May 1, 2017
Healthcare Security Roundtable: An Interview With CloudWave and Fortified Health Security Experts
Dennis Peasley (DP), Director of Security & Compliance, CloudWave
Dan Dodson (DD), President, Fortified Health Security
Ryan Patrick (RP), Vice President, Fortified Health Security
Security is top of mind for healthcare organizations today. In fact, a recent survey of CHIME members revealed that security tops the list of IT investments that CIOs are planning in the coming year. CloudWave and Fortified Health Security partner to deliver security services to healthcare organizations. Recently, members of each team participated in a roundtable discussion to contribute their individual perspectives on the security environment in healthcare today, and how hospitals can meet the challenges of protecting patient data and achieving compliance.
How have security needs changed over the past 5 years?
RP: Honestly, I don’t think the needs have necessarily changed. What has changed is the environment in which security decision-makers find themselves. It really has been a perfect storm of tangible and intangible multi-faceted factors that have brought security to the forefront. First off, unlike 5 years ago, the OCR has become much more active in investigating and subsequently fining CEs as well as BAs. In turn, HIPAA/HITECH finally has teeth and the authority to hold organizations accountable for their negligence. Secondly, a few very public healthcare breaches have shown industry professionals that it CAN happen to them and that there are those that look to breach the healthcare industry. Lastly, malicious actors have recognized that healthcare records are much more comprehensive than any other type of PII record. In concert with that recognition, they have also found how easy it is to exploit a healthcare environment.
DD: From a macro perspective, the whole digitization of healthcare after the HITECH act and the drive to implement these integrated systems has enabled a larger volume of healthcare data available for bad actors to go after. The regulatory requirements haven’t changed; they have been in place since HIPAA became law under the Clinton administration. Regulations and enforcement drive behavior, which is why folks are paying more attention to security, in addition to the malicious activity and the value of the healthcare record over the credit card record.
DP: I agree. With the technology that we use, proactive fixes are basically the same, but the motivation for the actors has changed. Credit card theft is no longer of much value because it lacks persistence. The credit card industry became responsible for its own losses. As a result, credit cards are replaced very quickly and stolen credit cards don’t have much value unless they are used right away. And because healthcare information is much more persistent, it can’t change. It’s a persistent record. It has become a de facto commodity that can be quickly changed from bits and bytes into dollars. The ability to extract money from healthcare organizations has proven to be a big business. The hospitals need their information on a minute-by-minute basis, so once their data is gone, they can’t wait days to get it back, and they need to react immediately to regain access to their data. Also, the publicity about ransomware and security breaches in the news is scaring executives, so that when an event occurs, they react quickly.
What do you think the most important security concern is for hospitals today?
DD: Certainly, ransomware is a hot topic in healthcare today. But the opinion I would offer is that your people are your biggest challenge in terms of cyber risks today. Your people provide access to more than technical deficiencies. I think it’s important for organizations to focus on the education of their people and the placement of technical safeguards around securing their infrastructure and applications in the event that human error allows a bad actor to penetrate their environment. Without the focus on people, I think organizations are going to find themselves in a world of hurt.
RP: I don’t think it has a lot to do with expertise or technology. The biggest concern from my perspective is complacency: lack of focus from a resource perspective and not recognizing that security is not an IT problem but an organizational problem and it takes a village for the organization to improve and solidify the effectiveness of their security program.
DP: Awareness. Although it won’t prevent breaches completely, it will help. Risk awareness isn’t intuitive. Most decision-makers in hospitals have a medical background, and there can be a disconnect to IT. In a recent HIMSS survey, 80% of IT executives attending HIMSS thought they had DDoS under control. It’s complex, expensive, and illustrates they may not understand the scope of the risk. Because of that, we end up with understaffed, underfunded IT departments, which is why hospitals are now working with outside partners. Partners need to have credibility and be able to communicate with the executives. The marketplace in most places is driven by the latest gimmick or technology. They don’t even know who’s on their network, who the third parties are, or what access they have. It’s difficult, it’s complex, and unless you have a mutual understanding with the medical executives, it’s hard for them to comprehend how big the risk is.
DD: We talk to healthcare executives all the time about understanding both sides of the equation as it pertains to technical security solutions that they might deploy in their environment. These technologies can be very sophisticated. Unless you allocate the appropriate budget or use a service like OpSus Defend to manage and implement a solution for you, your perceived value and the actual value of the technology can differ significantly. Plugging in technologies when they are not implemented, configured, or operated correctly can actually decrease your security posture when you think you are taking steps to improve it.
What are the biggest challenges when addressing these concerns?
DD: There are a lot of competing priorities in healthcare right now. Regulatory, financial, political, value-based care, population health…while security is one of the many important challenges a health system is trying to tackle, there are a lot of very important competing initiatives. Working with a trusted partner to chart a roadmap to make sure you are taking the right steps can be valuable.
RP: Helping organizations get out of their own way. We need to help healthcare understand the associated risks based on the decisions they are making. It’s tough for security leaders to push that agenda forward with folks that are not security- or IT-minded but hold the decision-making power. It’s finding a way to communicate with all parties within an organization in order to improve the program.
DP: Blocking and tackling are a lot more important than sexy new gizmos. Documentation, know what’s on your network, finding out what’s normal, and preparing for when a security breach occurs, these are the things that need to be done first. It’s no longer an “if”; it’s a “when”.
Describe the ideal security posture for healthcare as you see it.
RP: When the entire organization embraces its role in the continuous focus and improvement of the security program.
DP: The one thing that every hospital needs is someone with credibility that can help them understand where their security risks are. Prevention and the proactive and reactive parts of security need to be thought through.
DD: A vision that starts at the top and drives engagement throughout the organization, and builds a defense-in-depth strategy across the enterprise. This first starts with an evaluation of the current security posture of the health system and over time builds a comprehensive plan that takes into consideration people, processes, and technology to move the security posture from where it is today and increases it over time through the tactical execution of that vision. To me, the organizations that are doing this are the ones that are positioning themselves better than their peers and lowering their overall risk.
I’m sure you’ve seen hospitals that are doing security “right”. What common traits do they have?
DD: Taking a comprehensive approach, with an engaged board with an executive team that partners with the CISO or CIO and allows them to actively participate in the discussion, as well as recognizing when and where to bring in experts. One of the things that is difficult is finding and retaining talent. Should you be engaging with a partner to help you run your program, or should you spend time and energy recruiting talent?
RP: The organizations that realize they must take a multi-layered approach to security are usually the most successful. They need to look at it from three perspectives. A strategic perspective, like having senior management buy-in, and a champion on the executive team to push the objectives and initiatives, which solidifies the foundation of your program. If security is not in line with business objectives, then there are conflicts. In that scenario, security is going to lose. Looking at it from an operational approach, the organization needs to ensure that every staff member understands their role in security. And ultimately, technology. Technologies need to be implemented, and tools need to be in place. Organizations that understand that it takes a lot of different perspectives to manage security are the ones who are successful.
DP: Organizations are outsourcing things differently nowadays. Core functions should be handled internally, and organizations should also consider looking to partners for credible resources because it’s difficult to find skilled individuals. The hospitals that are doing it right have credible resources, either external or internal, and they work with that person or group to determine how to spend the resources they have. They also block and tackle, implement change controls, and build a strong core foundation. Most hospitals don’t have the staff to do this, and that’s where partners can help.
What do you see as common security weaknesses when working with hospitals?
RP: The blocking and tackling of security best practices: poor patch management, limited risk stratification, lack of senior management involvement/support. Doing the things that we all know that we should be doing, but don’t always do, are the root of some of the biggest gaps we find.
DP: Senior leadership will always want to be secure. They say it, they need it, they think about it when they go home at night, but they don’t really know what it means. I don’t like the word “secure”, because it implies that it’s black and white. It comes down to how much risk you are willing to accept.
If you could pick 3 things that a hospital IT team could do today that would have an immediate impact to improve their security stance, what would they be?
RP: Find a champion within senior management, understand that it “takes a village” and invest in DLP.
DD: 1. Make sure the entire organization is engaged. 2. Do some sort of phishing exercise, with consequences – this is a key high-impact, low-cost activity. 3. Implement a comprehensive program that you are committed to following.
DP: Document what you have in your environment and who has access to the network. Make a senior leader responsible and have an external review done by someone with technical horsepower who takes a detailed look at the system – server patching, IP addresses, etc.
It’s important for healthcare organizations to think about security for the long term as well. Can you name 3 things that healthcare organizations should put on their security roadmap?
RP: Data Loss Prevention is a very powerful tool that provides actionable intelligence. Establish long term strategic and tactical partnerships. Invest in a partner that can help you along your journey. Establish a Security/Privacy Consortium which includes members of the executive committee and reports to the board.
DD: The three things that I would say are to put a risk management program in place, number one. Organizations are used to managing financial risk, clinical risk, reputational risk; now start managing cyber risk in the same manner. Second, establish an appropriate cadence of technical solutions. What I mean by that is, don’t cobble together a bunch of point solutions only to rip it out years later to replace it with a unified system. We have the opportunity now to take a step back and put together a comprehensive program. Third, I would start making sure that medical devices are on your roadmap. These represent the single biggest threat to healthcare as it pertains to patient outcomes. Those who don’t have a strategy for monitoring these devices could potentially find themselves in a high-risk situation.
DP: For the long term, hospitals need a baseline to work with. Make sure things are being done the way they are supposed to be done – document, do a gap analysis and remediate where needed. Second, I believe that the lowest risk comes from a well-run operation. Security needs to be integrated into the environment and into everyone’s responsibilities. Third, implementing standards like ITIL is the next level of blocking and tackling. Doing this can lower risk dramatically.