On Friday, May 12 at the Health IT Summit in Chicago, sponsored by Healthcare Informatics, and held at the W-City Center Hotel in downtown Chicago, a panel discussion focused on some of the broad issues around IT security management in healthcare.
The panel discussion, entitled “Building an Integrated Security Strategy—Practical Tips for Creating a Governance Structure that Meets Your Standards,” was led by Sriram Bharadwaj, chief information security officer (CISO) and director, information services, at UC Irvine Health (Irvine, Calif.). Bharadwaj was joined by Michael Brunelle, privacy officer and data security analyst, Norwegian American Hospital (Chicago); Fred Kwong, Ph.D., director, information security, and CISO, Delta Dental; Adam Page, CISO and director, application services, NorthShore University Health System (Evanston, Ill.); and Chuck Podesta, CIO, UC Irvine Health.
It should be noted that the discussion took place from 9:00 to 10:15 AM Central time, nearly four hours before news of the global ransomware attack known alternatively as WannaCry and Wanna Decryptor broke in the U.K. and elsewhere, so that subject had not yet emerged to be discussed.
In any case, the discussion Friday morning was very wide-ranging. After general introductions and an overall framing of the subject, Bharadwaj turned to his discussants to get their perspectives on how they handle data security from the data governance and data management levels, specifically, how they’ve worked to develop an internal IT security framework. With regard to how the process moves forward at NorthShore University, Page said, “In terms of how we assess our security position, it had been up to the person leading those efforts” to manage governance, before he arrived at the organization. “So,” he said, “my first task was to assess our options. The first thing we did was to think, OK, if something does happen and we have to publicize some sort of breach, OCR [the Office for Civil Rights in the Department of Health and Human Services] is going to come in and ask questions, probably in the format of the OCR audit profile. So the first thing we did was to fill out that profile, and answer the questions, and score things red, yellow, or green, and why.”
Page continued, “When we felt we had gotten everything at least up to a yellow level, we did a reassess, looking at the progress we’d made in the past year. Documentation is huge: you’re using a framework to prevent a breach; but you’re also using those assessments to document what you’re doing. And from there, we’re now using the Resilience framework or assessment from the Department of Homeland Security/Carnegie Mellon. No matter what,” he said, “you need to use tools that are out there. And very importantly, what’s your scope, what angle are you coming from? And what software are you using? And how are you responding to each of the questions in any of the frameworks. That’s all very important.”
Delta Dental’s Kwong testified that “The reason why we went down the path of a framework, is this: if you think about it from a legal perspective, frameworks allow you to show to auditors and/or OCR if you ever get audited, what you’ve done in terms of legal standards. Following frameworks shows that you’ve followed reasonable steps to protect the data you hold. You cannot show something that you’re doing is reasonable if you don’t have it allied to some sort of framework; otherwise, someone’s going to poke holes. And so, how can you answer the question as to whether you’ve done what you need to? Following a framework isn’t the only thing you need to do,” he added, “but it’s a good foundation. There are a lot of frameworks: the NIST Framework that came out about three years ago, and the older NIST framework. The ISL Framework, and others.”
“If what you have today is mainly a compliance-based security program, and you want to switch over to a risk-based program, start with a relatively simple framework,” Norwegian American’s Brunelle offered. “If you haven’t done this in the past, that’s a good way to start. If you’re more mature, you might be able to go to a more advanced framework. Or there might be pressures in your organization to go to something more advanced like the HITRUST framework. So once you’ve gone down that path, you can start moving forward, choosing a framework and developing a security program based more on risk than compliance. And 1.1 added in the concept of risk. And the ISL framework is more of an international standard. But ultimately, you want to adopt one that works with your organization.”
In response to a question from an audience member on whether a framework exists that focuses on the internal side of identity management and IT security governance, and on whether that is something that is important, Delta Dental’s Kwong said, “Any of the major frameworks will address identity protection. There’s a Rising Breach Report—the most recent one found that 68 percent of breaches occur from the inside out. If you think about data that walks out of your organization, how often does that happen? It happens to everybody.”
And UC Irvine Health’s Podesta noted that “There are ways to map out your processes; you can use rules to create spreadsheets that show behavioral patterns. You can utilize those tools—and as you avert these breaches, you can create educational programs around what you’ve found out. You don’t use employees’ names, but use circumstances. These frontline employees are absolutely essential to educate,” in order to minimize the chances of breaches, Podesta emphasized. “Of course, there are bad actors out there. But it’s so easy for breaches to occur because of mistakes made by your frontline employees. So no matter what you do on the outside, there’s always a way in. But what you can do on the inside, you can really protect against internal threats.”
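Podesta’s point about using rules to surface behavioral patterns in access data, and then turning the circumstances (not the names) into education, can be made concrete. The following is an added example written for this page, not code from the panel or from any of the organizations named; the log format, the business-hours window, the per-role volume thresholds, and the sample records are all constructed for illustration and would be replaced by an organization’s own EHR audit-log export and policy.

```python
"""Rule-based review of constructed EHR access-log lines for insider-misuse patterns.

Three simple rules (after-hours access, cross-department access, and an
unusual number of distinct patients per day) produce findings, a per-user
summary (the "spreadsheet"), and name-free training scenarios.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log (not real data). One record per line:
# timestamp user role user_dept patient_id patient_dept action
SAMPLE_LOG = """\
2017-05-10T08:15:00 nurse01 nurse ICU P1001 ICU view
2017-05-10T08:20:00 nurse01 nurse ICU P1002 ICU view
2017-05-10T23:40:00 clerk02 clerk BILLING P1001 ICU view
2017-05-10T23:42:00 clerk02 clerk BILLING P1003 ONCOLOGY view
2017-05-10T23:45:00 clerk02 clerk BILLING P1003 ONCOLOGY print
2017-05-10T14:05:00 reg03 registrar ED P2001 ED view
2017-05-10T14:06:00 reg03 registrar ED P2002 ED view
2017-05-10T14:06:30 reg03 registrar ED P2003 ED view
2017-05-10T14:07:00 reg03 registrar ED P2004 ED view
2017-05-10T14:07:30 reg03 registrar ED P2005 ED view
2017-05-10T14:08:00 reg03 registrar ED P2006 ED view
2017-05-10T09:30:00 doc04 physician CARDIO P3001 CARDIO view
2017-05-10T09:35:00 doc04 physician CARDIO P1003 ONCOLOGY view
"""

# Assumed policy values; a real program would take these from its access policy.
BUSINESS_HOURS = (6, 20)            # 06:00 <= hour < 20:00 counts as expected
MAX_PATIENTS_PER_DAY = {"clerk": 20, "registrar": 5, "nurse": 30, "physician": 40}
DEFAULT_MAX_PATIENTS = 10
EXPORT_ACTIONS = {"print", "export", "download"}


def parse_log(text):
    """Parse the constructed space-separated format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, user_dept, patient, patient_dept, action = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "role": role,
                       "user_dept": user_dept, "patient": patient,
                       "patient_dept": patient_dept, "action": action})
    return events


def apply_rules(events):
    """Return findings as (rule, user, role, patient, circumstance) tuples.

    One event can trigger several rules; each rule is reported separately so
    the per-user summary shows which pattern dominates.
    """
    findings = []
    per_user_day = defaultdict(set)
    for e in events:
        verb = e["action"] + "ed"                       # view -> viewed, print -> printed
        hour = e["ts"].hour
        if not (BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1]):
            findings.append(("after_hours", e["user"], e["role"], e["patient"],
                             f"{verb} a {e['patient_dept']} record at {e['ts']:%H:%M}, outside business hours"))
        if e["user_dept"] != e["patient_dept"]:
            findings.append(("cross_department", e["user"], e["role"], e["patient"],
                             f"{verb} a {e['patient_dept']} patient's record while assigned to {e['user_dept']}"))
            if e["action"] in EXPORT_ACTIONS:
                findings.append(("export_outside_dept", e["user"], e["role"], e["patient"],
                                 f"{verb} a record from another department ({e['patient_dept']})"))
        per_user_day[(e["user"], e["role"], e["ts"].date())].add(e["patient"])

    for (user, role, day), patients in per_user_day.items():
        limit = MAX_PATIENTS_PER_DAY.get(role, DEFAULT_MAX_PATIENTS)
        if len(patients) > limit:
            findings.append(("volume", user, role, None,
                             f"opened {len(patients)} distinct patient records on {day} (expected at most {limit})"))
    return findings


def summarize(findings):
    """Per-user rule counts: the tabular view an analyst would review."""
    table = defaultdict(Counter)
    for rule, user, _role, _patient, _circ in findings:
        table[user][rule] += 1
    return {user: dict(counts) for user, counts in table.items()}


def training_scenarios(findings):
    """Circumstances only, with role in place of the employee's identity."""
    return [f"A {role} {circ}." for _rule, _user, role, _patient, circ in findings]


if __name__ == "__main__":
    found = apply_rules(parse_log(SAMPLE_LOG))
    for user, counts in summarize(found).items():
        print(user, counts)
    for line in training_scenarios(found):
        print("-", line)
```

Run on the constructed sample, the after-hours billing clerk shows up under three rules at once, the registrar is flagged only on volume, and the cardiology physician appears once for a cross-department view (which a reviewer may well clear as a consult). The scenario strings carry the role and the circumstance but never the user ID, matching the advice to educate with circumstances rather than names.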
“With regard to the challenge of identity management—for me, coming into a smaller organization with no security mindset, it was all very challenging four years ago, and remains challenging four years later,” Norwegian American’s Brunelle conceded. “Educating people about all of this—and roles and responsibilities change on a constant basis—all of those dynamics become a huge problem. I had to figure out a strategy around access, and sharing. And within the framework, that helps us to put a process in place to make sure that we’re thinking through carefully who has access to data.”
“Chuck, regarding governance of this at the board level, they don’t understand what this is about,” Bharadwaj said. “How do you handle that?”
“With a framework, you have risk management and compliance aspects,” Podesta said. “And the board has a fiduciary responsibility, but also a compliance responsibility, for the organization, as well. And so adhering to a framework helps them. So from that standpoint, it’s super-important. On the other hand, you also want to educate the board on the fact that you’ll never be able to prevent a breach—it’s not if it’s going to happen, it’s when it’s going to happen, and they need to understand that. That’s partly why you follow a framework. And doing tabletop exercises is very important. So I think it’s a two-way conversation with them. They need to understand the compliance aspect, but they also need to know what you’re going to do when a breach occurs.”
Bharadwaj noted that, “In Irvine, we have a compliance, risk, information security and privacy program; we call it CRISP. We bring issues together and try to solve them. We work through the process and respond to questions. It’s a governance body that really helps to pull together information. And we have a lot of takeaways from this that we use to help educate. Seventy percent of my job is educating the end-users to not do the wrong thing,” he noted. “It’s mostly not malicious, it’s mostly, ‘Oh, I didn’t know I was doing this.’ It’s very interesting how people change the way they behave once they understand the whys. We also have to make it work for them. So when people say, ‘You guys keep saying no!’ I say, it’s not about the no’s, it’s about the whys. It’s about explaining how we can get together and mitigate the risk together.”
Bharadwaj then turned to Page, and said, “Adam, can you talk about how you really operationalize a framework for risk management activity in your organization?” “You could spend a year or more just assessing your framework, depending on how deep you want to go,” Page replied. “So we believe there should always be short-term, medium-term, and long-term efforts. And doing those tabletop exercises is important, because you’re bringing in other areas of the organization and raising awareness. It’s nice to bring in your chief compliance officer, your CIO, your marketing people, your legal people. So you act out, OK, one piece of our network has been infected, now it’s going over to another. And it’s incredible the discussions that ensue. The goal is not to have everyone say, ‘OK, we’re good!’ when you do these exercises. No one’s 100-percent ready. But discussing questions like, so, what is the threshold in terms of how many machines are infected, as to when you call in external resources?”
“In a small organization, how do you handle frameworks?” Bharadwaj asked Brunelle. “Managing activity and tracking what we do in a structured enough way so that we are hardwiring some sort of process that fits within the framework, that is our challenge,” Brunelle responded. “While we’re thinking about security more and more now, we’re still cycling through new systems, new processes, new activities, that very often involve uncontrolled processes in terms of security; and business associates are involved in many of those processes. Do we have a business associate agreement each time? That’s a huge gap in things. And as we look ahead to the next couple of years, so much of the breach activity that’s going on is happening outside our walls, but affects us. So frameworks are nice; we have a lot to do within our own walls. And if we’re going to start to build tools and checklists, we have to build those tools. And that’s a huge gap and challenge for our organization. I’m hoping that more and more frameworks start to include created tool sets, knowing that every healthcare organization has issues in working with associate organizations.”
“We do have a third-party questionnaire we use, based on ISL controls,” Kwong reported. “It’s a good process to follow. I encourage people to follow that. So based on their completed questionnaires, we score them for risk, in terms of how it tracks with our framework, and whether it’s an acceptable level of risk or not. If not, we’ll work with our vendor and determine what we’re willing to accept. And we’ll suggest a remediation plan—and if they’re not willing to remediate, we have to consider either accepting that level of risk, or potentially looking at another vendor. And some of this has to do with how much leverage you have with a particular vendor. We also bring in evidence, not only from the assessment, but from external sources as well. A lot of external organizations will do research for you about vendor organizations—how financially stable are they? Is there information on the dark web about them?”
“We do an annual risk assessment process, per vendor and business associate,” Podesta noted. “We have a cloud-based vendor. And it’s one thing for them to sign a BAA, and tell you that they have policies and procedures in place, but how do you know that they really do? So requiring them to work with a third-party vendor to go through that assessment process and report back to you, is a real comfort. So I would urge you to consider using an outside assessment company, find out if they have that capability, and build that into your interactions with vendors.”
Further, Podesta said, “With your assessment from any external company, that will be the basis of your framework. And once you score 80, 90 percent on your first plan, you can move to NIST or ISO or HITRUST. And now you can go to your C-suite and say, these are the dollars I need to put this in place, and by the way, the first thing that will happen if OCR comes in is, have you done the things identified on your risk assessment? And if you say no, that’s probably not the answer they’re going to be looking for.”
“I agree with Chuck,” Page said. “The first thing you have to do to prioritize is to do your assessment and look at the results. And Verizon just did a good report. And you can look at which damages might be most significant or problematic. And you can look across healthcare and see what some of the serious issues have been—for example, you can encrypt your laptops. So ours, at the end of the day, all fits into a security plan, a two-year plan with three sections: must do, should do, would like to do.”
“You don’t need to boil the ocean right now,” Kwong emphasized. “Start with the simple question of, what do you get yelled at most about when a system goes down? So start with that—your most business-critical or sensitive data areas, right? Start with your crown jewels. I get yelled at all the time if this system goes down, so this must be the most important stuff. You know that you get the phone call in the middle of the night about the mission-critical systems. And even before you look at larger frameworks—there’s a security controls framework from the Center for Internet Security. This comes from a group of experts made up of hackers, protectors, scientific people, the 20 things that hackers use to get into your network. You can start with that. They have great tools that are all free, and give you the questions to ask around those tools. So don’t boil the ocean, start small, using tools in combination.”