As part of Healthcare Informatics’ Cybersecurity Special Report in its First Quarter 2018 print issue, in one of the report’s four pieces, healthcare IT security experts emphasized a few key strategies that forward-thinking organizations are deploying to improve their data security defense—namely, monitoring users’ behaviors, in which organizations monitor their users at a high level; and leveraging identity and access management (IAM) protocols to avoid unauthorized access or disclosure of information.
One of those interviewed experts was Bryan Kissinger, Ph.D., vice president and CISO (chief information security officer) at Phoenix, Ariz.-based Banner Health, one of the largest health systems in the U.S. Kissinger, who has been in his role at Banner for less than a year, said in the story that in some ways his organization is ahead of the curve in terms of leveraging these strategies to improve Banner’s cybersecurity defense; but in other ways, there is a lot of work to be done. Below is the full interview with Kissinger, edited for length and formatting purposes.
How are you taking to your new role at Banner Health?
I came here as part of an initiative to enhance the maturity of our information security program. My job was to come in, look at the people, processes and technology that we had, and rapidly mature the program. We’re making a big investment in IAM, and we’re also looking a lot at behavioral monitoring. We have a number of big projects that we are in-flight on.
Bryan Kissinger, Ph.D.
What are some of the specific projects you are working on right now?
On the identity side, we’re really looking at it from an efficiency and customer service perspective, so getting to day-one birthright access for all workforce members, and doing that in an automated way. Like most organizations, [Banner] has historically had an in-house developed system [for IAM] or they have done it manually, but now we are using a technology to help us give automated day-one access to all workforce members. And that access is tracked and governed within the platform such that on a quarterly basis we’re re-certifying that access with the workforce member’s manager.
For privileged access we are using a tool to vault privileged passwords and system, and privileged accounts in a safe vaulting technology such that database administrators and other privileged users need to go into the vault and check out an encrypted password to be able to escalade privileges from a normal user to an escalated user.
And lastly on the identity management front, we are getting ready to implement a single sign-on tool that allows clinicians to be able to tap their badges on a badge reader—say in an exam room or the ED, or wherever they need to access health record technology—which then single signs them in to all of the applications they need for their job. It probably saves each clinician five to six hours a week that he or she would normally need to do to manually type in log-ins and passwords to different systems throughout the day. So it’s a security feature but an efficiency one, too.
I am keenly aware of the concept that every click and keystroke that you add for security [to a doctor’s workflow] is not welcomed. I am doing as many things as I can that are either back-office, or doesn’t impact the end user, or if it will have to touch the end user, I am hoping it makes him or her more efficient.
How sophisticated are behavioral monitoring strategies at Banner?
We have one area that we’re mature in and another where we’re at the beginning. On the mature front, we have a technology in place that evaluates a number of inputs such as: the clinician’s job; where he or she physically is doing work; and which patients he or she is looking at, and it makes sure that clinicians are only accessing patient records they should be accessing.
But when it comes to malicious activity traversing the network or systems behaving the way they shouldn’t be, we’re only at the beginning. We are looking at baselining what normal behavior is for most of our systems. We have implemented some database anomaly monitoring technology to be able to look for normal behavior on our most critical databases, and then alert and take action when that behavior is not considered normal. And that all feeds into our SIM [security information management product].
How key is it to deploy these strategies in a proactive way rather than be reactive following an incident?
We would all prefer to be on the proactive and preventative side, so we are trying to do everything we can do to prevent an incident from happening. On the defensive/reactive side, we’re trying to shorten that window of reaction latency. Whereas a bot could be operating in your environment for months, we’re trying to make sure that as we see anomalous behavior happening, we can address it quickly. And we’re putting in drawbridge technology in some cases. If something is looking a little strange, the time to get that resolved could be hours or days. If there is an attempt to extract millions of medical records out through our network, you want that reaction time to be seconds or minutes—not hours or days. So it depends what part of the network you are talking about and what data you are talking about. The more on the preventative side, the faster the reaction time, and the more expensive that is. You can only spend so much money.
Does the “human factor” concern you most when it comes to cybersecurity incidents?
It’s the human factor; machines/computers/technology do not make mistakes. Most ransomware is the result of unpatched systems and most systems can’t patch themselves—they require human intervention. Humans are the ones who click on phishing emails, upload credentials and download malicious software. We and others spend a lot of our IS budget on technologies and staff, but we don’t spend a proportional amount of that money on training, awareness and addressing those human weaknesses. So at Banner, I am spending a significant amount of our budget on training and awareness, and what we can do to make sure the human element is as little of a weak link as possible.
Do you and other CISOs collaborate often on best practices and things you’re seeing? If so, how helpful is that?
Yes, and it’s very helpful. I am part of three or four different CISO forums. There is the informal network where I just know other CISOs, and we might get together once in a while for lunch or connect socially. Then there are formal monthly and quarterly CISO roundtables that people participate in. And in Phoenix, I have a special relationship with another big healthcare provider here, and we connect regularly and we get our leadership teams together on a quarterly basis. So we are sharing information and ideas that way. No one I know of in the healthcare CISO market views information security as intellectual property. We share threats, ideas, projects, technologies, successes and failures. There is tons of value in having an open and collaborative community.
When it comes to both areas—behavioral monitoring and IAM—if organizations invest more energy and effort into these strategies, could the adage we always hear about “cybersecurity getting worse before it gets better” reverse course?
They will make a difference but this is an area in which the threat will continue to evolve over time. There’s no limit to the creativity of organized crime or nation-state actors being able to try and get to sensitive information and resources. The old analogy of the Golden Gate Bridge applies; you start to paint it on one end and by the time you get to the other end you have to start back at the beginning. We are constantly painting this bridge. You always have your foundational technologies in place, and a lot of us in healthcare are still putting foundational security safeguards in place. Once that’s in place, it becomes what we need to do from a refresh perspective or an emerging technology perspective to keep up with how the threats are evolving.
