Network Segmentation--and Smaller Hospitals’ Deep, Broad Cybersecurity Dilemma

June 30, 2019
A new report published last week by KLAS Research and CHIME is pointing up some very serious issues that smaller hospital organizations are struggling with in the cybersecurity arena, among them network segmentation and multifactor authentication.

It was fascinating to read the report published last week by KLAS Research and CHIME (the College of Healthcare Information Management Executives), whose publication was announced in a press release this morning, and about which we published a news report, also this morning.

As the report noted, “Many organizations that participated in the CHIME HealthCare’s Most Wired program in 2018 reported they follow cybersecurity practices recommended by a federally convened task group of private and public cybersecurity leaders.”

The whitepaper report noted several key findings:

- Regardless of size, most organizations have deployed email and endpoint protection systems, establishing an initial layer of defense against internal and external threats.

- Many organizations are transitioning from homegrown identity and access management (IAM) solutions to commercial solutions to support their identity policies. Multifactor authentication (MFA) remains a gap for half of small organizations.

- Data-loss prevention (DLP) solutions have been widely adopted, though deployment of on-premises DLP solutions has slowed, as organizations have transitioned to the cloud.

- Today’s security requirements are challenging historical asset management practices.

- Most organizations have network access control (NAC) solutions to monitor devices that connect to their networks; however, less than half of small organizations are using network segmentation to control the spread of infections.

- Large organizations report more sophisticated and more frequent vulnerability scanning and application testing. Small organizations more frequently turn to penetration testing to identify vulnerabilities.

But the report also noted a number of gaps, including this one, from the section above: “Most organizations have network access control (NAC) solutions to monitor devices that connect to their networks; however, less than half of small organizations are using network segmentation to control the spread of infections.”

Fewer than half of smaller organizations have implemented network segmentation strategies to date? Yikes. That is a truly frightening fact.

Back in February 2018, in a feature entitled “A New Era in Network Segmentation?” I wrote the following:

“[T]he challenges facing the IT leaders of patient care organizations are also facing IT leaders in every type of business organization, in every industry. John Friedman, a managing consultant at the CyberEdge Group consulting firm, puts it this way in his recent white paper, ‘The Definitive Guide To Micro-Segmentation,’ published last year by Illumio, a Sunnyvale, Calif.-based cloud computing security solutions provider: ‘We can no longer rely on perimeter defenses to keep the bad guys out, and are not doing so well catching them inside the data center either. Most IT security professionals are familiar with frameworks such as Lockheed Martin’s Cyber Kill Chain,’ Friedman notes. But, he says, ‘Statistics show that it is extremely difficult to reduce the “dwell time” of attackers once they have a foothold inside the data center. Virtualization and cloud technology exacerbate this challenge. It is hard to protect applications that can be executing anywhere, with pieces being moved around continually. In this environment, limiting lateral movement within the data center becomes a top priority for IT groups. If a cybercriminal compromises the credentials of an employee who uses application A, can we make sure he can’t reach applications B, C, and D? If a hacker uncovers the password of a system administrator in location X, can we make sure she has no way to connect to systems in locations Y and Z?’ That remains a fundamental IT security challenge in healthcare.”

What’s more, in an interview in February of last year, John Robinson, senior advisor at the Naperville, Illinois-based Impact Advisors, shared further wisdom with me on this subject. How many IT security professionals in patient care organizations are still manually configuring their network segmentation? I asked him. “The vast majority of healthcare organizations are still back in the manual configuration phase, trying to address rapidly evolving threat vectors with a manual methodology that just can’t keep up,” Robinson said. “You can’t type fast enough, basically, to do manual configuration in order to keep up with the threat vectors that are accelerating on a daily basis.”

Meanwhile, in response to my question asking what’s involved in software configuration, and how it makes a difference, Robinson said, “Creating a software-defined network allows you to apply policies, processes, and procedural rules to the traffic and data on the network itself, as opposed to manual configuration, where you are still manipulating software, but where you’re still essentially twisting wires. So this is not something that’s an alternative to manual configuration. You still need to electronically twist the wires, as it were, to keep your basic physical infrastructure chugging along, but you apply software definitions to that network so that you’re looking not at physical attributes of connectivity, but at the data flowing across that physical infrastructure, and applying policies and rules to that data, to make sure it goes where you want it to go, and doesn’t go where you don’t want it to go.”

Given that there are many new potential approaches in this area, approaches that are showing themselves to be effective, it is particularly striking—and disturbing—that fewer than half of smaller patient care organizations are doing what they should be doing, implementing basic network segmentation strategies.

Indeed, the risks to core clinical information systems, especially electronic health records (EHRs), are only growing by the day, as the “bad guys” become ever more cunning and determined. And that element touches on the issue of funding and resources, given that the healthcare IT leaders of smaller patient care organizations literally lack the resources to accomplish what they need to overall. And, as the survey found, they are lagging behind in terms of implementing multifactor authentication strategies as well, even as MFA strategies are precisely among those that could make a huge difference in resource-strapped hospitals and health systems.

So in the end, the landscape portrayed in the KLAS/CHIME report is a very mixed one, to be sure. Not everything is negative, but neither is everything positive. And, as I’ve stated publicly previously, both in written form and at our Healthcare Innovation Summits, ultimately, the increasing financial pressures connected to the need to significantly boost cybersecurity and data security in patient care organizations may force many smaller hospitals and many medical groups to join larger and ever-growing multi-hospital systems, simply to keep up. Put another way, cybersecurity’s connection to consolidation could become clearer and clearer over time. This will definitely be one of the broad situations for everyone to continue monitoring, going forward. Clearly, the last act of this drama is far from written.
