Moving from Hacker to Attacker: Intermountain CIO Marc Probst on Healthcare's Increasing Data Security Challenge

At the World Health Care Congress 2016, Marc Probst, notable vice president and CIO of Salt Lake City, Utah-based Intermountain Healthcare, discussed the continual—and increasing— threat that the healthcare industry is facing when it comes to protecting data.

During his case study presentation, "Avoid Data Breaches and Strengthen Health Information Security" at the Marriott Wardman Park Hotel in Washington D.C., Probst reflected on when he first started working at Intermountain 12 years ago. Back then, he recalled, IT security consisted of just passwords and usernames. There wasn't anything close to the chief information security officer (CISO) that you see all across patient care organizations today, but just someone who ran the data center and was mostly concerned about locking doors and changing passwords. "Physicians would get ticked off every five years when we asked them to change their passwords. Yes, every five years," Probst said, partly facetious. 

Probst further looked back at one of the first data breaches at Intermountain since he was there, involving  a lost laptop which was unencrypted and had a lot of behavioral health data on it. "We spent tens of thousands of dollars investigating it, and we did recover it. We had poor security on it and no way to track it. It woke us up," he admitted. He additionally recalled another incident at the nearby University of Utah Health Care involving records stored on backup security tapes being stolen from an employee's car overnight. It cost the healthcare organization about $2 million, and Intermountain, having learned from the incident, began encrypting their tapes two weeks later, Probst said. 

The current environment at Intermountain, however, reveals the obvious—times sure have changed. "Now, it's the chief job of the CISO to be in charge of information security," Probst said. "IT is clearly the fastest growing area in information systems. I am incredibly concerned about security as a CIO, and it's mostly because we have people in the most vulnerable times of their lives with their most private data. It's our duty to protect that data that's been entrusted to us," he said.

As such, Intermountain now has a a multi-faceted, layered approach to tackling the one thing that Probst has previously said keeps him up at night more than anything else in healthcare. "I'd rather our data center go completely dark than have a major data breach," Probst said, confirming that fear. Part of this proactive strategy is a recently deployed security operations center (SOC), a 24/7 monitoring system that generates daily security reports across Intermountain by looking at business activity, network traffic, and actionable events. 

Probst said that the health system is looking to take this information center and make it a shared one, in which Intermountain and other local healthcare systems pool all of their assets together into one center. He said this isn't outsourcing IT security, but rather sharing playbooks and use cases so that when an incident happens at one organization, everyone in this collaboration can be made aware and help remedy the situation. Probst admitted that this "sharing" process has challenges and isn't operating very smoothly right now, but his hope is that the kinks can be worked out soon. 

Indeed, Probst said that the biggest strength at Intermountain when it comes to data security is its ability to work as a team, an essential ingredient as cybersecurity has clearly gone from hacker to attacker. "Information systems security and privacy requires a team. I meet with the head of compliance at least twice a month, with my CISO. We look at where our vulnerabilities are, and best practices emerge daily," he said  

What's more, every four months Intermountain performs a practice run on what to do if it was faced with a ransomware incident, Probst said. "What would we do in that case? Well, we would call the CEO, so we do that in our practice run. We prepare, and doing so allows you to learn where you can be better." Probst added that if Intermountain were to get hit with a ransomware attack, he would be forced to pay the ransom as the consequence of hurting patient care is just too severe. "If that were to happen, we know that we would have to divert patients. In Utah, I don't know how you can do that without a really big crisis," Probst said. 

When asked about if Intermountain would ever think of deploying something such as mirrored systems—an approach that would allow the health system to have a completely separate system with data on it in reserve in case the original system has to be wiped out—Probst noted the high expense associated with it,  adding that it could be possible, and while it wouldn't be as information-complex as the other system, it would do the job in terms of keeping patients healthy. 

To this end, Probst brought up the three different types of cyber attackers: criminals, spies and terrorists. Criminals, he said, are motivated by money; cyber spies are employed by a nation state, are highly trained with resources, and are looking to take data to learn things; and cyber terrorists, according to Probst, are motivated by an ideology or allegiance to a cause, referencing the terrorist group ISIS who has some 60 cyber professionals in its group that are clearly not motivated by money. 

As a CIO, Probst said he thinks of the three pillars that support information systems security: the team that comes up with polices; the vendors you are using and the money you're putting into technology; and looking into the future. "What are you doing to get involved and advance security?" Probst asked. "On a scale from 1 to 100 with 100 being perfect security, the financial industry, as I understand it, is at about an 85. Healthcare is around a 35 on that scale," Probst said, noting that healthcare's systems were designed for open access, contrary to other industries. "So what are we willing to do to get involved and enhance security? Now, whenever I go to our board, and I'm there almost every quarter, the conversation is around information security. People say it's inevitable that we will get a breach. If that's true, then we need to spend energy there." 

Looking at other sectors has helped Intermountain implement some new tools when it comes to IT security, Probst said. The health system has started a Security Showcase, in which it invites in leading edge organizations, mostly outside of healthcare, to present to Intermountain ideas and tools that have worked. As such, Probst said Intermountain has put more emphasis on controls beyond defending the perimeter, moving more to the offensive. Now, it does real-time audits that look at its technology systems and examines who has access to what information. Nonetheless, Probst admitted that there are definitely ways to get into Intermountain's security system, as the industry for attackers is massive, with specific objectives and polished operational tactics with incentives for breaking in. "But once you get in, we will get you," Probst declared. 

Probst noted that phishing is the health system's biggest issue, and it's the prime reason for the majority of the ransomware attacks that have recently struck healthcare. He said that Intermountain performed a "white hat" operation to phish its organization, and the scheme resulted in 40 percent of system users clicking the scamming link. "They got a nasty message and we followed up with more training," Probst said, adding that "Hackers only need to get it right one time."