Follow the Leaders - Four areas of focus for Securing Your Healthcare System
Best Practices of the Nation’s Top Systems
First Cyber Health Solutions was fortunate to have the opportunity to learn recently what some of the nation’s leading healthcare systems are focused on in order to reduce their organization’s risk of incurring a security breach. We all know how daunting the task is of protecting our organization’s infrastructure from attack. It can be so overwhelming and complex that you don’t even know where to start. Why not follow the lead of some of our nation’s leading providers and focus first on the four areas listed below.
Old software vulnerabilities:
Just as with the attacks on other industries, attacks on healthcare systems are still primarily coming in through the tried and true techniques that malicious actors have used for many, many years. It is cost effective for the bad actors to stick with what works, until it stops working. While most healthcare facilities practice good hygiene to combat biological viruses, few practice good hygiene when it comes to computer viruses. Major healthcare systems have now begun to recognize the major vector for computer virus infection: poor software updating practices. With up to a 1,000 different applications running in a major healthcare system, the current focus is on identifying applications that have not been updated and making the proper patches. Once a system has been patched to eliminate vulnerabilities, CISOs are having automatic patch management software installed so that new holes are not opened up in the application layer of their networks.Even if you only have 100 applications running and not 1,000, it only takes one application with a vulnerability to allow malicious activity into your system where is can proliferate, establishing command and control, internal storage capability to collect a copy of your valuable data, and exfiltration techniques to run off with your crown jewels.
One of the major challenges that healthcare IT systems face relative to IT systems in other industries is the degree to which their systems are open to the public, and open to the constant addition of new computer-enabled devices. Endpoint device management has risen to become a major initiative in healthcare facilities of all sizes. The installation of anti-virus software has been judged as “necessary, but insufficient” to protect endpoints that are interacting with the world-wide-web. It is too easy for a bad actor to slightly alter the signature of their virus attack and evade anti-virus programs. Healthcare systems are now turning to detection forensics and response techniques.Since detection forensics typically relies on some form of anomaly detection, it is important for a healthcare facility to first determine what is “normal” for their IT system’s operation. The top systems in the nation have already created a baseline of activity that they deem as normal information flow within their networks. With a baseline established, efforts have now turned to anomalous event logging for follow-up forensic investigations.
Vendor and other trusted system vulnerabilities:
One of the more infamous breaches in recent history, the breach of Target, was initiated through a trusted intranet connection from their HVAC vendor. One of the more recent breaches in a healthcare system was initiated through the cafeteria system’s operations. To provide access to information for doctors, nurses and other healthcare providers, healthcare systems have evolved to a collection of trusted networked systems, trust being the operative word to increase the speed of information flow. The trust in the network means that there are no guards between the borders from one system to the next to slow down the flow of information, and no need to stop and re-authenticate your identity as you ask for more information.Healthcare systems have recognized that this responsiveness to information flow has also exposed systems to significantly increased risks. Should a bad actor breach a system at any entry point, they can them move freely throughout the system to “smash and grab” information as they see fit. In response to this increased risk, healthcare facilities are developing segmented networks, and even micro-segmentation techniques as a layer of protection around their most critical information. Segmentation sets up artificial “border crossings” within a network that can be used to tailor authentication and identification requirements for access to particular information. Segmentation is an important feature in large healthcare systems when it comes to mitigating damage from a potential ransomware attack. When access to critical information is more tightly controlled, there is less of a chance that malware can travel throughout the system, encrypting data.
Staff cybersecurity awareness:
The behavior of a computer virus in an organization is much like the behavior of a biological virus in a population. It spreads on contact from one person to another. Healthcare personnel have been identified as the single largest source of malware introduction into an organization. So just like proper hand washing hygiene is important to control the vector of a biological virus in an organization, proper cyber-hygiene is important to control the spread of computer viruses and other malware. Large healthcare facilities are undertaking major efforts in cybersecurity awareness just as they successfully undertook major efforts on hand washing efforts to mitigate HAIs.Once per year training on cybersecurity is no longer enough. Smaller monthly training initiatives are being implemented by the top healthcare systems. This monthly training is accompanied by “inoculation tests” otherwise known as phishing tests to see if cybersecurity awareness training is effective. Remediation activities are then implemented depending on the outcome of the phishing tests.
The Internet of Things
Reasonable Security for the Internet of Things
Whether you know it or not, your hospitals are being inundated on a daily basis with devices that want to communicate over your networks and the Internet. As you bring in and install new equipment (medical devices, payment processing machines, etc.), many of these devices have the ability to send and receive data over your network and outside of it, as they are part of this “Internet of Things”. This represents a point of vulnerability for your network. You need to take action to make sure that these devices are not going to be an entry point for a breach at your organization.
While this is an important question for all devices on your network, it is of particular importance with regard to IoT. With the varying levels of information security maturity contained in these devices, organizations must deploy technology that tracks the entirety of IoT devices deployed in order to gain a good assessment of the risk level that they present, and to gauge how that risk level changes as devices are added or replaced.
Do you have baseline information on, and control over, the version of software and firmware running on your IoT devices?
Identifying secure baselines for the software and firmware that are running your facility’s IoT devices is critical to both creating a safe operating environment and to detecting when malicious activity violates that safe environment. Oftentimes, IoT software/firmware is fully updated with a new version rather than simply being patched. Knowing whether command and control systems can be used to administer these updates or whether the updates are delivered manually, can help keep track of versioning. Where possible, digital signatures should be evaluated by the IoT devices before loading to ensure that images are secure.
Do you regularly schedule vulnerability assessments and follow-on remediation activities?
Vulnerability assessments on operational systems are likely to be risky endeavors. Where possible, test environments or sandboxes should be established. IoT vendors or collaborative communities such as an Infor-mation Sharing and Analysis Center may also have test laboratories that can be accessed to look for vulnerabilities in IoT devices.
Do you control the use of Administrative Privileges on IoT devices?
Some IoT devices include administrative accounts for management and maintenance of the device. For these devices, account assess should be extremely limited, and protected with strong authentication. For devices without administrative access, additional physical security measures are recommended to prevent localized tampering.
Do you generate, monitor and analyze audit logs from your IoT devices?
Since IoT devices are typically designed for high reliability, the often have sufficient logging capability. The challenge here is to capture this log data and integrate it into the enterprise’s Security Information Event Management (SIEM) system.
Protecting PHI In Motion
Personal Healthcare Information Becomes Most Vulnerable Moving Throughout the Ecosystem
Healthcare system networks consist of multiple sources of data from multiple enterprise-level systems communicating in real time. This presents the healthcare cybersecurity professional with varying protection requirements. As these multiple types of data come together and transfer over to other systems, the data is accessed by many different users with varying analytics needs. Due to the urgent nature of information transfer in a healthcare environment, much of the data is transferred in clear text. Health care organizations face even greater risks if any part of a system is deployed in a cloud environment. When viewed from a patient perspective, speed of information flow is paramount. When viewed from an enterprise perspective, the importance of security becomes paramount. Organizations must protect sensitive customer, partner, and internal information and adhere to an ever-increasing set of compliance requirements.
There are a number of traditional IT security controls that should be put in place as the basis for securing PHI, such as standard perimeter protection of the computing environment and monitoring user and network activity with log management. But even in the most tightly controlled computing environments, infrastructure protection by itself cannot protect an organization from cyberattacks and data breaches. PHI in motion is too open to be able to fully protect. Further exacerbating the risk is that the aggregation of PHI as it makes it an even more alluring target for hackers and data thieves.
First is able to offer the right consultant with the perfect crossover of healthcare IT and cybersecurity to address the ever increasing threat surface facing providers today.
The HIT Cybersecurity Battleground
Using Education, Training and Certification to Help Healthcare Entities Fight Back
The Office for Civil Rights website reports that data breaches in healthcare totaled over 112 million records in 2015. As if this were not enough to keep Healthcare Executives up at night, a new attack vector has now arrived on the scene: Ransomware. CEO Allen Stefanek recently reported that Hollywood Presbyterian Medical Center paid hackers $17,000 to restore operation of their computer networks after a ransomware attack shut down their computers. As banks and retailers have shored up their security, hackers have turned to the less-secure healthcare sector.
When it comes to information technology, there is a saying: “The only constant is change.” With Moore’s Law describing the doubling of computing power every two years, and Rock’s law stating that the cost to keep up with increased computing power increases exponentially; it is no wonder that organizations struggle to stay current without breaking the bank. Within the information security domain of IT, this struggle to keep up is exacerbated by the half-life of information security knowledge. According to G. Mark’s law, “half of what you know about information security will be obsolete in 18 months.” Most healthcare IT departments have begun to organize themselves and are investing heavily in hardware appliances and software, with the understanding that the only way to truly catch up, and stay caught up, is to invest in the continuing education of all employees and the staff employed to operate the cyber-defense tools they have invested in.
The human element has caused the need for cybersecurity, and the human element is required to combat it. As computers and computer networking hardware were first being built, little thought was given to the need to keep information safe. One day a curious human decided to see what information they could dig up on a system and computer hacking was born. For a long time hacking was the realm of the intellectually curious human or the “script kiddies” who just wanted to see what pranks they could pull off. Then the world of computing and hacking changed forever in 1988 when Cornell graduate student, Robert Morris, created and launched his worm from MIT’s campus on November 2nd.
After Morris’ unintended demonstration, the practice of hacking grew out of humanity’s dark side and malicious behavior took center stage with website defacements, posting of obscenities, and denials of service running rampant. Soon organized crime and nation-states joined in on the dark side changing what started as a game for script kiddies to full scale economic warfare. In a recent interview, Marc Goodman confirmed this assertion: “The old image of a hacker was 17-year-old kids living in their parents’ basements. Today, the average age of a cybercriminal is 35, and 80% of black-hat (e.g., criminal) hackers are affiliated with organized crime.”
Download The HIT Cybersecurity Battleground white paper.While some may dispute the statement that 80% of hackers are associated with organized crime, there is no disputing the fact that black-hat hacking is a sophisticated and organized industry today. Jim Anderson, at BAE systems has stated, “There are websites where a new thief can essentially buy a ‘starter kit’ that includes malicious code that rookies can use in their first attempts at criminal behavior.” He goes on to state that there is “no disorganized digital crime. Because of the way criminals have organized, the threat landscape is ever evolving and more importantly, ever growing.” There are black markets for a wide variety of malicious services and value-added resellers at every step in the chain to take economic advantage of hacking activities. Most importantly Anderson states that part of the evolution of organization is information sharing. “The rate at which information is shared among the criminal element means that an attack at, for example, one bank, could be replicated by multiple bad actors at financial institutions globally within moments.”
It is the ever-evolving, information-sharing nature of the dark side that is of utmost concern to the informed healthcare firms that are best protecting their operations. They recognize that investments in information security infrastructure are necessary but insufficient. Quoting Dr. Eric Cole, “prevention is ideal, but detection is a must.” Take the case of antivirus software as a simple example. Most every laptop in the world runs antivirus programming, yet antivirus software vendors are taking it on the chin these days. All a malicious attacker has to do is change the “signature” of their virus slightly to make it unrecognizable to the library of signatures on file with the antivirus firm, and their new virus easily slips through defenses. Vendors are spending a fortune to keep up and at times are forced to send out daily updates to keep their products relevant in the struggle to defend against attacks. If you asked a group of security experts today whether they use antivirus or not, a significant portion of them would answer that they do not.
While Gartner analyst Ruggero Contu feels that antivirus has some value, he points a direction towards today’s new required investment: “Not to have malware protection would be foolish,” he says, “but spending money on learning how attackers are working, and changing your business to thwart common attack techniques may be a better investment.”
First Health Advisory Solutions recognizes the fact that continuing education of the workforce employed in HIT cybersecurity is the only way to organize a defense against evolving malicious activity. First’s team of advisors and employees have access to the latest learning in both offensive and defensive information security practices and are better equipped to advise their healthcare clients facing ever increasing security demands.
The Ideal Workforce Partner
Clients and Consultants are Looking for Three Flavors of Workforce Options
Now more than ever, healthcare providers need support from outside health delivery experts to meet the time sensitive and high visibility initiatives assigned to their IT, clinical or revenue departments. While hiring a regular, full-time employee might be the preferred model for your open Informaticist position, the availability of qualified local resources may prohibit you from hiring in a timely manner.
Not All IT Consultants Are Equal
There are two primary classifications of IT consultants depending upon their level of engagement and personal interest in the project. The most desired consultant is focused on the client’s success and is motivated to perform well on a personal level. The highly engaged consultant will also interact and lead the current team, train and teach others and help ease pressure. A disengaged consultant is only available when asked for assistance, little or no involvement with teaching and training. First has developed a stable of senior consultants who take pride in delivering high value for their client.
Meeting Today’s Workforce Needs
To address our clients ever evolving workforce requirements, First developed a flexible model called FirstFLEX allowing providers to move between three different staffing scenarios with ease. First will place an experienced advisor into the position quickly, providing the advisor with the option to transition into regular employment after you and the advisor gauge the fit.
FirstADVISE is our premium consulting services solution, offering you an immediate return on investment by placing a highly experienced advisor that provides value from day one.
FirstTEMP is a highly flexible solution, allowing you to immediately fill your vacancy with an exceptional advisor who is well versed in the domain where you need to bolster experience and efficiency without delay.
FirstEMPLOY is the solution that will solve your employee vacancy challenges. With one of the most extensive networks of healthcare IT, clinical and revenue professionals, First will help you fill those analyst, informatics, project management, director, and leadership vacancies that stagnate your enterprise IT initiatives and impact your budget.
EHR Value Realization
The sociology of maximizing EHR performance
As healthcare providers begin to transition from a fee for service approach to a “shared risk” or fee for quality model, hospitals will find ways to adapt or they will cease to exist. Promoting evidence based best practice, efficient knowledge transfer, solid structural support and effective information flow are factors that can positively impact outcome change. However, with so many competing initiatives most organizations are so focused on project completion they often overlook or undervalue one of the largest and lasting outcome influencers, social change.
A major health system CIO recently told me that they have embarked on numerous strategic, optimization, and outcome enhancing initiatives with much ado, energy and executive buy in. Unfortunately the intentions, performance indicators and achievement goals fell flat not long after project leadership and outside subject matter expertise moved on to the next regulatory requirement or EHR deployment.
Knowledge transfer is, or should be, a large part of any EHR project where subject expertise and 3rd party support are common. Optimization, workflow, and value re-engineering engagements provide solid case studies and good examples of where shortcomings can occur. For example, Lean Six Sigma programs can absolutely lead to lower cost and improved quality measures, but lasting improvements and change must involve more personal learning and cultural collaboration as even minor project and change is initiated.
I refer to many of our engagements that address EHR optimization as “Dynamic Maximization” initiatives. As an advisor to our healthcare clients, we must enter all engagements with a strong understanding that the socio-cultural influencers are a major factor in project outcomes. That “Dynamic” part of healthcare is what really differentiates an organization and leaves their patients (or clients) more satisfied as a result. Our idea of “Maximization” occurs when those organizations meet key indicators of structural, human workflow, information flow, and in-house personnel optimization. In the early stages of fee for quality, such outcome improvements can and should be addressed in smaller, more controlled initiatives where cultural change does not overwhelm and the opportunity to succeed is greater.
I’ll discuss social change approaches and examples during EHR optimization in my next post.