BOSTON — There's no one right way to set up a robust and workable cybersecurity program. But at the HIMSS and Healthcare IT News Health Privacy & Security Forum in Boston on Monday, two security experts offered some tips – and an ethical hacker shared hair-raising anecdotes to remind everyone just why such a program is necessary.
Shenny Sheth, information security manager at Texas Children's Hospital, said a changing regulatory environment, an evolving threat landscape and a changing IT market demanded a new approach to cybersecurity.
Texas Children's, with its 13,000 employees, 3 million patient records and 1 million credit card transactions, offers a sizable case study on the value of keeping data safe. As the landscape grows ever more complex – hacktivism, state-sponsored cyber crime, IoT, biomedical devices, the cloud – it's critical to have "a heightened sense of cyber threat awareness."
Sheth said "leveraging a relevant framework" such as HITRUST CSF is one key way to help focus the mind, enabling an actionable approach to safeguarding patient information.
He also stressed the value of a laser-like focus on key risk indicators to help monitor cyber threats and facilitate risk reporting. Such an organized and methodical strategy is essential, said Sheth, to realizing a "return on security investment."
Scott Alldridge, CEO of the IT Process Institute, meanwhile, discussed the value of "Visible Ops Security," which aims to move healthcare from a reactive stance to a proactive one.
Even as healthcare is spending more money on security, it's still playing catch-up, he said. That's largely because it's spending money on the wrong things. The healthcare industry is still enamored with point-based solutions for security — which will always have gaps.
Such gaps necessarily exist between security point solutions, and can only be addressed with comprehensive security controls that govern how work is performed by staff and end users, said Alldridge.
Security, he emphasized, is not a "feature" that can be "bolted on" to IT work to compensate for an underlying insecure environment.
Too many providers still think that way, however – often leading to a false sense of security, he said.
Healthcare has no shortage of frameworks aiming to help show providers the way forward. One of Alldridge's slides showed a dizzying array of choices: "HIPAA - COBIT - ISO 27001/27002 – HITRUST - COSO Enterprise Risk Management - SANS Critical Security Controls - PCI Data Security Standard - NIST Cybersecurity Framework – ITIL – CMMI – LEAN IT."
But Alldridge argued that many best practice frameworks and advisory services "aren't based on factual data." Instead, he pointed to ITPI's 14-plus years of research, which shows that a focus on three core process areas – release management, configuration management and change management – can lead to significant security ROI.
As providers develop security and compliance programs to comply with HIPAA and other regulatory requirements, they need to keep a close eye on those three areas, as well as what Alldridge calls Security Incident and Event Management and System Integrity Management, focusing on vulnerability assessment and baselining; risk analysis, security alerts and system activity reporting; and continuous compliance reporting.
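The three process areas above only pay off when they are tied together: a configuration baseline is worth little unless every deviation from it is reconciled against an approved change record and the result feeds a risk indicator. The following added example (not code from the article, ITPI or any product) shows that reconciliation in Python. The settings, the snapshot, and the "CHG-nnnn" ticket schema are constructed for illustration and are assumptions, not a real tool's format.

```python
"""Reconcile a host's current configuration against an approved baseline and
the change records that are supposed to explain any difference.

Every deviation falls into one of four buckets: covered by an approved change,
unauthorized (no ticket, or the ticket's value does not match), unknown (a
setting that was never baselined), or an approved change that has not been
applied yet. All data below is constructed for the example.
"""
from dataclasses import dataclass, field
import hashlib
import json

# Constructed "golden" baseline: setting name -> approved value (hypothetical names).
BASELINE = {
    "sshd.PasswordAuthentication": "no",
    "sshd.PermitRootLogin": "no",
    "firewall.inbound_default": "deny",
    "tls.min_version": "1.2",
    "audit.log_forwarding": "enabled",
    "ehr.session_timeout_min": "15",
}

# Constructed snapshot of the same host, as a scan tool might report it.
CURRENT = {
    "sshd.PasswordAuthentication": "no",
    "sshd.PermitRootLogin": "yes",        # deviation with no approved change
    "firewall.inbound_default": "deny",
    "tls.min_version": "1.3",             # deviation covered by CHG-1001
    "audit.log_forwarding": "disabled",   # deviation with no approved change
    "ehr.session_timeout_min": "15",
    "debug.remote_console": "enabled",    # setting absent from the baseline
}

# Constructed approved change records (hypothetical ticket schema).
APPROVED_CHANGES = [
    {"id": "CHG-1001", "setting": "tls.min_version", "new_value": "1.3"},
    {"id": "CHG-1002", "setting": "ehr.session_timeout_min", "new_value": "10"},
]


@dataclass
class DriftReport:
    unauthorized: dict = field(default_factory=dict)  # setting -> (expected, actual)
    approved: dict = field(default_factory=dict)      # setting -> ticket id
    unapplied: dict = field(default_factory=dict)     # ticket id -> setting
    unknown: dict = field(default_factory=dict)       # setting -> current value


def baseline_fingerprint(config):
    """Stable SHA-256 of a configuration so a baseline can be stored and
    compared as a single value (canonical JSON: sorted keys, no whitespace)."""
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def reconcile(baseline, current, approved_changes):
    """Classify every difference between baseline and current snapshot."""
    report = DriftReport()
    approved_by_setting = {c["setting"]: c for c in approved_changes}
    for setting, expected in baseline.items():
        actual = current.get(setting)
        if actual == expected:
            continue
        change = approved_by_setting.get(setting)
        # A ticket only explains the drift if it approved exactly this value.
        if change is not None and change["new_value"] == actual:
            report.approved[setting] = change["id"]
        else:
            report.unauthorized[setting] = (expected, actual)
    for setting, value in current.items():
        if setting not in baseline:
            report.unknown[setting] = value
    for change in approved_changes:
        if current.get(change["setting"]) != change["new_value"]:
            report.unapplied[change["id"]] = change["setting"]
    return report


def promote_baseline(baseline, report, current):
    """Return a new baseline that absorbs only the approved deviations;
    unauthorized and unknown settings are deliberately left out."""
    promoted = dict(baseline)
    for setting in report.approved:
        promoted[setting] = current[setting]
    return promoted


def key_risk_indicators(report):
    """Counts suitable for the kind of risk reporting the article describes."""
    return {
        "unauthorized_changes": len(report.unauthorized),
        "unknown_settings": len(report.unknown),
        "unapplied_approved_changes": len(report.unapplied),
    }


if __name__ == "__main__":
    result = reconcile(BASELINE, CURRENT, APPROVED_CHANGES)
    print("baseline fingerprint:", baseline_fingerprint(BASELINE)[:16])
    print("unauthorized:", result.unauthorized)
    print("approved:", result.approved)
    print("unknown:", result.unknown)
    print("unapplied:", result.unapplied)
    print("KRIs:", key_risk_indicators(result))
```

The point of `promote_baseline` is that the baseline moves forward only through the change-management path: an approved change updates the golden record, while an unexplained change stays visible in every subsequent run until someone either reverts it or files the ticket that authorizes it.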
The essential takeaway, he said, is to "focus on the right things."
Because, rest assured, the bad guys are focused on healthcare more than ever, and are notching more and more victories against weakly-defended providers.
Chris Crowley, an ethical hacker and consultant with Montance, put it plainly: "Everything you're buying – software or hardware – is broken," he said.
Take the example of Apple. It has "the most restrictive information system ever," he said: iOS. Cupertino designs the hardware, designs the operating system, whitelists the apps that can run on it. But still "every new version of iOS has flaws," he said. "And people find them."
If Apple, which, perhaps more than any country on earth, has the "largest incentive and greatest degree of control can't do it," he said, it's safe to say that the IT systems running in most hospitals are a good deal even further behind.
"Work on the assumption that everything's broken," said Crowley.
So then what to do? Penetration testing like he does can help find flaws. But a pen test is nothing to skimp on. He pointed to a data clearinghouse that opted for the lowest bidder – and was essentially told that it only had minor flaws to fix. That test neglected to show that the organization had already been infected with CryptoLocker ransomware.
So one piece of advice is to follow "standard practice in most scenarios: get a second opinion," said Crowley. Another piece is to not simply rely on external white-hat hackers such as himself. "Have someone within the organization who's challenging (your) defensive posture," he said.
Twitter: @MikeMiliardHITN
Email the writer: mike.miliard@himssmedia.com
The Privacy & Security Forum is happening in Boston, Dec. 5-7, 2016.