BSidesPR cybersecurity conference to focus on health care, biotech
With the goal of providing Puerto Rico the means to counter cyberthreats, the nonprofit Obsidis Consortia Inc. is organizing the BSidesPR event titled “Healthcare and Biotechnology Resilience 2024 Conference,” slated to be held April 12-13 at the Puerto Rico Convention Center.
The conference will feature keynote speakers who are cybersecurity experts. Attendees will have the opportunity to participate in workshops and panels that will provide practical advice on how to protect themselves against cyberthreats.
In an interview with News is my Business, Obsidis Consortia President José Arroyo said that this year’s conference is going to delve into recent cybersecurity breaches in the health care sector, “because of all the hospitals that have been hacked,” he said, referring to incidents over the past few years with the electronic record management systems at Hospital el Maestro, Hospital Auxilio Mutuo, Hospital Menonita and the Hospital Pavia’s.
“The main problem these hospitals have with their information systems is that they don’t have a cybersecurity department,” Arroyo noted. “Most hospitals don’t have a cybersecurity department. They just have a couple of subcontracted guys. So that just becomes a problem when you don’t have someone on board that actually understands what is going on. When you have people who don’t actually understand what is going on, they make poor decisions, and that becomes a problem.”
Jeffrey Quiñones, a member of the Obsidis Consortia board, observed that companies frequently view security as an expense rather than an investment.
“So why do they do that? Because the majority of the companies, when [they] invest in security services, [they] have to do a risk assessment. So you have to check your vulnerability. … As a business, you see security as a cost and you continue having problems, and these are going to magnify as time progresses because the cyber landscape is not forgiving, it is going to get you,” Quiñones said.
Arroyo emphasized that the “sad thing about this is that it’s not a technical” issue.
“And the reason I say this is because the technology is ready to help and it’s there to provide security. The thing is that a hospital board of directors is composed of doctors, so there is no subject expert on cybersecurity. So if the board is making a decision [on whether] to invest in an MRI machine [or] investing in firewalls, they will invest in the MRI machine.
“That is not [the case] just for hospitals, this is for the whole medical field. Electronic record management has been mandated by HIPAA [Health Insurance Portability and Accountability Act of 1996 restricting the release of medical information] since about 2017, and in Puerto Rico you go to a doctor and they tell you to send me the prescription via email, and they are still using paper records.”
He explained that medical insurance identification is “really valuable on the dark web because it’s so expensive to have health insurance in the states that medical identification fraud is becoming very lucrative.”
One of the primary reasons most credit card companies require clients to add a PIN is to implement a control mechanism. For instance, if the bank identifies a fraudulent transaction, it “will block it right there and the transaction won’t be completed,” Arroyo said.
“But medical insurers don’t have any of that. I can literally print a health insurance card with someone else’s contract with a printing machine purchased on eBay,” he said.
Arroyo believes hospitals should distinguish between daily operations and cybersecurity, which requires dedicated attention. He suggests that hospitals “hire staff that knows what they are doing” in terms of cybersecurity.
“Maybe hospitals need to get a chief technology officer on the board of directors. And this person cannot be dependent on someone else. A lot of companies are transferring the risk to another company. There is something called a managed security service provider. So they could hire another company that already has the experts to manage their security. That’s an alternative. But the organization has to be willing to improve their security posture.”