Solving Healthcare's InfoSec Problems
HIMSS Forum Highlights Shared Misery and Signs of Hope
Healthcare organizations are still struggling to make sense of all the emerging cyberthreats they face and figure out how best to share the latest intelligence and stretch limited security resources.
Remarks by many of the speakers and attendees at the recent Healthcare Information and Management Systems Society privacy and security forum in Boston made it clear that the health sector is facing growing pains. Data security and privacy programs have largely been focused on HIPAA compliance, and it's time for them to be updated to catch up with new, real-world threats - including hacker attacks - that are surfacing every day.
"I think we're going to have to step up and become more sophisticated in how we approach protecting our data," Mac McMillan, CEO of security consulting firm CynergisTek, told me during an interview at the conference. "It's not about compliance; it needs to be about security - securing the systems, securing the data and protecting the safety of the patient."
But for some healthcare organizations, especially smaller entities that jumped onto the electronic health records bandwagon fairly recently, the focus is still mainly on trying to translate paper-world HIPAA concerns into securing the privacy of digitized data.
Many larger healthcare entities with bigger infosec budgets also face challenges in stretching resources and implementing strategies to help prevent cybercriminals and insiders alike from gaining inappropriate or unlawful access to sensitive data.
John Halamka, CIO and acting CISO at Beth Israel Deaconess Medical Center in Boston, told HIMSS forum attendees that, after a recent third-party security audit, the medical center is adding 14 more full-time information security pros. The medical center is also making a number of other moves to bolster security, ranging from biometric authentication to "buffed up" asset management.
Overall, cyberthreat information sharing in the healthcare sector is generally weak. But some interesting efforts are emerging at the local level.
In the Boston area, for example, health infosec leaders from Beth Israel Deaconess, Boston Children's Hospital, Partners HealthCare and other provider organizations meet monthly to discuss the threat landscape and other concerns, Halamka told me. If some new vulnerability or threat is discovered in-between those meetings, the leaders collaborate sooner.
Such was the case when Boston Children's Hospital was hit with a hacktivist distributed-denial-of-service attack in April. Leaders from area hospitals worked together with law enforcement and regulators during the investigation and subsequent mitigation effort, he says.
Jim Routh, CISO of Aetna, told HIMSS forum attendees that when he joined the health insurer a year-and-a-half ago, the organization's information security and privacy effort was largely compliance driven. He's been trying to change that to a risk-driven approach that enables the organization to be more proactive in keeping up with the ever-changing threat landscape.
"Privacy should be compliance-based, aligned with a regulatory framework. But info-security programs need to be risk-based, taking into account internal and external [threats]...and consuming cyber intelligence," Routh says. "There have been fundamental shifts in the threat landscape."
At Aetna, Routh says he takes some risks in order to reduce risks. For instance, he likes to buy promising information security technologies from innovative young vendors. It's a bet that's paying off for Aetna with technologies that include an analytic tool that has helped to identify all the cloud services that are being used at the company, including those without formal authorization. The tool discovered that more than 500 cloud services were being tapped, when Routh thought there were only about a dozen.
Buying early into promising security technologies - especially in areas such as social media, mobile and cloud, where controls are less mature - can pay off in better protections at lower costs, Routh says.
He admits, however, that the approach comes with risks. "When you buy early, you will make mistakes. So choose multiple products in case one doesn't work out."
Let's Work Together
While nearly all healthcare organizations are struggling to get a better grip on cyberthreats and other infosec challenges, some organizations are making bold moves to help address key issues.
If the leaders at more healthcare organizations were willing to share their security lessons learned - as well as any alarming discoveries that warrant mitigation sooner rather than later - perhaps there would be far fewer data breaches.