In an Ever-Intensifying Threat Environment, Healthcare CISOs Become Part of the Bigger Picture | Healthcare Informatics Magazine | Health IT | Information Technology Skip to content Skip to navigation

In an Ever-Intensifying Threat Environment, Healthcare CISOs Become Part of the Bigger Picture

April 19, 2017
by Rajiv Leventhal
| Reprints
Establishing a culture of security is critically important in healthcare organizations. As such, the CISO is now becoming a senior executive-level position

One of the most significant points of discussion currently taking place in the healthcare sector is how patient care organization leaders are responding and reacting to the growing cybersecurity threat throughout the industry. Indeed, one quick look at the monthly Protenus “Breach Barometer” report— a snapshot of reported or disclosed breaches impacting the healthcare industry, with data compiled and provided by DataBreaches.net—reveals that the trend of cyber attacks in healthcare is certainly not slowing down; in March, the number of breached records was 2.5 times the number of records breached in January and February combined.

The level of sophistication at which healthcare organizations are responding to this problem varies across the U.S., but there does seem to still be a gap in funds allocated to data security. For instance, a HIMSS Analytics and Symantec study released in February found that even though cybersecurity budgets are increasing, 65 percent of surveyed healthcare organizations are still spending less than 6 percent of funds on security. What’s more, those survey findings indicate that the majority of healthcare organizations still have five or fewer employees allocated to IT security, although two-thirds of participating organizations do have a chief information security officer (CISO), which most often report to the CIO.

Indeed, CISOs within healthcare organizations—not too long ago a position with a limited role—have now become a part of the broader senior leadership team, experts say. Nick Giannas, consultant in search firm Witt/Kieffer’s IT practice, and who specializes in executive searches for CISOs in healthcare and education specifically, notes that “There needs to be an executive to oversee security across all of the organization’s business areas and to encourage a culture of information security.”

He adds that organizations are looking for someone who can build that culture, someone who is a strong communicator, and someone who not only has the cybersecurity expertise, but also the business acumen. “You need to have better alignment between cybersecurity and the business so it doesn’t hinder operations,” Giannas says. “All of this together requires a senior executive; it’s an executive level position, so it’s about having those soft skills such as being able to build a relationship, communicate effectively, and translating those cybersecurity concepts in a way that business leaders can understand. The [CISO] has become a trusted advisor,” he says.

However, while the CISO role is clearly now evolving, Giannas does note that there is an industry-wide gap in terms of skilled candidates. “The demand for qualified CISOs far exceeds the supply of top talent for these positions,” he says. And, he adds, “There is a need to expand and look beyond healthcare to find top talent in other industries who can make a difference and who might be coming from much more secure information security environments. Now that’s not to say that there are not strong individuals in this space in healthcare—because there are—but there are just not enough.”

Webinar

How to Assess IT Risk in a Healthcare Environment

In this webinar, Community Health System’s CISO Scott Breece and Lockpath's Sam Abadir will discuss the unique IT landscape of the healthcare industry and the challenges this presents for IT risk...

Nick Giannas

Throughout his searches, Giannas does find that organizations are now truly realizing the need for a talented executive leading their information security program. And beyond recognizing and recruiting that top talent, there are also other factors to consider in the hiring process, such as compensation and the actual commitment that an organization will make in terms of dollars to information security. “Gaps do remain in [budget allocation for information security], but if you look at the reports out there, with the threats continuing to evolve, we’re starting to pour more money into cybersecurity. Regarding data breaches, it’s not a matter of if, but when. So making sure you have the right tools and programs in place is important,” he says.

Certainly, these are responsibilities that fall on the CISO, and Giannas says that the forward-thinking provider organizations are starting to deploy advanced technologies such as machine learning intelligence software and predictive analytics to help protect their environments. He notes that the commitment and investment that C-suite leaders are now making in security are actually better than what many people think. “If not for organizations dedicating the resources that they are righty now, we could really be much worse off. And that’s not to say that they aren’t still behind, because they are, but the commitment is starting to pay off,” he says, adding that the pressure is on both CIOs and CISOs to look at new tools in this space. “You hear CIOs saying that cybersecurity is both the first and second thing on the list that keeps them up at night. So it really helps when you have a strong CISO in place that you can rely on. I think there is inherent pressure involved with this position, and the talented CISOs out there are really up to that challenge,” he says.

While Giannas says that in most places, the CISO is reporting to the CIO—a trend that’s in line with what the above-mentioned HIMSS Analytics survey reported—he is hearing organizations talk about moving the reporting structure to someone outside of the IT part of the organization. “I think just as cybersecurity incidences and threats evolve, thus forcing cybersecurity programs to evolve, the CISO position will also evolve. It’s an enterprise function, so you could see a trend in the future that the position will not be reporting into IT. That makes logical sense; it’s the evolution of the position. But that isn’t happening yet,” he says.

As the CISO position indeed continues to grow, a key to that evolution will be how the person in this role establishes a culture of security within the patient care environment. Adam Tallinger, vice president at consulting firm Impact Advisors, says that creating a culture of security carries equal weight to everything else that an organization dedicates culture to. He says, “If you have a culture where someone feels comfortable to reporting some [wrongdoing] or a breach in security, then you will be able to mitigate that, and restrict access to that data a lot quicker than if you have someone who tries to ignore it. Bad news never gets better with age,” Tallinger says.

In the end, just like with anything else in healthcare IT, some organizations are further along than others, so CISOs being able to create a culture of security “is an ongoing process,” Giannas says. “It’s not just about IT, and it’s not just about the information security departments. It’s about everyone playing a role across the organization, at all levels. All CISOs, even in mature environments, would say that they’re still continuing to grow in the area of establishing the right culture.”


The Health IT Summits gather 250+ healthcare leaders in cities across the U.S. to present important new insights, collaborate on ideas, and to have a little fun - Find a Summit Near You!


/article/cybersecurity/ever-intensifying-threat-environment-healthcare-cisos-become-part-bigger
/news-item/cybersecurity/anthem-agrees-record-payment-16m-largest-us-health-data-breach

Anthem Agrees to Record Payment—$16M—for Largest U.S. Health Data Breach

October 16, 2018
by Heather Landi, Associate Editor
| Reprints

Anthem, Inc., the second largest health insurance company in the U.S., has agreed to pay $16 million to the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) to settle potential Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules violations in the largest U.S. health data breach in history.

In early 2015, Anthem, based in Indianapolis, was hit with a series of cyberattacks that led to an unprecedented health data breach that exposed the electronic protected health information (PHI) of almost 79 million people.

The $16 million settlement is a record HIPAA settlement that eclipses the previous high of $5.55 million paid to OCR in 2016, according to a press release from OCR. As part of the settlement, Anthem also agreed to take substantial corrective action.

Anthem is an independent licensee of the Blue Cross and Blue Shield Association operating throughout the United States and is one of the nation’s largest health benefits companies, providing medical care coverage to one in eight Americans through its affiliated health plans.  This breach affected electronic protected health information (ePHI) that Anthem, Inc. maintained for its affiliated health plans and any other covered entity health plans.

As reported by Healthcare Informatics Feb. 5, 2015, the payer announced details of the breach late Wednesday (Feb. 4) in a letter from President and CEO, Joseph R. Swedish. He said that Anthem was the target of a “very sophisticated external cyber attack.” The hackers gained access to current and former members’ names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, and income data. Anthem says that credit card and medical information, such as claims, test codes, and diagnostic codes were not compromised.”

On March 13, 2015, Anthem filed a breach report with the HHS Office for Civil Rights detailing that, on January 29, 2015, they discovered cyber-attackers had gained access to their IT system via an undetected continuous and targeted cyberattack for the apparent purpose of extracting data, otherwise known as an advanced persistent threat attack.  After filing their breach report, Anthem discovered cyber-attackers had infiltrated their system through spear phishing emails sent to an Anthem subsidiary after at least one employee responded to the malicious email and opened the door to further attacks.

According to OCR, the agency’s investigation revealed that between December 2, 2014 and January 27, 2015, the cyber-attackers stole the ePHI of almost 79 million individuals, including names, social security numbers, medical identification numbers, addresses, dates of birth, email addresses, and employment information.

“In addition to the impermissible disclosure of ePHI, OCR’s investigation revealed that Anthem failed to conduct an enterprise-wide risk analysis, had insufficient procedures to regularly review information system activity, failed to identify and respond to suspected or known security incidents, and failed to implement adequate minimum access controls to prevent the cyber-attackers from accessing sensitive ePHI, beginning as early as February 18, 2014,” according to the OCR press release.

In the Healthcare Informatics story at the time of the breach, reported by Gabriel Perna, Anthem faced criticism from industry observers for its lack of encryption. Trent Telford, CEO of Reston, Va.-based Covata and a member of Anthem, said, at the time, that the company was irresponsible for not protecting the data.

“We do not know what they were after and we do not know what they plan to do with the data—what we do know is that they were after the data itself and it was left exposed and unsecured. The data was not encrypted making it a valuable target for thieves,” he said in a statement that was quoted in the story. “It is irresponsible for businesses not to encrypt the data. We have to assume the thieves are either in the house or are going to break in—they will always build a taller ladder to climb over your perimeter security - we must protect the data itself.

In addition to the $16 million settlement, Anthem will undertake a robust corrective action plan to comply with the HIPAA Rules.  The resolution agreement and corrective action plan can be accessed here.

 

More From Healthcare Informatics

/news-item/cybersecurity/minnesota-dhs-acknowledges-increase-targeted-phishing-attacks

Minnesota DHS Acknowledges Increase in Targeted Phishing Attacks

October 15, 2018
by Rajiv Leventhal, Managing Editor
| Reprints

Two phishing attacks on employees at the Minnesota Department of Human Services (DHS) resulted in the possible leakage of about 21,000 Minnesotans’ personal information.

The state health agency issued a notice last week that explained over the last several months, several phishing campaigns have targeted Minnesota’s executive agencies, including DHS. Two of these attacks were deemed “successful,” in that hackers—once in June and another time in July—were able to gain access to the state email accounts of two DHS employees, using these accounts to send out spam emails. The agency’s IT department didn’t find out about the attacks until August, officials said.

According to DHS, the two email accounts contained information about some people who have interacted with DHS, including the Minnesota citizens who were notified. Examples of the type of information found in the email accounts at the time they were compromised include: first and last names, dates of birth, Social Security numbers, addresses, telephone numbers, medical information, educational records, employment records, and/or financial information, officials noted.

The agency did add in its notice, “We currently have no evidence that this information was actually viewed, downloaded, or misused.”

According to a report in the Minnesota Star Tribune, this is just the latest cyberattack on Minnesota’s state agencies, “which fend off about 3 million hacking attempts daily, state officials have said. In fact, attacks are increasing, said Aaron Call, the chief information security officer for Minnesota IT Services, which provides technology services to state executive agencies,” according to that report.

In fact, in just the past nine months, “more than 700 security incidents have been reported affecting state agencies, Call said, adding that the attacks are becoming ‘more pervasive and more sophisticated,’” according to the Star Tribune report.

Related Insights For: Cybersecurity

/article/cybersecurity/cisos-cios-not-confident-their-medical-device-security-strategy-new-klas

CISOs, CIOs Not Confident in Their Medical Device Security Strategy, New KLAS Research Finds

October 9, 2018
by Heather Landi, Associate Editor
| Reprints
According to a survey of CIOs and CISOs, healthcare organizations have an average of 10,000 connected medical devices
Click To View Gallery

The healthcare industry continues to be bombarded with security attacks, and these cyber attacks are continuously evolving and become more sophisticated over time. At the same time, the healthcare ecosystem has become more connected with the increasing use of Internet of Things (IoT) medical devices, and these medical devices introduce vulnerabilities into healthcare organizations.

Unsecured and poorly secured medical devices put patients at risk of great harm if those devices are hacked, while also posing a threat to the security and privacy of patients’ protected health information (PHI). A recent medical device security report, the result of a collaborative effort between the College of Healthcare Information Management Executives (CHIME), the Association for Executives in Healthcare Information Security (AEHIS), and the Orem, Utah-based KLAS Research, sheds light on the current state of the medical device security industry. For the report, KLAS interviewed 148 CIOs, chief information security officers (CISOs), chief technology officers (CTOs) and other professionals at provider organizations to gauge their level of confidence in their medical device security strategies, the most common challenges they face, their perceptions of the security and transparency of major medical device manufacturers, and the best practices they leverage to overcome medical device security challenges.

The author of the report, Dan Czech, director, market analysis, cybersecurity at KLAS Research, will provide an in-depth overview of this report and medical device security trends during Healthcare Informatics’ Seattle Health IT Summit Oct. 22-23 at the Grand Hyatt Seattle.

The sheer number of connected medical devices that the average healthcare provider is trying to manage speaks to the tremendous challenge IT security leaders face, says Czech. “We spoke to organizations ranging from small to mid-sized clinics all the way to large multi-hospital IDNs (integrated delivery networks), and everyone in between, and the average number of connected medical devices was just under 10,000 medical devices. You think of the enormity of that problem, for an organization to wrap their arms around the problem of managing 10,000 devices,” he says.

What’s more, respondents reported that, among the thousands of connected medical devices that their organizations are managing, about one-third (33 percent) of those devices are “unpatchable.”

Webinar

How to Assess IT Risk in a Healthcare Environment

In this webinar, Community Health System’s CISO Scott Breece and Lockpath's Sam Abadir will discuss the unique IT landscape of the healthcare industry and the challenges this presents for IT risk...

According to the research, 18 percent of provider organizations had medical devices impacted by malware or ransomware in the last 18 months, although few of these incidents resulted in compromised PHI or an audit by the Office for Civil Rights, U.S. Department of Health and Human Services (HHS OCR).

Czech notes that there have not been any patient safety events, to date, as a result of a medical device security issue; however, respondents cite patient safety as a top concern. “Let’s take an infusion pump,” he says. “The ability for a bad actor to gain access to that pump and change the dosage of the medication that’s being injected into a human, that is the kind of patient safety issue that we are concerned about.”

Czech continues, “Another way medical device security affects patient safety is if a device is on Windows XP, and WannaCry ransomware hits; if something like that happens, that device is taken out of production. You may have an oncology patient who needs consistent treatment with a medical device, and if you take that out of production, it disrupts patient care and impacts patient safety.”

The report found that most respondents are either neutral about or not confident in their current medical device security strategy, with CISOs and CIOs more likely to report concern. Only 39 percent of respondents said they were very confident or confident that their current strategy protects patient safety and prevents disruptions in care. Thirty-one percent said they were unconfident or very unconfident, and another 30 percent were neutral. About one-fifth of respondents feel that the inherent risks of medical devices—several of which are outside of their control—will prevent them from ever feeling confident.

Those healthcare leaders who expressed confidence most often point to their security processes and policies, including access limitations, network segmentation and regular device monitoring and risk assessment, as the source of their confidence, followed by strong technology. To support these processes and policies, many leverage security technologies, such as access controls, asset tracking, firewalls, and medical device monitoring. Strong executive support (financial and organizational) and cross-department collaboration also drive confidence, as evidenced by the fact that large IDNs, who more commonly have greater financial resources, are more likely to be confident in their strategies, according to the report.

“Respondents who report they are more confident also are those that have a clear line of ownership, not a shared responsibility,” Czech notes.

Those respondents that lacked confidence in their medical device security cited lack of manufacturer support as the top reason. Almost as common are internal issues related to basic—but hard-to-master—security tasks, such as understanding what assets exist in their organization, which have been patched, which are connected to their network, and what systems those devices are talking to. “Asset and inventory visibility is the basic blocking and tackling of medical device security strategy—you can’t protect what you don’t know. They are looking for tools and processes that they can put in place that will help them understand all the devices they have, what’s connected to their networks, and some cases, what software is on the devices” Czech says.

What’s more, 76 percent of provider organizations report that their resources are insufficient or too strained to adequately secure their medical devices.

More Manufacturer Support and Collaboration Needed

Taking a deep dive into the root causes of medical device security struggles, the report finds that interviewed organizations are almost unanimous in citing manufacturer-related factors as a cause of their medical device security issues. Most provider organization see this issue as one of shared responsibility. As one CISO explained in the report, “I think there needs to be a coordinated effort between the manufacturers, the provider sites, and the regulators. I wish there were some other way for us to address this issue, but without that three-way partnership, I just don’t see how things will work out.”

According to Czech, the research findings indicate there is a gap between how long organizations expect to be able to use a device and how long vendors feel they can keep a device up to date and secure. As a result, nearly all interviewed organizations (93 percent) have struggled with out-of-date operating systems or the inability to patch a device throughout its expected life cycle. Currently, many manufacturers do not allow customers to patch devices themselves, or void warranties if they do.

Insufficient security controls, insufficient encryption, and hardcoded passwords are each cited as manufacturer-caused issues by about half of respondents. Adding to provider organizations’ frustration, on average, almost one-third of medical device vendors decline to offer contract provisions favorable to security.

However, the industry is beginning to shift, Czech notes. "Many provider organizations have drawn a line in the sand to say all contracts now and going forward will include standardized security contract language," he says. "This trend has been led by forward-thinking provider organizations and it also has benefited smaller organizations that may not have the legal teams or the cybersecurity teams that bigger organizations have, but they can use that standardized language in their contracts as well."

What’s interesting, Czech notes, is that many respondents spontaneously brought up frustrations regarding the role of the U.S. Food and Drug Administration (FDA) in medical device security, though KLAS did not specifically ask respondents about it. “It gets back to shared responsibility,” he says. “Respondents feel that manufacturers have a stake in this, they have a stake in this, but so does the FDA. Predominantly, the concern that they shared was that their manufacturer would hide behind their perceptions of the FDA regulations."

Almost two-thirds of respondents said manufacturers blame FDA policies, claiming the policies prevent them from making devices more secure. About a third said FDA policies are unclear, giving manufacturers ways to skirt around responsibility and a third said that even when policies are clear, the FDA doesn’t hold manufacturers accountable, according to the report.

Cybersecurity Programs Advancing Forward

According to the research, organizations are increasingly adopting a number of best practices to strengthen medical device security. There are foundational best practices that organization should implement, such as performing risk assessments, ensuring the inclusion of security provisions in their contracts, and ensuring they receive a software bill of materials, Czech notes. Organizations also report using the most common and basic defense techniques such as network segmentation, antivirus software, and vulnerability scanning to ameliorate security risk.

With regards to organizations’ patching strategies, many provider organizations have begun requesting that vendors use contract language that clearly outlines patching responsibilities and timelines.

Providers also are leveraging third-party solutions to improve medical device security, with nearly 75 percent of respondents currently using or planning to use third-party software or services, according to the report. Network access control (NAC) is most often used to segment networks and approve/deny access. To reduce costs and clearly define ownership, other organizations outsource their clinical engineering as well.

Looking at overall cybersecurity trends, the report indicates that organizations are investing more resources, both operationally and financially, in their cybersecurity programs. Almost 70 percent of organizations (68 percent) report having a VP or C-level leader in charge of the security program, and that’s up from only 42 percent in 2017, representing a 26-percent increase.

“Large IDNs are definitely leading the way with CISO leadership, as about 80 percent of their organizations have a CISO in charge, whereas if you look at clinics and community hospitals, those would be hospitals under 200 beds, only less than 10 percent have a CISO in charge,” Czech says. “Many of those smaller organizations have a CIO that wears two hats—an IT hat and a security hat.”

Organizations also reported improvements to security programs compared to a year ago. Twenty-seven percent considered their security programs to be fully functional and 47 percent said they were developed or starting to function in 2018, compared to 16 percent and 41 percent, respectively, in 2017.   

More than half of organizations (57 percent) report that security is an agenda item at board meetings monthly or quarterly. In addition, 83 percent of organizations have increased their security budget in the last two years, and, on average, budgets increased by 85 percent, according to the report.

 


See more on Cybersecurity

betebettipobetngsbahis