Before addressing the special attractions and vulnerabilities of healthcare data and software, a little background on the cybersecurity of complex systems may be helpful. The single most important lesson from our experiences with conventional networked systems is that all of them can be hacked, and all will eventually be hacked. There's a simple equation for hackers: their investments are related to the value of the data. Alas, because electronic health records (EHRs) have a relatively high value to criminals, we should expect hackers to make significant efforts to penetrate EHRs. (More on this later.) Our experience also teaches us that erecting protections to mitigate hacking is never by itself an adequate defense. Instead, it is always necessary for health IT leaders to make significant efforts to monitor the EHR system for unanticipated behavior. Equally critical, it's always necessary to plan how to respond to detected attacks.