In a bracing discussion on Thursday morning in Los Angeles at the Health IT Summit-Beverly Hills, sponsored by Healthcare Informatics, the focus returned over and over again to some of the fundamentals of IT security strategy. The first panel discussion of the HIT Summit, which is being held at the Sofitel Hotel Los Angeles at Beverly Hills, focused largely on the major gap between available strategies and technologies and their actual implementation in patient care organizations across the U.S.
Ryan McDaniel, vice president of security and technology at the HCI Group consulting firm, moderated the panel. He was joined by Richard Greenberg, the information security officer at Los Angeles County Public Health; Gary A. Gooden, chief information security officer and director of IT at the Center for Personalized Medicine at Children’s Hospital Los Angeles; and Chris W. Jeorg, chief information security officer (CISO) at Cedars-Sinai Health System—all three IT security leaders local to the conference.
Framing the broad statistics around data security—and insecurity—in the U.S. healthcare system, McDaniel noted early on in his introduction of the panel discussion that “We’re looking at approximately 118 million records that have been breached, which means that over one-third of the population of the U.S. has potentially been breached. And we should look at the most relevant updates from 2016. Over the next 24 months, any healthcare location has a 26-percent chance of being meaningfully breached,” he noted. “So certainly, this is an important topic we’re discussing.”
Turning to his fellow panelists, McDaniel asked, “What scares you, what is the one problem that keeps you up at night? For me, what keeps me up at night as I work with different organizations, is the category of threats that can be described by the phrase ‘unknown unknowns,’ including insider threats.”
“I’ve been in IT for 25 years, and things are rapidly growing today,” Greenberg said, “And one of the big concerns I have is that the hackers are taking on all sizes, shapes, and forms, but they’re well-organized,” in fact, better-organized than ever. “And they’re sharing information on the dark side. They’re putting kits out there. It’s a multi-billion-dollar industry that’s underground. And each of us is trying to fight that with our little pockets. And we have a disconnect around laws that make it harder to share corporate information. You might recall a few years ago, President Obama asked for more data-sharing, and that’s what he had in mind.”
“To echo what Richard mentioned,” Gooden said, “while patients want to own their data, security is a multi-billion-dollar issue; at the same time, per what Richard said, the hacker today is not the hacker yesterday—this notion of some kid in somebody’s basement. This is a multi-billion-dollar business. And they don’t care about any of the rules or regulations; they care about gathering data to monetize it. And that’s only going to get worse. The rate of change of the technology, the mathematical models being generated to create these ransomware packages, is only going to get more prevalent.”
In addition, Gooden said, “What I found interesting is that several years ago, most healthcare organizations didn’t have CISOs. And upwards of 70 percent of healthcare organizations are already being compromised. And if their environment is hacked, the typical gap in time between the actual hack and its being discovered is 200 days. So what keeps me up at night is what I don’t know. And the second thing is the race to prevent biomedical devices from being compromised. And that’s a whole different level from the concern over ransomware. For instance, a lot of these biomedical devices are relatively primitive, in terms of their data architecture.”
“Information security is a big focus for us at Cedars-Sinai,” Jeorg said. “What keeps me up at night is what is sometimes referred to as ‘rogue IT,’ where users circumvent security controls to use their own devices. How do we prevent that, and address it in a meaningful way when it’s going on? The other piece for me is data loss because of a breach, and data loss that culminates in the eventual loss of patient trust. If someone’s data or privacy is breached through the fault of a healthcare provider, that is a very big problem.”
“Health data is worth more and is more easily accessible,” McDaniel said. “So let’s ask why healthcare is a primary target. Is it the monetary value of a patient record?”
“It’s the monetary value, and also, it’s a soft target, basically,” Jeorg replied. “If you go to a bank or a credit card company, they’re focusing on information security in a much more mature way. So it’s a lack of maturity in the focus in healthcare security. We need to protect the confidentiality, integrity, and availability of information.”
“Your patient record is worth $50” to hackers, Gooden said, “but in terms of the total capitalized cost—it’s worth more than $250. And healthcare is a softer target. I was here at this conference last year, and there was a panel discussion with CISOs, and one of the questions I was asked was, do you think the CISO should report to the CIO? And of the four panelists, including the moderator, they all said the CISO should not report to the CIO. At that time, a year ago, I wasn’t at the time a CISO. This is my first journey into healthcare, and I was shocked at the low level of maturity of technology when I came into the industry. So when I heard that said last year, I said, I don’t understand: if the rate of change in the level of attacks against healthcare organizations is growing exponentially… And why wouldn’t you want your security team to be part of your overall IT team? Because you need to be on a war footing; this is a war. I think this issue gets back to the issue of checkbox compliance for security. This isn’t a checkbox; it’s real. We just finished a PCI segmentation project. And if we focus on compliance, we can’t get to where we need to.”
“That’s right,” Greenberg said. “Many of the healthcare companies that have been breached were all compliant with regulations. And one of the reasons we’re a target is that the value of credit card information is miniscule. Hackers get credit cards, but they’re changed immediately. And the credit card companies have a great model for monitoring activity, and they call you. And your card gets changed immediately. In contrast, the life cycle for a breached medical record is very long. Medical records are worth a lot more, because it’s hard to immediately pinpoint a breach. If your ID is breached, you can go to a federal website, and they have a whole process to follow. If you’re breached in your medical records, there isn’t an obvious path. It’s incredibly difficult for people. We’re focused on being caregivers, and aren’t doing a good enough job of taking care of the security of the data of our patients. And we’re causing critical stress and doing a great disservice to our patients, if we’re not protecting the security of their data. It’s causing a lack of trust among patients.”
One of the core challenges goes back to end-users in healthcare, McDaniel noted. “You have a population that’s incredibly skilled at providing care and incredibly well-intentioned. But they may not have the sophistication around data security,” he pointed out. “Healthcare organizations lack both the budget and the defined processes needed in this area. So what do we do?”
“The insider threat remains a major one,” Greenberg insisted. “We take seriously educating our workforce. We can put in great firewalls, write great rules, deny access to certain sites, we can secure mobile devices with a tool that will allow us to remotely wipe them, we can push updates to users; we can put websites within security parameters. But the best-laid plans, infrastructure, and technological controls, can all be undermined by a single click, per phishing. HIPAA does require security training; it’s kind of vague on how often and what type. So it’s up to you to push for more required training; it’s a bit of a pain for end-users, but it’s very important. So we go out and do a road show, and we train people. And we’ve got hundreds of tablets being taken around. So we’ve encrypted all of our portable devices. HIPAA does say that if you have a lost device and it’s breached, you have to report it. But if the device was encrypted, you’re in a safe harbor. We also do awareness training, and we focus on phishing attacks. A URL zero-write. There are fake sites where you think you’re on the right site. But we have a tool that checks to see if a site is legitimate or not, and filters you out if it isn’t a legitimate site. That has great potential.”
“I agree with Richard,” Gooden said. “And we’re trying to catch up strategically with our own roadmap. And there is typically a disconnect in most organizations between the infrastructure team and the data security team. Most of the initiatives ongoing, the data security people wouldn’t know they’re actually happening. So we’re looking at infrastructure security technologies; and also we’re doing behavioral monitoring. You have to do data analytics behind your security measures. We do 24/7/365 monitoring of our environment. And every single thing that’s being stood up in your environment has to be examined” from a data security standpoint. “And the monitoring has to be ongoing.”
Another element that Gooden sees as an issue is the routine way in which end-user education is presented in patient care organizations. “We have to make the end-user training programs more interesting—they’re boring as hell! And because they’re so boring, they lack stickiness. Your brain becomes disconnected. It’s checkbox-writing. So we’ve been doing social engineering for some time, but we have to step up our game.” What’s more, he said, “You also have to look at things like identity-based access control. And that involves a multi-year process of change in your organizational culture. Because you cannot keep up with the mathematics involved in these hacker attacks in a static way. You have to combine strategies, and you have to implement social engineering at a much higher level. And look at your data security as a very high priority in your organization.”
McDaniel conducted a brief text-based poll of the audience, asking audience members which IT security strategies they were pursuing. That instant poll revealed that, while 73 percent are implementing antivirus protection, only 18 percent are engaged in developing advanced firewall protection strategies, and only 9 percent are engaging in behavioral analytics strategies and tactics—fairly low levels of engagement in advanced strategies.
With regard to those results, Gooden noted that “Next-generation firewall protection is leading-edge. And we’re looking at putting in advanced monitoring protections at the outside edge. We already have data loss prevention techniques in place, but we’re going to expand those. And it’s that balance between providing enough security to ensure the integrity of the environment, while allowing the end-users to participate in clinical or research work.”
Further, McDaniel emphasized, “The reality of risk in a clinical environment requires an integrated approach to security.”
“The general understanding now,” Greenberg said, “is that it’s not a question any longer of if you will be attacked and breached, but when. And if that’s the case, you can’t just sit back and pour millions of dollars more into technical controls. One of the most important things an organization can do is to put into place really good incident awareness and response systems,” he emphasized. “The average period of time between a breach and its discovery is 200 days. So that’s 200 days during which your data is being exfiltrated. And you cannot just have security involved; you have to have the business side involved, too, and your communications and public relations team—the press is going to come and visit you. So you have to test these incident response systems and capabilities. And over 90 percent of these breaches are not that sophisticated.”