As part of Healthcare Informatics’ Cybersecurity Special Report in its First Quarter 2018 print issue, in one of the report’s four pieces, healthcare IT security experts emphasized a few key strategies that forward-thinking organizations are deploying to improve their data security defense: monitoring users’ behaviors at a high level, and leveraging identity and access management (IAM) protocols to avoid unauthorized access to, or disclosure of, information.
One of those interviewed experts was Bryan Kissinger, Ph.D., vice president and CISO (chief information security officer) at Phoenix, Ariz.-based Banner Health, one of the largest health systems in the U.S. Kissinger, who has been in his role at Banner for less than a year, said in the story that in some ways his organization is ahead of the curve in terms of leveraging these strategies to improve Banner’s cybersecurity defense; but in other ways, there is a lot of work to be done. Below is the full interview with Kissinger, edited for length and formatting purposes.
How are you taking to your new role at Banner Health?
I came here as part of an initiative to enhance the maturity of our information security program. My job was to come in, look at the people, processes and technology that we had, and rapidly mature the program. We’re making a big investment in IAM, and we’re also looking a lot at behavioral monitoring. We have a number of big projects that we are in-flight on.
What are some of the specific projects you are working on right now?
On the identity side, we’re really looking at it from an efficiency and customer service perspective, so getting to day-one birthright access for all workforce members, and doing that in an automated way. Like most organizations, [Banner] has historically had an in-house developed system [for IAM] or they have done it manually, but now we are using a technology to help us give automated day-one access to all workforce members. And that access is tracked and governed within the platform such that on a quarterly basis we’re re-certifying that access with the workforce member’s manager.
For privileged access we are using a tool to vault privileged passwords, and system and privileged accounts, in a safe vaulting technology such that database administrators and other privileged users need to go into the vault and check out an encrypted password to be able to escalate privileges from a normal user to an escalated user.
And lastly on the identity management front, we are getting ready to implement a single sign-on tool that allows clinicians to be able to tap their badges on a badge reader—say in an exam room or the ED, or wherever they need to access health record technology—which then single signs them in to all of the applications they need for their job. It probably saves each clinician five to six hours a week that he or she would normally spend manually typing log-ins and passwords into different systems throughout the day. So it’s a security feature but an efficiency one, too.
I am keenly aware of the concept that every click and keystroke that you add for security [to a doctor’s workflow] is not welcomed. I am doing as many things as I can that are either back-office, or don’t impact the end user, or if it will have to touch the end user, I am hoping it makes him or her more efficient.
How sophisticated are behavioral monitoring strategies at Banner?
We have one area that we’re mature in and another where we’re at the beginning. On the mature front, we have a technology in place that evaluates a number of inputs such as: the clinician’s job; where he or she physically is doing work; and which patients he or she is looking at, and it makes sure that clinicians are only accessing patient records they should be accessing.
But when it comes to malicious activity traversing the network or systems behaving the way they shouldn’t be, we’re only at the beginning. We are looking at baselining what normal behavior is for most of our systems. We have implemented some database anomaly monitoring technology to be able to look for normal behavior on our most critical databases, and then alert and take action when that behavior is not considered normal. And that all feeds into our SIM [security information management product].
How key is it to deploy these strategies in a proactive way rather than be reactive following an incident?
We would all prefer to be on the proactive and preventative side, so we are trying to do everything we can do to prevent an incident from happening. On the defensive/reactive side, we’re trying to shorten that window of reaction latency. Whereas a bot could be operating in your environment for months, we’re trying to make sure that as we see anomalous behavior happening, we can address it quickly. And we’re putting in drawbridge technology in some cases. If something is looking a little strange, the time to get that resolved could be hours or days. If there is an attempt to extract millions of medical records out through our network, you want that reaction time to be seconds or minutes—not hours or days. So it depends what part of the network you are talking about and what data you are talking about. The more on the preventative side, the faster the reaction time, and the more expensive that is. You can only spend so much money.
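The database baselining and alerting described in the behavioral-monitoring answer above, as an added illustration that is not part of the original interview and not Banner’s tooling: per-account baselines of rows read per hour are learned from constructed audit events, each evaluation window is scored against mean + k·stdev, and a bulk read far outside baseline produces a critical alert record of the kind that would feed a SIEM. The account names, event format, k and the severity cut-offs are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed sample of database audit events: (account, hour_bucket, rows_read).
# Hour buckets 0-6 are the learning period; bucket 7 is the window under evaluation.
SAMPLE_EVENTS = [
    ("app_ehr", 0, 1200), ("app_ehr", 1, 1350), ("app_ehr", 2, 1100),
    ("app_ehr", 3, 1280), ("app_ehr", 4, 1190), ("app_ehr", 5, 1330),
    ("app_ehr", 6, 1240), ("app_ehr", 7, 1310),
    ("dba_jsmith", 0, 40), ("dba_jsmith", 1, 55), ("dba_jsmith", 2, 30),
    ("dba_jsmith", 3, 60), ("dba_jsmith", 4, 45), ("dba_jsmith", 5, 50),
    ("dba_jsmith", 6, 35), ("dba_jsmith", 7, 2_500_000),  # bulk read far outside baseline
]

@dataclass
class Baseline:
    mean: float
    stdev: float
    samples: int

def build_baselines(events, learn_until):
    """Per-account mean/stdev of rows read per hour over the learning period."""
    per_account = defaultdict(list)
    for account, hour, rows in events:
        if hour <= learn_until:
            per_account[account].append(rows)
    return {a: Baseline(mean(v), pstdev(v), len(v)) for a, v in per_account.items()}

def score_window(events, baselines, hour, k=4.0, min_samples=5):
    """Return SIEM-style alert dicts for accounts whose reads in `hour` exceed
    baseline mean + k*stdev. Accounts with too few learning samples are reported
    as unbaselined (info) rather than silently passed."""
    alerts = []
    for account, h, rows in events:
        if h != hour:
            continue
        b = baselines.get(account)
        if b is None or b.samples < min_samples:
            alerts.append({"account": account, "severity": "info",
                           "reason": "no baseline", "rows": rows})
            continue
        threshold = b.mean + k * max(b.stdev, 1.0)  # floor stdev so flat baselines still alert
        if rows > threshold:
            ratio = rows / max(b.mean, 1.0)
            severity = "critical" if ratio > 1000 else "high" if ratio > 10 else "medium"
            alerts.append({"account": account, "severity": severity,
                           "reason": f"{rows} rows vs threshold {threshold:.0f}", "rows": rows})
    return alerts
```

Running `score_window(SAMPLE_EVENTS, build_baselines(SAMPLE_EVENTS, 6), 7)` leaves the steady application account quiet and raises a single critical alert for the bulk read.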