Fighting Hackers

CIOs and CISOs work together as attack threats grow.

Health Data Management - INSIDE FEATURES - By Joseph Goedert

CIOs, CISOs and other C-suite execs collaborate to better defend data.

As cyberattacks against hospitals intensify, healthcare organizations are looking to boost security practices, and more are turning to chief information security officers to bolster defenses.

Healthcare IT executives say it’s crucial for them to work closely and in coordination with CISOs to ensure cybersecurity strategies mesh effectively with an organization’s IT initiatives.

Providers are realizing that the risks to their operations couldn’t be higher, particularly as healthcare organizations have become dependent on electronic clinical records for continuity of care and operations.

That point was exemplified in January, when Hancock Health, a regional hospital in Indiana, paid a $55,000 ransom after a ransomware attack that infected the hospital’s systems and hindered its operations. Attackers deployed SamSam ransomware that encrypted files, quickly affecting operations and forcing the hospital’s IT staff to shut down the network and resort to pen and paper.

Even though the hospital had backed up its data, it opted to pay the ransom of four bitcoin, or $55,000. Hancock Health CEO Steve Long said that the files could have been recovered but restoring them would have taken days or weeks.

The same variation of SamSam crippled information systems at Allscripts in January, knocking 1,500 healthcare providers off their cloud-based electronic health records systems and other applications for at least a week. Allscripts executives acknowledged the incursion and said services to all customers were restored about eight days after the attack at two of its data centers.

Security challenges have intensified because most facilities’ “attack surface” has increased exponentially in the past couple of years; BI Intelligence, a research service, forecasts that the installed base of healthcare IoT devices (not including wearable devices such as fitness trackers) will grow from approximately 95 million in 2015 to 646 million in 2020. These medical devices are increasingly connected to hospital systems via the Internet, giving hackers more entryways to hospital networks.

In addition, providers are facing rising pressure to facilitate data sharing with other providers. Data exchange capabilities require a fine balancing act—systems must be open enough to share data with others, but that openness also provides more opportunities for hackers to break in, security experts note.

Because CISOs are focused on securing systems, they can pay all their attention to thwarting potential threats, and CIOs are giving them increased latitude in boosting security efforts. That’s stimulating the move to close cooperation between CIOs and CISOs.

Attack surface expands

An organizationwide approach to security is crucial because vulnerabilities are not limited to—and not under the control of—systems that IT departments oversee, CISOs say. For example, various hospital departments have been buying “smart” or Internet-connected medical devices, with little or no input from IT departments, and many of them are poorly protected from a data security standpoint, says Kevin Charest, CISO at Health Care Service Corp., which operates Blue Cross and Blue Shield plans in five states.

Increasingly, CIOs are looking for help with the broadening scope of security, and CISOs can bring a different view of the intersection of information technology and information security, Charest says. Because data and vulnerabilities are everywhere, CISOs tend to bring extreme caution to IT efforts because “our approach is zero trust. We have to assume folks we interact with may be compromised, so we need a mind-set for that challenge.”

CISOs face rising security challenges at healthcare organizations, which in general lag far behind the sophistication of the cyber criminals that are trying to access their systems. The allure for hackers is twofold. First, hacked medical records have more black market value than financial records. Second, ransomware attacks are proving successful against healthcare organizations, because they’re easily breached and often incentivized by operational pressures to get patient data and systems restored as quickly as possible.

Filling security gaps

While some provider organizations have robust and proactive data security programs in place, there’s much room for improved security leadership at most organizations. A December 2017 survey of 323 providers and insurance payers conducted by Black Book, a research company serving the healthcare industry, found progress but also high levels of unpreparedness for growing cyber threats.

Some 84 percent of respondents from providers said their organizations did not have an enterprise leader for cybersecurity, and only 11 percent planned to install such a leader in 2018. Among surveyed payers, 31 percent had an established manager for cybersecurity, and another 44 percent were planning to have that position filled this year.

The survey also found that 54 percent of respondents from all organizations do not regularly conduct data security risk assessments, and 39 percent do not regularly conduct penetration testing on firewalls. Further, nearly all C-suite officers participating in the survey acknowledged that cybersecurity and the threat of breaches are still not major talking points with their boards of directors.

CISOs at provider organizations believe the trend for investing money and resources in security is likely to grow as ransomware attacks and other cyber incidents gain notoriety, both within the industry and in the popular press. New security approaches must constantly be developed to counter not only new threats, but also discovered weaknesses in security, and evolving computing and device trends.

Data security is very much a “people process,” and that can put CISOs and other security personnel in high-pressure positions, says Shari Lewison, chief information security officer at University of Iowa Hospitals and Clinics, an 811-bed public teaching facility.

A year ago, the organization started seeing malicious emails coming in at a rate not previously seen, and it created additional training mechanisms for employees to enable them to identify internal versus external emails.

In addition, the university extended the email subject line to highlight emails that were coming from external sources and quickly found that employee awareness of potential phishing emails increased dramatically. In December, University of Iowa Hospital and Clinics employees reported 8,000 suspicious emails to data security personnel. “Email cyber awareness rose, phishing incidents dropped by 75 percent, and the program costs were very low,” Lewison says.
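The external-sender subject tagging described above, as an added illustration that is not the University of Iowa's own code: it decides from the From-header domain (the internal domain hospital.example, the [EXTERNAL] tag text and the sample messages are all assumed here) and applies the tag exactly once, first stripping any copy an outside sender placed in the subject.

```python
"""External-sender subject tagging (added illustration, not the hospital's code).
Internal domain, tag text and sample messages below are constructed."""
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

INTERNAL_DOMAINS = {"hospital.example"}  # assumed internal mail domain(s)
EXTERNAL_TAG = "[EXTERNAL]"              # assumed tag text


def sender_domain(msg: Message) -> str:
    """Lowercase domain of the From address, '' if missing or unparsable."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def is_external(msg: Message) -> bool:
    """External unless the From domain is internal; no/invalid From fails closed."""
    return sender_domain(msg) not in INTERNAL_DOMAINS


def tag_subject(msg: Message) -> Message:
    """Prefix the Subject of external mail with EXTERNAL_TAG exactly once.
    Copies of the tag that an outside sender placed in the subject are removed
    first, so a sender cannot make a message look like it was already checked."""
    if not is_external(msg):
        return msg  # internal mail is left untouched
    subject = msg.get("Subject", "")
    while subject.upper().startswith(EXTERNAL_TAG):
        subject = subject[len(EXTERNAL_TAG):].lstrip()
    del msg["Subject"]  # no error if the header was absent
    msg["Subject"] = f"{EXTERNAL_TAG} {subject}".rstrip()
    return msg


def tag_raw(raw: str) -> str:
    """Parse a raw RFC 5322 message, tag it and return the resulting Subject."""
    return tag_subject(message_from_string(raw))["Subject"]


# Constructed samples: a lookalike-domain phish and a genuine internal message.
PHISH = ("From: IT Helpdesk <helpdesk@hospital-example.com>\r\n"
         "Subject: Password reset required\r\n\r\nClick here.\r\n")
INTERNAL = ("From: Jane Doe <jane@hospital.example>\r\n"
            "Subject: Shift schedule\r\n\r\nAttached.\r\n")

if __name__ == "__main__":
    print(tag_raw(PHISH))     # [EXTERNAL] Password reset required
    print(tag_raw(INTERNAL))  # Shift schedule
```

A production mail gateway would key the decision on where the message entered (an outside MTA) or on SPF/DKIM results rather than the From header alone, which a sender can forge.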

The organization also put in place a protection strategy of highly segmenting its networks, including creating a separate wireless guest network so patients or visitors with their own computing devices could use them without jeopardizing hospital medical devices, information systems and networks. The hospital has tens of thousands of connected medical devices, including more than 1,500 IV pumps.

During 2015 and 2016, the university also implemented a security governance plan that included a device management approach to determine which devices could be brought into the hospital, as well as an annual review of device patching, according to Maia Hightower, MD, chief medical information officer at University of Iowa Hospitals and a clinical assistant professor. By 2017, University of Iowa Hospitals felt comfortable enough with its integration program and security posture to offer a bring-your-own-device program to employees.

New security initiatives at the organization this year will include next-generation firewalls on network borders to provide more visibility into what is going on in the networks and further determination of what devices can be allowed on networks, Lewison adds.

Getting along

CISOs and CIOs increasingly will need to work together to raise security awareness, as well as the dollar amounts organizations spend to protect themselves.

For CISOs it is important to have a good relationship with the CIO because that’s who fights for funds for the CISO, says Charest of Health Care Service Corp.

Kris Kusche, vice president of information services and chief information security officer and a biomedical engineer at Albany (N.Y.) Medical Center, reports not just to the CIO but to the chief compliance officer as well, and that gives him clout to a degree that other CISOs may not have in their organizations.

“I have the best of both worlds to have this wide portfolio and executive authority,” he says. Other reporting relationships he’s seen elsewhere include the quality assurance or legal departments. “The CISO has to be able to play across many roles and acquire a level of understanding of all clinical and business aspects of the organization.”

University of Iowa Healthcare recently completed an annual risk assessment that found 20 percent improvement in the organization’s overall security score compared with the previous year, and that increase was achieved largely with little new financial investment and with staff using existing security tools and processes. This underscores how tight relationships among the CIO, CISO and CMIO align the resources and messaging that deliver services in accordance with policies across the enterprise, she says.
