Securing the perimeter: A national cyber security awareness month Q&A

Aaron Miri
Nov 01, 2016

In honor of National Cyber Security Awareness Month, Imprivata recently hosted a Facebook Livestream Q&A where I got the chance to answer some of the most pressing cybersecurity questions from healthcare IT professionals, including questions about security budgets, clinician adoption of security solutions, and the biggest threats facing healthcare today.

Below I’ve shared all of the questions and answers from the Livestream, as well as a recording of the live discussion.

What advice or tips can you give to healthcare organizations looking to make their users more accountable for security?

First and foremost, know what data is being accessed and by whom. Make sure that you have a good understanding of the landscape of applications, of who’s touching ePHI, and who’s touching PII and other types of protected data. And then make sure you’re layering in systems of two-factor authentication, secure communication, maybe palm vein biometric identification, and other layers to have a complete picture and protection net around you. No technology is 100%, but by layering in technology you’re able to mitigate the risk to almost nothing.

How should hospitals be balancing their budget when it comes to security measures?

When it comes to budgeting for security, there is no right answer. My default has been to always add an extra zero to that line item, even if it’s zero already. But really what you have to look at is: what is the risk to the business? If you as an organization, especially as a healthcare provider, lose patient records, you’re talking about your brand name, you’re talking about your image, you’re talking about your trust with the community, you’re talking about the patients coming to you at their time of greatest need, needing you. So if you have a breach and all of those horrible things that could happen do happen, what is that worth to you? So as you’re going through and budgeting, play those scenarios out with your compliance department, your finance department, and others, and say, hey look, I realize that I’m weighing buying this piece of gear against buying a brand new bed, perhaps buying a bicycle, perhaps buying something for a pediatric hospital. But you have to weigh the risk of doing nothing. So there’s always a middle ground somewhere in there. So like I said, if they gave you a dollar, maybe add a zero at the end of it and make it ten dollars.

Aside from phishing attacks, what other major security threats are hospitals facing today?

Hospitals are under constant attack. I think what’s important to understand is that healthcare is critical infrastructure and it’s under attack every single day. So hospitals have to layer in protections as if they were under attack from, say, a foreign nation state, because that’s exactly what’s happening today. Hospitals are facing a number of different types of vectors. One is social engineering: calling your employees directly, calling the clinicians pretending to be the IT department. Two is insider threats. As much as we like to believe in the good in everybody, unfortunately there is a bad apple amongst the parties. So you have to have protections in place to take care of that bad apple when they’re trying to take data out of the organization. Are they doing something inadvertently? Perhaps they’re using a personal service like Box.com or Dropbox and uploading patient records to it, unbeknownst to the IT team and hospital professionals. Those are the kinds of challenges you have to work through and mitigate, and keep an open mind.

Security, unfortunately, isn’t always about something maliciously coming after you. A breach can happen by me innocently typing in the wrong email address, by sending something unencrypted, or by perhaps putting it on my mobile phone that doesn’t have a PIN on it and then losing my mobile phone. That’s a breach. The Office for Civil Rights and the ONC recently clarified that any type of ransomware on a computer is inadvertent access of information; it’s a breach. So now, knowing that the bar is set incredibly high, you have to look at everything, the entire panoply of potential threat factors.

Can you talk about some of the hurdles that hospitals are facing when it comes to clinician adoption and how they are overcoming those hurdles?

I’ll give you some personal examples. It’s always difficult to tell a clinician who is already busy and stretched beyond their means that, hey, you suddenly have to log in securely using another type of token. So something that Imprivata does really well in the community, and why they’ve really become a leader, is two-factor authentication that’s quick and easy. Getting a physician or clinician to buy into that idea without them actually seeing it is difficult. So what I would do is road shows. I would actually take various products to them and say, try this out, doctor or nurse. Let me know what you think. Let me get some buy-in here. Once they understand you’re trying to protect them from nefarious harm, and you’re really trying to help them and speed them up, they suddenly realize, okay, this isn’t so bad.

Another adoption curve obstacle is really the high cost of technology sometimes. IT systems, unfortunately, aren’t cheap. As I said earlier, what’s the risk of doing nothing? You have to ask yourself, is a breach, and having to notify, say, the OCR and news outlets if you have more than 500 patients breached, really worth it to you financially versus buying the system that maybe costs one dollar? Those are the kinds of tradeoffs you have to make. So, from a clinician perspective, it’s partnership, it’s working together as a community, and it’s selecting technologies that end up working for their benefit. Remember, security doesn’t have to be something that just inhibits you; it can be something that speeds you up and gets you to your goal.

Can you talk a little bit about what’s on the horizon for IT right now? What should they be concerned about? What should they be planning for?

I happen to sit on the ONC’s HIT Policy Committee as the security and privacy representative for the country. Something that’s being talked about very heavily right now within Health and Human Services is how do we empower the patients to have choice? To have choice in what information is shared, to have choice in understanding that if I want to have my lab results shared, but you want to ask me my blood type or some specific detail about my lab results, I want to hold that back. I don’t want to share the entire lab result. Those kinds of things empower the consumer.

I would stress to hospitals and organizations to get to know your patients coming in the door. Understand what their preferences are. Understand if they want their smoking status revealed, or their pregnancy status. People have a right to their own information. People have a right to exclude certain types of information. Start getting ahead of that now, because it’s very clear that consumer empowerment is on the horizon, and those are the kinds of things that we need to be thinking more about as healthcare professionals. Ultimately it comes down to technology, it comes down to the choices that we make as healthcare professionals, and it comes down to protecting our patients to the best of our ability. Together we can make that happen, and I look forward to working with all of you in helping to make that happen.