CIO on security: 'You can't do it alone'
This past week, Healthcare IT News heard from Pamela Arora, senior vice president and chief information officer at Children's Medical Center Dallas, as she attended HITRUST Health Industry Third Party Assurance Summit.
Arora, a HITRUST board member, spoke about her health system's data security challenges and how partnering with organizations such as HITRUST can help keep pace with a "changing landscape."
Q: What is on your to-do list at the TPA Summit? What are you hoping to communicate to attendees and to learn yourself?
A: The goal of the Third Party Assurance Summit is to create awareness of and encourage third-party participation in the HITRUST common security framework program. Today, not all vendor partners are equal when it comes to data security – while all vendors sign business associate agreements, it doesn't necessarily mean the data is being secured in the same way or at the same level as our data is being secured. With the ever-changing cyber-threat landscape, now – more than ever – we must make sure that our data is protected across the continuum of care and that includes our vendor partners.
One of the primary focuses of this summit is opening the dialogue with third parties and encouraging CSF certification. We'll be talking about how partner companies can go about demonstrating they have controls in place for security and privacy, and we'll be talking about how CSF integrates with those standards. The summit is meant to be a "how-to" guide for meeting our organization's security requirements and meeting industry standards, both regulatory and consumer-based.
Q: How much of your job as CIO is spent focused on security concerns?
A: As a CIO, I would say focusing on security concerns is a constant part of the broad picture – all aspects of IS have to be talking about security and be sure it's being addressed at all levels.
Q: What is the security leadership structure at Children's Medical Center? Do you work with a CISO?
A: While all leaders are focused on security at Children's, in the IS group we work with a CISO who collaborates with leaders across the organization.
Q: What does HITRUST/CSF do for Children's? What assurances does it give you, how does it make your life easier?
A: HITRUST CSF helps strengthen our security program, and HITRUST evolves to meet the changing landscape. We opted to go beyond the CSF and obtain the SecureTexas certification. In 2013, THSA selected HITRUST to assist in development and maintenance of the SecureTexas Program. Texas is the first state to develop a formal approach to certification that incorporates state and federal privacy and security regulations. The Texas program leverages the HITRUST CSF and CSF Assurance programs. Organizations participating in the program are able to show they have met state and federal privacy and security standards in order to manage risk and increase confidence in how they protect health information. Children's was the first in Texas to receive the certification under the SecureTexas program last year. In 2015, BCBS-TX, Texas' largest health insurer, was the second to receive SecureTexas certification.
Q: Is compliance with HIPAA and HITECH enough? Or do you see the need to take a much more proactive approach?
A: HIPAA and HITECH are part of the broad picture. Rather than taking an "either-or" position, we approach security from a compliance and a risk-based perspective, as we believe this will better position us to address threats.
I often relate to concepts through analogies, and in this case, a house comes to mind. We're all required by law to pay taxes on a home and that comes with some protections; but just because we're meeting the requirement to pay taxes (i.e. the regulatory requirement) doesn't necessarily mean the house is protected from all threats. For example, the roof may not be strong enough to withstand a hail storm or the home may not have an adequate security system to detect a burglary. To ensure I have the best protections available, I may opt to make additional investments in a more durable roof to protect against storms and a more advanced security system to detect and deter burglary. I may also seek to increase my insurance coverages against these threats.
The same is true for threats in the cyber world. To help address the risks, HITRUST is working with organizations with dissemination of threat intelligence (i.e. storm warnings). Additionally, HITRUST is able to score an organization's risk level. This risk level can then be shared with cybersecurity insurers to enable companies to get a better value on cyber insurance should they qualify as lower risk (i.e. burglar alarm installed). Through these means, we're able to add another layer of security to our organization's program at a better value.
Q: Talk about some recent security-focused projects you've been working on at Children's, and/or some you plan to pursue in the new year?
A: Recently, insurance leaders took the initiative to invite their partners to the third party summit – Children's Health followed their lead and invited more than 100 of its vendor partners to the summit to learn more about certification and ways to bolster their security programs.
While we have a number of internal efforts ongoing, we're also working to extend security reach into the community, working with our HITRUST partners. Specifically, we're involved in three other programs that HITRUST is spearheading. The first is CyberRX, a series of no-cost breach response exercises coordinated in conjunction with HHS, DHS and FBI. CyberRX's mission is to improve preparedness for and response to cyber-attacks on healthcare organizations.
Second, the HITRUST CyberVision Program is the first real-time situational awareness and threat assessment tool tailored to the healthcare industry. It can automatically notify healthcare organizations and information security vendors of emerging cyber-threats for which a countermeasure is not available.
And third, the HITRUST Cyber Discovery Study, which was undertaken to enable a better understanding and more accurate identification of attack patterns and persistence, as well as the magnitude and sophistication of specific threats across enterprises. Participants will benefit from access to highly sophisticated collection and analysis tools and resources that provide detailed information regarding cyber-events and threats within their environment.
Q: What are the biggest security challenges, from your point of view? What threats keep you up at night?
A: When we consider hacktivists, cybercriminals and nation-state threats, it's critical to bolster your security program because the truth is, you're only as strong as your weakest link. Third-party partners have access to our environment, and while we know they have signed BAAs with us, we can't be certain what their risk environment looks like. If a partner goes through the third-party certification with HITRUST, we're able to be more confident our organization's security posture isn't eroded, since we know our partners also meet CSF security requirements.
With more healthcare entities obtaining HITRUST CSF certification, plentiful opportunities exist for third parties to become involved – and we encourage this wholeheartedly. At the same time, we recognize that challenges exist. In some instances, an organization's culture may initially be resistant to pursuing certification; but with continued encouragement from the industry (and demonstration of the value in CSF certification), we're confident potential resistance will ultimately melt away.
Q: How do you get your employees to buy into the need to keep patient data safe, to create the "culture of security" we hear so much about?
A: We obtain buy-in from employees through multiple means. The first is through extensive training (both for new employees and recurrent training for existing employees). We have numerous policies and standards, attestations and other initiatives aimed at ensuring our employees understand the organization's expectations regarding the protection of data. We conduct tabletop exercises regularly to promote a culture of security awareness, and we regularly communicate with our team members about actions that can protect data. Recently, Children's developed a program to recognize employees who demonstrate an awareness and who actively promote data security.
Q: Any advice for other CIOs or CISOs daunted by this dangerous new security threat landscape?
A: My advice for other CIOs and CISOs is simple: You can't do it alone. Use the resources available to you and partner within your organization, outside your organization, with your peers, with governmental agencies, vendors, etc. It may sound cliché, but the truth is, it takes a village.
Q: The cybersecurity landscape has changed markedly since the CSF was developed. What are other ways HITRUST has evolved along with it?
A: Because the threat environment continues to change, it's crucial healthcare organizations be nimble and adaptive. HITRUST has evolved into an even more robust cybersecurity resource and partner for organizations such as Children's Health because they continually evaluate the environment and work to share threat information to the benefit of the industry. HITRUST offers cyber-threat intelligence briefings, comprehensive cybersecurity drills/tabletop exercises and assistance in evaluating an organization's level of cybersecurity risk, to name a few. The evolution of HITRUST has helped our organization prepare more thoroughly to counter the threat environment.