A Nashville-based FBI agent offered a strong dose of reality to healthcare IT professionals attending the CHIME/AEHIS LEAD Forum Event, being held Monday, August 10 at the Sheraton Downtown Nashville, in Nashville, Tennessee, and co-sponsored by the Ann Arbor, Mich.-based College of Healthcare Information Management Executives (CHIME), and its subsidiary association, the Association for Executives in Health Information Security (AEHIS), and by the Institute for Health Technology Transformation (iHT2—a sister organization to Healthcare Informatics under the Vendome Group, LLC umbrella). Scott Augenbaum, Supervisory Special Agent in the Memphis Division of the Federal Bureau of Investigation, offered a bracing opening keynote address during Monday’s event, tagged “The Health Information Executive’s Guide to Cybersecurity.”
Among other things, Augenbaum, who has spent two decades at the agency, told attendees that the leaders of patient care organizations are simply not moving quickly and strategically enough yet, to meet the huge challenges facing them in the fast-moving landscape of healthcare IT security.
A fundamental issue, Augenbaum told his audience, is that it is no longer true that foreign entities are not interested in protected health information (PHI); they now are. Among other elements in the emerging landscape, he noted that the government of China has said that its plan is for China to be the world’s leading innovator in healthcare research by 2020, but that the government of China has also said that it does not want to spend money on research. Inevitably, he said, that means that governments including those of China and Russia, are doing a lot of work to breach healthcare databases and information systems in the United States; so are criminal syndicates in Nigeria and other countries.
Inevitably, Augenbaum said, when he goes into patient care organizations that have experienced data breaches, he finds preventability. “This element drives me crazy,” he told his audience: “90 percent of what I see could easily have been prevented. I do not go into a data breach situation where I don’t say, now, wow, that was sophisticated. And that’s because the bad guys are getting more and more sophisticated. The problem is we’re throwing more money into this problem than ever before, but are things getting better or worse? They’re getting worse.”
In that context, Augenbaum said, it distresses him that the leaders of most patient care organizations are “not doing the basic cyber-hygiene. And it doesn’t matter how much money we spend, if the bad guys are still getting into the network.” Fundamentally, he said, chief information security officers (CISOs) and others tasked with IT security in patient care organizations, tell him that their number-one complain is, as he put it “My upper-level management doesn’t get it.” What’s more, he added, there is a widespread lack of understanding about firewalls. Put simply, he said, “Firewalls are great controls, but they’re not a strategy.” And coupled with a lack of understanding of the broader context of IT data security strategy, is the fact that most patient care organizations have not designated any individual who is in charge of information security at the highest level of strategy. Many organizations have left the ultimate responsibility to their (physical) security officer, “who’s former law enforcement and knows nothing about information technology.” Next down the line is often an organization’s chief privacy officer, who, he said, typically says, following a breach, “But we’re HIPAA-compliant!” Others who end up taking the blame for a breach include the chief financial officer and the CFO’s audit personnel. But all of the finger-pointing following a data breach is really pointless and unfortunate, he said, adding that the key is for the leaders of patient care organizations to move forward now to build comprehensive strategies in this area.
Instead, Augenbaum said, “We’ve found that 90 percent of data breaches could be prevented if the leaders of patient care organizations simply began by focusing on the “CIS Critical Security Controls for Effective Cyber Defense,” as articulated by the SANS Institute. Those five, as described on the SANS Institute’s website, are:
> Inventory of Authorized and Unauthorized Devices
> Inventory of Authorized and Unauthorized Software
> Secure Configurations for Hardware and software on Mobile Device Laptops, Workstations, and Servers
> Continuous Vulnerability Assessment and remediation
> Controlled Use of Administrative Privileges
“If an organization does those top five tasks to protect its data security, it can reduce its risk of exposure by 90 percent,” Augenbaum stressed. “Things like only allowing approved software and applications onto the network, making sure to do a good patch management job (and the less software, the fewer vulnerabilities), limiting admin rights on machines—all of those kinds of things can drastically reduce your exposure.”
And, Augenbaum said, it is very important to understand that “It takes a full three to five years to implement a comprehensive IT security strategy. People simply don’t understand this,” he noted. But it is time for the leaders of patient care organizations in U.S. healthcare to accept the reality of the current situation, and to move forward from wherever they and their organizations are right now, to implement a comprehensive strategy, even as the landscape around IT security is becoming more challenging every day.