Every day, there are countless cyberattacks by malicious actors on healthcare provider organizations. The goal is to either shut down access to critical systems for a ransom or get ahold of valuable protected health information.
This is why healthcare CIOs and CISOs need to have their cybersecurity defenses running at peak performance. One slip, and there go the systems or the data – or both.
In this latest installment of the Technology Optimization Best Practices Special Report, Healthcare IT News talked with four cybersecurity technology experts, who share their combined decades of experience to offer CIOs and CISOs practices and tips for making sure security tech is running optimally.
Assessing the state of technology
To begin with, CIOs and CISOs should assess the current state of their security technology, both strategically and tactically, said Gerry Blass, president and CEO of ComplyAssistant.
“The strategic review should identify high-, medium- and low-risk areas of the current state of their security technology, including documented policies and procedures, workflow, budget, internal and external resources and technology gaps,” Blass said. “The strategic outlook should also include a thorough review of vendor contracts and terms to determine if service level agreements (SLAs) are being achieved and if there are auto-renew provisions that should be removed.”
The tactical review, he continued, should rate each security technology tool on a variety of criteria, such as impact on resource time, effectiveness, implementation status, integrations, redundancies, results, challenges and obstacles for use, and vendor support. These ratings should correspond with the control or controls that each security technology tool is intended to fulfill, along with National Institute of Standards and Technology (NIST) categories, he said.
“Such controls include Compliance, Encryption, Honey Pot, Medical Device Protection, Mobile Device Management, Patch Management, Network Monitoring and Protection, SIEM, SOC, VPN Remote Access, Web Filtering, Identity Access Management, Training and Awareness, Vulnerability Scanning, Penetration Testing, Wireless Management and more,” he explained. “The five NIST categories are Identify, Protect, Detect, Respond and Recover.”
The results of the tactical review will provide key metrics and ratings that feed into and support the development of the overall strategic plan. The end result, he said, is a multiyear road map of strategic and tactical action items and time frames for completion.
A cultural shift to boost change
Another cybersecurity tech optimization best practice concerns the cultural shift it may take to adopt change, said Neelkamal Agarwal, managing director, health and public sector cybersecurity lead, at Accenture.
“When integrating solutions that take away previous, elevated access; using a new technology that requires an expanded or new skillset; or simply enforcing a new security policy, this is change for the users,” she said. “Best practice is to bring change management and communications at the onset of an engagement that will vastly uplift the daily routine of users.”
Sean Atkinson, chief information security officer at the Center for Internet Security, said that as the healthcare industry is becoming more reliant on technology, it is critical to establish baselines.
“Commonly found within any industry is the increase in network connectivity with a variety of devices and applications that are not necessarily updated and patched in a timely manner, if at all,” he noted. “In addition, there is an increase in patient connectivity as well.”
Baselining can help the healthcare industry align its IT and cybersecurity programs with compliance requirements, such as HIPAA, he said.
“Define and utilize policies that address the minimum baseline requirements from configurations, to network settings, to identity access management,” he advised. “This helps to mitigate inadvertent and unauthorized access and usage of systems and data on the network – bringing us to the next best practice of analytics.”
Atkinson of the Center for Internet Security offers another cybersecurity technology optimization best practice, this one revolving around analytics.
“Analytics can assist a healthcare organization from simply functioning, to a level of holistic understanding and insight to identify future needs and trends,” he said. “This can be useful throughout your organization from patient analytics, unifying capabilities, to daily operations.”
This provides greater visibility into which records, applications and other resources are being accessed, by whom, when and where. Using this information can help with compliance and audit alignment through log generation, enabling the organization to ensure protective baselining is appropriate, he said.
“Specifically, an analytics environment that can ingest the requisite information for analysis and automated alerting for a scripted event,” he added. “Security Incident and Event Management (SIEM) platforms have become a staple tool within the cybersecurity unit. Optimizing the system and the data being ingested is a key function of visibility and analytical capability.”
Governance, risk and compliance
Blass of ComplyAssistant said that healthcare CIOs, CISOs and other leaders should develop a governance, risk and compliance report card that evaluates the overall security and compliance program, including data around the use and effectiveness of security technology.
“The report card provides metrics for review by an oversight/steering committee [composed] of multidisciplinary organizational leadership,” he said. “The objectives of the report card are to create a culture of awareness, transparency, accountability and trending that can be easily understood by leadership, and to make the organization more functional in regard to information security risk management and compliance.”
The report card, he advised, should include:
- The current top five high-risk gaps and costs to mitigate.
- The results of ePHI vulnerability assessments.
- Physical security findings and trends.
- Status of medical device security.
- Status of business associates (BAs) and their downstream BAs.
- Disaster Recovery/Business Continuity test date(s) and results.
- Cybersecurity simulation test date(s) and results.
- Workforce phishing test date(s) and results.
- Policy and procedure operations audit results.
- Cloud host audit (SOC1 and 2) results.
- The latest industry breaches and reasons.
- Change management/business plan impact.
- The latest information from Information Sharing and Analytics Organizations (ISAOs) and Information Systems Audit and Control Associations (ISACAs).
“Increasing awareness, transparency, accountability and trending will elevate the level of multidisciplinary organizational due diligence and compliance and provide a smoother path to properly funding the annual budget for their information security technology,” Blass stated.
On-demand data from any location
When optimizing security technology in healthcare provider organizations, CIOs and CISOs should consider the changing landscape, which requires securely accessing on-demand data from any location, said Agarwal of Accenture.
“This leads to the need for housing data, applications and other resources in the cloud that is enabled by a strong cloud strategy with input from across the business, inclusive of IT and security,” she said. “The requirement of secure data anywhere brings in the need to account for work-from-home, work-from-anywhere capabilities while maintaining data integrity and specific security access of the organization. Best practice here incorporates usage of core technologies to enable remote capabilities augmented by digital identity platforms and tools while integrating accepted policies and procedures that enforce security protocols.”
Dashboards and reporting
Nitzan Miron, vice president of application security services at Barracuda Networks, chimes in with a cybersecurity optimization best practice: Do not underestimate consolidated reporting and dashboards.
“Any large enterprise will have multiple security vendors providing different kinds of security – network firewalls, web application firewalls, API gateways, endpoint security, data loss prevention, et cetera,” he noted. “Each of those vendors will have their own dashboards and reporting engine, but will your team actually log in to every single vendor’s system every day? Unlikely.”
Piping all data from all vendors into one single system gives a healthcare organization the ability to get the status of all security systems at a glance in a single dashboard – a dashboard staff hopefully will find valuable enough to run on a dedicated monitor in their offices, he advised. When issues arise, staff can always open the source system to get full information.
“As a bonus, you can also easily correlate data from multiple systems: Did that IP address that launched an attack against your application also try to DDoS your network?” he said. “SIEM systems may sound daunting, but many of the modern solutions are very easy to set up [and] affordable to run, and almost all vendors offer easy, real-time integration of logs into popular SIEMs. Best of all, your teams will start to get ROI the first day they open the new dashboards and customize them for their own needs.”
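The cross-system correlation Miron describes (an IP address blocked by the web application firewall also showing up in the network firewall's flood events) is what a consolidated SIEM dashboard does behind the scenes. The script below is an added illustration written for this article, not code from Barracuda Networks or any other vendor: it normalizes two constructed log formats into one schema, joins them on source IP within a time window, and produces the alert lines a dashboard would surface. The log formats, field names and IP addresses (from the RFC 5737 documentation ranges) are all assumptions made up for the example.

```python
"""Added example: correlate web application firewall (WAF) blocks with
network firewall flood events by source IP, the way a consolidated SIEM
view would. Log formats and sample lines are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample: WAF events, one per line, key=value fields after the event type.
WAF_LOG = """\
2024-05-01T10:02:11Z waf blocked src=198.51.100.23 rule=sqli path=/patient/search
2024-05-01T10:05:40Z waf blocked src=203.0.113.9 rule=xss path=/login
2024-05-01T10:07:02Z waf allowed src=192.0.2.77 path=/api/v1/records
"""

# Constructed sample: network firewall flood / rate-limit events (assumed format).
FW_LOG = """\
2024-05-01T10:03:55Z fw flood src=198.51.100.23 dst=10.0.0.5 pps=48000
2024-05-01T11:30:00Z fw flood src=192.0.2.200 dst=10.0.0.5 pps=52000
2024-05-01T10:06:10Z fw flood src=203.0.113.9 dst=10.0.0.12 pps=31000
"""

# Common shape of both constructed formats: timestamp, tool, event, key=value pairs.
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<tool>\w+) (?P<event>\w+) (?P<kv>.*)$")


def parse_log(text, source):
    """Normalise one tool's log lines into dicts sharing a common schema."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
            "source": source,
            "event": m.group("event"),
            "src_ip": fields.get("src"),
            "detail": fields,
        })
    return events


def correlate_by_ip(waf_events, fw_events, window=timedelta(minutes=10)):
    """Return {src_ip: [(waf_event, fw_event), ...]} for source IPs that were
    blocked by the WAF and also produced a firewall flood event within `window`."""
    blocked = defaultdict(list)
    for e in waf_events:
        if e["event"] == "blocked":  # only WAF blocks count as application attacks
            blocked[e["src_ip"]].append(e)
    hits = {}
    for f in fw_events:
        for w in blocked.get(f["src_ip"], []):
            if abs(f["ts"] - w["ts"]) <= window:
                hits.setdefault(f["src_ip"], []).append((w, f))
    return hits


def build_alerts(hits):
    """Render one human-readable alert line per correlated pair, sorted by IP."""
    return [
        f"{ip}: WAF {w['detail'].get('rule')} on {w['detail'].get('path')} "
        f"and firewall flood to {f['detail'].get('dst')} within window"
        for ip, pairs in sorted(hits.items())
        for w, f in pairs
    ]


if __name__ == "__main__":
    found = correlate_by_ip(parse_log(WAF_LOG, "waf"), parse_log(FW_LOG, "fw"))
    for alert in build_alerts(found):
        print(alert)
```

On the constructed input, two of the three WAF source addresses also appear in the firewall flood log inside the ten-minute window, and the address that was merely allowed by the WAF is not flagged; in a real deployment the two parsers would be replaced by the SIEM's own log integrations, but the join on a shared field and a time window is the same.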
Go for proven technology
Miron said that healthcare provider organizations looking to optimize cybersecurity technology should go for tried, true and proven.
“As a CISO, you’re doubtless inundated with requests to talk to you about the latest technology,” he said. “Those conversations probably mention a lot of AI and machine learning and big data. Cut through the buzzwords with a simple question: Are customers using these buzzword technologies and extracting actual value from them? Can the vendor provide references to prove it? All too often, it’s a lot of hand-waving, and the references you talk to may tell you they love the product, but they’ve never even turned on any of the AI or big data features.”
A traditional firewall will never look as good on a resume as “API discovery with artificial intelligence,” Miron concluded, but there’s a reason those firewalls have been around for more than 10 years and are still a growing market: They work.