VC Notes Archive Office of the Vice Chancellor
Friday, April 14, 2023

Be Digitally Aware

Good morning.

I will speak on the topic of information security today, but before I do that, I want to mention a few upcoming events. 

Dr. Jonathan Wilson, chief administrative officer, will present “UMMC 101: Emergency Response” on Monday, April 24 at noon in R153. He and a panel of experts will share information about and stories from emergency events – like the recent tornado in Rolling Fork – where UMMC provided medical response. This role is one of our most impactful responsibilities, and over the years UMMC has provided vital, life-saving support in all areas of the state.

Another UMMC 101 series event is scheduled for May. Stacy Baldwin, chief integrity officer, and Rachel Gressett, executive director of contracts administration, will present “UMMC 101: Contracts” on Thursday, May 24 at noon in SOM 124. This event should be of particular interest to all business-related staff and should help to make our contracts/agreements process more understandable and manageable.

Now, on to today’s topic.

It’s been reported that 24 health systems were victims of a ransomware attack last year, and in one instance, data of 623,000 patients were compromised. We have no way of knowing if any of these institutions paid a ransom or the financial cost to each because they will typically not disclose that information, but if any money was paid, I’m sure it reaches into the millions. If expanded beyond ransomware incidents to include all types of cyberattacks and data breaches, the numbers would be mind-boggling and very concerning for all health care institutions.

Image caption: Emails like this one look real but are actually phishing attempts to get you to click a link so the sender can gain access to the UMMC network.

According to an IBM study, the average cost of a health care-related data breach in the United States is $10.1 million. That amount has risen 42% since 2020.

Our industry, including the information of our patients, employees and students (where academic medical centers are involved), is under attack, and the perpetrators are doing anything in their power to enter our systems or gain access to our information databases for their own personal gain. In turn, we must do all that we can to prevent these illicit attacks. And I really mean the collective we – all of us must do our part. 

A couple of weeks ago, you received notifications that UMMC was facing cyberattacks emanating out of California. We have been able to fend off these intrusions without any compromise to our systems or data, but the attackers didn’t make it easy, moving the location of the attacks to other states. They are smart, so we must be smarter.

So, today, I call on each of us to play a role in defending our systems and data. While most of us don’t participate in fighting off attacks, we can all help safeguard against opportunities attackers have against us.

The first, and one of the easiest, things we can do is to not fall prey to email phishing. This is when you receive an email that looks official and appears to be from a trusted sender, but is really an attempt to get you to click on a link or open a file that will open a door for a cybercriminal to gain access. These attackers are very adept at creating communications that emulate emails we get and interact with all the time.

Oftentimes there are a few subtle things that can tip you off to a phishing attempt, and these tells are covered in the optional information security training that was offered to you from the Office of Information Security and Privacy. If you need to look back in your inbox to find it, search for emails from privacy@umc.edu. This training is short but very informative, and it could be the difference between falling victim to a phishing attack or spotting something that you report that could be addressed globally across our entire email system. I encourage you to follow through with this training opportunity.

Another easy way to help keep us protected is to follow the requirements of the UMMC Acceptable Use Policy. One part of this required policy is to not use your @umc.edu email address for personal use. It should only be used for work-related purposes. Using your @umc.edu address to sign up for things that aren’t UMMC related can provide an opportunity for hackers to find it on a list they can use for mass cyberattacks.

Cyber and ransomware attacks against health care institutions are on the rise, and systems across the country are asking personnel to remain on alert to help spot them and beefing up their security measures to keep doors closed to unauthorized entry. While we may not all understand the technicalities of cybersecurity, we can and should do anything in our power to thwart attacks and protect the digital systems with which we operate. We must be diligent in safeguarding the important, private information of our patients, employees and students. Breaches can erode community trust in us, be financially costly and put up roadblocks in our path to A Healthier Mississippi.

Signed, Lou Ann Woodward, M.D.
