10 CYBERSECURITY LESSONS LEARNED AT HIMSS 2018
1. The More Things Change, the More They Stay the Same. What struck me most about this year’s HIMSS Conference, March 5-9, relative to cybersecurity was how much the issues were the same as last year. Even though the number of attendees at the Cybersecurity Forum on March 5th doubled from last year, it seems that many basic cybersecurity requirements are still not funded or resourced adequately. Basic preventative actions like mobile device encryption, comprehensive security awareness programs, and even ensuring that the windows in envelopes do not reveal PHI are not being done consistently. There is a reason why most cyber-attacks target healthcare: the data is valuable and the protections are weak.
2. Insider Negligence. We all knew that attacks emerging from phishing emails hit healthcare harder than any other industry and are the number one cause of a successful intrusion. However, insider negligence is number two. Both reflect a lack of employee awareness of attack methods. My recommendation is to fund and resource a Security Awareness Program that engages employees every month, keeping data privacy and security top of mind. We must approach this just as we wash our hands and wear gloves when engaging with patients. We have done this type of cultural change before and can do it again. We know how to do this.
3. Security Risk Assessments. The number one finding from recent Office for Civil Rights audits is a lack of cybersecurity risk assessments. This is basic to any information security program. Organizations must identify the places where their entity is vulnerable to attack. If possible, engage a qualified third party experienced in conducting assessments in the healthcare industry. Sometimes we are too close to our own processes to really understand where the gaps are. A third party can take an objective, comprehensive view, provide a prioritized action list, and produce results that can be measured over time. My recommendation is to conduct a third-party assessment at least every other year, and if possible, annually.
4. Medical Device Security. Medical device security was a hot topic in several sessions. Concerns abound in this area, starting with having a good inventory of medical devices that hold or transmit data. Medical device manufacturers continue to be less than cooperative in enabling protection of data, continuing to ship old operating systems and simple password-based access management. However, there are some innovative projects being done by the National Cybersecurity Center of Excellence and some manufacturers. There are also several new software products that help discover medical devices on the network and look for behavioral anomalies. One colleague noted that it is very important to work with the Clinical Engineering staff regarding medical devices, as their security is NOT usually under the control of the Information Security team. Consider moving CE under IT, as many hospitals have already done. To some extent, medical devices are just a different type of endpoint on the network, so this makes sense.
5. Cloud Migration. Besides medical devices, the next most popular topic was healthcare migration to the cloud and how to handle this change from a cybersecurity perspective. Two requirements flow from this move. First, it underscores the importance of a strong vendor risk management program. The program starts by including a cybersecurity risk review in the procurement process and continues with regular reviews based upon risk level. There are many third parties that can do this for a healthcare organization. By focusing on high-risk suppliers, it is possible to keep the costs relatively low. It is also possible to accomplish this with trained internal personnel using one of the many evaluation tools available.
6. Business Continuity Plan. The second issue with moving to the cloud is to ensure that there is still a business continuity plan in place in the event of a failure of the cloud service. This can be forgotten because the care of the infrastructure for that particular service is no longer the responsibility of the healthcare organization, so it is no longer top of mind. Even though the cloud service provider may appear to be invulnerable, failures can still occur, as happened with Nuance and Allscripts in 2017.
7. Academia. Most organizations are tying in with academic entities or hiring researchers from academia. Unfortunately, academia is still very open in its approach to data protection, and it is critical to educate academic partners and new employees from academia so they understand the importance of protecting patient data.
8. Multi-Factor Authentication. Organizations are finding that passwords are not adequate: users forget them, choose codes that are easy to break, and use the same password for everything. Many entities are moving to multi-factor authentication methods that eliminate the use of passwords. Ultimately, it will be easier for users to log in and more secure. At the very least, entities are opting to follow suit with the Financial Services industry by adding a verification step on a second device to the password requirement.
9. Cybersecurity Spend. Even though healthcare is increasingly an information business, the percentage of IT funds spent on cybersecurity is about half of that in the Financial Services industry. My recommendation is that healthcare organizations should measure the maturity of their cybersecurity programs against the Financial Services industry.
10. CAPEX vs OPEX. A major difficulty in cybersecurity program resourcing is the relentless move from capital expenditures to operational expenditures in funding cybersecurity programs. Software vendors have moved in general to an OPEX model (e.g., Office 365). In addition, finding qualified personnel is difficult and expensive, so many companies have turned to managed security service providers (MSSPs) and are paying monthly for the service.
However, hospital IT and cybersecurity funding have traditionally been one-time purchases funded from bond sales for general infrastructure improvement, including facilities and medical equipment. Ongoing operating expenses are viewed as more directly affecting net income. Increases in OPEX run up against financial requirements that allow for zero or only a small percentage increase year-to-year. The key to acquiring the required funding is to continue to educate management and the board of directors on the importance of protecting patient data, noting that these expenditures are part of the basic cost of providing patient care in 2018 and beyond.
Author: John Brady, CISSP, is Chief Information Security Officer of Secure-24. He provides information security advisory services to clients in addition to his leadership role in the company.