At the Boston CHIME LEAD forum, held on Wednesday, June 22 at the Aloft Boston Seaport Hotel, and cosponsored by the Ann Arbor, Mich.-based College of Healthcare Information Management Executives (CHIME) and the Institute for Health Technology Transformation (iHT2—a sister organization to Healthcare Informatics under the Vendome Group, LLC corporate umbrella), expert health IT security panelists discussed the key components of an effective healthcare cybersecurity strategy.
Throughout the day, program attendees listened to multiple engaging sessions about a myriad of cybersecurity issues, from essential factors on how patient care organizations can be better prepared, to strategies for defense, response, and recovery. A plethora of IT security leaders—many from the healthcare space, but some with years of experience in other sectors—hammered home several core points, including: 1) the healthcare industry has now clearly become an intentional target for hackers; 2) traditional defense strategies such as firewalls and defending the perimeter are outdated and inefficient; 3) some sort of human-related issue contributes to the overwhelming majority of attacks; and 4) establishing a culture in which end users are educated and trained, and IT security is a proactive priority rather than a reactive one, is a must.
So where does the industry stand today in terms of its level of preparedness and sophisticated defense strategies? To start, the security experts in Boston pointed out that despite a recent uptick in making cyber defense a priority, it will be a while before healthcare gets to a place that other industries, such as financial services, have already reached. Indeed, multiple panelists throughout the day attested that they were either on a solo mission at their organization regarding IT security, or had to start a team upon being hired.
Heather Roszkowski, CISO at University of Vermont Medical Center, for instance, said the organization's security department was essentially non-existent before she arrived four years ago. "The focus has been on building a program, a suite of tools, and changing the culture," she said. For the first couple of years, Roszkowski was a "solo show" and didn't have an IT security team. "So we started out with an email encryption tool and an endpoint tool. But we have worked our way up from there," she said, noting that the program today incorporates data analytics and assessment approaches such as testing users with simulated phishing emails.
But the CISO said the biggest thing has been changing the culture. She told an anecdote of a physician at the medical center who called her and said that "time-out" functions that require a user to log back on after a period of inactivity were taking up too much time, and the physician couldn't pay as much attention to patients as a result. "So we went down to the hospital that the physician was in, saw the issue in person, and [fixed] it," Roszkowski said. Indeed, the system that was requiring log-ins and log-outs was always in sight of the physician, making it less necessary to devote constant attention to it, she said. "Customers see that we're listening to them and helping. And, we're getting what we want too, which is a more secure environment."
Several panelists also noted that yesterday's cyber defense strategies, such as firewalls and anti-virus programs, are no longer sufficient on their own, a point driven home by 2015, the "year of the data breach," in which major data breaches across the year resulted in the exposure of more than 100 million patient records. David Ting, founder and CTO at Lexington, Mass.-based Imprivata, said that the continuum of cybersecurity strategies has gone from defensive measures at the perimeter to technology solutions that monitor how people enter the network. "Some sort of human-related issue contributes to almost all attacks," said Ting, a 10-year healthcare veteran at Imprivata. "For the past 10 years here, it's been about how we neutralize that element of the human factor in which we introduce [a component that makes you] physically steal something rather than just take it from online," he said. Ting cited two-factor authentication, which employs methods such as smart cards, one-time password tokens and biometric devices to ensure users are who they say they are, as an example of this.
Chris Williams, chief cybersecurity architect at Westfield, Ind.-based Leidos Health, agreed with Ting about monitoring how people enter the network. Williams, who is the security lead on the massive U.S. Department of Defense Healthcare Management Systems Modernization (DHMSM) electronic health record (EHR) contract that Leidos was awarded last year, along with Cerner, Accenture, and others, said that he cares more about knowing an attack took place rather than thwarting an attack. "If you know you are getting hit, you can measure that and adjust responses appropriately," said Williams.
He compared the situation to that of banking: "Knowing how many people were in my bank lobby at 2 a.m. is actionable information; how many people drove by and gave the bank a dirty look is not," he said. "So look at the metrics that measure real-world and actionable activity. The vault isn't the most important room in the bank; the lobby is. If I know someone is in my bank lobby before they should be, I can design my IT environment to get them when in the lobby. The same can be true in healthcare; what's the lobby of your organization? Is it a user's laptop? Figure that out and design your environment around it," Williams advised.