Gerald (Jerry) Fralick has more than 40 years of experience in the IT field and public sector management and operations. As Lenovo’s chief security officer (CSO) for the Corporate Standards and Quality Group, and a member of the Product Security Office, he has a multi-faceted role actively engaging with Federal/State agencies and commercial companies to further understand their IT security and procurement requirements, which he discusses here. Fralick works closely with Lenovo development and product engineers throughout the development lifecycle of software and products. He provides assistance and oversight ensuring that appropriate product development security controls are met in accordance with new U.S. Federal Government regulations, and that all Lenovo products meet the security control requirements for all low-, moderate- and high-risk information systems.
In considering the security concerns that you hear from healthcare administrators, do they tend to be more focused on the technology itself, or on the impact of employee/provider actions or inaction?
Most of the questions that I get are based on the technology and the product security. The reason is that most of the C-level executives that I talk to are CIOs or CTOs and they’re more concerned about the impact of the product on the infrastructure: what happens when they bring a product into their infrastructure, and how they can trust the products that they’re putting into their infrastructure.
Typically, the CIO will go through a procurement action and will evaluate certain manufacturers on products. You build a moat around the castle—firewalls, sniffers—to keep the “bad people” out who try to penetrate the network. What happens in a procurement action is you buy the equipment, but you don’t verify or test it. You don’t ask the questions about touch points, the software, the hardware itself. It’s all about internal security.
Through a procurement action, most CIOs will accept a level of risk, which is low. If they see an action as a high risk, you have your board, politicians and so on looking over your shoulder because if you do have a breach, you don’t have a way to go back and show that you validated the equipment.
At Lenovo, we focus on the product security and what goes into the supply chain. We pay attention to all of the HIPAA regulations—even on returned products—because we want to ensure that you can really trust your product.
In what ways do you feel healthcare organizations could be doing a better job of educating and informing staff/providers about their roles in protecting data security?
Certainly training on the security of what they’re doing. Most companies have some kind of training that they provide to their employees. So, I would focus on having a security program package that they give to their employees that is perhaps expanded to a more focused look at the effects and impacts of cyber security breaches and the impact on the healthcare organization.
Another thing is just answering emails that come in. Are they suspicious? Don’t open an email if you don’t recognize a sender because that’s how hackers get in. All they need is one person to open an email with malware and the whole organization is infected. It’s incumbent upon the healthcare organizations to have some sort of security training for their employees.
Also, there is the importance of the data. Employees have to know what data they need to be cognizant of; whether it’s public info that could be shared, or whether it’s medical data that can’t be shared.
Do you feel that health organizations are fully considering the potential security risks related to medical devices?
No, I don’t think they are. I went into one doctor’s office recently that had laptops with cameras in them and I mentioned that they should cover up the camera because hackers can get in. Again, I think the IT shop within a health organization should be aware of these kinds of things being a security breach.
Are there gaps internally related to IT staff knowledge of security risks and how to address them? If so what should healthcare organizations be doing to close these gaps?
I do think that there are gaps. Most IT shops have IT people that are there with specific jobs to do and there is a lot going on. There are a lot of security issues with software, and I don’t think there are enough people who have expertise in these areas to know what to look for. Whether or not people are informed on a daily basis—those are the gaps.
One thing that could be done to help close these gaps is for the IT shop to get daily alerts, from IT-ISAC, for example. It’s very helpful to understand and see what’s going on in the hacking industry and understand the impact on the organization.
I am working with governments now that want to establish a “circle of trust” so that when they get an alert, they contact us and want to know what impact that has on them and which agencies would be affected. The healthcare industry needs to be more focused on this. They’re getting alerts after the fact.
What do you see as the greatest security risks for health organizations in 2016, and what advice would you offer them in terms of how to avoid, or minimize, these risks?
The biggest risk is having a security breach that would compromise patient medical records. Healthcare organizations—even at the state level—need to have some kind of tabletop exercise and go through a dry run of what happens if they have a medical data breach. Medical data and records are going to be breached at some point in time, and each organization needs to have a response plan.
Related to this, a big challenge is how healthcare IT staff verify and validate the products and appliances they attach onto their medical and internal infrastructure. Do they do any evaluations or do they just accept the products as trusted? It’s important that technology providers specifically provide customers evidence of their security processes and practices so that the customer can trust our products to be “clean & safe” of any malware, spyware or backdoors.
About Lenovo Health
Lenovo Health is a visionary voice and proactive health IT partner that brings a foundation of security, compatibility, mobility and reliability to the industry. Our focus lies in simplistic, seamless solutions that help you get ahead in an ever-changing health IT landscape. www.lenovohealth.com