At St. Luke’s Health System, based in Boise, Idaho, executives are as concerned about cybersecurity as their peers anywhere. And with nine hospitals, over 200 clinics, and 14,000 employees spread across southwest Idaho and a few locations in eastern Oregon, there is a lot of data, and there are a lot of devices, in a lot of places, to protect. Reid Stephan, the health system’s chief information security officer, has been in his current position at St. Luke’s Health System for a little over four years. Prior to that, he spent a decade at Hewlett-Packard managing that company’s global security and incident response team. Under Stephan’s leadership, St. Luke’s has been partnering with the San Mateo, Calif.-based BrightPoint Security (formerly Vorstack), a provider of security intelligence solutions, to achieve genuine IT security threat management.
Stephan spoke recently with HCI Editor-in-Chief Mark Hagland regarding his organization’s focus on data security. Below are excerpts from that interview.
Tell me what your organization’s IT security landscape looks like.
Our biggest concern is securing the critical and confidential data we’re responsible for, ensuring that it’s available when needed, that end-users can have a high degree of confidence in the integrity of the data. So what keeps me up at night is something my team might have done or not have done, that might somehow interfere with that.
What are the biggest IT security threats right now, healthcare industry-wide?
It’s always been and will always be the end-user. And with regard to the recent Target, Anthem, and Community Health and other breaches, if you look at those situations, typically, an employee divulged their access information, perhaps in responding to a phishing information request. And often, the employee, the weakest link in the chain, can make the attacker’s job all too easy.
BrightPoint Security executives are focused on what they call threat management. Why is that important for you?
One of the evolving and more widely embraced mindsets is, our goal is not to 100-percent prevent breaches; because that’s not realistic. There’s an understanding that there are so many different vectors into the network, paths in and out of it. You’re going to have a breach. And having that mindset, you naturally focus on your response. Accepting that a breach will occur, we need to focus on being able to detect when a breach occurs and respond as quickly as possible. So when Sony experienced a breach involving 100 terabytes of data—I mean, 10 terabytes is the equivalent of the data in the Library of Congress—and if they’d been able to detect that breach early on, there would have been a magnitude of difference, perhaps an exposure of 5 terabytes of data. So we need to have a high degree of confidence that our threat information is relevant and current, and that our IOCs—indicators of compromise—are current and accurate, and that we have a high degree of confidence in them.
What are the best indicators of compromise in healthcare organizations?
The best sources for us on IOCs are threat intelligence companies that have arrays of systems monitoring, collecting, and aggregating those IOCs. Another good source is a company that has been compromised, like Anthem. They shared with others, through some trusted sources, about their breach. So the benefit to them, in turn, is that if they share this out and no one else has seen it, it turns out they might have been the victim of a targeted attack, scripted and geared specifically toward them. Experts say that healthcare organizations are dramatically less prepared than they think. The attacker completely has the advantage; they know how and when they’ll attack; they just have to be right one time. It’s like a gaming situation. The defenders have to be prepared every single time, and never know when attackers will attack. So we need to invest in protective and preventive controls; but we have to invest more in detection and response. And what will separate a major breach from a minor breach is how quickly you detect and respond.
The CISO of Boston Children’s Hospital, Paul Scheib, has spoken to HCI and in public forums about his hospital’s denial of service experience, which was intense and sustained over several days. Do you think we’ll see more incidents like that one?
It will depend on the motive, right? If an attacker wants to extract data, typically a DDoS—distributed denial of service—attack won’t be the method. And with Boston Children’s, over the course of those several days, yes, it was disruptive and terrible, but once ISPs were able to calm down those attacks, it got down to business as usual again. If you’re talking about a serious data breach, the fallout from that will be much more painful long-term. And we’re in an era of big data breaches—Anthem, CareFirst—that’s the new reality we’re going to be seeing for a long period of time.
What would your advice be to your colleagues about achieving successful cybersecurity?
You can’t do it alone. You can’t exist as an island in this day and age. In the Internet of things, in this connectivity, you really need to collaborate with others. It’s a rising tide kind of mentality. We collect data and share our insights with trusted peers, and you get a ripple effect that’s essential.
So this whole concept of information-sharing and collaboration is essential to changing the nature of the game here.
How is it possible to determine the appropriate level of budgeting needed for these efforts?
That really is a tough question. But if you think your cybersecurity question is something you can spend your way out of, you’ll spend a lot of money without a lot of return. So it really is a focus on risk-based security management instead of compliance-based. The reality is that you can be very compliant and yet fundamentally insecure. So I tell people, really focus on defining a program, refine your strategy, and via process, you can lay out a management plan for where you need to invest to address these high-risk problems. We’ll look at Gartner. We try to invest 4-6 percent of our total IT budget on security. It’s not a science, but a general measuring stick.
Why should organizations consider threat intelligence strategies?
For us, as a not-for-profit health system, it would not be consistent with our mission to invest a lot of our resources in subscribing to a lot of threat information feeds and then operationalizing it, so we look for solutions like BrightPoint that can leverage and tap into a very rich data set of threat information. It also helps us to establish a trusted circle of organizations with whom we can choose to share information. We have a security event and incident management system that correlates logs from a bunch of systems. And as it correlates them, it generates events—15 million events—that may or may not be incidents. And a bigger system might generate more. And I would have to hire two full-time people to do that kind of scanning. But what I can do with BrightPoint, with that rich threat intelligence feed, is that I can distill that down, through BrightPoint, to a few most important potential incidents, and can dive down into it.
Any last advice you might like to share?
One thing is that if you’re the security lead in your organization, you really need to be an effective communicator with the business. And I tell people there has never been a better time to be a cybersecurity professional—but also never a worse time. The pace and intensity of attacks have never been worse. But there’s also a lot of public awareness now. Ten years ago, I would have had to sweat a great deal to try to justify spending one more dollar. Now, I sometimes have to pull them back from spending extra money, and convince them we just need to move forward as we have been with optimized processes. So being able to have those kinds of discussions is really key.
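Editor's note: the triage pipeline Stephan describes in the interview (millions of correlated SIEM events distilled against a threat-intelligence feed down to a handful of candidate incidents, with IOCs that must be current and accurate) is shown below as an added, self-contained example. It is not BrightPoint's, St. Luke's or HCI's code; the IOC feed, the SIEM event records, the 90-day freshness window, the field-to-indicator mapping and the scoring weights are all constructed assumptions for illustration.

```python
"""Distill SIEM events to a short list of candidate incidents by matching them
against a threat-intelligence IOC feed, after dropping stale indicators.

Added example: feed entries, events, freshness window and scoring weights are
constructed for illustration; they are not any vendor's or hospital's data.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed IOC feed (documentation-range IPs, a placeholder domain and hash).
IOC_FEED = [
    {"type": "ip",     "value": "203.0.113.45",      "confidence": 90, "last_seen": "2015-06-10"},
    {"type": "domain", "value": "update-cdn.example", "confidence": 75, "last_seen": "2015-06-12"},
    {"type": "sha256", "value": "a" * 64,             "confidence": 95, "last_seen": "2015-06-01"},
    {"type": "ip",     "value": "198.51.100.7",       "confidence": 60, "last_seen": "2014-11-02"},  # stale
]

# Constructed SIEM events, already correlated from firewall, proxy and endpoint logs.
EVENTS = [
    {"ts": "2015-06-14T08:01:00", "host": "ws-0421",  "user": "jdoe",    "dst_ip": "203.0.113.45"},
    {"ts": "2015-06-14T08:03:12", "host": "ws-0421",  "user": "jdoe",    "domain": "update-cdn.example"},
    {"ts": "2015-06-14T09:15:40", "host": "ws-0177",  "user": "asmith",  "dst_ip": "198.51.100.7"},
    {"ts": "2015-06-14T10:02:05", "host": "srv-db02", "user": "svc_sql", "sha256": "a" * 64},
    {"ts": "2015-06-14T10:30:00", "host": "ws-0900",  "user": "mlee",    "dst_ip": "192.0.2.10"},
]

# Assumed mapping from indicator type to the event field it is compared against.
FIELD_FOR_TYPE = {"ip": "dst_ip", "domain": "domain", "sha256": "sha256"}


def current_iocs(feed, now, max_age_days=90):
    """Index only indicators seen within the freshness window (assumed 90 days).

    A stale indicator still in the feed produces noise rather than signal, so it
    is dropped before matching; this is the "current and accurate" requirement.
    """
    cutoff = now - timedelta(days=max_age_days)
    index = {}
    for ioc in feed:
        last_seen = datetime.strptime(ioc["last_seen"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
        if last_seen >= cutoff:
            index[(ioc["type"], ioc["value"])] = ioc
    return index


def match_events(events, ioc_index):
    """Return every event whose watched field equals a current IOC, tagged with it."""
    hits = []
    for ev in events:
        for ioc_type, field in FIELD_FOR_TYPE.items():
            value = ev.get(field)
            if value is not None and (ioc_type, value) in ioc_index:
                hits.append({**ev, "ioc": ioc_index[(ioc_type, value)]})
    return hits


def rank_incidents(hits, top_n=3):
    """Group hits by host and score them: sum of IOC confidences, plus an assumed
    25-point bonus per additional distinct indicator on the same host, since one
    host touching several unrelated IOCs is stronger evidence than one hit."""
    by_host = defaultdict(list)
    for hit in hits:
        by_host[hit["host"]].append(hit)
    incidents = []
    for host, host_hits in by_host.items():
        distinct = {(h["ioc"]["type"], h["ioc"]["value"]) for h in host_hits}
        score = sum(h["ioc"]["confidence"] for h in host_hits) + 25 * (len(distinct) - 1)
        incidents.append({"host": host, "score": score, "hits": host_hits})
    incidents.sort(key=lambda inc: inc["score"], reverse=True)
    return incidents[:top_n]


def triage(events=EVENTS, feed=IOC_FEED, now=None):
    """Full pipeline: freshen the feed, match events, rank the hosts worth a look."""
    now = now or datetime(2015, 6, 15, tzinfo=timezone.utc)  # assumed analysis time
    return rank_incidents(match_events(events, current_iocs(feed, now)))


if __name__ == "__main__":
    for inc in triage():
        print(inc["host"], inc["score"], [h["ioc"]["value"] for h in inc["hits"]])
```

Run as written, the pipeline returns two incidents from five events: ws-0421 first (two distinct fresh IOCs within minutes, score 190), then srv-db02 (a single high-confidence hash hit, score 95). The ws-0177 event matches an indicator in the raw feed but is never surfaced because that indicator fell outside the freshness window, which is the kind of false positive a stale feed would otherwise hand to an analyst.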