TOP 10 CYBERSECURITY LESSONS FROM HIMSS 2019
More than 45,000 healthcare information and technology professionals from all over the world converged in Orlando to attend the annualHealthcare Information Management Systems Society Conference(HiMSS). I had the opportunity to participate as a panelist in a session on cybersecurity in Healthcare and to speak to numerous attendees in Secure-24’s exhibitor booth.
Below are my top 10 takeaways on cybersecurity trends that were on the minds of so many Healthcare professionals.
1. Cloud Security Concerns Grow as Data Moves to the Cloud
Everyone is talking about migrating their data to the “cloud”. What was unthinkable even a few years ago in Healthcare is now a reality—hospitals and other Healthcare enterprises are kicking the data center habit and joining the rest of business and industry in the cloud. Amazon® and Microsoft® are major players, but there are many organizations with a hybrid model of certain software as a service selections in their IT portfolio, while maintaining some of their systems in their own environments until they are fully depreciated. From a cybersecurity perspective, this presents a challenge. Multiple environments mean multiple controls to monitor and manage. Good cybersecurity monitoring and response does not disappear in a cloud environment. If you are challenged with creating a program that encompasses data protection in the cloud, check out the great resources of the Cloud Security Alliance .
2. Business Email Compromise and Phishing Increases as a Primary Threat
Healthcare is a major target for phishers, due to its lag in cybersecurity protections and employee lack of awareness. The answers appear to be security and phishing awareness and testing, multifactor authentication, and a tested incident response plan. Focusing scarce funds on tasks and projects that will make a significant difference is always critical in an effective cybersecurity program. Intensely honing in on these three areas will achieve sensitive data protection, with the ability to handle an incident, should one occur.
3. Incident Response Preparation is Key
For most enterprises in any industry, it is not a matter of if a successful phishing or other cybersecurity attack occurs, but when. Therefore, a tested response plan that involves IT, Cybersecurity, Privacy, Legal, Public Relations, Audit, and HR is a must. Enterprises should invest the time to prepare and create detailed run books for different types of incidents. I recommend: practice and continuous improvement; include any third-party security providers; and ensure that you have good relations with local law enforcement and the FBI. Organizations can purchase cybersecurity insurance and use free resources provided to refine a plan.
4. Medical Device Security News Is Getting Better
Mmedical device security was covered in several sessions. One of the biggest challenges in medical device security is a good inventory of medical devices that hold or transmit data.The good news is that there are now several tools on the market that can detect medical devices on the network.
The second piece of good news is that several major medical device manufacturers are actively working to update their device software to protect the data held or transmitted on the device. Once you have a good inventory, you can now check with the manufacturer’s web site to determine what their plans are and what has been accomplished to date. Several speakers noted that Healthcare tends to keep medical devices beyond their normal life due to replacement cost. Informing management about dated devices can be another impetus to update.
5. Analysis Automation and Use of MSSPs are Required to Keep Up with Attackers
Organizations are recognizing the need to add automated data protection to their tools portfolio. Although automation may reduce the number of cyber analysts and engineers needed, the cost is often prohibitively high. An increasing number of organizations are choosing to use a Managed Security Services Providers (MSSPs) for some tools. MSSPs can provide round-the-clock monitoring and coverage that most hospitals would be challenged to staff. One recommendation is a hybrid approach, with most of the services provided externally, with internal staff to address user issues, security awareness and phishing testing, local incident response, audit support, and vendor risk management, etc. Services that are readily available from third parties include: penetration testing, information security assessments and audit, anti-malware, intrusion detection and protection, vulnerability scanning, server configuration assessment, end point detection and response and advanced incident response.
6. Board Communication is Increasingly Required
As cybersecurity breaches multiply, board members are asking more questions about this area, that they never knew or cared about previously. The best approach is to continuously communicate the state of cybersecurity and relevant organizational risks to management and the board as often as possible. A positive, proactive approach is necessary. For example, draw the parallel with good hand-washing when working with patients. Wearing gloves, frequent hand-washing, and other protections are ingrained in the culture of Healthcare now, which was not the case 30-40 years ago. The same needs to be the case with handling PHI, deploying multifactor authentication, purchasing securable medical devices, and handling suspicious email. If you are in the cybersecurity department, be the YES person, not the NO person, to help encourage this change.
7. Risk Quantification Can Help Justify Cybersecurity Expenditures
Investment in cybersecurity is growing, and with the additional funding comes additional management and board requests. Take the time to share with senior management on a regular basis various breaches, fines and other adverse impacts of cyber-attacks and negligence in protecting PHI. HiMSS, HMS, and the OCR are free sources for this data. There are now a few companies that are mining this data with the ability to develop cost-based models that provide a dollar figure for the cyber risk the organization has based upon the status of its cybersecurity program. Check with your insurance company for ideas and their knowledge of experts in this area. Your insurance company can be a great resource, as they want to help your organization stay cyber healthy, just like the organization’s employee health plan wants employees to stay healthy.
8. Good Vendor Risk Management Grows in Importance
As entities are engaging more service providers in the IT and cybersecurity space and more devices have a data component, the importance of excellent vendor risk management practices becomes one of the top priorities of the information security and compliance department. The process of good vendor risk management starts before the acquisition of new products including the RFP and especially the contract. If these steps are missed, the whole process is considerably degraded. Regular vendors assessments must be conducted by trained personnel who know what to look for and what to follow up on. For more information on how to quickly set up a vendor risk management program, read my blog on Vendor Management: A Risky Business.
9. Virtualizing Infrastructure
Organizations are virtualizing their infrastructure for a smaller and more agile physical footprint to reduce hardware, software, space and utilities costs. The security benefit is smaller, but a smaller physical footprint is always a positive from a security standpoint. Of course, many organizations are improving their security status by moving to a private managed cloud or the public cloud and dispensing with their infrastructure altogether, as mentioned above.
10. Penetration Testing
Engaging a third party to perform at least a bi-annual test of the externally-facing network is not a new idea, but one that more Healthcare organizations are adopting. These are very helpful in that an objective set of experts simulate an actual attack, so organizations get a more realistic view of what is not adequately protected. Organizations can also purchase a service that will perform this against them and also their prime IT providers. My recommendation is quarterly testing of various infrastructure aspects. This can help guide decisions about funding security initiatives, as it provides actual data on exposure that can be provided to management.
Overall, I thought there were fewer sessions in the general conference this year, but Monday’s record-breaking attendance at the Cybersecurity Forum shows that interest and the need for more useful information about how to protect patient data is still at the forefront of Healthcare business practices. There were not any new earthshaking ideas on how to accomplish this, just good old-fashioned information security basics applied as I noted in the above list.
If you want to read more about the basics, you can check out more of my blog.
John Brady is the CISO at Secure-24.