It is very important to break down the elements and steps involved in creating a robust and effective data security strategy in any patient care organization. That was the message Cris V. Ewell, Ph.D., the chief information security officer at UW Medicine IT Services, in Seattle, delivered to attendees Tuesday morning at the Health IT Summit in Seattle, sponsored by the Institute for Health Technology Transformation (iHT2—a sister organization to Healthcare Informatics under the Vendome Group, LLC corporate umbrella).
Dr. Ewell’s presentation, entitled “Healthcare Information Security Practices: Why are we failing?” was the opening keynote address at iHT2-Seattle, and challenged attendees, who are gathered at the Marriott Seattle Waterfront in downtown Seattle, to consider, and perhaps reconsider, how they are allocating resources and strategizing around assets, as they pursue healthcare IT and data security strategies in the current, unsettled operational environment in U.S. healthcare.
Ewell encouraged his audience to think carefully about assets, data, and intelligence, and to focus their efforts thoughtfully and strategically, when it comes to IT and data security in the present environment. Among the key points he stressed, under the question, “What are some things I can do?” were the following:
> Adopt a repeatable and transparent risk management framework and methodology
> Identify and prioritize assets and related risk-mitigation efforts
> Implement an intelligence program
> Develop aggressive risk transfer strategies
> Minimize the electronic attack surface in one’s organization
> Advance processes around incident response and management
> Ensure that the CISO in the organization has defined accountability and responsibility
“There is no shortcut” to developing a truly robust overall strategy for enterprise-wide IT and data security, Ewell told his audience. What’s more, the bigger and more complex the patient care organization, the more challenging it becomes to create and execute a truly comprehensive strategy, across the layers and dimensions of one’s organization, and across the complexities of people and processes.
One of the absolutely key elements in all this is developing a comprehensive risk management program for IT assets, Ewell told his audience. One slide in his presentation laid out the core elements of a successful risk management program, which he said include the following:
> Concentrate protection efforts across the entire organization
> Be nimble enough to adapt to new threats
> Be risk-based and not compliance-driven
> Involve executive management and the board in your risk management program
And none of this is easy. “At the University of Washington, which is a complex organization, it is hard to get to an enterprise-level risk assessment, given that we have 14 entities, and many other departments, that are involved in ePHI [electronic protected health information],” Ewell said. Meanwhile, he supports the idea of bringing in outside consultants to help with processes around enterprise-level risk assessment—but he immediately adds that, “When you bring in an outside firm to do a risk assessment for you, what they will provide you is a technical risk assessment, not a true enterprise-wide risk assessment. They will tell you about your ‘things,’ not your processes,” he emphasized. “Only you and your team internally can really assess your processes.”
In addition, Ewell noted, “Our adversaries are changing. They know what’s going on” in the industry, and are closely following trends and developments in healthcare IT. They are also becoming increasingly sophisticated as they seek ways to infiltrate and compromise organizations’ network infrastructures. For example, he said, cybercriminals are closely monitoring the social media activity of individuals, especially those who are on the staffs of patient care organizations. “They’re watching your LinkedIn profile to see what’s in it,” he stated. And the more information they can find in end-users’ professional and personal accounts, the more readily they can tailor attacks and intrusions.
Of course, in all this, Ewell emphasized, a core perpetual threat remains the fact that end-users working in patient care organizations continue to click on phishing e-mails, opening messages and attachments that lead to malware attacks, including ransomware. To some extent, he said, there is an inevitable level of vulnerability in this area, given the human factors involved. In fact, he said, “People who work in healthcare want to help other people; and the cybercriminals know that and use that to their advantage.” It’s the social engineering aspect of humans, particularly humans working in patient care organizations, that will always be a point of vulnerability with regard to data and IT security, he said.
“Not a once-a-year thing”
One element in all this that is clear, Ewell said, is the need to change thinking and culture around data and IT security. “You cannot do this in a vacuum. And you need to get executive management and board support” in order to get not only the funding, but also the organizational support, to make IT security strategy work across any patient care organization. “There is risk, and what you need to do is to bring this up to your organization’s board, and ask the board members directly how much risk they’re willing to accept.”