What are some of the most urgent cybersecurity issues facing the IT leaders at patient care organizations and health plans right now, in the wake of some recent, massive attacks on organizations worldwide? And what must healthcare IT leaders do in order to ramp up their cybersecurity strategies and implementations? Those were some of the questions pondered by industry leaders during a session entitled “Practical Tips for Creating a Cybersecurity Framework that Meets Your Privacy Standards,” on Friday, August 11. The session was held on the second day of the Healthcare Informatics Health IT Summit Series-Philadelphia, being held at the Warwick Hotel in center-city Philadelphia.
The panel was moderated by Sriram (Sri) Bharadwaj, chief information security officer and director, information services, at UC Irvine Health (Irvine, Calif.). Bharadwaj was joined by Leo Scanlon, HHS senior advisor for healthcare and public health and deputy chief information security officer in the Department of Health and Human Services; and J. Mark Eggleston, vice president and chief information security officer and privacy officer at Health Partners Plans (Philadelphia).
Early on in the discussion, Bharadwaj asked his fellow discussants, “Why do we need to make use of a framework for data security? What do we need to get done, from a framework perspective, Leo?”
“I was listening to the last panel with a great deal of interest, because the description of what’s being done” in patient care organizations “mirrors what’s been done in the federal government for the past 12 years,” Scanlon told Bharadwaj. “It’s very difficult work; we have a lot of scars. And the hardest thing is persuading people of the risks involved. We have a framework based on NIST [the cybersecurity framework from the National Institute of Standards and Technology], based on FISMA [the Federal Information Security Modernization Act of 2014]. The guideline,” in short, he said, is, “use commercial software and manage the risk. That’s basically what the FISMA statute said. NIST was tasked with developing the framework. Congress asked them to develop what became 800-53 [the Security and Privacy Controls for Federal Information Systems and Organizations, from the Joint Task Force Transformation initiative], the control set. And we wasted probably five to seven years, spending a tremendous amount of money, demonstrating that we were compliant with controls, but showing very little that we had developed the craft of risk management,” Scanlon recalled. “And then there was a revolt among federal CISOs, and at the same time, NIST was busy developing the control set. One could argue that a framework should have been developed first, but they were under pressure to develop a control set,” he said, so that’s what happened.
“The reality,” Scanlon continued, “is that we’re going to use software that is not secure and was never designed to be secure. And in the outside world, outside segments of the military, the reality is that nothing will ever be fully secure. The key is to suggest approaches.” In the areas of the Department of Health and Human Services (HHS) focused on data security, he reported, “We’ve developed a whole array of tools and self-assessments. We use audits, and we have a staff of people who organize audits and do nothing but respond to audits. And we use those audits as the cross-check against the self-assessments in various areas, to measure maturity. The cybersecurity framework was developed to be directly connected to the NIST framework. It involves a maturity model assessment. So our big lesson,” he said, “was how to get out of a compliance mode and get out of checking boxes and writing reports, but rather, moving towards targets.”
(l. to r.) Panelists Scanlon, Eggleston, and Bharadwaj discuss cybersecurity issues
In addition, Scanlon said, “The other thing out of the federal government was an executive order, which said that cybersecurity is the responsibility of the individual agency, full stop. The executive order said, stop this, pay attention, and lead it.” Meanwhile, he said, “The third leg of what the federal government has done to support the framework is workforce development. To implement the framework, you need skill sets at every level—people who can understand these things, lead, and translate this into strategies at the upper management level. And need to evaluate tools and technologies, and apply them in the appropriate way. That’s what all of this is about, and what drives the cybersecurity framework in the federal government.”