On June 28, at the Health IT Summit in Nashville, sponsored by Healthcare Informatics and held at the Hilton Downtown Nashville, a panel of industry experts on health IT security held a layered discussion of the complex current landscape around data security.
The panel discussion session, entitled “Building an Integrated Security Strategy: Practical Tips for Creating a Governance Structure that Meets your Standards,” was led by Lee Barrett, executive director of the Electronic Health Network Accreditation Commission (EHNAC). Barrett was joined by Patty Lavely, senior vice president and CIO at Gwinnett Medical Center (Lawrenceville, Ga.); Shane Pilcher, administrative director, information services, Siskin Hospital for Physical Rehabilitation (Chattanooga); Shayne Champion, director, information security and architecture, Erlanger Health System (Chattanooga); and David Finn, a former CIO and the health information technology officer at the Mountain View, Calif.-based Symantec Corporation.
The discussion quickly became very pragmatic, after Barrett asked his fellow panelists, “As each of you has developed and managed your security strategies for your organizations, what are some of the practical things you’ve done to support governance structures?”
“One of the things we’ve done,” said Champion of Erlanger, “is to look at our governance structure and look at what’s practical. For some organizations, you can do something as robust as what we’ve been doing; for others, that’s not possible.”
“Working for years on the technical side to harden our structures, we didn’t really have a formal security risk program,” Pilcher reported, of the situation at Siskin. “So we’ve taken a journey over the last year and a half to start to develop governance and management structures. We’ve consulted outside organizations. We’re using NIST [the framework from the National Institute of Standards and Technology, within the U.S. Department of Commerce] and other frameworks to help us start. We’re putting committees into place to help us start as a body. And we wanted to make sure it wasn’t information systems-driven, but organizationally driven. So we brought in our compliance officer, our HR director, so that as we put out new policies, they were organizational.”
Finn said, “I’m going to echo those comments. I spent 25 years in the provider space, in roles ranging from a systems auditor to a CIO, prior to joining Symantec. And when I arrived in a security and privacy officer role in a hospital organization, I realized that we had a lot of data—but at the same time, that we didn’t understand the data. And the last people to understand the data are the IT people. So you have to understand the data and what’s at risk, and what’s important, and you have to tier that data,” he said. “IT cannot make those decisions; you’ve got to have the organizational and data owners, and the users—clinical, finance, etc.—and they’ve got to decide what levels need to be protected, and levels of protection on that data.”
“I agree with everything said,” Gwinnett Medical Center’s Lavely said. “And the most important element has been education. We put into place some formal policies, pulled together a framework. Then the next step was to bring in compliance, risk, and HR, and get them on board with the framework. And then I went to the c-suite and the board, because the board is ultimately responsible. And I’ll say, with the leadership, it’s a constant work in progress of continuing that education. It’s a little easier now [to persuade people of the need for healthcare IT security], because we have so many public issues affecting us personally as individuals, whether with Target or Home Depot, for example. But we continue to look at issues like password expiration and other issues—and it’s becoming more and more acceptable to put in [more rigorous] policies and procedures than previously, but not without education.”
Achieving—and Maintaining—Board-Level and C-Suite-Level Engagement
“As you’re working with your management and board of directors, how do you keep them informed and engaged, and supportive of your various objectives and work?” Barrett asked his fellow panelists. “How do you engage and keep the board engaged? And are there other committees, like the audit committee, that you involve? How do you manage all of those groups? Patty, any specific kinds of ideas?”
“Well, we’re very fortunate,” Lavely responded. “We have a member of our board who comes from the telecom industry. He’s actually no longer in that industry, but that background has been tremendously helpful. And cybersecurity now reports to the audit committee on the board, and he’s on that committee. In fact,” she went on, “we had a board meeting Monday night. And we just produced our section on cybersecurity for the board; in my report to the board every month is a section on cybersecurity; it takes their eyes to that section of the report. And then we do an extended report to our audit and compliance committee every month. And when we have a potential big breach, I will call to give that member a heads-up. We don’t want them involved in the operations, that’s not their role; but we try to keep a high level of awareness. And I would not go to the board for funding without going to the c-suite first, but when I do bring something to the board, it’s a non-issue; it gets approved.”
“To Patty’s point,” Finn said, “it really is educational. And particularly the community hospital boards, they’re not IT experts; sometimes, they’re not even healthcare experts. So it’s a long, slow process. And you have to meet them where they are. If you start talking about IT or clinical workflow, you’re going to lose them. You have to meet them where they are.”
There is also the element of time needed for the education to sink in, and the need to find data and statistics that will influence board members’ thinking, Pilcher noted. “This year, we’ve actually had a cyber-insurance expert on our board, to get that expertise and knowledge,” he said. “So the education doesn’t happen overnight. And one of the challenges is finding the metrics to submit to the board that provide value and interest and don’t waste time. And we also report to the audit and compliance committee as well. And teaching them is very important as well. We’ve had a penetration test. And if you’re updating them, they know the issues involved. And it doesn’t take a lot of convincing. They will start asking deeper questions and start asking you follow-up questions; they want to go deeper with you.”
Champion agreed, adding that “As a cybersecurity professional, I feel like a lot of my job is to be a professional translator. I’m constantly translating between technical teams and business. So when we speak to executives and our board level leadership, we speak at a high level. I don’t want to talk subjectively; I want to talk about the percentage of risk of something happening this year, and the dollar impact if something happened. I want them to be able to make choices based on those factors. And we also want them to understand how well we’re doing or not doing. And I want to make sure that we can compare ourselves not just against local competitors, but against industry generally, so we can be as competitive as we can be.”
Are Healthcare Leaders Really Sharing About Breaches Yet?
At this point in the panel discussion, an audience member raised his hand to ask a question. “The speaker before this advocated for sharing in the event of a misadventure of some type,” the audience member stated. “Do any of the panel members discuss this with their boards, what steps we should take in the event something happens? Are we going to share? Healthcare is not a big ‘sharer.’ I don’t believe that a lot of people are sharing.”
In response to that audience member’s question, Champion asked a question of his own. “How do you turn that into a business proposition?” he asked. “It’s really simple. Compare this to a security guard in a hotel. He has to make sure that every door and window is locked at all times; the bad guy only has to find one unlocked door or window. That’s the thing: if one person finds an opening… Teaching that, and that’s what Patty was talking about, teaching that, that’s changing the value proposition, making it harder for the attacker. And if we share, that helps.”
“You’re right, the culture has been to hold that information very tightly, but that’s a culture that’s changing,” Pilcher said, in response to the audience member’s contention that the healthcare industry has not been an open one when it comes to sharing challenges. “When it comes to security, that’s the one thing where I’m seeing organizations breaching that competitive wall, and working together to combat this. Because it is a war, and there’s no single silver bullet for this. It’s also very costly. The scope may change, but the same problems are there for everyone. In Chattanooga, we’ve developed a regional group that meets once a quarter, and we’ll invite CISOs from major Fortune 500 companies. And we’re sharing with each other how we’re going about doing things.”
Finn reported that “I had the pleasure of serving on the Healthcare Cybersecurity Task Force, under CISA, the Cybersecurity Information Sharing Act, passed by Congress. We’ve got to get over people not wanting others to know they have flaws and problems. Quality is about sharing information,” he emphasized. “To Shane’s point, this drives down incidents of all kinds. That said, we have a very fascinating industry, because we range from huge, multi-billion-dollar corporate providers, to solo physicians. We got into this mess together; we’ve got to get out of it together.”
“And I’m seeing that organizations are starting to get over it; they’re starting to share information with each other. And they’re learning ahead of time what sorts of strategies they might pursue,” Barrett said. “So I’m starting to see a lot more openness; it’s happening. And because people are looking at cost, they’re saying, hey, we need to be proactive rather than reactive. In the last session we had a few weeks ago, the entire session consisted of how we could come up with some practical suggestions for medical practices, from single-doc practices to larger group practices. But it’s all education and awareness. The good news is that, from the EHNAC level, I’m seeing a lot more sharing.”
“I agree with what everybody said; but from my point of view, I’m not seeing the sharing of information, yet,” Lavely interposed. “And we desperately need it. The only way we’ll combat the Petya, the NotPetya, the WannaCry—is through sharing. And our board and senior executive management are still skittish about sharing information publicly. There are a lot of issues to consider. However, for survival, we’ve got to share. And I’ve recently been trying to pull together all the CIOs from the Atlanta area, to share. The first battle is getting everyone together, per schedules. And we’re all friends; but the first thing someone said was, can we put together a confidentiality agreement? So there’s a way to go.”
“And during WannaCry, HHS was holding daily open phone calls on the situation,” Finn said, referring to the Department of Health and Human Services. “So it is changing. And we’re seeing a shift around security; traditional security people wanted to lock things down and keep moving. Risk management is different from security. So we’re seeing a shift from it being just a security issue, to being a risk management issue.”
“And when you’re sharing information about an incident, you’re not having to share everything—every vector you got hit with, every failed policy,” Pilcher noted. “You’re sharing the major points. So you’re not having to share everything. I do advocate not sharing everything, but sharing enough to give benefit, and get benefit back.”
“And because we’re talking about technology, we sometimes fail to talk about this in ways we can understand,” Champion added. “Who invented the polio vaccine? Jonas Salk. How many people in his family or among his friends were affected by polio? No one knows, and it doesn’t matter. So you don’t have to give tremendous amounts of data, nor do you need to get into tremendous levels of data with your board and c-suite. Explain things in simple terms they can understand.”
The Board’s Responsibility
“What is the board’s responsibility in all of this?” Barrett asked his fellow panelists.
“The board’s responsibility is to manage risk, so I try to put everything in terms of managing risk,” Lavely said. “And we do a comprehensive annual cybersecurity risk assessment. And we use that assessment, and the elements in it, to measure risk and how we’re reducing risk. That’s the main part of what I share with the big board every year. We try to keep it to a high level for them. Now, for the audit and compliance committee, we give them much more detail, such as anything we’re doing, like encryption, and all the tools we’re using, and our assets, and so that’s much lengthier. And it’s a tough one to determine how much detail to share with them [in terms of what they can absorb].”
Finn offered that “Bruce Schneier, one of the security people I most admire, has said that more people are killed every year by pigs than by sharks, which shows you how good we are at evaluating risk—and Bruce is one of the true thought-leaders around data security. We all know where the sharks are; we need to figure out where the pigs are.”
“Yes, and keeping the board completely informed at the business level remains important,” Pilcher said.
“A couple of things around metrics,” Champion said. “What’s important to the board is your business’s mission—and its goals, assets, etc. So being able to draw a direct line back to the organization’s core mission is important.”
Creating a Cybersecurity Culture
“How do you create a cybersecurity culture within your organizations?” Barrett asked his fellow panelists.
“I think that’s a top-down kind of thing,” Lavely responded. “And I don’t know if we’ve created it yet, but we’ve actually got a lot of clinicians, of medical staff, calling us and asking whether something is fraudulent or not. So it goes back to the education, because our best defense is our employees. We continue to send out tips on a regular basis, we do phishing campaigns, and education around phishing campaigns, and we even provide handouts for how to do safe computing at home, because we hope that helping them in their home environment will translate to their habits in their work environment.”
“I started out as a privacy and information security officer, in 2001,” in a health system, Finn said. “I had a medical staff of 1,600 doctors, and a staff of 10,000 employees, and a health plan and an MSO, and I had a privacy compliance person and a security compliance person, and myself. And I realized I needed about 12,000 security officers—and that’s what we set out to do! For months, I visited every practice, every floor, every location, as did my managers. And we did basic training, and made it fun. And it has to be personal. And we did a privacy and security fair. And by the time I left the organization, we had a few thousand people coming to that privacy and security fair. And we live in a whole different world from even 10 years ago. Everyone’s got a smartphone, and a tablet,” he added. “There’s a statistic that says that the average adult has 3.6 Internet-connected devices. So we have to change the way we think about data, about information technology; and we have to change the way we live our lives.”
Pilcher offered that, “As Patty indicated, there’s not one single approach that works for everyone; so you’ve got to be flexible. And so you need to take every opportunity you have, to talk about security. Make it fun and topical. I usually put out tips every month, to warn and update users; and the feedback has been very positive. And like Patty, I give people tips they can use at home, because improving their computing habits at home will help us. And every hospital typically has a cafeteria that sells cookies and treats—post tips in that area.”
And, noted Champion, “Microsoft calls their salespeople ‘product evangelists’—and that’s the kind of attitude I’d like us to take, to evangelize around the importance of [health IT security]. And we reach out to people, we have lunch-and-learns that help them do safer computing at home. And we actually tell them, give us a call, and we’ll help you with your home network. We also have a training session with physicians—and the big problem with them is, ‘so what? How does this affect our worklives?’ So we’ll go up on stage and live-hack a medical device. And all of a sudden, they realize the importance of this, and how it connects with the need to protect their patients.”