Update: Privacy and Security Forum kicks off on Monday
Editor’s note: This second update to the article adds insights about cloud computing security from UPMC vice president and associate counsel John Houston.
The HIMSS and Healthcare IT News Privacy & Security Forum kicks off the first week of December in Boston.
Our team of reporters and editors interviewed nearly a dozen of the more than 50 speakers ahead of the conference to glean insights about today's most pressing security issues.
Experts will talk best practices for cybersecurity, tips for managing infosec budgets wisely and the surprising things that can be learned from the dark web. They'll also offer advice for securely offshoring data, storing it in the cloud and they'll posit an interesting theory about the roots of today’s security problems.
With so many hospitals and health systems either consolidating multiple EHRs onto an enterprise platform or switching to an entirely new vendor, cloud-based services are becoming a serious option. UPMC vice president John Houston recommended that any provider looking at the cloud should dig deep under the hood of its vendors.
“When evaluating a vendor, we find that some simply don’t have the wherewithal, the ability to develop a solution that is in fact appropriately secure,” Houston said. “We might try to get audit information and other kinds of substantive information about their security postures, but often those organizations – from a security perspective – are black box. We don’t know what goes on within those environments. And, often, those vendors aren’t willing to tell us either.”
Whether in the cloud or on-premises, healthcare organizations must customize a security strategy that best fits their particular needs, said Scott Borg, chief economist at the U.S. Cyber Consequences Unit.
“The first step in the economics of cybersecurity is paying attention to what your hospital or clinic is actually doing — and that is immediately illuminating if you do it right,” Borg explained. “Executives will immediately see that a lot of things they are protecting do not really deserve a lot of attention and are not things attackers are likely to go after. Meanwhile, they will also see that other systems are both totally important to their organization and are prime targets for the attackers of the near future.”
Former NSA Senior Counsel Joel Brenner, meanwhile, said the Internet itself is a big problem. The issue? It began as a network to serve a small number of trusted scientists and then somehow became the economy's backbone. Security? A mere afterthought.
That stark reality is all the more reason healthcare organizations must master the basic blocking and tackling of infosec. To that end, Aetna CISO Jim Routh, Clearwater Compliance CEO Bob Chaput and Check Point Software’s Dan Wiley laid out their best practice lists for threat intelligence sharing, safeguarding against attacks and crafting a cybersecurity strategy, respectively.
Routh also shed light on the distinct advantages of boldly delving into the dark web to learn more about the myriad dangers lurking there and, in turn, how best to share that intelligence with other organizations — call it a means to beat hackers using their own tactics.
A sound security plan also includes mastering the basics. CynergisTek CEO Mac McMillan and tw-security chief executive Tom Walsh shared tips for hack-proofing identity and access management, while cybersecurity author Mansur Hasib offered advice about successful authentication in a world of fraud.
Add anti-phishing techniques to that list of basics: Mayo Clinic associate dean of clinical practices Mark Parkulo, MD, and his colleague JoEllen Frain, senior manager in Mayo’s office of information security, said anti-phishing efforts must be routine, relevant and consistent. Ignore those three tips? Don't even bother expecting to be successful.
If this all sounds terrifically complex, Tony Sager, senior VP and chief evangelist for the Center for Internet Security, recommends simplifying health data security. How? Approach infosec like war. Because, after all, in many ways it is one. Sager advises taking the "defender’s dilemma" approach and figuring out what's happening. Get a budget to prepare yourself and then explain the results to other parties, regulators, auditors, supply chain partners and so on.
Back to those best practices. They're absolutely critical. Because even if CIOs and CISOs are able to wrangle bigger security budgets, without sound processes in place breaches are still likely to continue into the future.
And the second you start thinking you’ve mastered health data security, it’s time to ask the existential question: Are you really as prepared as you think?