At Texas Health Resources, A Strategic Approach to Evolving Cybersecurity Challenges

Nov. 14, 2017
The health system’s CISO, Ron Mehring, details the organization’s data center transformation project and creating the security infrastructure needed to support future business and clinical initiatives.

With a fast-evolving cyber threat environment and a continuous flood of healthcare data breaches, chief information security officers (CISOs) at hospitals and health systems face mounting pressure to safeguard their organization’s networks as well as critical clinical and financial data. Healthcare CISOs face complex and challenging issues with respect to information security, including rapidly evolving malware threats, insider data breaches and the increasing use of medical Internet of Things (IoT) devices across their organizations.

In addition to security-focused projects, CISOs are often involved in enterprise-wide technology initiatives as well. At Texas Health Resources (THR) this past year, C-suite executive leaders have been focused on a massive data center migration initiative. THR is an integrated health system based in Arlington, Texas with more than 350 points of access, including 29 hospital locations that are owned, operated or joint-ventured with THR, 100 outpatient facilities and 250 other community access points, including the Texas Health Physicians Group clinics. THR has more than 24,000 employees and the system serves more than 7 million residents across 16 counties throughout North Texas.

The health system’s CISO, Ron Mehring, says the organization is migrating data centers housed in individual hospitals to “sophisticated, advanced co-location facilities” and the new data centers provide increased security controls and protections.

“Throughout the whole year, our focus has been on transforming our data center, and that includes improving the availability and integrity of data and overall performance. It also includes the security controls within the data centers, from the physical controls to environmental controls, to improving the general security and technologies within the data centers themselves. And that’s been a ton of heavy lifting this year,” Mehring says.

Mehring and his team also have focused on what he refers to as “blocking and tackling improvements,” ranging from multi-factor authentication enhancements to process improvements around vulnerability identification and remediation activities. “We spent a lot of time trying to improve our assessment processes to get a little bit more detailed on the way that we identify risk and the way that we articulate risk to our stakeholders in the enterprise. We focused on general improvements in those areas, but most of our efforts have really focused on our data center transformation, and some of the things that orbit around that.”

And, he adds, “That’s so important for our organization as we proceed to transform ourselves as a healthcare delivery system. It’s really setting up the playing field; setting up the infrastructure and security services to support all those future business initiatives and clinical operations.”

The Current State of Healthcare Cybersecurity

When looking at the current state of cybersecurity in the healthcare industry, current data breach reports and news reports about malware incidents paint a troubling picture. Cybersecurity software company Protenus, which publishes a “Breach Barometer” report every month, reported 233 total breaches in the first six months of 2017; in all of 2016, about 450 breaches were reported. The company also reports that the trend first noted in 2016 has continued, with an average of one health data breach per day. Protenus tracks breach incidents either disclosed to the U.S. Department of Health and Human Services (HHS) or to the media.

However, there are indications that healthcare provider organizations have boosted their cybersecurity efforts and are responding more quickly and strategically to cyber threats. In October, FirstHealth of the Carolinas reported that it had shut down its computer networks after a threat from a new version of the WannaCry malware virus was detected. The health system reported at the time that its information system team immediately identified the threat and implemented security protocols. The health system reported that because of the quick response by the information security team, the virus did not reach any patient information, operational information or databases.

In a 2017 Healthcare Information and Management Systems Society (HIMSS) Cybersecurity Survey, more than half of respondents (60 percent) reported their organizations employ a senior information security leader, such as a CISO. What’s more, the survey results indicated that organizations that employ a CISO or other senior information security leader have adopted holistic cybersecurity practices.

Gauging the current state of healthcare cybersecurity, Mehring says, “Looking at it from a posture and a protection perspective and when I talk to my peers, it feels to me that the water line is overall rising together. Five years ago, I think, in healthcare, what we saw is the ‘haves’ and ‘have nots’ at very dramatic levels. We had healthcare delivery systems and providers with differing levels of security, where a lot of the blocking and tackling security controls weren’t in place. There was this huge disparate ecosystem, and that’s important because, especially when you get local, we all have to share; in a metroplex, all of our systems talk to each other. It’s important that we all understand that we all have to improve together.”

Mehring also says he is seeing more information sharing among healthcare security leaders, noting both informal, local efforts as well as national efforts through cyber threat-sharing groups, such as the National Health Information Sharing and Analysis Center (NH-ISAC) and the HITRUST Alliance. In the Dallas area, one local hospital hosts regular summits bringing together local CISOs and security staff. Mehring says, “We share information with each other and give best practices, which is great, as when you get into the healthcare delivery ecosystem, local really matters. National is important, but when we are delivering care and sharing information, a lot of that is happening at a very local level, between health systems.”

Evolving External Threats

It’s widely known that healthcare is a prime target for hackers and cybercrime, with malware and ransomware attacks a constant concern for healthcare security leaders. In May, the WannaCry ransomware virus plagued the National Health Service in the United Kingdom and the NotPetya malware caused massive disruptions to multinational companies in 65 countries back in June, including health IT company Nuance Communications, which had to shut down its network.

Like many other healthcare security leaders, Mehring sees ransomware as a major threat to many industries, including healthcare, and one that will not go away anytime soon. As one silver lining, though, he also notes that security vendors are providing more robust infrastructures in response to the malware threats.

“I think a lot of people learned their lessons very quickly around ransomware and how to handle it. That includes, number one, putting the right protections in place on the front end, and if it gets in, having the right response and recovery strategy in place. We see many organizations being able to recover quickly from those types of destructive events. I think what you see is a lot of lessons learned being applied, so the impacts have gone down. But, do I think that threat exists? Absolutely, and it will continue to evolve.”

One way cyber threats have evolved, Mehring points out, is that hackers are starting to attack what he refers to as the “underbelly,” or the technical supply chain. In the NotPetya malware attack in June, for instance, cybersecurity experts believe that a software update mechanism of a Ukrainian tax preparation program had been compromised to spread the malware.

“When they attacked the Ukrainian application, which was associated to some U.S. companies as well as other companies, they attacked that trust that had been built with that company’s application, and they attacked, essentially, the update service associated with that application. When a malware gets in, with the right level of permission and the right level of access to the environment, it’s going to do a little bit of harm, and depending on how it’s set up, it could do lots of harm.”

He continues, “This is something that we really need to pay attention to; the vendors or software services that are integrated tightly into our healthcare delivery systems. It’s probably the next attack vector in, and, unfortunately, it’s a great vector into an enterprise, because of the trust that we lay into those types of services.”

The speed of malware attacks is increasing as well, Mehring notes, and that puts more pressure on healthcare organizations to have the right tools, techniques and processes in place to respond and recover quickly. “The organizations that are not able to start to apply automation and orchestration into their infrastructure and services will probably see in the future how the lack of that becomes the real problem and can really impact their infrastructure.”

At Texas Health Resources, Mehring says the organization’s cybersecurity strategy evolves to address these threats, with an increased focus on the security postures of its vendor partners. “You have got to ask really good questions of your vendors and how their services integrate into your environment. You need to ensure they are doing all the things that they should be doing to protect their environment, and yours, in the delivery of that service.”

He adds, “If you are integrating a software service into your environment, that’s managed externally by a vendor, you need to ensure you’re putting the appropriate controls in place so that any harm caused on their side does not impact the rest of the environment. And we do that through a lot of different ways, through appropriate provisioning of accessing and identity, appropriate provisioning of network services and isolation and segmentation.”

Insiders Remain a Constant Threat

Specialist insurer Beazley reports that in the first nine months of 2017, unintended disclosures accounted for 41 percent of healthcare data breach incidents. The high level of unintended disclosure incidents remains more than double that of the second most frequent cause of loss—hack or malware (19 percent), according to the Beazley report.

At Texas Health Resources, Mehring says security leaders utilize sophisticated IT monitoring systems, such as behavioral analytics, to detect anomalous behavior as well as continuous auditing and monitoring of protected health information (PHI) within the electronic health record (EHR) and data loss prevention technologies.

There are also non-technical processes and programs that should be used, Mehring points out, such as a hotline that employees can use to report anomalous behavior. “You need a good hotline that allows the reporting of things, and from that hotline, you need to make sure the information is acted upon and communicated to the right department, whether it’s HR or it’s the legal or security team,” he says.

At a high level, Mehring says it’s critical that the CISO have strong relationships with human resources and compliance leaders within the organization to develop processes and policies to identify and address insider threat actions. “From a policy perspective, it’s about who is going to own the policy for that type of data and who sets the rules?” A transparent sanctioning program also is key so employees are aware that activities are being monitored. “Employees need to know that there is a process in place for accountability when something is inappropriately accessed or inappropriately shared,” he says.

Medical IoT and Cybersecurity

For many hospital and health system CISOs, the governance of medical device programs is the next frontier in IT security. Healthcare provider organizations are now managing an increasing number of digitally connected devices, and, as more devices come online, the cybersecurity risk increases and intensifies in complexity.

“I think most of us are still coming to terms with how we characterize IoT. Is a medical device an IoT, is a refrigerator that stores blood an IoT? Is a monitor that is displaying our marketing information in our hospital, is that IoT? If somebody gets a wearable, is that an IoT? And the answer to that is probably, yes, to all of that in some way,” Mehring says.

A critical, foundational step to managing medical devices is developing a comprehensive inventory and asset identification of all digitally connected devices within an organization, he notes. “Then you have to start developing at least some internal rules of how we characterize those types of IoT things and make sure we can differentiate between those different asset types because they are going to get different protection profiles. A medical device is going to get a different protection profile than a monitor on the wall in a hospital passageway that’s providing branding information,” he notes.

Understanding how various medical devices communicate, both inside and outside the hospital environment, also is a vital step in maintaining and protecting devices. “Developing good data flow mapping and understanding the way that devices communicate is very important. That allows you to put in better protection mechanisms once you understand how things communicate with each other. You can ensure that the appropriate communication security strategy is put in place around those devices,” Mehring says.

At THR, health system C-suite leaders have long been aware that cybersecurity is not just an IT problem, but a corporate-wide risk management issue, and one that requires an evolving, strategic approach to address the changing threat environment.