Four Health Information Security Questions Answered

Health information security breaches occur daily. Cyberattackers are becoming increasingly sophisticated in their tactics to acquire and leverage this information.

To help identify and implement strategies that mitigate risk and foster trust within your organization, we asked healthcare security leaders the following four questions. Here’s what they had to say.

Jump to each perspective via the links below.

• Question #1: As a security leader, what are some practical steps one can take to achieve a safe and secure culture while, at the same time, adopting bleeding edge technology?

DECKER | FRENZ | DUNKLE

• Question #2: How can security leaders and clinicians partner to ensure health information is secure without sacrificing clinical workflow?

DECKER | FRENZ | DUNKLE

• Question #3: How do you manage vulnerabilities when there are so many and you are in a live production environment 24x7?

DECKER | BOWDEN | FRENZ

• Question #4: Will the application of machine learning and artificial intelligence (AI) technologies be constrained to serve only an individual organization’s needs? Or is there value in sharing security information in order to make these systems even better for the entire healthcare ecosystem?

BOWDEN | FRENZ

 

Information Security Culture

As a security leader, what are some practical steps one can take to achieve a safe and secure culture while, at the same time, adopting bleeding edge technology?

Erik Decker, Chief Security and Privacy Officer, University of Chicago Medicine; a HIMSS Healthcare Security Contributor

First, it is best to be tied in with your procurement, governance and business operational processes. One of the biggest challenges for the security organization is to have a pulse on the business so it can help guide and secure the technology. After you have your intelligence, build out a structured set of questions and toolkits for evaluation. Be as objective as you can.

Christopher Frenz, Associate Vice President of Information Security, Interfaith Medical Center; a HIMSS Healthcare Security Contributor

I am a big fan of making security and privacy risk assessments part of the procurement process for any new information system or service. Assessing risk as part of the acquisition process helps organizations to better understand the impact on security the new technology may have, as well as helps the organization determine what controls may need to be implemented in order to securely deploy the new technology. It is critical that those in clinical leadership also a play a role in such risk assessments as security flaws in some clinical systems or medical devices can pose a life safety issue. In order to facilitate this involvement, I like to tell those involved in the risk assessment process to ‘remember to take their PILLS.’ PILLS is a simple risk assessment framework that asks participants to consider the potential risks surrounding:

• Privacy of Data: What ways can personal health information possibly be obtained from the information the device collects, processes, stores or transmits?
• Integrity of Data: In what ways could information collected, processed, stored, or transmitted by the device be altered in an inappropriate way?
• Loss of Availability: In what ways can a loss of access to the device, a loss of access to the devices data, or a loss of device function result?
• Life Safety: In what ways can a cyberattack contribute to a life safety issue?

Stephen Dunkle, Chief Information Security Officer, Geisinger; a HIMSS Healthcare Security Contributor

I see three components needed to succeed at this—partnership, risk management and design.

• Partnership: Maintaining a strong sense of partnership with other departments and business units within your organization helps cohorts and others see your perspective, and you to see theirs.
• Risk management is a common business language, where security is not. It enables you to effectively communicate your concerns and gain support.
• Design: Security in design is much easier to sell than an afterthought. It is more efficient, less expensive to purchase and to maintain. It also portrays a security organization focused on enabling versus serving as a roadblock.

Clinician Collaboration

How can security leaders and clinicians partner to ensure health information is secure without sacrificing clinical workflow?

Decker

Ultimately, it comes down to a risk discussion. Clinicians understand risk intrinsically, it’s part of their responsibilities as caregivers. It is important for the clinician to understand the true impacts of cyberthreats and how that interfaces with the clinical workflow. Once these are understood, you can adopt the right level of ‘ease of practice’ balanced with security needs.

Frenz

Clinicians need to be key stakeholders and are going to be critical to the success of many security initiatives within healthcare. As such, it is important to gain the support of clinical leaders within the organization and this is often best accomplished by demonstrating to clinical leadership that ultimately you have the same goal in mind—patient safety.

WannaCry, NotPetya and other recent attacks against hospitals provide clear evidence that it is not just patient information that cyberattacks put at risk, but also the patients themselves. Not only do such attacks impact hospital operations, but in many hospitals these attacks led to the encryption of medical devices. A great way to get clinical leaders to better understand the importance of good information security as a means of promoting patient safety is to:

• Get them to participate in table top exercises and other simulations of a cyberattack
• Get them thinking about the role clinicians would have to play in incident response and the possible impact an incident would have on patient care

The better they understand the risks a cyberattack poses to patient care, the more likely they are to partner with you on solutions that will work to mitigate those risks.

Dunkle

Education is an important part of the security leader’s role. I often share the idea with our clinicians that security plays an important role in overall patient care—both from an information protection and from a safety side. I have a clinician privacy and security council that meets monthly to discuss usability concerns encountered due to our security solutions. We work together to solve problems—they work to understand our perspective, we work to understand theirs, and we seek compromise to move forward.

Staying Diligent

How do you manage vulnerabilities when there are so many and you are in a live production environment 24x7?

Decker

You need a robust vulnerability management process. This includes the technology, of course, but more importantly, it’s the process, procedures and discipline of the team to manage those vulnerabilities according to their risk. Look at the U.S. Department of Health and Human Service’s Cybersecurity Practice #7 within the Healthcare Industry Cybersecurity Practices for more detailed instructions.

Dan Bowden, Vice President and Chief Information Security Officer, Sentara Healthcare; a HIMSS Healthcare Security Forum Speaker

The key is managing the right vulnerabilities at the right time. Cybersecurity researchers are better than ever at discovering vulnerabilities. The problem is we were never keeping up on them before.

To manage the right vulnerabilities at the right time, you need to utilize platforms that map common vulnerabilities and exposures information with information about actual exploitation activity and known threat intelligence about active campaigns against the vulnerabilities in question.

There may be 10,000 critical rated vulnerabilities in your environment. However, getting the additional information about which ones have actually been exploited and which are targeted in known campaigns tells you where to start. With this additional context, the number you should quickly act on is likely about 3-5% of the 10,000. As a chief information security officer, you can have a reasonable conversation about that number.

Further, the right platforms and intelligence feeds will tell you quickly when a critical vulnerability that wasn’t being exploited yesterday, is now today.

Frenz

Network and security architectures need to be designed with the mindset that any device has the potential to be compromised at any time. No system can ever be made 100% secure and there will be the eventual compromise of an endpoint or other system on your network.

If we examine a lot of the operationally disastrous ransomware attacks that have occurred against hospitals, the success of these attacks is largely because every device inside their perimeter was considered trusted and a flat network architecture, whereby every device could communicate with every other device, was implemented. With a flat network architecture, a threat is able to move laterally through a network and turn a single compromised endpoint into a network of compromised endpoints with often catastrophic results.

I’m a firm believer in taking a zero trust approach to security, whereby no system on my network is considered trusted and communications between systems is only possible where explicitly needed. For example, PCs on my network can communicate with our EHR system and other systems they require access to, but no two PCs can communicate with each other. This works to heavily restrict lateral movement across the network and works to ensure that when a system is compromised that the threat remains isolated to just a small segment of the overall network.

I’m also a firm believer in extending such a zero trust model to the application level and have increasingly been rolling out application whitelisting technologies to ensure that only trusted applications are capable of running on critical systems.

For legacy medical devices and other systems where patching may not feasible, I also make use of and advise that organizations consider a virtual patching approach by routing traffic to the device through a firewall or other system with up-to-date intrusion protection functionality.

Role of Artificial Intelligence

Will the application of machine learning and artificial intelligence (AI) technologies be constrained to serve only an individual organization’s needs? Or is there value in sharing security information in order to make these systems even better for the entire healthcare ecosystem?

Bowden

AI has promise. The issue I’ve always seen with it is bias. Many people don’t understand this. They hear AI and assume absolute neutral analysis of right and wrong decisions. AI learns from all the data of people’s decisions that the AI observes and takes action on.

I heard of an example where a company used AI to analyze and rout job applicants to open positions. They learned the AI engine was routing more male applicants to higher paying jobs than female applicants. At first, they though the AI was broken—but no, the AI was taught this decision process based on all the previous hiring decision data in that organization.

There is always value in sharing and using the automation features in AI—it is way faster than humans. However, we must realize that every contributing source to teaching the AI must be accurate and we should audit its decisions frequently, along with the data feeding the AI.

Frenz

The key with any machine-learning-based system is that it needs to be trained using a robust and high-quality data set so the function approximations it learns to make for a given set of inputs are accurate. While for some cases using data only from within a given organization may be optimal, there are many cases where data sharing would be highly beneficial to improving the accuracy and the ability to detect threats of machine learning based systems. Cloud-based antivirus services that utilize machine learning are one such area where this is the case. Cloud-based antivirus systems are able to pool the data they collect from their entire customer base to predict the outbreaks of new threats and rapidly roll out protection to their customers.

The increased sharing of threat intelligence is overall a great thing. As with any security control, however, one needs to keep in mind that machine learning and AI are not a panaceas for all security needs. Machine-learning-based systems are not infallible in their predictions. They are a great addition to any security arsenal, but need to be used in conjunction with a robust set of security controls as part of a layered defense in depth strategy.

Have some best practices or questions of your own to share? Tweet them to @HIMSS with #HITsecurity.

Originally published November 7, 2019