At the Health IT Summit in Raleigh, a Nuanced Discussion of CISO-Level Challenges
A number of complex, nuanced issues at the CISO level came to the fore in a panel discussion on Friday afternoon at the Cybersecurity Forum, on the second day of the Health IT Summit in Raleigh, being held at the Sheraton Downtown Raleigh (N.C.), and sponsored by Healthcare Informatics.
The panel, entitled “Practical Tips for Creating a Cybersecurity Framework that Meets Your Privacy Standards,” was led by Lee Barrett, executive director of the Electronic Health Network Accreditation Commission (EHNAC). Barrett was joined by Johannes (John) Boehme, CISO, Wake Forest Baptist Health (Winston-Salem, N.C.); Chuck Kesler, CISO, Duke Health (Durham, N.C.); Chris Beal, director of security and chief security architect, MCNC (Durham); and Carl Cammarata, CISO at Northwestern University’s Feinberg School of Medicine (Chicago).
EHNAC’s Barrett opened the discussion by asking his fellow panelists, “What’s the single most complex and challenging issue your organization is facing right now with respect to security and privacy compliance?”
(l. to r.:) Barrett, Beal, Kesler, Boehme, Cammarata
“It’s a continuous challenge—knowing where your data’s at,” said the Feinberg School of Medicine’s Cammarata. “In the culture of our organization, with 3,600 researchers in 2,400 departments, although they are connected together through the School of Medicine, they are run by their department heads, in a very entrepreneurial way. So the challenge is knowing where the data is, knowing the level of sensitivity involved; and if it’s consented research data, it’s treated differently from ePHI under HIPAA.”
“And you have millions of dollars in research grants and projects coming into your organization,” Barrett said. “Does that add another level of complexity?”
“We receive $676 million in research grants a year,” Cammarata replied. “And absolutely, that adds a huge level of complexity to this. And yet it ends up having only an incremental effect on my staffing model, which is constrained by budgets. I have to learn how to manage what I have. So I built out an extensive risk assessment process—we have over 5,000 data security plans prepared by the principal investigators,” he reported.
“The challenge we have right now is the maturation process for our medical device program,” said Wake Forest Baptist’s Boehme. “This to us is our next frontier: the ability to get everything together, to know what’s in your assets, what’s in your production network. That’s a real challenge. It’s similar to the days when we were moving from analog film to digital” in radiology, he added. “But I think we’ve put a handle around that, and around the technical questionnaires and interactions with the vendors. Our challenge is how we govern it. You’ve got radiology, laboratories, and biomedical, all spread out. Our challenge will be how to put a governing set of principles around all those areas. Who’s going to govern those areas, and which would be the overarching committee over a particular issue? One team says, ‘We have to do this for patient care,’ while the security people say, ‘It’s going to be a detriment to the network.’”
“Building on those themes,” said Duke Health’s Kesler, “Duke is both highly centralized, but also decentralized, in terms of the organization’s research functions. It really comes down to people. We have 30,000 users, including faculty, students, affiliates, staff members, etc. We’ve done a lot of work educating people and trying to instill good behaviors. But at the end of the day, usually when we have a problem, it’s because someone’s made a mistake, and that results in an infected machine or other problem. At the same time, people are our greatest asset, and are an extension of my team,” he added. “I’ve got a team of 20 people, but by extension, a team of 30,000. And another challenge we’re dealing with is that a lot of people are bringing devices into the network. So bringing in training and awareness hopefully helps change the equation.”
“At an abstract level, the biggest challenge is culture and change,” said MCNC’s Beal, whose organization provides a secure communications network for North Carolina’s state government, its public and some private universities, and numerous hospitals, public safety organizations, libraries, and other organizations. “The threat landscape has changed. And we have many people who have been here for a long time, in IT. And their attitude is, our job is to move packets, not to care what’s in them. So we need to change that, and that’s a challenge at a really high level.”
What’s more, Beal continued, “Bringing it down to the next level, we are challenged greatly by scale. We have 2,700 miles of fiber. And our backbone network moves a lot of data. And there are a lot of tools we could take advantage of, but the vast majority of solutions are designed for enterprise scale, not service provider scale, and the service provider scale solutions are really, really, really expensive. So affording what we need to provide is a significant challenge.”
Balancing data availability and data security
“A lot of data has been shared now, including among ACO [accountable care organization] partners, other organizations,” Barrett noted. “So how do you look to balance data availability and data security? Because the number of connections you’ve got is growing exponentially out there.”
“Knowing what data is yours remains very important,” Duke Health’s Kesler emphasized. “And we’re trying to move towards a system of virtualized desktops and laptops, where we provide the availability, but control the management of the data.”
“And what about role-based authorization?” Barrett asked.
“Yes, that’s a basic area in which we need to move forward,” Kesler replied.
“Viewing it in terms of risk is important, so it shouldn’t be a question of, is this thing secure?” Beal said. “The question is, is this a risk worth taking? We need to answer whether we’re comfortable taking a risk—but that falls to the stakeholders, not the IT security people. We need for people to be accountable for those decisions.”
“You need a level of rigor to make sure that you are going through every single system you’re implementing, and go through a risk analysis,” Barrett emphasized. “That’s something you need to constantly assess.”
“Yes, finding specific pathways to use data—one way to do collaboration, one way to do file transport—make it as easy to use as possible, but not allow multiple points,” said Wake Forest Baptist’s Boehme.
“You’ve got a lot of audit committees, boards of directors, to report to. How do you handle that?” Barrett asked.
“I do monthly risk assessments that go to the School of Medicine and leadership teams,” Cammarata noted. “I trust that that gets percolated up. Second, we prepare monthly metrics, including the percentage of data security plans we’ve performed every month, which is 100 percent; and percentage we’ve audited. And we audit compliance plans. And we also manage the vendor assessment and approval vendors. So we’re making sure the plans have been approved.”
“I don’t have direct access to the board, but I do have direct access to the audit compliance committee,” Boehme said. “Our board has shown a lot of interest. And boards change with the personalities on the board. And right now, we’ve got a fair number of technocrats, which is good, because it’s increased the awareness of the c-suite around security. I also have had a security governance committee established for about a year-and-a-half.”
“We have a very similar situation at Duke,” Kesler noted. “I have a counterpart CISO on the university side; in other words, we have a CIO and a CISO on both the health system and university sides. The board and audit committee have been very engaged for the last few years. Certainly, what happened at Anthem was huge. And when we need to report out, they’re interested. And we do multi-factorial authentication, which is difficult. And one of the board members, a member of the audit committee and the CTO of a major tech company, has been important. And with board support, we’ve moved forward with engaged support, which is very helpful.”
“We generate risk scores, in a dashboard-type format, and share that data with boards,” MCNC’s Beal reported. “It’s important to have consistent measurement across your assets. Boards are very interested in that, as well as in reports on DDOS attacks, which are very significant for us as an ISP.”
In response to a comment from an audience member, who said that he sees significant staffing challenges in healthcare IT security, compared to in other industries, Duke Health’s Kesler agreed that “That is a challenge. We have had engagement with the board” at Duke, he noted. “And they’ll ask, what resources do you need? And we want to manage expectations. You need not only the technology, but the appropriate people who can best manage the technology for you. So we try to build in the ‘ask’ for the headcount as part of that.”
What’s more, Kesler said, “In terms of how you staff things, we’re lucky here in the Research Triangle area [Raleigh-Durham-Chapel Hill], we have a lot of tech people here. We have the second-largest chapter of information technology specialists in the world, in terms of members of a leading professional association. But that is an issue in many places. I count myself lucky that we have access to the talent pool that we have.”
“It’s a blend of strategy, where you could get a third party to augment staff, where appropriate,” Boehme added. “And also, we continue to acquire technology, but we’re paying more attention to technologies that integrate with the existing systems, so our analysts don’t have to log into every different system we have. So we’re trying to identify one or two gold-standard apps in a family. We may be OK with that, if they integrate well.”
“I think part of why that challenge exists is where we are in the maturity curve with security organizations,” Beal said. “We heard this morning that security still very often is viewed as a technology issue. We need to be able to articulate a business case for why we need three more people, for example, and to be able to explain the need to the executives who control the budget. And as we get better at doing that, we’ll become more successful in pulling away the resources we need.”
“I believe we have to do the security basics really, really well; unless we’re doing the basics really well, we don’t need to add more complexity to an already-stretched staff,” Cammarata said.
What about cybersecurity frameworks?
“What kinds of security frameworks are you using right now?” Barrett asked his fellow panelists. “And what are your thoughts on using frameworks?”
“Cyber-frameworks can absolutely be useful; but don’t be a slave to them,” Beal advised. “In terms of best practices,” he added, “multi-factor authentication really raises the bar for improving your security posture. In terms of ransomware, you need to look at your backup processes; and you need to do continuous vulnerability assessment, and continuous patching. And critical controls are very important.”
“I think that starting with controls is very important,” Kesler opined. “In general, harden as close to the application as possible; don’t depend on your external firewall. That’s particularly true as we move more towards mobile and cloud. Frameworks, yes, I absolutely agree. The NIST Cybersecurity Framework is a great one. And yes, critical controls. And in terms of cyber-hygiene, what does that really mean? And I need to make security as simple for end-users as hand hygiene is for the clinicians in our organizations, for it to be effective.”
“I agree with what Chuck and Chris have said,” Boehme said. “And I would add, we need to spend a lot more time on what we’ll allow on a production network. It’s perhaps not the most favored aspect in the eyes of our end-users, but we’re spending a lot more time focusing on locking down the production network. We’ve been using the HITRUST Framework, and used it to blend processes together, and it’s been very helpful; it’s given us a good control view, and we build a lot of our strategic plans on a control methodology. And in terms of cyber-hygiene, security has got to be executed by our entire enterprise; it can’t just be done by IT security people. It’s an organic growth opportunity.”