It is very important to break down the elements and steps involved in creating a robust and effective data security strategy in any patient care organization. That was the message that Cris V. Ewell, Ph.D., the chief information security officer at UW Medicine IT Services, in Seattle, told attendees Tuesday morning at the Health IT Summit in Seattle, sponsored by the Institute for Health Technology Transformation (iHT2—a sister organization to Healthcare Informatics under the Vendome Group, LLC corporate umbrella).
Dr. Ewell’s presentation, entitled “Healthcare Information Security Practices: Why are we failing?” was the opening keynote address at iHT2-Seattle, and challenged attendees, who are gathered at the Marriott Seattle Waterfront in downtown Seattle, to consider, and perhaps reconsider, how they are allocating resources and strategizing around assets, as they pursue healthcare IT and data security strategies in the current, unsettled operational environment in U.S. healthcare.
Ewell encouraged his audience to think carefully about assets, data, and intelligence, and to focus their efforts thoughtfully and strategically, when it comes to IT and data security in the present environment. Among the key points he stressed, under the question, “What are some things I can do?” were the following:
> Adopt a repeatable and transparent risk management framework and methodology
> Identify and prioritize assets and related risk-mitigation efforts
> Implement an intelligence program
> Develop aggressive risk transfer strategies
> Minimize the electronic attack surface in one’s organization
> Advance processes around incident response and management
> Ensure that the CISO in the organization has defined accountability and responsibility
“There is no shortcut” to developing a truly robust overall strategy for enterprise-wide IT and data security, Ewell told his audience. What’s more, the bigger and more complex the patient care organization, the more challenging it becomes to create and execute a truly comprehensive strategy, across the layers and dimensions of one’s organization, and across the complexities of people and processes.
One of the key elements in all this is developing a comprehensive risk management program for IT assets, Ewell told his audience. One slide in his presentation laid out the core elements of a successful risk management program, which he said include the following:
> Concentrate protection efforts across the entire organization
> Be nimble enough to adapt to new threats
> Be risk-based and not compliance-driven
> Involve executive management and the board in your risk management program
And none of this is easy. “At the University of Washington, which is a complex organization, it is hard to get to an enterprise-level risk assessment, given that we have 14 entities, and many other departments, that are involved in ePHI [electronic protected health information],” Ewell said. Meanwhile, he supports the idea of bringing in outside consultants to help with enterprise-level risk assessment, but he immediately adds that, “When you bring in an outside firm to do a risk assessment for you, what they will provide you is a technical risk assessment, not a true enterprise-wide risk assessment. They will tell you about your ‘things,’ not your processes,” he emphasized. “Only you and your team internally can really assess your processes.”
In addition, Ewell noted, “Our adversaries are changing. They know what’s going on” in the industry, and are closely following trends and developments in healthcare IT. They are also becoming increasingly sophisticated as they seek ways to infiltrate and compromise organizations’ network infrastructures. For example, he said, cybercriminals are closely monitoring the social media activity of individuals, especially those who are on the staffs of patient care organizations. “They’re watching your LinkedIn profile to see what’s in it,” he stated. And the more information they can find in end-users’ professional and personal accounts, the more readily they can tailor attacks and intrusions.
Of course, in all this, Ewell emphasized, a core perpetual threat remains the fact that end-users working in patient care organizations continue to click on phishing e-mails, opening messages and attachments that lead to malware attacks, including ransomware. To some extent, he said, there is an inevitable level of vulnerability in this area, given the human factors involved. In fact, he said, “People who work in healthcare want to help other people; and the cybercriminals know that and use that to their advantage.” It is the social engineering aspect of humans, particularly humans working in patient care organizations, that will always be a point of vulnerability with regard to data and IT security, he said.
“Not a once-a-year thing”
One element in all this that is clear, Ewell said, is the need to change thinking and culture around data and IT security. “You cannot do this in a vacuum. And you need to get executive management and board support” in order to get not only the funding, but also the organizational support, to make IT security strategy work across any patient care organization. “There is risk, and what you need to do is to bring this up to your organization’s board, and ask the board members directly how much risk they’re willing to accept.”
Furthermore, he told his audience, “You should be doing all of this before you’re under attack. I’ve been at UW for six months now, and we’re doing risk assessments every single day. And that’s a whole change of culture. It was also a change of culture at Seattle Children’s when I was there.” Referring to Drex DeFord, a healthcare IT consultant who was CIO at Seattle Children’s during the same time that he was the organization’s CISO, Ewell hailed DeFord for being a strong partner with him around IT security strategy development and execution when they were both working at that hospital together.
Fundamentally, Ewell said, “risk management is not a once-a-year thing.” In fact, he stressed, “It needs to be an everyday thing. We have to constantly think, where is our risk? Where is it going? What kinds of controls do we have in place? What threats are emerging? What attacks are already happening? And in doing that risk assessment, we look at threat actors, attack vectors, organizational risk, threats, aspects or targets, context for predictive analytics, and capabilities,” he said. One of the weaknesses in most patient care organizations, he added, is that “Most organizations focus only on capabilities.”
But, he said, “It is very important to ask the question, why do threat actors want our data? Where is our data? How is our data protected?” and other essential questions. In that regard, Ewell noted, “I’ve started creating dashboards and reports. One thing we didn’t have when I joined UW was a risk mitigation plan. Now we can create one on the fly—one that includes threats, impacts, vulnerabilities, what we need to do to fix those risks—and we can do that at any time for any area. That’s what you need to do. Give me your risk assessment, give me your last risk assessment, give me your risk mitigation plan, give me your policies, give me your processes and procedures.”
In that context, Ewell said, “I create risk charts for our board and our executive team, charting our risk across the enterprise, and express where I’m concerned and where we need to change some of our practices.” The processes around that infrastructure have proven to be very successful, he noted.
Meanwhile, when it comes to assets, Ewell said that knowing one’s organization’s assets is neither straightforward nor simple. “You need to begin with the process of asset profiling and inventory listing,” he said. “The first thing you need to do is to find out where all your assets are,” and that can turn out to be a long, complex, and difficult process. It is important to understand the “attack surface,” meaning a mapped-out picture of the range and particulars of the threats and risks the organization faces. The elements of that map, he noted, include the range of assets, including intellectual property; key services and products; applications; business partners; key individuals; and data. In turn, data includes the types of data involved; the volume of that data; and the applicable laws and compliance requirements around all of it.
One key element in all this is intelligence, as in intelligence-gathering, Ewell said. “This is a hard area, because you can consume your entire staff doing nothing but intelligence. And this is not just about news feeds,” he said. “Many vendors provide news feeds. And you can get inundated with an enormous amount of data, several gigs a day. But the whole purpose of this is to provide forecasting. I’m trying to figure out where the attacker will attack first.”
Attack vectors include the following: authorized account misuse; cryptographic and password attacks; data interception; denial of service; implied trust exploitation; malicious malware, misjudgment, or error; operating system and application vectors; physical attacks; social engineering issues; and supply chain compromise.
In the end, what should healthcare IT leaders do? “Begin by coming to an understanding of your information security and risk framework,” Ewell advised. “Discover and prioritize your assets, and understand what your high-risk assets are. Start with your data centers: do you even know 100 percent of the assets you have in your data centers? Develop dashboards; understand your threats; develop a continuous risk management and improvement process; and maintain a series of checks and balances” in terms of balancing the need for security with the need for data access.
Above all, Ewell urged his audience, “Do something. Determine the place to start.” As a CISO, he said, “I can’t fix everything. I can’t fix the world. I can do certain things. And I can work with my vendors.” It is extremely important to understand, he added, that “This is hard. You cannot simply download this list from the Internet. You can’t download an easy threat list. You have to do this work. This is not something you can download. And it’s continuous. This is not a one-time, once-a-year event. It has to be built into everything that you and your team do, and what your CIO does, and your medical staff, and your organization. This is an institutional problem,” he added.
And, in response to a question from Healthcare Informatics following the presentation, regarding what advice he would give hospital and health system CIOs, Ewell said this: “Recognize that it’s a partnership. You as the CIO have most of the financial and human resources. But the CISO, who may not report to you, has the authority for data and IT security. So it has to be a really good partnership. What’s more,” he said, “it’s very important to understand that you’ve got to get the security built into your implementations from the start. Don’t think that you can just ‘bolt on’ the security later; if you didn’t have the time to build the security into your information systems and applications the first time around, you won’t have the time to fix it later.”