In healthcare, there can often be a disconnect between IT and executive leadership when it comes to prioritization of cybersecurity risk management. Finding ways to bridge this gap has been a prevailing theme at both this week’s HIMSS 2017 Conference and Exhibition and last quarter’s HIMSS Privacy and Security Forum.
Between Two Worlds
When it comes to cybersecurity governance for healthcare, I’m a bit of a unicorn—in that I work both in the cybersecurity industry at Gigamon Canada and serve as an active member on the board of directors for the Brant Community Healthcare System. Having lived and worked in the two worlds, I have a unique perspective.
On one hand, I’m all too aware of the challenges CISOs and security teams face in getting the attention of senior leadership and the budgets they need (but most often don’t get) to properly protect their organizations.
At the same time, I also understand how difficult it is for board members to assess and prioritize cyber risk alongside the immense financial challenges of operating a complex multi-site hospital system, including:
- Maintaining and improving the quality of patient care at a time when obesity rates are skyrocketing
- Managing the complexity and costs associated with chronic diseases—such as cancer, cardiovascular disease, and diabetes—that are taxing many healthcare systems to their limits
- Ensuring employee satisfaction and engagement
- Finding funding and resources to keep up with innovation and improvements in medical equipment and technologies
Let’s just say, our meetings often run long.
Striking a Balance
For many healthcare executives and board members, addressing and managing cybersecurity risk can be both a distraction and gratuitous expense at a time when every dollar is needed for patient care.
Striking a balance and integrating the needs of privacy and security into the strategic objectives of an organization and not simply treating it as an “IT thing” was reiterated throughout the event to be “an absolute necessity.”
Having attended the HIMSS Privacy and Security Forum, my top takeaways were:
#1 Healthcare is vulnerable and under attack like no other industry, and we need to work together more often and more effectively to find solutions.
The headlines never stop. Hospital hacked. Hospital network held for ransom. Tens of thousands of medical records breached. Most of us can’t even read the news anymore, let alone the growing list of breaches on the U.S. Department of Health and Human Services Office for Civil Rights Breach Portal (dubbed “the wall of shame” by many in the industry).
Keynote speakers Joel Brenner, former senior counsel for the NSA, and Stephen Nardone, practice director of security and mobility at Connection, drove the “vulnerability” message home in their presentations, respectively: “Cybersecurity: How’d It Get So Bad – and Can We Do Anything about It?” and “Mitigating Cyber Threats in Healthcare.”
Unlike monetary transactions, health data is very detailed, unstructured, and personal. For instance, if someone commits fraud by using your credit card to make unauthorized purchases, it’s relatively easy for your bank to detect, investigate, and get your money back. But once someone steals your health information, it’s out there. There’s no way to get it back and cybercriminals can use it for more nefarious purposes than simply taking a stolen credit card number to buy a gigantic TV on Amazon.
Due to the unique characteristics of healthcare data, it can also take weeks, months, or years to even detect fraud, making it much more valuable than credit card data. The risk of losing this data isn’t simply costly for patients or an annoyance; it can be life-threatening, making the stakes—and value to cybercriminals—much higher.
Stealing hospital and patient data is highly profitable with a low risk of getting caught. Steve Borg, Director and Chief Economist of the U.S. Cyber Consequences Unit, presented a session, “Economics of Cyber Attacks on Healthcare Providers,” that made me think more about how changing these economic factors will be key to combating cybersecurity threats. He also discussed how sharing threat intelligence and security best practices, plus creating new forums for education and collaboration, can improve security defenses. Denise Anderson, the executive director of NH-ISAC, reiterated his position in her “real case scenarios” session, “Threat Intelligence: Head off Attacks before the Damage Is Done.”
In short, the most important thing organizations can do is ensure that cybersecurity risk management is an enterprise-wide strategic focus. An executive-level mandate is critical to success, as all departments and employees—from clinicians to housekeeping—need to be engaged to make a difference.
#2 We’re bad at framing and communicating risk to executives and the board. We need to do better.
Telling the board scary stories isn’t effective anymore, if it ever was. At this point, everyone has CNN-sensationalized breach headline fatigue and another slide deck filled with hacking horrors isn’t going to resonate. In fact, it may even annoy them—which certainly won’t help your business case to get a new firewall approved.
As much as we may complain that executives and boards don’t really understand cybersecurity, we continue to present highly technical presentations that confuse and bore them. This has to change. We in IT need to take the time to understand their priorities and communicate strategically from a business and financial risk perspective—not just tactically or with a myopic viewpoint limited to our own project and department needs.
Most CISOs are coming around to the idea that cybersecurity risk has to be framed in a language that CEOs, CFOs, and boards can understand and act on. Sure, this includes dropping computer industry jargon, but the true value will come from calculating and communicating the value of what’s at risk and aligning your efforts to the overall strategic objectives of the organization.
The Healthcare Security Leadership Panel: State of the Union—including John Donohue, associate CIO of Technology and Infrastructure at Penn Medicine, Anahi Santiago, CISO of Christiana Care Health System, and Darren Lacey, CISO of Johns Hopkins University & Johns Hopkins Medicine—discussed how CISOs are being rewarded for taking a more strategic approach by “getting a seat at the c-level table” where enterprise-wide strategy is developed.
I reiterated similar points during my own session, recommending that CISOs always speak the language of their audience and simplify messaging to the very core of what they’re trying to accomplish. For example, stop calling them “hackers” and start calling them just plain old “criminals.”
A CPA on a board, for instance, can’t relate to an APT that has exploited privileged user credentials to install rootkits on multiple endpoints and has bypassed IPS by encrypting command and control messaging. But he can relate to spending $100k on a firewall because criminals just tried to steal personal health data that’s worth $20 million—which could also expose the organization to the risk of HIPAA violation fines, potential class-action suits in the tens of millions, and damage to the hospital’s reputation.
By the same token, if a CEO is a former physician, frame the risk of a cybersecurity breach that steals patient information within the context of an imperative to “do no harm.” She’s likely to relate the nature of the risk directly to the patient, which will result in better understanding.
And lastly, it doesn’t hurt to establish a bit of situational awareness of the strategic needs of the organization. For example, it might not be the best idea to request funds for an anti-phishing application (one that tricks employees into clicking on fake emails and shames them into compliance with security policies and procedures) when the next item on the board’s agenda is addressing low employee morale.
We also need to reciprocate by doing a better job of understanding c-level and board priorities and communicating strategically. CISOs who crack this code and carry it out effectively will have much greater success and be less likely to have their organizations end up on the breach “wall of shame.”
#3 Privacy and security must be baked into not only every system, but also every business decision.
CISOs understand that the Target breach was a result of compromised third-party credentials and, as a result, senior executives lost their positions. Retail has an added complexity in managing non-traditional endpoints such as cash registers and inventory-tracking handheld devices, but that’s nothing compared to what healthcare contends with today.
The Internet of Medical Things is already here and it’s not very secure. Stephanie Jernigan, assistant professor, Operations Management Department at Boston College, presented a session based on findings from a global research study at MIT Sloan Management Review titled, “Ready or Not: Here Comes the Internet of Things.”
While the study confirmed much of what we thought we knew about IoT in healthcare, it also provided some new insights. It found that organizations with strong analytics infrastructures and skillsets were better able to leverage IoT investments. Devices that fall under the Internet of Medical Things category are easier to attack because they are more physically and digitally accessible. This is especially true with wearable devices that leave the hospital with the patient.
Another disturbing finding showed that, “Despite these issues, 76% of the survey’s respondents felt they didn’t need to improve their sensor data security and 68% felt they didn’t need to improve their overall data security.” What makes this doubly disturbing is that the study also revealed that as analytics capability improves, so does overall success in terms of both patient outcomes and overall security posture.
And yet, there is no perceived need to improve analytical capabilities? And while medical IoT devices are likely to be the most at risk of any devices in this category, little is being done in terms of securing these devices?
#4 Achieve security success by managing a portfolio of innovation.
The highlight of the forum was Aetna CISO Jim Routh’s presentation, “How to Build a Security Technology Portfolio: Take Risks to Manage Risks.” Aetna serves more than 46 million people and, therefore, has a great deal of personal health information to protect.
Routh’s unique approach to not only keeping up with, but also staying ahead of hackers is to devote 25 percent of his budget to purchasing new and emerging technology from early-stage start-ups. Start-ups are more likely to make a better deal financially than established players, and they may also provide a technology edge, in that most attackers are likely to target and exploit vulnerabilities in more mature and widely deployed solutions.
Routh views this overall approach much like how one would build a balanced and diversified investment portfolio with 75 percent in blue chips and 25 percent in high-growth, high-impact, but also potentially higher-risk investments.
No other speaker personified the need to frame risk and communicate strategically more than Routh. And I particularly loved his phrase to describe his approach: “Taking risks to reduce risks.”