At St. Luke’s Health System, based in Boise, Idaho, executives are as concerned as everywhere about cybersecurity. And with nine hospitals, over 200 clinics, and 14,000 employees, in locations across southwest Idaho and a few locations in eastern Oregon, there is a lot of data, and there are a lot of devices, in a lot of places, to protect. Reid Stephan, the health system’s chief information security officer, has been in his current position at St. Luke’s Health System for a little over four years. Prior to that, he spent a decade at Hewlett-Packard managing that company’s global security and incident response team. Under Stephan’s leadership, St. Luke’s has been partnering with the San Mateo, Calif.-based BrightPoint Security (formerly Vorstack), a provider of security intelligence solutions, to achieve genuine IT security threat management.
Stephan spoke recently with HCI Editor-in-Chief Mark Hagland regarding his organization’s focus on data security. Below are excerpts from that interview.
Tell me what your organization’s IT security landscape looks like?
Our biggest concern is securing the critical and confidential data we’re responsible for, ensuring that it’s available when needed, that end-users can have a high degree of confidence in the integrity of the data. So what keeps me up at night is something my team might have done or not have done, that might somehow interfere with that. What are the biggest IT security threats right now, healthcare industry-wide? It’s always been and will always be the end-user. And with regard to the recent Target, Anthem, and Community Health and other breaches, if you look at those situations, typically, an employee divulged their access information, perhaps in responding to a phishing information request. And often, the employee, the weakest link in the chain, can make the attacker’s job all too easy.
BrightPoint Security executives are focus on what they call threat management. Why is that important for you?
One of the evolving and more widely embraced mindsets is, our goal is not to 100-percent prevent breaches; because that’s not realistic. There’s an understanding that there are so many different vectors into the network, paths in and out of it. You’re going to have a breach. And having that mindset, you naturally focus on your response. Accepting that a breach will occur, we need to focus on being able to detect when a breach occurs and respond as quickly as possible. So when Sony experienced a breach involving 100 terabytes of data—I mean, 10 terabytes is the equivalent of the data in the Library of Congress—and if they’d been able to detect that breach early on, there would have been a magnitude of difference, perhaps an exposure of 5 terabytes of data. So we need to have a high degree of confidence that our threat information is relevant and current, and that our IOCs—indicators of compromise—are current and accurate, and that we have a high degree of confidence in them.
What are the best indicators of compromise in healthcare organization?
The best sources for us on IOCs are from threat intelligence companies that have arrays of systems monitoring, collecting, and aggregating those IOCs. Another good source is a company that has been compromised, like Anthem. They shared with others through some trusted sources, about their breach. So their benefit, in turn, is, if they shared this out, and no one else has seen it, then it turns out they might have been a victim of a targeted attack, scripted and geared specifically towards them. Experts say that healthcare organizations are dramatically less prepared than they think. The attacker completely has the advantage; they know how and when they’ll attack; they just have to be right one time. It’s like a gaming situation. The defenders have to be prepared every single time, and never know when attackers will attack. So we need to invest in protective and preventive controls; but we have to invest more in detection and response. And what will separate a major breach from a minor breach is how quickly you detect and respond.
The CISO of Boston Children’s Hospital, Paul Scheib, has spoken to HCI and in public forums about his hospital’s denial of service experience, which was intense and sustained over several days. Do you think we’ll see more incidents like that one?
It will depend on the motive, right? If an attacker wants to extract data, typically a DDoS—distributed denial of service—attack won’t be the method. And with Boston Children’s, over the course of those several days, yes, it was disruptive and terrible, but once ISPs were able to calm down those attacks, it got down to business as usual again. If you’re talking about a serious data breach, the fallout from that will be much more painful lo0ng-term. And we’re in an era of big data breaches—Anthem, CareFirst, that’s the new reality we’re going to be seeing for a long period of time. What would your advice be to your colleagues about achieving successful cybersecurity? You can’t do it alone. You can’t exist as an island in this day and age. In the Internet of things, in this connectivity, you really need to collaborate with others. It’s a rising tide kind of mentality. We collect data and share our insights with trusted peers, and you get a ripple effect that’s essential.