Heather Roszkowski, chief information security officer for the University of Vermont Health Network, gives us advice on how to protect our information online and what hospitals do to keep patients’ information safe, amidst all of the cybersecurity news.
Listen to the interview at the link below or read the transcript that follows.
UVM Medical Center: When it comes to security in our everyday lives, we know the basics. Lock the door, lock the car, pay attention to your surroundings. But when it comes to staying safe online, the basics seem less straightforward. We shop, bank, plan and transmit sensitive data online often without much thought, and hackers are getting better at stealing that information. It’s an issue that impacts people all over the world every day, but there are a few things that you can do to protect your information better.
Today Dr. Heather Roszkowski, chief information security officer for the University of Vermont Health Network, is here to give us some advice on how to keep our personal information safe. Thanks for being with us today, Heather.
Heather Roszkowski: It’s great to be here.
UVM Medical Center: Let’s start with the basics. Everyone uses passwords for their email, online banking, and even to protect their health information through My Health Online, but are all passwords created equal? What does a good password look like?
Heather Roszkowski: That’s a great question. Ideally, the best password is longer and more complex. But even better than a password alone, the best protection you can put on any account is multi-factor authentication. What that is, is much like your ATM card when you go to the bank. You have to use a card and you have a PIN, so you have two factors that you need to use in order to get access to your money.
The same thing you can do on any online account, or most online accounts I should say, is you can implement a technology where you use your password and another factor. It could be a random PIN or text message that comes to your phone, but turning on multi-factor is the best security for any of your accounts.
UVM Medical Center: Can you generally do that through say your bank’s website, or is it an app that you can download?
Heather Roszkowski: Absolutely, and the majority of companies will offer multi-factor, and if you can’t find a link on their website or you can’t use “multi-factor” or “two-factor” as a search criterion, you can always call the organization and find out if they offer it. A lot of companies and a lot of email accounts, such as Gmail, and banks are now offering, if not requiring, multi-factor authentication, so generally it’s easy to find, but you can also reach out to the company.
UVM Medical Center: So you said a good password for either factor is longer, should it include a mix of numbers, letters, or your kid’s name?
Heather Roszkowski: You know there’s some mixed reviews on the complexity aspect of passwords and whether or not they truly provide more security. I could tell you right now what not to do is to use your dog’s name or your date of birth or your kids’ names. They’re easy to remember. Generally you use them for the same password for every account. The reason that’s bad is because if one account were to get hacked, it can easily be tied to many other accounts.
So if you think of your personal email account, think of the data that’s in there. If your password was hacked or stolen how many other accounts would use that same password? How many retail shops have you signed up using that email account? Have you banked with it? Have you done mortgage payments? Just, I mean it’s amazing when people think of what’s in their email.
A lot of email companies offer unlimited storage so we never delete and there’s a lot of information that can be tied back in our accounts.
UVM Medical Center: So our passwords should be long and complicated and not our kids’ names and different from each other. How often should we change them?
Heather Roszkowski: The better, I mean obviously if you change them every day, you won’t ever remember them, so that’s kind of unrealistic, but I would say as often as you can within reason. And to make it easier there are many apps that you can download that will store passwords and potentially even reset them each time you use them. If you’re a tech-savvy person, consider looking into those applications that you can use on your phone to store your passwords, protected by a central password; they are great.
It’s much better than storing them on a spreadsheet, and no, it is not safe to store them in the notes app on your phone. You need to make sure that the app that you’re downloading is a valid app that is being used. A quick Google search of the app will give feedback, but if you choose a reputable one, yeah – it’s more secure.
UVM Medical Center: Can you explain some different ways that hackers could steal my information?
Heather Roszkowski: Absolutely. I think the biggest one right now is something called phishing and I’m not talking about being out on Lake Champlain in the middle of the winter. I’m talking about the online version where someone essentially casts a line. They send you an email and they’re trying to trick you to get a hold of that hook and give them information.
Generally that looks like either a package delivery notification; it could be a password reset email. It could be any number of things. But the one trend that I see most in phishing, is that they’re trying to get the individual to make a decision quickly by playing off of their emotion. “You need to do this now or else – something bad will happen. Your account will get locked. You’ll lose your money. We’ll take away your access.” Whatever it might be, they’re trying to get you to make a rash decision before you think about it. So that’s one of the biggest ways that hackers can steal information.
But you have to remember, if you think about all those accounts with all those businesses you have, or even accounts you have for such things as the electric company, internet, cell phone, right? When was the last time that you sat down and called that company and asked them how they’re protecting your information? So I would always advise folks: Once a year, get out a sheet of paper and start calling your companies and say, “What are you doing to protect my information? If I had to reset my password, what are you going to ask me?”
You might find some very interesting things. I did that about a year and a half ago and I found out that my cell phone company was using just the last four digits of my Social Security number to protect my cell phone account. The last time I checked, that’s not a secure number. As a matter of fact, I wore that number on the side of my helmet during my deployment to Iraq. So it’s amazing what you find when you ask folks what they’re doing to protect your information.
For those that don’t know, a lot of this information is actually sold on the dark web. There is a dark web and there is a marketplace, much like we would see with Amazon or eBay, that sells a lot of things, among them a lot of illegal items you can think about but also information. They create what’s called “fulls,” which means they have people that will go and do that kind of data mining across the public internet and they’ll collect information off of people. Then they package it and they sell it as a group so that these other organizations that have more capability can use that information to activate accounts, have phones shipped, sell those phones. It’s generally all financially motivated, but people need to understand that it does happen.
UVM Medical Center: Our guest today on Health Source is Dr. Heather Roszkowski, chief information security officer for the University of Vermont Health Network. We’re talking about cyber security. You mentioned wearing your social on the side of your helmet, have you worked in health information security for your whole career? What’s your background?
Heather Roszkowski: I’ve worked in health information security for the past, give or take, six years – and I joined the University of Vermont Medical Center straight off of 12 years of active duty in the army. While I was in the army I was a signal officer which generally deals with IT, radios, tactical radios, equipment, communication, stuff like that.
Part of my role there got into information security, and back I think it was like 2005 during my first deployment, was really when I started taking an interest in it and ended up doing my Master’s during my second deployment to Iraq in information assurance and I really just fell in love with it. To me it’s amazing when you can tie what you do every day and in that case it was protecting the information for where our soldiers were on the battlefield, what they were doing, what equipment they had with them – you knew that what you were doing every day was potentially saving soldiers’ lives. So when I chose to get out of the service, I really was looking for a career that had that same meaning to it. And what better industry to get into than health care, where our patients come to us during their most vulnerable times, and the last thing that they need is to worry about what’s happening with their information while they’re here. We just want them to get well and to go home and to not be concerned with anything else. So it’s great to be part of a dedicated team that is looking out for our patients kind of with them not even thinking about that.
UVM Medical Center: Could you talk about what’s going on in the industry today and some of the challenges that maybe the UVM Health Network faces as an organization?
Heather Roszkowski: I’m trying to find the right word. It’s an amazing time right now, and not really in a good way, in the cyber security industry. Unfortunately over the past couple of years we have seen a major increase in the number of attempted attacks against the health care industry. In 2016 alone there were over 25 hospitals that were impacted by ransomware. Ransomware is a type of malware that will get into your environment and encrypt your information, and whether it’s on your servers or on your workstations, basically it encrypts it and sends the key out to the hacker and you no longer have access to it until you pay a ransom.
Hollywood Presbyterian in California was hit. They were down for between ten days and two weeks. That creates a huge impact on hospitals. Take this last malware that came out a couple of weeks ago, “NotPetya,” which was designed to look like a ransomware attack but was actually what’s called a wiper virus. It had no intent to encrypt the data. It had every intent to wipe it, and so with the way it encrypted the machines at the very base level, there was no way to un-encrypt it.
There was a West Virginia-based hospital that is buying over 1200 new computers because they couldn’t recover those computers. This is a time right now where the health care industry has to be very vigilant about new attacks that are coming out, and you have to react quickly and we’re seeing the same thing. We’re seeing these same malware instances that come through email and we’re doing our best to strip them out and I’ll tell you it’s a very, very challenging time.
UVM Medical Center: It seems like every day there’s something new.
Heather Roszkowski: Absolutely, absolutely there is. You know it’s interesting because if you look back four or five years, it was really the financial industry that was the prime target. Some experts think that it was the transition to chip and PIN in the banking industry that really shifted a lot of the attacks to the health care industry.
UVM Medical Center: What kind of things do we try to do to protect the UVM Health Network systems?
Heather Roszkowski: First we have a fantastic dedicated team of cyber security professionals who take what they do very seriously and are very passionate about what they do and I think really that’s where it starts because you have to have a team that understands what they do is important and that they can have a lasting positive impact on our organization and most importantly our patients.
Secondly we have a whole suite of tools. I won’t name them, but we use the industry’s best tools to really take three different approaches. One is to protect our environment. Two is to detect anything that potentially could get into our environment, and that’s helpful because if new threats come out, the vendors don’t necessarily offer the latest protections for them until they can identify it and create it, so you have to have a plan to be able to detect things if it happens.
Then the last thing is to respond so that if we do have any type of cyber incident that we have a quick response plan. We have a team that is trained and understands what they need to do and we have processes to follow. We really work hard to keep our environment safe.
UVM Medical Center: So unfortunately sometimes even if I am personally careful with my information, I can become a victim of a malware attack or a phishing email. What happens if I do get hacked? Is there anything I can do?
Heather Roszkowski: I would say that the best thing that you can do is right now, before you get hacked. I think one is understanding where your information is. Is it on your PC? Do you have it on an external hard drive? Is it on a Cloud provider? Then secondly as I mentioned earlier, understand the protections that are around it. Call your companies and find out how they’re protecting it and if you’re happy with that level of protection.
Then third, if you’re not, you need to identify how you want to store that data. Do you want to put it on an external hard drive that’s not necessarily connected all the time to your computer? Do you want to have it in a place that is accessible? I think that’s important, to really kind of take a step back and say, what do I want to do to protect my information? It’s really an individual choice. It takes effort. It takes time and, you know, might take a little bit of research to figure out how you want to do it, but at the end of the day what you’re trying to do is prevent yourself from becoming a victim. I think if you do that and you repeat that process every once in a while, that puts you in a better position than trying to come up with how you’d respond once it happens.
It doesn’t mean it’s going to keep it from happening, but it just lessens the possibility. If it does happen, one of the first things you need to do is if you’re a victim of identity theft, you have to report it to the authorities. It gives them the ability to potentially track how many people it happens to, and they might be able to tie it to another case and who knows, they might actually find the person responsible.
Second, I always tell folks that if they’re a victim of any type of identity theft, immediately call the credit agencies, and they can put kind of a block on your credit for either a year or up to seven years in some cases, which would make it a lot harder for someone to take out a credit card or take out a line of credit in your name.
UVM Medical Center: What about companies that offer to help protect your information?
Heather Roszkowski: That’s really a personal choice. Something to note that I don’t think a lot of people realize when they see those commercials online is that in order to protect your information, you have to give them that information. So you’re handing that company your bank account numbers, your credit card numbers, all your personal information that you want them looking for and trying to protect. So I think that’s important to know before you sign up, because as with any decision you want to kind of make that decision with as much information as you can.
A lot of them can be good and again, I would do a quick search online to see if there’s any complaints about the company, to see if anybody’s had any issues with them and make that decision with that information in mind.
UVM Medical Center: Any thoughts on where the future of cyber security is going?
Heather Roszkowski: You know, cyber attacks can be any number of types of attacks. It can be, “Hey, we’re going to attack this company because they have a trade secret we want to steal.” There are cyber attacks that are politically motivated. There are many different types of attacks that can occur, and one of the things I think we’re seeing most recently is attacks potentially against critical infrastructure. Those are things such as electric grids and water treatment facilities, so I think unfortunately that’s a potential for future attacks as well.
UVM Medical Center: Our guest today on Health Source is Heather Roszkowski, chief information security officer for the University of Vermont Health Network. Thanks very much for joining us.
Heather Roszkowski: Thank you for having me.