IT security leaders stress the need for layered defense, neutralizing the human element
At the Boston CHIME LEAD forum, held on Wednesday, June 22 at the Aloft Boston Seaport Hotel, and cosponsored by the Ann Arbor, Mich.-based College of Healthcare Information Management Executives (CHIME) and the Institute for Health Technology Transformation (iHT2—a sister organization to Healthcare Informatics under the Vendome Group, LLC corporate umbrella), expert health IT security panelists discussed the key components of an effective healthcare cybersecurity strategy.
Throughout the day, program attendees listened to multiple engaging sessions about a myriad of cybersecurity issues, from essential factors on how patient care organizations can be better prepared, to strategies for defense, response, and recovery. A plethora of IT security leaders—many from the healthcare space, but some with years of experience in other sectors—hammered home several core points, including: 1) the healthcare industry has now clearly become an intentional target for hackers; 2) traditional defense strategies such as firewalls and defending the perimeter are outdated and inefficient; 3) some sort of human-related issue contributes to the overwhelming majority of attacks; and 4) establishing a culture in which end users are educated and trained, and IT security is a proactive priority rather than a reactive one, is a must.
So where does the industry stand today in terms of its level of preparedness and sophisticated defense strategies? To start, the security experts in Boston pointed out that despite a recent uptick in making cyber defense a priority, it will be a while before healthcare gets to a place that other industries, such as financial services, have gotten to. Indeed, multiple panelists throughout the day attested that they were either on a solo mission at his/her organization regarding IT security, or had to start a team upon being hired.
Heather Roszkowski, CISO at University of Vermont Medical Center, for instance, said the organization's security department was essentially non-existent before she arrived four years ago. "The focus has been on building a program, a suite of tools, and changing the culture," she said. For the first couple of years, Roszkowski was a "solo show" and didn't have an IT security team. "So we started out with an email encryption tool and an endpoint tool. But we have worked our way up from there," she said, noting the data analytics and assessment approaches, such as testing users with phishing emails, that are in place today.
But the CISO said the biggest thing has been changing the culture. She told an anecdote of a physician at the medical center who called her and said that "time-out" functions that require a user to log back on after a period of inactivity were taking up too much time, and the physician couldn't pay as much attention to patients as a result. "So we went down to the hospital that the physician was in, saw the issue in person, and [fixed] it," Roszkowski said. Indeed, the system that was requiring log-ins and log-outs was always in sight of the physician, making it less necessary to devote constant attention to it, she said. "Customers see that we're listening to them and helping. And, we're getting what we want too, which is a more secure environment."
Several panelists also noted how yesterday's cyber defense strategies, such as firewalls and anti-virus programs, were no longer sufficient once 2015 arrived as the "year of the data breach," in which major data breaches across the year resulted in the exposure of more than 100 million patient records. David Ting, founder and CTO at Lexington, Mass.-based Imprivata, said that the continuum of cybersecurity strategies has gone from defensive measures at the perimeter to technology solutions that monitor how people enter the network. "Some sort of human-related issue contributes to almost all attacks," said Ting, a 10-year healthcare veteran at Imprivata. "For the past 10 years here, it's been about how we neutralize that element of the human factor in which we introduce [a component that makes you] physically steal something rather than just take it from online," he said. Ting cited two-factor authentication, which employs methods such as smart cards, one-time password tokens and biometric devices to ensure users are who they say they are, as an example of this.
Chris Williams, chief cybersecurity architect at Westfield, Ind.-based Leidos Health, agreed with Ting about monitoring how people enter the network. Williams, who is the security lead on the massive U.S. Department of Defense Healthcare Management Systems Modernization (DHMSM) electronic health record (EHR) contract that Leidos was awarded last year, along with Cerner, Accenture, and others, said that he cares more about knowing an attack took place rather than thwarting an attack. "If you know you are getting hit, you can measure that and adjust responses appropriately," said Williams.
He compared the situation to that of banking: "Knowing how many people were in my bank lobby at 2 a.m. is actionable information; how many people drove by and gave the bank a dirty look is not," he said. "So look at the metrics that measure real-world and actionable activity. The vault isn't the most important room in the bank; the lobby is. If I know someone is in my bank lobby before they should be, I can design my IT environment to get them when in the lobby. The same can be true in healthcare; what's the lobby of your organization? Is it a user's laptop? Figure that out and design your environment around it," Williams advised.
As far as overall axioms for modern cyber defense, Williams said: assume an intelligent attacker will eventually beat all defensive measures; design defenses to detect and delay attacks so defenders have time to respond; layer defenses to contain attacks and provide redundancy in protection; and use an active defense to catch and repel attacks after they start but before they can succeed.
Not to anyone's surprise, the panelists throughout the multiple sessions touched on the ransomware crisis that has plagued the healthcare industry for much of this year. Jon Fredrickson, CISO, MIS Information Security Group, Southcoast Health, a community-based health delivery system with three hospitals in southern Massachusetts, said that his organization has seen a 400 percent increase in ransomware delivery attempts over the past three months. As such, Fredrickson and his team looked at who had access to those systems and delivered targeted education to them. That was successful, he said, further noting that Southcoast Health was at the industry standard of an 11 to 12 percent click rate prior to targeted education, which went down to a 4 to 5 percent click rate afterwards.
Most ransomware attempts came through attachments, while others came through websites, Fredrickson said. But after the organization implemented sandboxing, a strategy to isolate malicious emails, the ransomware prevention rate went up to 98 percent, from 85 percent, he said. For those ransomware attacks that did sneak through, Fredrickson said they were mostly through HTTPS channels. "That's where user education is huge," he said. "What does ransomware look like, what do you do when it presents itself? We unplug the asset immediately, we have a sound backup strategy, and we also work with directory services teams to disable the ID that was running on the machine at the time. Four [ransomware attacks] have made it through in the last 18 months," he said.
Another key strategy that the panelists pointed out was getting third-party help, as the magnitude and complexity of cybersecurity defense in healthcare is simply too much for any one organization to handle. Jeffrey Wilson, director of information services, and assurance and IT security information systems security officer at New York-based Albany Medical Center, said the medical center worked with technology research and advisory company Gartner to figure out where the organization was weak in terms of awareness and response. "That involved a lot of analysis. Some things were obvious off the top as far as technology changes [we needed to make]," said Wilson. Albany Medical Center also conducted a response readiness assessment with an outside organization. Wilson said after that evaluation, the medical center realized "it was terrible there too."
Another point brought up during the day was the idea that healthcare, more so than many other industries, has an environment of trust and openness. Typically, healthcare professionals are more worried about patient safety than they are about the security of their IT systems. "Security is often diametrically opposed to the operational mission," Williams said. "So asking people to honor both missions can be an unrealistic request. That being said, you need to train folks so mistakes people make don't prove fatal."
To this end, Christopher Greico, HIT implementation specialist and CISO at Fort Drum Regional Health Planning Organization in northern New York, an agency that is responsible for a consortium of providers and entities, said that patient care organizations must take a "zero trust" approach. "Your partners could be a threat factor, and you have to assume that everyone you are interacting with is a potential threat," he said. "You don't want to be called out on the HHS Wall of Shame and be all over the news. You don't want to be the CIO who's leading the organization that it happened to. Healthcare has to realize that it's in the crosshairs now, so we have to make this a priority, or we'll continue to be in the headlines," Greico said.