BOSTON – After two days of wide-ranging and detailed discussion about the multi-faceted challenges of healthcare cybersecurity, data privacy and patient safety, some themes have emerged from the HIMSS Healthcare Security Forum, which took place earlier this week.
Here are a few top-level takeaways.
The role of the chief information security officer is changing
The challenges of the CISO (and all healthcare infosec professionals) are many. Whether it’s getting adequate resources from cost-conscious CFOs – one speaker suggested leaders communicate the stakes in business terms, framed as the catchall term of “risk,” rather than the specialized field of cybersecurity – or gaining clinician buy-in, the CISO has many more jobs than just keeping ones and zeroes on lockdown.
One consistent theme was the shift in how the CISOs are perceived – not just as security scolds who run phishing tests and shut down shadow IT, but as active strategic leaders, communicating regularly with other stakeholders across the enterprise to help with innovation and business transformation.
“A lot of it has to do with understanding an organization’s culture,” said Anahi Santiago, chief information security officer at Christiana Care Health System.
Still, there are the day-to-day challenges, such as keeping up with regulatory compliance and maintaining good vendor relationships in a world of “hyper-outsourcing.” And those challenges will only get more complex in the world of myriad mobile devices, empowered consumers, artificial intelligence and more.
“Many healthcare providers aren’t prepared for the new risks they will be introducing into their orgs over the next 3-5 years,” said keynote speaker Dr. John Halamka, newly minted president of Mayo Clinic Platform.
But, he added: “Try innovating in a zero-risk environment. You can’t.”
The key is to find an acceptable balance between innovation and risk management, based on mitigation, organizational benefits and strategic urgency, he said.
“Healthcare is moving forward and transforming, and it’s going to do it with or without us,” Santiago said. “And it’s great to see more and more folks talking about the fact that not only do we have a seat at the table but we’re engaged in discussions that are helping with that transformation.
“We’re moving in the right direction,” she added. “We’re maturing. There’s still a lot of work to do. But at least there are some answers out there.”
Security strategies need not be as complex as they seem
“No one is going to do the hard thing to breach your organization when the easy thing is going to work every single time,” said keynoter Michael Coates, CEO and cofounder of Altitude Networks, who previously served as CISO at Twitter and head of security for Mozilla.
Similarly, perhaps, some professionals who may feel overwhelmed by the dizzying array of cybersecurity threats and compliance imperatives may consider taking some cues from the KISS principle.
“It’s easy for folks to get lost in the most esoteric and complicated vulnerabilities and not manage the basic stuff,” says Johns Hopkins CISO Darren Lacey.
Erik Decker, chief security and privacy officer at University of Chicago Medicine, was on hand in Boston to describe the value of HHS’ Health Industry Cybersecurity Practices framework, which he helped spearhead.
As Decker explained recently, the guide can be viewed as something like “a cookbook,” he said, “a series of recipes that will help you mitigate and manage the most prevalent threats we face in healthcare.”
In a world where basic mistakes like missing patch notifications are far, far more common than targeted cyber attacks on patient-connected infusion pumps, ensuring that attention is paid, piece by piece, to low-hanging fruit, will offer much more protection than many realize.
Healthcare is moving to the cloud – and quickly
At the Boston conference, there was a panel discussion entitled “Security in the Cloud Era.” And the fact that healthcare finds itself in a “cloud era” when security and the cloud used to – not that long ago – be considered mutually exclusive by many healthcare security pros, is remarkable.
Over the past 12 months, providers have doubled the share of workloads deployed to the public cloud to 25%, according to HIMSS research.
“I am all about trying to secure her information as it goes to the cloud,” said John Houston, vice president, privacy and information security, and associate counsel at UPMC, who manages “hundreds” of different cloud vendors of all shapes and sizes and estimates that some 70% of his compute workload is now remote hosted.
“We all need to be concerned about that reality: We’re moving very quickly to the cloud,” he said. “Risk follows information. And we’d better figure out a way to get our arms around it.”
That’s going to be a challenge, and will depend on a fundamental rethinking of some longstanding security practices.
“Perhaps 80% of what a traditional IT or cybersecurity person knows today is irrelevant when moving to the cloud,” Halamka said. “It’s effectively an entirely new job.”
Cybersecurity is a patient safety issue
Lee Kim, HIMSS director of privacy and security, was at the Healthcare Security Forum in part to discuss a new report on the intersection of patient safety and cybersecurity.
Dispiritingly, but perhaps unsurprisingly, “we found that patient safety and cybersecurity professionals at hospital organizations simply don’t speak to each other too much,” said Kim.
“What is healthcare about? At the end of the day it’s about patients and patient safety,” she said. In the era of IoT and networked medical devices, many without adequate logging mechanisms and forensic data to investigate the reason for aberrational events, “this should be the goal of all healthcare organizations.”
But too often, whether in purchasing decisions or simply where their offices are, safety and security teams are siloed from each other.
Too often, IT security labor “deep down in the bowels of the hospital, never seeing the light of day,” said Kim. “That’s symbolic.”
But as Dr. Saif Abded, healthcare cybersecurity expert and co-founder of AbedGraham, explained: “Cybersecurity is patient safety. If you’re thinking of it in some other way, like something that sits in a back room somewhere, you’re missing the point.”
“I think about patients a lot,” said Geisinger CISO Stephen Dunkle. “And when I stop doing that, it’s probably time to retire.”
Policies and regulations need some changes
At the Healthcare Security Forum, attendees were able to ask questions during the panel discussion via the online app Slido. A sampling of some of their questions suggests a trend:
- “HIPAA is nearly 25 years old. Can HIPAA be updated w/out legislation? Or does HIPAA need to be replaced by a GDPR- like legislative update?”
- “Do we need an international privacy standard? Should the U.S. just override HIPAA w/ a GDPR-like approach?”
- “Is the HIPAA privacy and security regulation outdated when it comes to these new models of data sharing and healthcare consumerism?”
They’re good questions. And ones that have been asked before. (Many times, by many different stakeholders.)
What happens with regard to a wider rethink of the law is ultimately up to Congress and other federal policymakers. In the meantime, other HIPAA changes are coming.
But Houston, speaking, one presumes, for many other security and compliance pros buckling under the weight of many overlapping, often contradictory, state, federal and international laws, said a new and more streamlined approach was needed.
“We need uniformity,” he said. “My organization has hospitals in three countries and four or five states. We operate in a lot of different jurisdictions. It’s very difficult to operate when you really have such a disparity in how information security has to be delivered.”
The risks continue to evolve, but so do the efforts to combat them
“If we’re now dependent on machine learning and AI, what happens when the AI is corrupted?” asked Halamka. “What if an adversary wants to pollute my data set, and I end up with an algorithm that’s not set for purpose? These are things we have to start to consider.”
And that’s just in the near term. Further out – in 15-20 years, as Brian Cady, principal security architect at Providence St. Joseph Health, estimated – revolutions such as quantum computing could have major and transformative implications for cyber offense and defense.
In the meantime, Greg Singleton, director of the Health Sector Cybersecurity Coordination Center at HHS, said healthcare organizations should be on guard against more quotidian cyber risks: VPN vulnerabilities, outdated Windows versions, networked PACS systems.
“Understand your environment and make sure you don’t have something that’s inadvertently exposed that could pose a risk,” said Singleton.
Also, he highlighted the value of information sharing with groups such as HC3. “It’s important that people reach out,” he said. “We can do good stuff together.”