Chief information security officers (CISOs) at healthcare organizations are facing a number of security threats and challenges, including an increase in ransomware and other cyberattacks targeting the information systems at patient care organizations. Hussein Syed, CISO at the West Orange, N.J.-based RWJBarnabas Health, an integrated healthcare system in New Jersey, is acutely aware of these challenges and the need to use new processes and tools to adequately mitigate the risks of data breaches and ransomware attacks.
“Today’s hackers operate as professional organizations, meaning they do a lot of planning and diligence before executing attacks. This means healthcare organizations must be equally proactive and thoughtful in how we assess the security of our organizations,” Syed said back in February during the announcement of a healthcare security readiness program developed by VMWare and Intel Health and Life Sciences.
RWJBarnabas Health was an early participant in the VMWare/Intel healthcare security readiness program, which offers healthcare organizations free assessments to benchmark the organization’s security maturity, priorities and capabilities against their peers. According to Syed, the assessment tool provides valuable insight into the organization’s security posture compared to other healthcare organizations when it comes to breach mitigation in order to identify and implement solutions to further reduce risks. RWJBarnabas health was formed last year as the result of a merger of Barnabas Health and Robert Wood Johnson Health System. The health system, with a service area covering five million people, consists of 11 acute care hospitals, three acute care children’s hospitals, ambulatory care centers and geriatric centers
During the HIMSS17 Conference in Orlando, Syed, who has been in the CISO role at RWJBarnabas for two years, spoke with Healthcare Informatics Assistant Editor Heather Landi about how the threat landscape in healthcare has changed and the steps that RWJBarnabas Health is taking to combat cybersecurity threats and challenges in this evolving environment. Below are excerpts from that interview.
Leading up to the HIMSS17 conference, what were you interested in seeing?
I came here with a pretty open mind. This is a different conference for me [compared to the RSA Conference in San Francisco, a cybersecurity conference] because I’m not walking up to a booth thinking that they are selling security technologies. I walk into the HP booth and they are talking about imaging and after a little conversation, they say, ‘we also use these technologies, such as encryption, to provide security to the solutions as well.’ The paradigm has slightly shifted. [The health IT vendors] talk about how to do the security and meet HIPAA [Health Insurance Portability and Accountability Act] security requirements. A couple of years ago we would laugh when vendors would say ‘our products are HIPAA compliant.’ Nothing is HIPAA compliant unless you configure it to be HIPAA compliant. That’s changed as vendors now say ‘this product is designed to meet HIPAA compliance requirements.’
The healthcare market has changed; it’s not just HIPAA anymore. Five or six years ago, people worried about HIPAA. Now I’ve seen, last year, there were about 16 to 17 major ransomware challenges that the healthcare market had to face and they ranged from small health systems to large ones. And you can say that the smaller ones are not doing their job and that’s why they got infected, but it’s just the luck of the draw where there was a small gap and somebody was able to infiltrate and get through and encrypt the data. Anybody can be a victim, no one is safe from that anymore.
For healthcare CISOs, what are the top priorities right now?
Right now, we’re looking very carefully around how to build our environment to be safe, to be protected from risk. That’s a big challenge, and most organizations have gone through the basics stuff, such as malware protection, locking down the USB ports and email encryption and email filtering/spam protection solutions. So they’re well on the road to have a basic infrastructure in place. Now you need to go to the next level, because the threat landscape is changing. You can start looking at the predictions that analysts are making about what you should worry about for next year. And you can look at all those things and map everything with what you have, with the cybersecurity frameworks that you have adopted, and check off what’s there and what’s not there and evaluate where you can make a better mark.
What are the steps that RWJBarnabas is taking to enhance information security?
Get the latest information on Health IT and attend other valuable sessions at this two-day Summit providing healthcare leaders with educational content, insightful debate and dialogue on the future of healthcare and technology.