Healthcare infosec leaders rank security posture, maturity just 'average'
BOSTON - When asked to rank the cybersecurity posture of the healthcare sector, four healthcare infosec leaders found that while the industry has improved, there’s still a long way to go.
At the HIMSS Media Security Forum here on Monday, Anahi Santiago, chief information security offer of Christiana Care Health System, said that the industry is at about a four or five -- as the larger organizations are much more secure -- “but too many small to mid-size hospitals are struggling.”
“The fact that leadership is understanding it’s a real problem and investing in people, processes and technology is a good thing,” Santiago said. “But the threats are evolving too fast to keep up. And as consumerism takes hold, we’re going to struggle to keep pace.”
Chad Wilson, director of IT security for Children’s National Medical Center agreed that the industry has come a long way in 12 years and there’s been a lot of “progress with recognizing that we need help.”
But while awareness has exponentially grown, there are still a lot of things holding back the industry. To Sonia Arista, national healthcare practice director of Fortinet, the industry is at a solid three in maturity due to its dependency on third parties and “a false sense of cloud” -- giving up all of the security controls.
The increase in mergers and acquisitions are also creating significant business model challenges, she added.
“But it’s important to not only think of where we are today, but where we came from -- a zero or a one,” Wilson said. “A lot of work has gone into security in the last few years.”
As a result, we’re in a transition from awareness to action.
“A lot of us tried to solve problems with a lot of products,” Munya Kanaventi, senior director of information security for Everbridge. “The next phase, as we mature, will be security as identification: understanding where you are and what the tools are telling you.”
“Let the data drive the decision making,” he added. “We’re reaching this point in the industry that we recognize there’s a problem. We’ve purchase all of the tools… The next step is how we use the tools and mature in recognition of the problem.”
To Matt Sickles, the director of cybersecurity for Sirius, as we’ve moved from no tech to too much technology, the organization needs to better understand the data to know not only if the hackers are taking the data -- but if they’re manipulating it.
“Manipulating data will be the next threat,” Sickles said.
Arista explained that process deficiencies can make it a challenge to see those threats. An organization should recognize that all of the multiple endpoint solutions give various reads on intelligence, and “to evaluate those is very, very challenging.”
While we’re moving toward an agile segmentation strategy, it needs to be revisited more than four times a year, she added.
“So I think, to shake things up, our second act is really still our first act,” said Wilson. “We’re still focused on incident response, scrambling, talent shortage -- there’s too much happening. We’re still well within incident response.”
“Policies and procedures are the second,” he continued. “Why not click in on phishing email labeled external? Don’t do that -- and this is why. We have to continue with education, processes -- the second act that will get us to maturity that we need.”
Kanaventi added that maturity will improve by looking at other industries. In the next five years, healthcare will be the biggest target, and “adversaries will be able to quantify how they can monetize the data. It’s going to swing as we mature, the landscape and adversaries will get worse.”
In the end, healthcare will only be successful when infosec leaders have a seat at the table when it comes to strategy, explained Santiago.
Focus on Cybersecurity
In October, we take a deep dive into security strategy and pressing threats.