybersecurity in health care. A former student, Jessica Kaiser, and I interviewed hospital officials in charge of cybersecurity and industry experts, to identify how hospitals manage cybersecurity issues. We found that despite widespread concern about lack of funding for cybersecurity, two surprising factors more directly determine whether a hospital is well protected against a cyberattack: the number and varied range of electronic devices in use and how employees’ roles line up with cybersecurity efforts.
MIT Sloan Lecturer Lou Shipley
From Huffington Post
The data breach at the law firm of Mossack Fonseca in Panama sent shock waves around the world recently, with the prime minister of Iceland stepping aside, Swiss authorities raiding the headquarters of the Union of European Football Associations, and relatives of the president of China linked to offshore companies. The size of the breach was also shocking, with 2.6 terabytes of data leaked. That’s 30 times bigger than the WikiLeaks release or the Edward Snowden materials. However, the most shocking part of the “Panama Papers” story is that the breach, which exploited the firm’s installation of the popular open source content management system Drupal, was totally preventable.
Everyone knows that law firms manage large amounts of highly sensitive information. Whether the data involves an individual’s estate plan, a startup’s patent application, or a high-profile merger and acquisition, clients expect their information to be secure. Indeed, lawyers are required to keep this information both confidential and secure. Yet, despite the very high level of security owed this information, many firms lack an IT staff and outsource the creation and maintenance of their data management and security services. Once outsourced, there is an assumption that someone else will effectively manage the data and ensure its security.
This is many firms’ first mistake. Even if they aren’t managing their own IT, law firms still have an obligation to make sure that data is properly secured. This means asking frequent questions about security and ensuring that the vendor is implementing reasonable security measures.