How secure are provider organizations from cyber crime? That was the focus of a lively panel discussion on Monday, September 15, in New York, which was part of the Health Information Executive’s Guide to Cyber Security, presented by the College of Healthcare Information Management Executives (CHIME) in partnership with the Institute for Health Technology Transformation (iHT2). (Since December 2013 Healthcare Informatics has been in partnership with iHT2 through HCI’s parent company, Vendome Group, LLC.)
Four panelists—two executives from hospital systems and two from vendors—gave their takes on cyber threats and crimes. The four panelists were: Cletis Earle, vice president and CIO of St. Luke’s Cornwall Hospital; Richard Jankowski, information security officer of Memorial Sloan-Kettering Cancer Center; Paul Christman, vice president, public sector, Dell Software; and David Finn, health information technology officer, Symantec.
Jankowski observed that the nature of cyber threats is evolving as application development, such as mobile apps, is changing the IT infrastructure. He stressed the importance of security assessments to determine where an organization is today, and where it needs to be. “There isn’t such a thing as one size fits all. Security depends on your organization,” he said, adding that security awareness should be part of everyday discussions.
Finn, who prior to his role at Symantec was vice president and CIO of Texas Children’s Hospital, said that security is all about the data: “You can’t begin to deal with security until you understand the data, where it comes from, who is using it, how it’s being used, and where it is going after it leaves your network.” Understanding the data marks the beginning of risk assessment and of applying proper security, he said. He added that CEOs regard ACOs and HIEs as operational issues; the data within those structures are business data, and decisions should be made on that basis. The panel agreed that governance issues are important, and should include all stakeholders, but how data should be used is a high-level management decision.
The threat landscape is transforming rapidly, and changes in the IT infrastructure are challenging from a security standpoint. Jankowski, for example, noted that Sloan-Kettering offers a patient portal, which is a large potential exposure for the organization. He noted that as technology becomes more widespread and ubiquitous, cyber attacks are getting more complex. He said that attackers often research a target before launching “spear-phishing” attacks. Attackers are much more motivated than they were 15 years ago, when there wasn’t much infrastructure or commerce going through the systems, he said. Today attacks are much more targeted and well-funded.
Earle observed that the level of complexity of cyber attacks is far more advanced than some in the IT sector believe. Some tools are not capable of detecting certain types of threats.
Christman said that there is a general recognition on the part of people who steal data that “IT professionals are pretty good.” The weakest link in the security chain, in his view, is often the users, because those are the people who are not necessarily IT savvy, and they are busy doing their main job during the day. Of course, he said, it’s still necessary to go after unpatched firewalls and unpatched servers, and do things like end-point management and encryption, but the biggest challenge is the user population. To address that, user “education has got to be pervasive, persistent, and just as diligent as the hackers are,” he said.
Christman gave three suggestions for how security can be improved from inside the organization: first, the activities of even “trusted and privileged” users need to be tracked; second, multi-factor authentication should be used; and third, identity management should be in place.
End users need to be on board with security measures, the panelists said. Earle observed that cyber security issues can be viewed as cultural issues where end users are concerned. He said there needs to be a cultural transformation among end users, toward the understanding that data does not belong to the institution but belongs to the patient. In his view meaningful use will play a role in changing the dynamic of data ownership and the sharing of patient information between the provider and patient.
He also noted that education should be a component of governance, where hospital leadership makes policy decisions, but there needs to be a way to implement the education and training of the doctors and nurses as they perform their daily tasks. “The key is getting that information transferred from the governance committees to the respective areas, and do it in a way that they understand that we are trying to help them, not hurt them,” he said.