In healthcare, there can often be a disconnect between IT and executive leadership when it comes to prioritizing cybersecurity risk management. Finding ways to bridge this gap has been a prevailing theme at both this week's HIMSS 2017 Conference and Exhibition and last quarter's HIMSS Privacy and Security Forum.
Between Two Worlds
When it comes to cybersecurity governance for healthcare, I'm a bit of a unicorn, in that I work in the cybersecurity industry at Gigamon Canada and also serve as an active member of the board of directors for the Brant Community Healthcare System. Having lived and worked in the two worlds, I have a unique perspective.
On one hand, I'm all too aware of the challenges CISOs and security teams face in getting the attention of senior leadership and the budgets they need (but most often don't get) to properly protect their organizations.
At the same time, I also understand how difficult it is for board members to assess and prioritize cyber risk alongside the immense financial challenges of operating a complex multi-site hospital system, including:
- Maintaining and improving the quality of patient care at a time when obesity rates are skyrocketing
- Managing the complexity and costs associated with chronic diseases (such as cancer, cardiovascular disease, and diabetes) that are taxing many healthcare systems to their limits
- Ensuring employee satisfaction and engagement
- Finding funding and resources to keep up with innovation and improvements in medical equipment and technologies
Let's just say, our meetings often run long.
Striking a Balance
For many healthcare executives and board members, addressing and managing cybersecurity risk can be both a distraction and gratuitous expense at a time when every dollar is needed for patient care.
Striking a balance, integrating the needs of privacy and security into the strategic objectives of an organization rather than simply treating them as an "IT thing," was reiterated throughout the event to be "an absolute necessity."
Having attended the HIMSS Privacy and Security Forum, my top takeaways were:
#1 Healthcare is vulnerable and under attack like no other industry, and we need to work together more often and more effectively to find solutions.
The headlines never stop. Hospital hacked. Hospital network held for ransom. Tens of thousands of medical records breached. Most of us can't even read the news anymore, let alone the growing list of breaches on the U.S. Department of Health and Human Services Office for Civil Rights Breach Portal (dubbed "the wall of shame" by many in the industry).
Keynote speakers Joel Brenner, former senior counsel for the NSA, and Stephen Nardone, practice director of security and mobility at Connection, drove the "vulnerability" message home in their presentations, respectively: "Cybersecurity: How'd It Get So Bad - and Can We Do Anything about It?" and "Mitigating Cyber Threats in Healthcare."
Unlike monetary transactions, health data is very detailed, unstructured, and personal. For instance, if someone commits fraud by using your credit card to make unauthorized purchases, it's relatively easy for your bank to detect, investigate, and get your money back. But once someone steals your health information, it's out there. There's no way to get it back, and cybercriminals can use it for more nefarious purposes than simply taking a stolen credit card number to buy a gigantic TV on Amazon.
Due to the unique characteristics of healthcare data, it can also take weeks, months, or years to even detect fraud, making it much more valuable than credit card data. The risk of losing this data isn't simply costly for patients or an annoyance; it can be life-threatening, making the stakes, and the value to cybercriminals, much higher.
Stealing hospital and patient data is highly profitable with a low risk of getting caught. Steve Borg, Director and Chief Economist of the U.S. Cyber Consequences Unit, presented a session, "Economics of Cyber Attacks on Healthcare Providers," that made me think more about how changing these economic factors will be key to combating cybersecurity threats. He also discussed how sharing threat intelligence and security best practices, plus creating new forums for education and collaboration, can improve security defenses. Denise Anderson, the executive director of NH-ISAC, reiterated his position in her "real case scenarios" session, "Threat Intelligence: Head off Attacks before the Damage Is Done."
In short, the most important thing organizations can do is ensure that cybersecurity risk management is an enterprise-wide strategic focus. An executive-level mandate is critical to success, as all departments and employees, from clinicians to housekeeping, need to be engaged to make a difference.
#2 We're bad at framing and communicating risk to executives and the board. We need to do better.
Telling the board scary stories isn't effective anymore, if it ever was. At this point, everyone has CNN-sensationalized breach headline fatigue, and another slide deck filled with hacking horrors isn't going to resonate. In fact, it may even annoy them, which certainly won't help your business case to get a new firewall approved.
As much as we may complain that executives and boards don't really understand cybersecurity, we continue to present highly technical presentations that confuse and bore them. This has to change. We in IT need to take the time to understand their priorities and communicate strategically from a business and financial risk perspective, not just tactically or with a myopic viewpoint limited to our own project and department needs.
Most CISOs are coming around to the idea that cybersecurity risk has to be framed in a language that CEOs, CFOs, and boards can understand and act on. Sure, this includes dropping computer industry jargon, but the true value will come from calculating and communicating the value of what's at risk and aligning your efforts to the overall strategic objectives of the organization.
The Healthcare Security Leadership Panel: State of the Union (including John Donohue, associate CIO of Technology and Infrastructure at Penn Medicine; Anahi Santiago, CISO of Christiana Care Health System; and Darren Lacey, CISO of Johns Hopkins University & Johns Hopkins Medicine) discussed how CISOs are being rewarded for taking a more strategic approach by "getting a seat at the c-level table" where enterprise-wide strategy is developed.
I reiterated similar points during my own session, recommending that CISOs always speak the language of their audience and simplify messaging to the very core of what they're trying to accomplish. For example, stop calling them "hackers" and start calling them just plain old "criminals."
A CPA on a board, for instance, can't relate to an APT that has exploited privileged user credentials to install rootkits on multiple endpoints and has bypassed IPS by encrypting command and control messaging. But he can relate to spending $100k on a firewall because criminals just tried to steal personal health data that's worth $20 million, which could also expose the organization to the risk of HIPAA violation fines, potential class-action suits in the tens of millions, and damage to the hospital's reputation.
By the same token, if a CEO is a former physician, frame the risk of a cybersecurity breach that steals patient information within the context of an imperative to "do no harm." She's likely to relate the nature of the risk directly to the patient, which will result in better understanding.
And lastly, it doesn't hurt to establish a bit of situational awareness of the strategic needs of the organization. For example, it might not be the best idea to request funds for an anti-phishing application (one that tricks employees into clicking on fake emails and shames them into compliance with security policies and procedures) when the next item on the board's agenda is addressing low employee morale.
We also need to reciprocate by doing a better job of understanding c-level and board priorities and communicating strategically. CISOs who crack this code and carry it out effectively will have much greater success and be less likely to have their organizations end up on the breach "wall of shame."
#3 Privacy and security must be baked into not only every system, but also every business decision.
CISOs understand that the Target breach was a result of compromised third-party credentials and that, as a result, senior executives lost their positions. Retail has an added complexity in managing non-traditional endpoints such as cash registers and inventory-tracking handheld devices, but that's nothing compared to what healthcare contends with today.
The Internet of Medical Things is already here, and it's not very secure. Stephanie Jernigan, assistant professor in the Operations Management Department at Boston College, presented a session based on findings from a global research study at MIT Sloan Management Review titled, "Ready or Not: Here Comes the Internet of Things."
While the study confirmed much of what we thought we knew about IoT in healthcare, it also provided some new insights. It found that organizations with strong analytics infrastructures and skillsets were better able to leverage IoT investments. Devices that fall under the Internet of Medical Things category are easier to attack because they are more physically and digitally accessible. This is especially true with wearable devices that leave the hospital with the patient.
Another disturbing finding showed that, "Despite these issues, 76% of the survey's respondents felt they didn't need to improve their sensor data security and 68% felt they didn't need to improve their overall data security." What makes this doubly disturbing is that the study also revealed that as analytics capability improves, so does overall success in terms of both patient outcomes and overall security posture.
And yet, there is no perceived need to improve analytical capabilities? And while medical IoT devices are likely to be the most at risk of any devices in this category, little is being done in terms of securing these devices?
#4 Achieve security success by managing a portfolio of innovation.
The highlight of the forum was Aetna CISO Jim Routh's presentation, "How to Build a Security Technology Portfolio: Take Risks to Manage Risks." Aetna serves more than 46 million people and, therefore, has a great deal of personal health information to protect.
Routh's unique approach to not only keeping up with, but also staying ahead of, hackers is to devote 25 percent of his budget to purchasing new and emerging technology from early-stage start-ups. Start-ups are more likely to make a better deal financially than established players, and they also may provide a technology edge, in that most attackers are likely to target and exploit vulnerabilities in more mature and widely deployed solutions.
Routh views this overall approach much like how one would build a balanced and diversified investment portfolio with 75 percent in blue chips and 25 percent in high-growth, high-impact, but also potentially higher-risk investments.
No other speaker personified the need to frame risk and communicate strategically more than Routh. And I particularly loved his phrase to describe his approach: "Taking risks to reduce risks."