
At the Health IT Summit in Chicago, a Discussion of IT Security Focuses on Frameworks

May 18, 2017
by Mark Hagland
A discussion of IT security strategy at the Health IT Summit in Chicago turned to a discussion of frameworks

On Friday, May 12 at the Health IT Summit in Chicago, sponsored by Healthcare Informatics, and held at the W-City Center Hotel in downtown Chicago, a panel discussion focused on some of the broad issues around IT security management in healthcare.

The panel discussion, entitled “Building an Integrated Security Strategy—Practical Tips for Creating a Governance Structure that Meets Your Standards,” was led by Sriram Bharadwaj, chief information security officer (CISO) and director, information services, at UC Irvine Health (Irvine, Calif.). Bharadwaj was joined by Michael Brunelle, privacy officer and data security analyst, Norwegian American Hospital (Chicago); Fred Kwong, Ph.D., director, information security, and CISO, Delta Dental; Adam Page, CISO and director, application services, NorthShore University Health System (Evanston, Ill.); and Chuck Podesta, CIO, UC Irvine Health.

It should be noted that the discussion took place from 9:00 to 10:15 AM Central time, nearly four hours before news of the global cyberattack known alternatively as WannaCry and Wanna Decryptor broke in the U.K. and elsewhere, so that subject had not yet emerged for discussion.

In any case, the discussion Friday morning was very wide-ranging. After general introductions and an overall framing of the subject, Bharadwaj turned to his discussants to get their perspectives on how they handle data security from the data governance and data management levels, specifically, how they’ve worked to develop an internal IT security framework. With regard to how the process moves forward at NorthShore University, Page said, “In terms of how we assess our security position, it had been up to the person leading those efforts” to manage governance, before he arrived at the organization. “So,” he said, “my first task was to assess our options. The first thing we did was to think, OK, if something does happen and we have to publicize some sort of breach, OCR [the Office of Civil Rights in the Department of Health and Human Services] is going to come in and ask questions, probably in the format of the OCR audit profile. So the first thing we did was to fill out that profile, and answer the questions, and score things red, yellow, or green, and why.”

Page continued, “When we felt we had gotten everything at least up to a yellow level, we did a reassess, looking at the progress we’d made in the past year. Documentation is huge: you’re using a framework to prevent a breach; but you’re also using those assessments to document what you’re doing. And from there, we’re now using the Resilience framework or assessment from the Department of Homeland Security/Carnegie Mellon. No matter what,” he said, “you need to use tools that are out there. And very importantly, what’s your scope, what angle are you coming from? And what software are you using? And how are you responding to each of the questions in any of the frameworks? That’s all very important.”


Delta Dental’s Kwong said that “The reason why we went down the path of a framework, is this: if you think about it from a legal perspective, frameworks allow you to show to auditors and/or OCR if you ever get audited, what you’ve done in terms of legal standards. Following frameworks shows that you’ve followed reasonable steps to protect the data you hold. You cannot show something that you’re doing is reasonable if you don’t have it allied to some sort of framework; otherwise, someone’s going to poke holes. And so, how can you answer the question as to whether you’ve done what you need to? Following a framework isn’t the only thing you need to do,” he added, “but it’s a good foundation. There are a lot of frameworks: the NIST Framework that came out about three years ago, and the older NIST framework. The ISL Framework, and others.”

“If what you have today is a mainly compliance-based security program, and you want to switch over to a risk-based program, start with a relatively simple framework,” Norwegian American’s Brunelle offered. “If you haven’t done this in the past, that’s a good way to start. If you’re more mature, you might be able to go to a more advanced framework. Or there might be pressures in your organization to go to something more advanced like the HITRUST framework. So once you’ve gone down that path, you can start moving forward, choosing a framework and developing a security program based more on risk than compliance. And 1.1 added in the concept of risk. And the ISL framework is more of an international standard. But ultimately, you want to adopt one that works with your organization.”

In response to a question from an audience member on whether a framework exists that focuses on the internal side of identity management and IT security governance, and on whether that is something that is important, Delta Dental’s Kwong said, “Any of the major frameworks will address identity protection. There’s a Rising Breach Report—the most recent one found that 68 percent of breaches occur from the inside out. If you think about data that walks out of your organization, how often does that happen? It happens to everybody.”

And UC Irvine Health’s Podesta noted that “There are ways to map out your processes; you can use rules to create spreadsheets that show behavioral patterns. You can utilize those tools—and as you avert these breaches, you can create educational programs around what you’ve found out. You don’t use employees’ names, but use circumstances. These frontline employees are absolutely essential to educate,” in order to minimize the chances of breaches, Podesta emphasized. “Of course, there are bad actors out there. But it’s so easy for breaches to occur because of mistakes made by your frontline employees. So no matter what you do on the outside, there’s always a way in. But what you can do on the inside, you can really protect against internal threats.”

“With regard to the challenge of identity management—for me, coming into a smaller organization with no security mindset, it was all very challenging four years ago, and remains challenging four years later,” Norwegian American’s Brunelle conceded. “Educating people about all of this—and roles and responsibilities change on a constant basis—all of those dynamics become a huge problem. I had to figure out a strategy around access, and sharing. And within the framework, that helps us to put a process in place to make sure that we’re thinking through carefully who has access to data.”

“Chuck, regarding governance of this at the board level, they don’t understand what this is about,” Bharadwaj said. “How do you handle that?”

“With a framework, you have risk management and compliance aspects,” Podesta said. “And the board has a fiduciary responsibility, but also a compliance responsibility, for the organization, as well. And so adhering to a framework helps them. So from that standpoint, it’s super-important. On the other hand, you also want to educate the board on the fact that you’ll never be able to prevent a breach—it’s not if it’s going to happen, it’s when it’s going to happen, and they need to understand that. That’s partly why you follow a framework. And doing tabletop exercises is very important. So I think it’s a two-way conversation with them. They need to understand the compliance aspect, but they also need to know what you’re going to do when a breach occurs.”

Bharadwaj noted that, “In Irvine, we have a compliance, risk, information security and privacy program; we call it CRISP. We bring issues together and try to solve them. We work through the process and respond to questions. It’s a governance body that really helps to pull together information. And we have a lot of takeaways from this that we use to help educate. Seventy percent of my job is educating the end-users to not do the wrong thing,” he noted. “It’s mostly not malicious, it’s mostly, ‘Oh, I didn’t know I was doing this.’ It’s very interesting how people change the way they behave once they understand the whys. We also have to make it work for them. So when people say, ‘You guys keep saying no!’ I say, it’s not about the no’s, it’s about the whys. It’s about explaining how we can get together and mitigate the risk together.”

Bharadwaj then turned to Page, and said, “Adam, can you talk about how you really operationalize a framework for risk management activity in your organization?” “You could spend a year or more just assessing your framework, depending on how deep you want to go,” Page replied. “So we believe there should always be short-term, medium-term, and long-term efforts. And doing those tabletop exercises is important, because you’re bringing in other areas of the organization and raising awareness. It’s nice to bring in your chief compliance officer, your CIO, your marketing people, your legal people. So you act out, OK, one piece of our network has been infected, now it’s going over to another. And it’s incredible the discussions that ensue. The goal is not to have everyone say, ‘OK, we’re good!’ when you do these exercises. No one’s 100-percent ready. But discussing questions like, so, what is the threshold in terms of how many machines are infected, as to when you call in external resources?”

“In a small organization, how do you handle frameworks?” Bharadwaj asked Brunelle. “Managing activity and tracking what we do in a structured enough way so that we are hardwiring some sort of process that fits within the framework, that is our challenge,” Brunelle responded. “While we’re thinking about security more and more now, we’re still cycling through new systems, new processes, new activities, that very often involve uncontrolled processes in terms of security; and business associates are involved in many of those processes. Do we have a business associate agreement each time? That’s a huge gap in things. And as we look ahead to the next couple of years, so much of the breach activity that’s going on is happening outside our walls, but affects us. So frameworks are nice; we have a lot to do within our own walls. And if we’re going to start to build tools and checklists, we have to build those tools. And that’s a huge gap and challenge for our organization. I’m hoping that more and more frameworks start to include created tool sets, knowing that every healthcare organization has issues in working with associate organizations.”

“We do have a third-party questionnaire we use, based on ISL controls,” Kwong reported. “It’s a good process to follow. I encourage people to follow that. So based on their completed questionnaires, we score them for risk, in terms of how it tracks with our framework, and whether it’s an acceptable level of risk or not. If not, we’ll work with our vendor and determine what we’re willing to accept. And we’ll suggest a remediation plan—and if they’re not willing to remediate, we have to consider either accepting that level of risk, or potentially looking at another vendor. And some of this has to do with how much leverage you have with a particular vendor. We also bring in evidence, not only from the assessment, but from external sources as well. A lot of external organizations will do research for you about vendor organizations—how financially stable are they? Is there information on the dark web about them?”

“We do an annual risk assessment process, per vendors and business associates,” Podesta noted. “We have a cloud-based vendor. And it’s one thing for them to sign a BAA, and tell you that they have policies and procedures in place, but how do you know that they really do? So requiring them to work with a third-party vendor to go through that assessment process and report back to you, is a real comfort. So I would urge you to consider using an outside assessment company, find out if they have that capability, and build that into your interactions with vendors.”

Further, Podesta said, “With your assessment from any external company, that will be the basis of your framework. And once you score 80, 90 percent on your first plan, you can move to NIST or ISO or HITRUST. And now you can go to your C-suite and say, these are the dollars I need to put this in place, and by the way, the first thing that will happen if OCR comes in is, have you done the things identified on your risk assessment? And if you say no, that’s probably not the answer they’re going to be looking for.”

“I agree with Chuck,” Page said. “The first thing you have to do to prioritize is to do your assessment and look at the results. And Verizon just did a good report. And you can look at which damages might be most significant or problematic. And you can look across healthcare and see what some of the serious issues have been—for example, you can encrypt your laptops. So ours at the end of the day, all fits into a security plan, a two-year plan with three sections: must do, should do, would like to do.”

“You don’t need to boil the ocean right now,” Kwong emphasized. “Start with the simple question of, what do you get yelled at most when a system goes down. So start with that—your most business-critical or sensitive data areas, right? Start with your crown jewels. I get yelled at all the time if this system goes down, so this must be the most important stuff. You know that you get the phone call in the middle of the night about the mission-critical systems. And even before you look at larger frameworks—there’s a security controls framework from the Center for Internet Security. This comes from a group of experts made up of hackers, protectors, scientific people, the 20 things that hackers use to get into your network. You can start with that. They have great tools that are all free, and give you the questions to ask around those tools. So don’t boil the ocean, start small, using tools in combination.”

Assessing the New Cybersecurity Practices Publication: Why Small and Medium-Sized Care Organizations Have Reason to Rejoice

A new set of voluntary cybersecurity practices just released by HHS offers practical advice and conceptual supports that fill information gaps

How helpful will the new set of voluntary cybersecurity practices that the Department of Health and Human Services (HHS) released in late December be to the leaders of patient care organizations? Only time will tell: part of the value of the release will only become apparent as the leaders of patient care organizations move forward to implement some of those practices, and as the success of such implementations is in some way measured and benchmarked.

But the release is a first start, at least. As Healthcare Informatics Associate Editor Heather Landi reported on January 2, HHS released the set of practices in the form of a publication “that marks the culmination of a two-year effort that brought together over 150 cybersecurity and healthcare experts from industry and the government under the Healthcare and Public Health (HPH) Sector Critical Infrastructure Security and Resilience Public-Private Partnership.”

“Cybersecurity is everyone’s responsibility. It is the responsibility of every organization working in healthcare and public health. In all of our efforts, we must recognize and leverage the value of partnerships among government and industry stakeholders to tackle the shared problems collaboratively,” Janet Vogel, HHS Acting Chief Information Security Officer (CISO), said in a statement published with the release of the new publication.

“Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP), the primary publication of the Cybersecurity Act of 2015, Section 405(d) Task Group, aims to raise awareness, provide vetted cybersecurity practices, and move organizations towards consistency in mitigating the current most pertinent cybersecurity threats to the sector,” HHS officials stated. “It seeks to aid healthcare and public health organizations to develop meaningful cybersecurity objectives and outcomes. The publication includes a main document, two technical volumes, and resources and templates.”

The overall publication consists of several sections:

  • the HICP main document, which “examines cybersecurity threats and vulnerabilities that affect the healthcare industry. It explores five current threats and presents 10 practices to mitigate those threats”;
  • “Technical Volume 1: Cybersecurity Practices for Small Health Care Organizations,” which offers cybersecurity practices for small healthcare organizations;
  • “Technical Volume 2: Cybersecurity Practices for Medium and Large Health Care Organizations”;
  • the “Resources and Templates” portion, which “includes a variety of cybersecurity resources and templates for end users to reference”; and
  • a Cybersecurity Practices Assessments Toolkit, which “helps organizations prioritize their cyber threats and develop their own action plans using the assessment methodology outlined in the Resources and Templates volume,” that last section being still under development as of Jan. 2.

As Landi reported, “The HICP publication aims to provide cybersecurity practices for this vast, diverse, and open sector to ultimately improve the security and safety of patients. The main document of the publication explores the five most relevant and current threats to the industry. It also recommends 10 cybersecurity practices to help mitigate these threats.”

What’s more, she wrote, “The main document presents real-life events and statistics that demonstrate the financial and patient care impacts of cyber incidents. It also lays out a call to action for all industry stakeholders, from C-suite executives and healthcare practitioners to IT security professionals, that protective and preventive measures must be taken now. The publication also includes two technical volumes geared for IT and IT security professionals, one focusing on cybersecurity practices for small healthcare organizations, and one focused on practices for medium and large healthcare organizations.”

Among the salient statistics reported in the HICP:

  • Fifty-eight percent of malware attack victims are small businesses.
  • In 2017, cyber-attacks cost small and medium-sized businesses an average of $2.2 million.
  • Sixty percent of small businesses go out of business within six months of an attack.
  • And, 90 percent of small businesses do not use any data protection at all for company and customer information.

How does that translate into impacts on smaller healthcare organizations? Among other incidents, the HICP notes that:

  • A popular orthopedic practice announced that its computer system was hacked via breach of a software vendor’s log-in credentials. This breach put just under a half-million people at risk of identity theft. Of those, 500 patient profiles appeared for sale on the dark web. The information for sale included names, addresses, social security numbers, and other personally identifiable information (PII). Although not posted for sale, pertinent PHI such as X-ray results and medical diagnoses were also stolen.
  • A rural hospital had to replace its entire computer network after a ransomware cyber-attack froze the hospital’s electronic health record (EHR) system. Doctors were unable to review their patients’ medical histories or transmit laboratory and pharmacy orders. Officials were unable to restore essential services and could not pay the ransom for the return of their system. After consultations with the Federal Bureau of Investigation and cybersecurity experts, hospital officials made the difficult decision to replace the entire system.

Of particular practicality is some of the very basic advice given to the leaders of smaller healthcare organizations. To wit: “Doctors and nurses know that hand sanitizing is critical to prevent the spread of germs. That does not mean health care workers wash up as often as they should. Similarly, we know that cybersecurity practices reduce the risk of cyber-attacks and data breaches. Just as we are able to protect our patients from infection, we should all work towards protecting patient data to allow physicians and caregivers to trust the data and systems that enable quality health care. Just as health care professionals must wash their hands before caring for patients, health care organizations must practice good ‘cyber hygiene’ in today’s digital world, including it as a part of daily universal precautions,” the HICP notes. “Like the simple act of hand-washing, a culture of cyber-awareness does not have to be complicated or expensive for a small organization. It must simply be effective at enabling organization members to protect information that is critical to the organization’s patients and operations. Your organization’s vigilance against cyber-attacks will increase concurrently with your and your workforce’s knowledge of cybersecurity. This knowledge will enable you to advance to the next series of cybersecurity Practices, expanding your organization’s awareness of and ability to thwart cyber threats.”

Meanwhile, both smaller and larger patient care organizations will benefit from the technical supports, including a Security Risk Assessment Tool, a set of recommendations on medical devices and cybersecurity, and an incident response risk management handbook.

What this set of resources does is fill a gap between theory and technical practice in a key area. Will it shift the entire landscape of cybersecurity for patient care organizations? No, that would be a far-too-ambitious goal. But the healthcare IT leaders of smaller and medium-sized patient care organizations in particular will welcome practical advice and supports as they move forward in their journeys around cybersecurity. Any such journey is inherently challenging, and federal publications and resources like these will be of real value in moving patient care organization HIT leaders forward.

HHS Releases Voluntary Healthcare Cybersecurity Practices

January 2, 2019
by Heather Landi, Associate Editor

In late December, the Department of Health and Human Services (HHS) released voluntary cybersecurity practices to the healthcare industry with the aim of providing practice guidelines to cost-effectively reduce cybersecurity risks.

The “Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients” publication aims to provide guidance to healthcare organizations of all types and sizes, ranging from local clinics to large hospital systems.

The industry-led effort was in response to a mandate set forth by the Cybersecurity Act of 2015 Section 405(d), to develop practical cybersecurity guidelines to cost-effectively reduce cybersecurity risks for the healthcare industry.

According to HHS, the publication marks the culmination of a two-year effort that brought together over 150 cybersecurity and healthcare experts from industry and the government under the Healthcare and Public Health (HPH) Sector Critical Infrastructure Security and Resilience Public-Private Partnership.

“Cybersecurity is everyone’s responsibility. It is the responsibility of every organization working in healthcare and public health. In all of our efforts, we must recognize and leverage the value of partnerships among government and industry stakeholders to tackle the shared problems collaboratively,” Janet Vogel, HHS Acting Chief Information Security Officer (CISO), said in a statement.

While technologies are vital to the healthcare industry and help provide life-saving treatments and improve patient care, these same technologies are vulnerable to myriad attacks from adversaries, ranging from criminals and hacktivists to nation-states, according to HHS. These technologies can be exploited to gain access to personal patient data or render entire hospital systems inoperable. Recent cyber-attacks against the nation’s healthcare industry continue to highlight the importance of ensuring these technologies are safe and secure.

“The healthcare industry is truly a varied digital ecosystem. We heard loud and clear through this process that providers need actionable and practical advice, tailored to their needs, to manage modern cyber threats. That is exactly what this resource delivers; recommendations stratified by the size of the organization, written for both the clinician as well as the IT subject matter expert,” Erik Decker, industry co-lead and Chief Information Security and Privacy Officer for the University of Chicago Medicine, said in a statement.

The HICP publication aims to provide cybersecurity practices for this vast, diverse, and open sector to ultimately improve the security and safety of patients. The main document of the publication explores the five most relevant and current threats to the industry. It also recommends 10 cybersecurity practices to help mitigate these threats.

The main document presents real-life events and statistics that demonstrate the financial and patient care impacts of cyber incidents. It also lays out a call to action for all industry stakeholders, from C-suite executives and healthcare practitioners to IT security professionals, that protective and preventive measures must be taken now. The publication also includes two technical volumes geared for IT and IT security professionals, one focusing on cybersecurity practices for small healthcare organizations, and one focused on practices for medium and large healthcare organizations.

CynergisTek, Protenus Partner on Privacy Monitoring Programs

December 26, 2018
by Heather Landi, Associate Editor

CynergisTek, Inc., an Austin, Texas-based healthcare cybersecurity firm, is partnering with Protenus, a healthcare compliance analytics company, to combine the companies’ technology tools and services with a focus on patient privacy monitoring programs.

The partnership will grant health systems access to Protenus’ analytics platform that leverages artificial intelligence to gather data related to potential patient privacy risks, along with CynergisTek’s patient privacy monitoring services.

According to Protenus research, insider incidents accounted for 23 percent of all breaches that occurred at health systems in Q3 2018. This figure will only continue increasing, indicating that now more than ever, health systems need a cost-effective solution to meet the daily challenges of managing patient privacy.

To address this need, CynergisTek and Protenus formed a preferred partnership to combine CynergisTek’s healthcare consulting experience and privacy programs with Protenus’ healthcare analytics technology to offer health systems both the people, processes, and technology components of a strong patient privacy monitoring program, according to the companies.

“As health systems face mounting challenges in creating and maintaining robust patient privacy monitoring programs, we identified a need to partner with a company offering complementary services so that health systems can act on the insights uncovered by our analytics,” Nick Culbertson, CEO and co-founder of Protenus, said in a statement.

“Data privacy is evolving as a dominant theme in conversations, both in healthcare and other industries, and health systems need to take an end-to-end approach to patient privacy to truly address this complex and mission-critical challenge,” Mac McMillan, CEO and president of CynergisTek, said in a statement.
