Following up on the August 9 release of the results of the 2017 HIMSS Cybersecurity Survey, published by the Chicago-based Healthcare Information and Management Systems Society (HIMSS), HIMSS leaders organized a cybersecurity roundtable for the healthcare IT press on Friday, September 8, at its Chicago headquarters.
During the roundtable, Rod Piechowski, senior director, health information systems, at HIMSS, answered questions from the assembled members of the press, and elaborated his thoughts on some of the survey’s findings. The survey was conducted online between April and June, and obtained responses from 126 U.S.-based health information security professionals. Among those who responded, 54 survey respondents indicated that they worked at the “executive management” level, 51 said they worked at the “non-executive management” level (defined as “mid-level or senior management, but not executive-level”), and 21 were “non-management,” including “analyst, specialist, etc.”
In addition, 79 respondents said they have primary responsibility for information security in their organizations; 32 said they have “some responsibility” for information security; and 15 indicated that they “sometimes, as needed,” have such responsibility. Meanwhile, with regard to their organizations, 63, or 50 percent, work in acute-care provider organizations; 15, or 11.9 percent, work in non-acute-care provider organizations; 10, or 7.9 percent, work in “business associate” organizations; and 38, or 30.2 percent, work in “other” organizations, which can be health IT vendors, consulting firms, or payer organizations.
Among the key findings of the survey:
> With regard to the percent of their overall healthcare organization’s budget that is currently allotted to cybersecurity, 11 percent said more than 10 percent; 17 percent said 7-10 percent; 32 percent said 3-6 percent; 36 percent said 1-2 percent; and 7.9 percent indicated zero percent.
> Asked whether their organization employed a “senior information security leader”—someone with a chief information security officer (CISO) title or similar, 60 percent indicated that their organization had designated such an individual.
> Asked whether or not they had an insider threat management program, 40 percent indicated that they had such a program and that it was formal, with formal policies in place; 35 percent have such a program, but indicated that it is “informal”; 21 percent have no such program; and 5 percent didn’t know whether they had one or not.
> Asked how often their organization conducted a security risk assessment, 9 percent indicated daily; 10 percent, once a month; 8 percent, once a quarter; 7 percent, once every six months; 51 percent, once every year; 1 percent, once every two years; 2 percent, once every three years; 2 percent, less often than every three years; 6 percent conduct no security risk assessments; and 6 percent didn’t know.
> With regard to penetration testing, 3 percent of respondents indicated that their organization performed penetration testing daily; 7 percent, weekly; 18 percent, monthly; 38 percent, yearly; 9 percent, “other”; 15 percent said their organization did not perform penetration testing; and 10 percent didn’t know.
> With regard to the variety of cybersecurity frameworks available, 62 percent of respondents said that their organization uses the NIST Cybersecurity Framework; 25 percent use the ISO framework; 25 percent use the HITRUST framework; 22 percent use the Critical Security Controls framework; 11 percent use the COBIT framework; 8 percent use a framework from another organization; 12 percent use no cybersecurity framework; and 2 percent did not know.
> Meanwhile, with regard to cloud-based computing, the following were the top concerns of hospital-based survey respondents: ownership of data (53 percent); lack of cybersecurity (53 percent); lack of geographical restrictions (44 percent); lack of transparency (42 percent); insider threat (41 percent); costs and fees (37 percent); migration of data (37 percent); lack of physical security (27 percent); and lack of availability, and downtime (25 percent).
> Among non-hospital respondents, the results were somewhat different, and were as follows: insider threat (44 percent); lack of cybersecurity (41 percent); ownership of data (36 percent); costs and fees (32 percent); lack of physical security (26 percent); migration of data (24 percent); lack of transparency (21 percent); lack of geographical restrictions (18 percent); and lack of availability, and downtime (18 percent).
Piechowski, dialoguing with the healthcare IT journalists present on Friday, was asked about perceptions of the risk of cloud computing in healthcare, and whether hesitation on the part of some CIOs to move further into cloud computing could be attributed to IT security concerns. “Yes,” he said, in response to a question, “a lot of healthcare organizations are moving into the cloud; and, while on the one hand, it takes away the burden of having to maintain an IT department, on the other hand, there are trust issues.”
Is there going to be a responsible way for healthcare organizations to make sure their data is secure? “I’ll say as a caveat, there are no absolutes, in all honesty,” Piechowski said. “But you can do your due diligence. You can ask cloud providers, what security framework do you use, what is your security approach? One of the biggest failures,” he said, “is the failure of organizations to patch their systems. And that’s a double-edged sword, because once you change your system, you don’t know what that affects. So a lot of organizations are taking a more cautious approach, doing regression testing—did this affect something else? This is also an issue with medical devices. They just issued a firmware update for Abbott, which used to be St. Jude’s; and these are implanted devices. It becomes a patient safety thing. So risk assessment is huge.”
Asked about insider threats, Piechowski said that “People aren’t that aware of insider threats, and a lot of organizations have a tendency to believe that that can’t exist in their organization, and we know that the opposite is very true. There are a couple of different types of insider threats. One is unintentional; the other is the obviously intentional, malevolent, approach, and those exist in any organization.” Asked whether insider-based actions might be under-reported, he said, “Yes, I think you’re onto something there. Organizations do not even want to admit that they’ve been breached. They’re required to report a breach if more than 500 records have been breached. Then they get put on the wall of shame, so a lot of organizations want to keep the internal-type threats under wraps. That comes from not wanting to expose more about your organization’s vulnerabilities. I’ve worked at organizations where people did things and got caught, and they didn’t call the Tribune. You’re right, this is something that organizations like to keep quiet. So this is an area where they can share things,” he said, referencing both some of the information-sharing taking place among HIMSS members, and also in other settings.
With regard to public collaboratives around cybersecurity, Piechowski said, “Yes, there are some beginning steps towards information-sharing about these cyber-risks. So there are a few [collaboratives] out there, and they are trying to establish themselves as an environment that can be trusted. Even if the whole idea of the information-sharing organization is completely solidly organized and ethical, there are still organizations that might not want others within that network to know what’s going on.”
Might HIMSS as an organization create a forum for cybersecurity information-sharing? “Yes,” he said, “we’ve considered that kind of thing. HHS [the Department of Health and Human Services] has a group that they’ve convened, and they’re sharing information outbound.”
Asked about the implementation of programs to leverage analytics for behavioral monitoring, Piechowski said, “It can be done. It does add another layer of complexity, because you have to collect all that data and then analyze it. And if you see someone accessing files or data that they shouldn’t have access to, that’s obviously a red flag. And access control is super-important, but it’s also complicated to manage. I think it’s a good approach. It works with software. If you’ve got an operating system that is on guard, so to speak—this application doesn’t have the right to access this, this person doesn’t have the right to access that. And the whole BYOD [bring your own device] phenomenon adds a lot of complexity to it.”
Asked about the forward evolution of the CISO role, Piechowski said, “It’s a positive change. It’s moving in the right direction. It shows that the awareness campaigns are taking off. It shows that boards are taking security seriously. Even if you look at the CIO role, for years, the CIO reported into finance/the CFO role, and only recently began reporting to the c-suite. And one of the things we’re asking for at the federal level is to elevate these roles, so they have portfolios within and outside the government, to help hospitals and physicians.” What’s more, he said, “Generally, you’ll be seeing more security-related roles at the executive level. And it isn’t just the clinical data, it’s the administrative data as well.”
What about artificial intelligence and machine learning, and the potential for AI and machine learning to support cybersecurity strategies? “I think it’s going to be really cool,” Piechowski said. “How well it works and how it’s managed, and how much power we cede to AI, is a question for the ages. This is a really interesting time, and the fact that we’ve even gotten to the point where we can talk daily about AI and machine learning in our lifetimes, is a really interesting thing. And you’re going to be seeing a lot of talk about putting an AI eye on cybersecurity.”
What’s more, Piechowski said, “AI will be able to process so much more data and identify risky types of behaviors, and patterns that indicate potential threats. In the old days, somebody would get into a system and shut it down, or get in and steal some data and get out. And now we’re seeing these attacks evolve over much longer timeframes. First, you lay this brick and sit around for a couple of months, and see if the organization discovered that or not. With AI, we’ll start to notice that more. On the flip side,” he cautioned, “what can be used for good, can also be used for evil. And once AI and other technologies are commonly used, you’ll see ‘bad’ AI being used as well.”
Piechowski was asked what role he thought was most appropriate for the federal government, with regard to establishing standards for cybersecurity practices. “We work a lot with NIST,” he said, referring to the National Institute of Standards and Technology, within the Department of Commerce. “NIST is very good at actually creating those kinds of things, at the behest of the government; they’re really good at creating a cybersecurity framework. I think right now, the government is also trying to encourage an environment where information can be shared, and start to reduce the barriers to the kind of sharing that’s required. So I think you’ll see a lot more effort going into that.”
Asked to opine on the profit motive in ransomware-driven criminality, Piechowski said, “Yes, ransomware really has become a franchise phenomenon now. You can purchase a kit online to develop ransomware. And you give the creators of the software a cut. And they’re making it attractive, because they’re only asking for 10 percent. People are making millions of dollars in a month.”
What about the fact that only 27 percent of patient care organizations are conducting risk assessments quarterly or more often than quarterly? “Risk assessments can be very complex,” Piechowski commented. “Once a year is a minimum best practice. The HIPAA security rule requires that you do it. And if you think daily is too frequent [an interval], in essence, it’s not. The best ‘best practice’ is that risk assessment needs to be an ongoing operation.”
What’s more, Piechowski noted, “Data is the new everything. All organizations depend on it.” Having one’s information systems shut down entirely is now a devastating event for many organizations in many different industries, he noted. “Some organizations can go a day or a week without it, but in other fields, companies could go bankrupt if they’re down even five minutes. So security… and one way to approach this is to get the board and the c-suite to understand that it isn’t just an information technology responsibility. IT is the way we move all the facts and value of our organization around, and we have to protect that. This is about our business sustainability and credibility with our customers.”