At the Health IT Summit in Raleigh, a Nuanced Discussion of CISO-Level Challenges

October 20, 2017
by Mark Hagland
At the Health IT Summit in Raleigh, CISOs and other cybersecurity experts engaged in a nuanced discussion of the complex issues facing healthcare IT leaders right now industry-wide

A number of complex, nuanced issues at the CISO level came to the fore in a panel discussion on Friday afternoon at the Cybersecurity Forum, on the second day of the Health IT Summit in Raleigh, being held at the Sheraton Downtown Raleigh (N.C.), and sponsored by Healthcare Informatics.

The panel, entitled “Practical Tips for Creating a Cybersecurity Framework that Meets Your Privacy Standards,” was led by Lee Barrett, executive director of the Electronic Health Network Accreditation Commission (EHNAC). Barrett was joined by Johannes (John) Boehme, CISO, Wake Forest Baptist Health (Winston-Salem, N.C.); Chuck Kesler, CISO, Duke Health (Durham, N.C.); Chris Beal, director of security and chief security architect, MCNC (Durham); and Carl Cammarata, CISO at Northwestern University’s Feinberg School of Medicine (Chicago).

EHNAC’s Barrett opened the discussion by asking his fellow panelists, “What’s the single most complex and challenging issue your organization is facing right now with respect to security and privacy compliance?”

(l. to r.:) Barrett, Beal, Kesler, Boehme, Cammarata

“It’s a continuous challenge—knowing where your data’s at,” said the Feinberg School of Medicine’s Cammarata. “In the culture of our organization, with 3,600 researchers in 2,400 departments, although they are connected together through the School of Medicine, they are run by their department heads, in a very entrepreneurial way. So the challenge is knowing where the data is, knowing the level of sensitivity involved; and if it’s consented research data, it’s treated differently from ePHI under HIPAA.”

“And you have millions of dollars in research grants and projects coming into your organization,” Barrett said. “Does that add another level of complexity?”

“We receive $676 million in research grants a year,” Cammarata replied. “And absolutely, that adds a huge level of complexity to this. And yet it ends up having only an incremental effect on my staffing model, which is constrained by budgets. I have to learn how to manage what I have. So I built out an extensive risk assessment process—we have over 5,000 data security plans prepared by the principal investigators,” he reported.

“The challenge we have right now is the maturation process for our medical device program,” said Wake Forest Baptist’s Boehme. “This to us is our next frontier: the ability to get everything together, to know what’s in your assets, what’s in your production network. That’s a real challenge. It’s similar to the days when we were moving from analog film to digital” in radiology, he added. “But I think we’ve put a handle around that, and around the technical questionnaires and interactions with the vendors. Our challenge is how we govern it. You’ve got radiology, laboratories, and biomedical, all spread out. Our challenge will be how to put a governing set of principles around all those areas. Who’s going to govern those areas, and which would be the overarching committee over a particular issue? One team says, ‘We have to do this for patient care,’ while the security people say, ‘It’s going to be a detriment to the network.’”

“Building on those themes,” said Duke Health’s Kesler, “Duke is both highly centralized, but also decentralized, in terms of the organization’s research functions. It really comes down to people. We have 30,000 users, including faculty, students, affiliates, staff members, etc. We’ve done a lot of work educating people and trying to instill good behaviors. But at the end of the day, usually when we have a problem, it’s because someone’s made a mistake, and that results in an infected machine or other problem. At the same time, people are our greatest asset, and are an extension of my team,” he added. “I’ve got a team of 20 people, but by extension, a team of 30,000. And another challenge we’re dealing with is that a lot of people are bringing devices into the network. So bringing in training and awareness hopefully helps change the equation.”

“At an abstract level, the biggest challenge is culture and change,” said MCNC’s Beal, whose organization provides a secure communications network for North Carolina’s state government, its public and some private universities, and numerous hospitals, public safety organizations, libraries, and other organizations. “The threat landscape has changed. And we have many people who have been here for a long time, in IT. And their attitude is, our job is to move packets, not to care what’s in it. So we need to change that, and that’s a challenge at a really high level.”

What’s more, Beal continued, “Bringing it down to the next level, we are challenged greatly by scale. We have 2,700 miles of fiber. And our backbone network moves a lot of data. And there are a lot of tools we could take advantage of, but the vast majority of solutions are designed for enterprise scale, not service provider scale, and the service provider scale solutions are really, really, really expensive. So affording what we need to provide is a significant challenge.”

Balancing data availability and data security

“A lot of data has been shared now, including among ACO [accountable care organization] partners, other organizations,” Barrett noted. “So how do you look to balance data availability and data security? Because the number of connections you’ve got is growing exponentially out there.”

“Knowing what data is yours remains very important,” Duke Health’s Kesler emphasized. “And we’re trying to move towards a system of virtualized desktops and laptops, where we provide the availability, but control the management of the data.”

“And what about role-based authorization?” Barrett asked.

“Yes, that’s a basic area in which we need to move forward,” Kesler replied.

“Viewing it in terms of risk is important, so it shouldn’t be a question of, is this thing secure?” Beal said. “The question is, is this a risk worth taking? We need to answer whether we’re comfortable taking a risk—but that falls to the stakeholders, not the IT security people. We need for people to be accountable for those decisions.”

“You need a level of rigor to make sure that you are going through every single system you’re implementing, and go through a risk analysis,” Barrett emphasized. “That’s something you need to constantly assess.”

“Yes, finding specific pathways to use data—one way to do collaboration, one way to do file transport—make it as easy to use as possible, but not allow multiple points,” said Wake Forest Baptist’s Boehme.

“You’ve got a lot of audit committees, boards of directors, to report to. How do you handle that?” Barrett asked.

“I do monthly risk assessments that go to the School of Medicine and leadership teams,” Cammarata noted. “I trust that that gets percolated up. Second, we prepare monthly metrics, including the percentage of data security plans we’ve performed every month, which is 100 percent; and percentage we’ve audited. And we audit compliance plans. And we also manage the vendor assessment and approval vendors. So we’re making sure the plans have been approved.”

“I don’t have direct access to the board, but I do have direct access to the audit compliance committee,” Boehme said. “Our board has shown a lot of interest. And boards change with the personalities on the board. And right now, we’ve got a fair number of technocrats, which is good, because it’s increased the awareness of the c-suite around security. I also have had a security governance committee established for about a year-and-a-half.”

“We have a very similar situation at Duke,” Kesler noted. “I have a counterpart CISO on the university side; in other words, we have a CIO and a CISO on both the health system and university sides. The board and audit committee have been very engaged for the last few years. Certainly, what happened at Anthem was huge. And when we need to report out, they’re interested. And we do multi-factorial authentication, which is difficult. And one of the board members, a member of the audit committee and the CTO of a major tech company, has been important. And with board support, we’ve moved forward with engaged support, which is very helpful.”

“We generate risk scores, in a dashboard-type format, and share that data with boards,” MCNC’s Beal reported. “It’s important to have consistent measurement across your assets. Boards are very interested in that, as well as in reports on DDOS attacks, which are very significant for us as an ISP.”

In response to a comment from an audience member, who said that he sees significant staffing challenges in healthcare IT security compared to other industries, Duke Health’s Kesler agreed that “That is a challenge. We have had engagement with the board” at Duke, he noted. “And they’ll ask, what resources do you need? And we want to manage expectations. You need not only the technology, but the appropriate people who can best manage the technology for you. So we try to build in the ‘ask’ for the headcount as part of that.”

What’s more, Kesler said, “In terms of how you staff things, we’re lucky here in the Research Triangle area [Raleigh-Durham-Chapel Hill], we have a lot of tech people here. We have the second-largest chapter of information technology specialists in the world, in terms of members of a leading professional association. But that is an issue in many places. I count myself lucky that we have access to the talent pool that we have.”

“It’s a blend of strategy, where you could get a third party to augment staff, where appropriate,” Boehme added. “And also, we continue to acquire technology, but we’re paying more attention to technologies that integrate with the existing systems, so our analysts don’t have to log into every different system we have. So we’re trying to identify one or two gold-standard apps in a family. We may be OK with that, if they integrate well.”

“I think part of why that challenge exists is where we are in the maturity curve with security organizations,” Beal said. “We heard this morning that security still very often is viewed as a technology issue. We need to be able to articulate a business case for why we need three more people, for example, and to be able to explain the need to the executives who control the budget. And as we get better at doing that, we’ll become more successful in pulling away the resources we need.”

“I believe we have to do the security basics really, really well; unless we’re doing the basics really well, we don’t need to add more complexity to an already-stretched staff,” Cammarata said.

What about cybersecurity frameworks?

“What kinds of security frameworks are you using right now?” Barrett asked his fellow panelists. “And what are your thoughts on using frameworks?”

“Cyber-frameworks can absolutely be useful; but don’t be a slave to them,” Beal advised. “In terms of best practices,” he added, “multi-factor authentication really raises the bar for improving your security posture. In terms of ransomware, you need to look at your backup processes; and you need to do continuous vulnerability assessment, and continuous patching. And critical controls are very important.”

“I think that starting with controls is very important,” Kesler opined. “In general, harden as close to the application as possible; don’t depend on your external firewall. That’s particularly true as we move more towards mobile and cloud. Frameworks, yes, I absolutely agree. The NIST Cybersecurity Framework is a great one. And yes, critical controls. And in terms of cyber-hygiene, what does that really mean? And I need to make security as simple for end-users as hand hygiene is for the clinicians in our organizations, for it to be effective.”

“I agree with what Chuck and Chris have said,” Boehme said. “And I would add, we need to spend a lot more time on what we’ll allow on a production network. It’s perhaps not the most favored aspect in the eyes of our end-users, but we’re spending a lot more time focusing on locking down the production network. We’ve been using the HITRUST Framework, and used it to blend processes together, and it’s been very helpful; it’s given us a good control view, and we build a lot of our strategic plans on a control methodology. And in terms of cyber-hygiene, security has got to be executed by our entire enterprise; it can’t just be done by IT security people. It’s an organic growth opportunity.”

HIPAA Settlements: Three Boston Hospitals Pay $1M in Fines for “Boston Med” Filming

September 20, 2018
by Heather Landi, Associate Editor

Three Boston hospitals that allowed film crews to film “Boston Med” on premises have settled with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) over potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.

According to OCR, the three hospitals—Boston Medical Center (BMC), Brigham and Women’s Hospital (BWH) and Massachusetts General Hospital (MGH)—compromised the privacy of patients’ protected health information (PHI) by inviting film crews on premises to film “Boston Med,” an ABC television network documentary series, without first obtaining authorization from patients.

OCR reached separate settlements with the three hospitals, and, collectively, the three entities paid OCR $999,000 to settle potential HIPAA violations due to the unauthorized disclosure of patients’ PHI.

“Patients in hospitals expect to encounter doctors and nurses when getting treatment, not film crews recording them at their most private and vulnerable moments,” Roger Severino, OCR director, said in a statement. “Hospitals must get authorization from patients before allowing strangers to have access to patients and their medical information.”

Of the total fines, BMC paid OCR $100,000, BWH paid $384,000, and MGH paid $515,000. Each entity will provide workforce training as part of a corrective action plan that will include OCR’s guidance on disclosures to film and media, according to OCR. Boston Medical Center's resolution agreement can be accessed here; Brigham and Women’s Hospital's resolution agreement can be found here; and Massachusetts General Hospital's agreement can be found here.

This is actually the second time a hospital has been fined by OCR as the result of allowing a film crew on premises to film a TV series, with the first HIPAA fine also involving the filming of an ABC medical documentary television series. As reported by Healthcare Informatics, in April 2016, New York Presbyterian Hospital (NYP) agreed to pay $2.2 million to settle potential HIPAA violations in association with the filming of “NY Med.”

According to OCR’s announcement about the settlement with NYP, the hospital, based in Manhattan, violated HIPAA rules for the “egregious disclosure of two patients’ PHI to film crews and staff during the filming of 'NY Med,' an ABC television series.” OCR also stated that NYP did not first obtain authorization from the patients. “In particular, OCR found that NYP allowed the ABC crew to film someone who was dying and another person in significant distress, even after a medical professional urged the crew to stop.”

The OCR director at the time, Jocelyn Samuels, said in a statement, “This case sends an important message that OCR will not permit covered entities to compromise their patients’ privacy by allowing news or television crews to film the patients without their authorization. We take seriously all complaints filed by individuals, and will seek the necessary remedies to ensure that patients’ privacy is fully protected.” 

OCR’s guidance on disclosures to film and media can be found here.

Independence Blue Cross Notifies 17K Patients of Breach

September 19, 2018
by Rajiv Leventhal, Managing Editor

The Philadelphia-based health insurer Independence Blue Cross is notifying about 17,000 of its members that some of their protected health information (PHI) has been exposed online and has potentially been accessed by unauthorized individuals.

According to an article in HIPAA Journal, Independence Blue Cross said that its privacy office was informed about the exposed information on July 19 and then immediately launched an investigation.

The insurer said that an employee had uploaded a file containing plan members’ protected health information to a public-facing website on April 23. The file remained accessible until July 20 when it was removed from the website.

According to the report, the information contained in the file was limited, and no financial information or Social Security numbers were exposed. Affected plan members only had their name, diagnosis codes, provider information, date of birth, and information used for processing claims exposed, HIPAA Journal reported.

The investigators were not able to determine whether any unauthorized individuals accessed the file during the time it was on the website, and no reports have been received to date to suggest any protected health information has been misused.

A statement from the health insurer noted that the breach affects certain Independence Blue Cross members and members of its subsidiaries AmeriHealth HMO and AmeriHealth Insurance Co. of New Jersey. Fewer than 1 percent of total plan members were affected by the breach.

Report: Healthcare Lags Other Industries in Phishing Resiliency

September 19, 2018
by Heather Landi, Associate Editor

It’s no secret that the healthcare industry continues to be a target for cyber criminals and that healthcare organization leaders face constantly evolving cyber threats. It's widely known that phishing attacks are a serious problem in the healthcare industry, yet the industry continues to lag behind other industries in its resiliency to phishing attacks, according to a recent report.

In 2017, there were 477 healthcare breaches reported to the U.S. Department of Health and Human Services (HHS), which affected a total of 5.579 million patient records. The Verizon 2018 Data Breach Investigations Report (DBIR), released in April, found that the human factor continues to be a key weakness in data breaches. Financial pretexting and phishing represent 98 percent of social incidents and 93 percent of all breaches investigated—with email continuing to be the main entry point (96 percent of cases). And that report found that while, on average, 78 percent of people did not fail a phishing test last year, 4 percent of people do for any given phishing campaign. A cybercriminal only needs one victim to get access into an organization.

In a recently released report, Cofense, a security software services company, specifically examined phishing attacks in healthcare. Cofense’s analysis is based on more than 160 sample healthcare clients over the last year (September 2017-2018) and the report explores how phishing endangers healthcare providers and provides steps organizations should be taking to boost their resiliency rate.

The report researchers examined healthcare’s resiliency to phishing attacks. Resiliency is the ratio between users who report a phish and those who fall susceptible to it, according to the report. Resiliency in healthcare has improved over the past three years, from a rate of 1.05 in 2015 to a rate of 1.49 so far in 2018, but that does not mark a dramatic improvement.

Based on a resiliency analysis across industries of the last 12 months, the healthcare industry clearly trails behind other industries in its phishing attack resiliency rate, as the average resiliency score for all industries was 1.79, according to the report.

The energy industry had a resiliency rate of 4.01, the financial services industry had a rate of 2.52, and the insurance industry had a rate of 3.03. The report’s researchers surmise that one possible reason resiliency is higher in insurance than in healthcare is that insurance is tied to financial services, which is frequently attacked as well as heavily regulated.

“The healthcare industry knows better than most that phishing is a serious problem. But the industry is still playing catch-up in phishing resiliency,” the report authors wrote.

One factor that surely inhibits the industry’s resiliency is high turnover, according to the report. “With physicians, registered nurses, and administrative staff constantly churning, it’s hard to gain traction in the fight against phishing,” the report states.

Cofense builds and tracks phishing simulations for its customers in which users receive simulated phishes. Based on the company’s analysis of these phishing exercises, the top five phishing scenarios that healthcare workers most frequently clicked on, based on the email subject line, were requested invoice, manager evaluation, package delivery, Halloween eCard alert and beneficiary change.

The next five were Holiday eCard alert, HSA customer service email, employee raffle, file from scanner and Halloween costume guidelines.

“These wide-ranging scenarios show that vulnerability is spread across business and social contexts,” the report authors wrote. The analysis indicates low scores in Requested Invoice and e-Card simulations alike. “While some would argue that an e-Card would never evade their secure email gateways, remember the gaps created by BYOD (bring your own device). Not everyone is on the corporate network and protected by its email systems. When personal devices are exposed, a breach can easily ensue,” the report authors wrote.

The Cofense report also notes that phishing attackers are masters at pulling emotional levers, as “Requested Invoice” plays on urgency, and “Manager Evaluation” taps into urgency too, tinged with fear. What’s more, “Employee Raffle” is purely about the desire for reward. “These are scenarios any healthcare company will want to use in conditioning employees to be careful and not take the bait.

“In previous years, Cofense reported that fear, urgency, and curiosity were the top emotional motivators behind successful attacks. Now they’re closer to the bottom, replaced by entertainment, social media, and reward/recognition,” the report authors wrote.

The trend shows that as Internet behavior changes, so do phishing attacks, according to the report authors. The report authors also note that any active threats a company faces are fodder for training. Security professionals who manage phishing awareness programs should ask their incident responders or threat intelligence analysts which active phishing threats should be simulated, according to the report.

“To guard against the phishing onslaught, healthcare providers would be smart to create an end-to-end defense, following the lead of the company featured in the case study. A collaborative defense, built with technology and skilled humans, both users and security professionals, is the best way to lower risk,” the report authors wrote.