Cybersecurity Consultants Weigh In: Healthcare Organizations Shouldn’t Go It Alone

Feb. 1, 2017
Mac McMillan, co-founder of cybersecurity consulting firm CynergisTek, and Joe Flynn, CEO of IT security services firm Auxilio, discuss the ongoing challenges facing data security leaders at patient care organizations and why they shouldn't go it alone.

Earlier this month, Austin, Tex.-based cybersecurity and privacy consulting firm CynergisTek announced it had been acquired by Auxilio, Inc., an IT security services provider based in Mission Viejo, California, in a deal valued at up to $34.3 million.

In addition to IT security services, Auxilio also provides document workflow solutions and services such as document consulting, print-as-a-service (PRaaS) and print device security. CynergisTek will continue to operate independently as a wholly owned subsidiary of Auxilio, and, as part of the deal, Auxilio’s Redspin division, which focuses on penetration testing and security assessment, will become part of CynergisTek. Following the acquisition news, it was announced this week that CynergisTek was ranked Best in KLAS in the Cyber Security Advisory Services category in the 2017 Best in KLAS Awards: Software & Services report.

Company co-founders Mac McMillan and Michael Mathews, Ph.D., launched CynergisTek in 2004, and in the past 13 years the data security landscape in healthcare has changed significantly. With the advancement of the Internet of Things (IoT) and connected medical devices, healthcare cybersecurity has only become more complex and challenging.

At the time of the acquisition announcement, McMillan said, “Our clients recognize that document and device security are important components of their overall security risk profile and the ability to deliver an integrated approach to managing those aspects of their infrastructure along with the digital pieces we’ve traditionally focused on is something we are laying the foundation for now.”

In a prepared statement, Auxilio CEO Joe Flynn said when announcing the acquisition, “We have come to know the founders and employees of CynergisTek quite well over the last couple of years and from the earliest conversations it was obvious we shared a vision of what the future of healthcare IT security and document workflow looked like and how the two will become increasingly intertwined.”

Healthcare Informatics assistant editor Heather Landi recently spoke with both McMillan and Flynn about how the cybersecurity threat landscape in healthcare has changed and the ongoing challenges facing data security leaders at patient care organizations. Below are excerpts from that interview.

Both of your companies have experienced strong growth in the last few years. How might that reflect the current security landscape?

McMillan: There’s no doubt about it, bad news or good news, whichever way you look at it, the threat environment is not abating at all. It’s going to continue to create challenges for organizations or industries that are very reliant on their information system and their data, which healthcare is. And, it’s an area that, unfortunately, healthcare is still very much behind the power curve, so to speak, in terms of the level of investment that the industry has made compared to other regulated industries. So there’s a tremendous amount of running room left in the market for companies to grow that have the right model and right approaches and the right set of services. So far, knock on wood, we’ve been there and hopefully the Auxilio transaction is going to give us the ability to turn up the heat and continue to grow in that direction.

Mac McMillan

Flynn: The need for healthcare to operate more efficiently and to save dollars has been the focus of our model; however, over the last four or five years, security has been number one on the list of priorities for our IT clients, which prompted us to make investments in this area. Typically, our team reports in to the IT organizations, so we wanted to have a good answer for them as to how we were going to help them secure the document production side of things. That is absolutely a priority and I don’t see that priority going away anytime soon.

What are the biggest data security challenges facing healthcare CIOs and CISOs?

McMillan: I think one of the biggest challenges they are dealing with is their shrinking budgets and trying to catch up with where they need to be on the security front. It’s becoming increasingly difficult for them to find the dollars to invest in the spend for an area that is typically not viewed as producing revenue, but there is an absolute critical need for them to do that to protect the environment that actually is producing the revenue, so that’s a big challenge.

Another challenge is the absolute pace at which technology is evolving and innovating. They are deluged with new applications, new systems, new devices and new approaches to handling data and sharing data, and at an exponential rate, and that in and of itself is creating tremendous challenges for them to try to keep up and to try to understand the risks associated with that. Right behind that is the fact that healthcare is absolutely a target today for cybercrime. Criminals have figured out how to monetize cybercrime and they have figured out how to push healthcare’s buttons with respect to the types of attacks that are effective, and those three things create a very challenging landscape for a CIO.

Flynn: To echo Mac’s comments, we see a lot of concern about their ability to have the financial capacity to keep up with all the changes that are happening on the technology side: security as well as data and the applications that run on their network. And shrinking budgets mean, a lot of times, shrinking staff as well, so that’s another big issue that healthcare is facing right now.

Joe Flynn

What are CIOs and CISOs at patient care organizations going to be focused on in 2017 regarding data security?

McMillan: I think they are going to be focused more on looking for efficiencies in their support structures. I think they’re going to be focused on outsourcing more of their security to trusted advisors and partners, and I think they are going to be looking for staffing support with respect to security. We have a number of clients that are coming to us now saying they can’t fill these positions, can’t find a good CISO and need support in that arena. They’re going to be focused on trying to make the right choices with respect to the technology that they invest in and deploy to meet their cybersecurity needs. So, I think it’s really going to be around trying to be as effective as possible with their dollars and figuring out what should I be doing and what should I have someone doing for me as part of a hybrid approach, as doing it all in-house is not going to work going forward. Outsourcing everything is not necessarily comfortable for most organizations either. They’re really going to try to find that right hybrid balance between the right amount of external support with trusted partners and the right amount of internal activity.

Flynn: I agree with Mac 100 percent. We see the same thing and our model is very much a staffing model, in that, when we get a contract with a big health system, we put a number of people on site at the major facilities, and that is an absolute benefit because oftentimes they are short on staff or the document management side of the house is not prepared enough to deal with the demand from the end users. So, staff augmentation in our world is very important, and staff augmentation of people that have the skill sets to understand the clinical environments is even more important. And, to echo Mac’s sentiment, these are times in healthcare right now where dollars are thin and, more importantly, staffing is thin.

In the time that you’ve been in the healthcare cybersecurity space, what are the biggest changes that you’ve seen?

McMillan: I think the biggest changes that have occurred most recently relate to the fact that the industry’s maturity level has risen to the level that they recognize that this is a very complicated part of their business. It’s not something that they can just assign a network guy to, or the compliance guy who’s interested in security so we make him the security manager. They are recognizing that there is a level of expertise, experience and sophistication that they are going to have to throw at this problem and this is not something that they can or should go alone. So we’re seeing more and more of our hospitals ask us to take over certain functions, to provide services, to provide dedicated support. They really want security partners now. They want security vendors who provide services, and not just products and not just a project. The industry is changing and that’s probably the biggest change in the industry—they are embracing this partner model and outsourcing model as it relates to security, as opposed to trying to do it all in-house like they were before.

Flynn: We’ve only actively been in the security business since 2014, but the change that we’ve seen in our world is that security around devices that are on the network, which had previously been overlooked (and it’s thousands of devices in the area of print), wasn’t really a priority when we started this business, and organizations never asked about it much. Over the last four or five years, it’s become a major priority. I think the IT leaders have recognized the vulnerability of the situation because of all these devices being on the network, and most of the devices are computers in and of themselves with a tremendous amount of PHI [protected health information] on them. So the threat level and the anxiety around securing these devices has become a big issue in the last four or five years.