Roundtable: How To Protect Patient Data

With data intrusions and theft of patient records costing the U.S. healthcare industry an estimated $5.6 billion a year, hospitals and other medical facilities are under enormous pressure to counter the growing onslaught of medical identity theft. February's hacker attack at Anthem, the nation's second largest health insurer, which compromised the records of nearly 80 million customers and employees, is the most glaring example to date of the scope and severity of this threat.

On February 4 in New York, the same day the Anthem data breach was uncovered, Health Data Management hosted an executive roundtable on the measures hospitals and other institutions must take to cope with such attacks and, in particular, the role analytics can play in preventing them.

Seven industry executives participated in the roundtable, which was moderated by HDM editor-at-large Elliot Kass. They included George Dunn, manager of IT Security at South Nassau Communities Hospital; John Houston, vice president and associate counsel for privacy and information security at the University of Pittsburgh Medical Center; Kathy Hughes, assistant vice president and chief information security officer for the North Shore-LIJ Health System; John Mertz, vice president and chief information officer for South Nassau Communities Hospital; Michael Skvarenina, vice president and chief information officer for Holy Name Medical Center; Hussein Syed, chief information security officer at Barnabas Health; and Rob Rhodes, senior director for patient privacy solutions at Iatric Systems. Iatric, a comprehensive healthcare IT integration company that provides patient privacy monitoring, underwrote the event.

What follows is an edited version of the lively and informative discussion that took place.



ELLIOT KASS: What is the threat environment like on the ground at your institution right now? Could you give us a sense of what you're facing in terms of security challenges?



MICHAEL SKVARENINA: We have seen denial-of-service and other kinds of attacks hit our network from foreign origins-sometimes China, sometimes Russia-so I think it's probably happening everywhere. I am sure the bad people out there are just scanning these networks, trying to find open ports and open IP addresses that they can try to hack into.



JOHN MERTZ: They are doorknob testers. They come in and knock at the door and see if it's locked, and it's happening all day long. We are seeing more of them all the time.



HUSSEIN SYED: You have multiple avenues of infiltration. Phishing attacks. Denial-of-service attacks to distract people while the infiltrators figure out a way into your network. We see all of these. Those who are trying to hack you are all usually looking for weak applications. Application security, if it's not there, allows them to get into the system. And once they get in that's game over for us.



JOHN HOUSTON: Even things like phishing are becoming much more sophisticated. We have found on numerous occasions that somebody will go out and build a web site using our branding, our look and feel, to try to get one of our users to provide credentials.



SYED: The bad guys have no rules and they have unlimited resources. It's a business for them. They are paying very small amounts of money but larger bonuses for people who can bring in data that they can sell. Medical records sell for much more than credit card numbers; it's like 20 to 30 times more. So there's a lot more incentive for them to steal hospital data, whereas we have limited resources to invest in this area because our business is not security, it's healthcare. Meanwhile, doctors and clinicians need to be able to rapidly get to the information they need to provide patient care, and overlaying all these access control authorizations goes against that. So we have to find that happy balance somewhere.



HOUSTON: Physicians will tell you that if it is too difficult for them to get data or to use a system, they simply won't. So that balance is incredibly important, but it's often difficult to achieve.



GEORGE DUNN: We shoot ourselves in the foot frequently. Someone will put a sensitive database on their laptop and they lose it, or they lose their cell phone, which has access to the EMR. There might be some malicious intent, but a lot is just lack of awareness. So security awareness, demanding that all our laptops and USBs are encrypted, and restricting their use-these are the things that I have been focusing on.



ROB RHODES: But a lot of times, doctors have said they will not use systems if it's too difficult for them to use, and that is very true. Users, too, don't necessarily mean to do these things, but again, if you make things too difficult, they will find ways around the controls that may be in place. That is the challenge for security people.



DUNN: We have an e-mail filter, and we look for certain formats like Social Security or patient numbers, and it catches people mailing stuff out that they shouldn't be sending by e-mail. It's an educational process. People will say, 'How come it didn't go?' or 'Why did it come back?' and then they realize, 'Oh! I'm not supposed to send an Excel spreadsheet to an external practice.'



MERTZ: We use a product that feeds from our EMR registration system and then searches through all of our logs. It looks for employees who are looking at their own records, looking at employees' records, looking at family members, looking at the VIPs or just looking around too much. And we caught an employee just yesterday, and that person said, 'What, do you mean I am not allowed to look at employee records? I was checking to see if she was still in the hospital.' So, we just educate them constantly, and it just seems like it goes in one ear and out the other.



KATHY HUGHES: Phishing is a real struggle for us. I think the statistics suggest that 20 percent to 40 percent of people succumb to phishing attempts, which is a staggering percentage, and as fast as you block access to a web site, a variation comes up. So we are looking at technologies right now that can identify the behaviors and proactively block those, so that we don't have to rely on human intervention for that.

Traditionally, there has been a focus on protecting a perimeter and building an in-depth defense strategy, which up to this point has been very effective. But now that healthcare data is what people are after, the applications have become the key vulnerability. Developers are quick to market, quick to get the next release out, and they aren't really focusing on security controls, and that leaves everybody vulnerable. Especially now, with the advent of analytics, we are pooling data from various sources and porting it into a central repository, which makes it more attractive to hackers. And we have to realize that we have 54,000 employees, and the bad guys aren't always on the outside. So there has to be this continued emphasis on protecting the data and the whole concept of least privilege, making sure that people have access only to the data that they need, and that you can track what they are doing, and that they are doing only what they are supposed to be doing.



HOUSTON: I have hundreds of information systems that manage different types of data. Many of them are hosted by somebody else. I may have 20 or more providers host or house my data. And then I'm also going to be delivering data to iPads, phones, laptops-so where is my perimeter? It doesn't exist anymore. You almost have to take inventory of where your data is to understand how to best protect it. That is why things like SIEM [security information event management] tools are so important. They can give you a view into someone who is trying to do something that might result in a breach.



DUNN: We have the new omnibus rule that's supposed to provide reasonable assurances that our providers and business associates have to live up to the same standards that we do at the hospital. But part of my frustration is that I know a lot about security, and in dealing with a lot of firms, perhaps they don't. Perhaps you are acquiring a practice or have a new business associate, and they've never done a risk assessment, even though it's been required for a decade. Then at what point do we decide what is their responsibility and what is our responsibility? If I held them to my very high standards, we wouldn't do business with anybody.



HOUSTON: I have a whole team of people whose entire job is to test applications. We were testing an application from a vendor. We were about to go into production on a project that was very high priority, and then we found that we could circumvent all of their security very easily. So we went to the vendor and said, 'We just circumvented your security,' and they came back to us and said, 'We are a small vendor. We only have three programmers.' And my response was that if you are not prepared to do what you need to do from a security perspective, why are you in business?



SYED: That is pretty much the 90 percent space in the software development market today. They know what the problem is, and they are bringing a solution to a problem. But they don't think of security as a part of their design process. To them, implementing security controls will delay the launch of that application and that affects the dollars coming into their business.



MERTZ: In some of our environments there are people who want us to buy the app, and they don't even want to give us a chance to look at it or test it. You want to be able to at least look at the app before you install it.



SYED: You can work with your legal department to put in contract language that says if a vendor does not meet security requirements, then we have an out of the contract.



MERTZ: There was a survey that (Dunn) was reading the other day from HIMSS, and it said that 40 percent of healthcare institutions have security under the guidance of a part-timer.



HOUSTON: That part-time person may dabble with the firewall or might be doing account management. By the way, account hygiene is the biggest issue we have today. Very few organizations do true identity management. One of the most basic and fundamental things is to have a robust identity management capability-to manage who has access to your system and ensure that that access is appropriate.



SKVARENINA: Even if we get risk assessments from our business partners, I still don't always feel confident that the data is safe. Even if we talk about a data exchange patient portal-I don't even feel comfortable that my patient portal vendor really has my data as secure as it should be. And to me, that's really a scary thing.



KASS: Do you think most hospitals have a good feel for what data they are sending where?



RHODES: For a lot of organizations that I worked in, it was very challenging, especially with people coming and going. You may have vendors that were doing business with the organization for 15 years, collection agencies, etc. People have rotated through and nobody knows it.



HUGHES: That's why things like encryption are so important. We require every laptop, every mobile device, every USB port to be encrypted-and the desktops, too.



KASS: Let's talk a little bit about the intrusion and detection tools and the methods that you are using. How effective have they been for you?



SYED: I feel they've been very effective. For the last two years since we implemented our DDOS [distributed denial-of-service] mitigation tool, we see on average 10 to 15 larger campaigns a week, where we can actually see the amount of data that has been sent to our DDOS appliances. We haven't reached the threshold of having to use scrubbing services, where the data would be rerouted and all the attacked data would be cleaned, but we monitor it. Healthcare providers are probably going to be the biggest targets in the next couple of years. Anybody that's doing $3 billion or more in revenue is a prime target for hackers.



SKVARENINA: A challenge is that these security tools are very expensive. Sometimes, it's hard to explain to the CEO why we need to spend that much money. When you ask for $100,000 for a tool to help detect some problems, they really second-guess it. It's hard to make the sale.



SYED: You have to provide some business cases and justifications, so they know that if they are going to give you a million dollars, it will be better spent protecting the environment as opposed to investing in IV pumps or MRI machines.



MERTZ: George (Dunn) said to me the life expectancy of a CISO is three years. After three years, you either get tired of telling them that there is going to be a problem and them not doing anything about it, or something bad happens and you get blamed and fired.



HUGHES: What we've done is establish a risk governance committee that consists of people from legal, corporate compliance and from IT, as well as physical security and HR. We have this group of senior-level people from different areas of the organization, and we work together in collaboration, it's not just an IT thing. I only have a small team of security people, but in essence every employee in the organization is a security employee. So we need to have them be accountable for what they do. I am not the police. I think there is this misnomer that security is the police. We set framework; we set standards; we set policies. But then, it's up to the organization to enforce them.



HOUSTON: Every alert that gets triggered for an employee gets sent to the employee's manager automatically. If you look at your husband's record, and he has the same last name, it's going to trigger the same last name alert and that goes straight to the manager. I think we have 62,000 employees, and we have hundreds of facilities. The only practical way we can make it work is simply say 'Manager, you are in the best position to know what your staff should be looking at.'



RHODES: When I was CIO at this system in Georgia, we had security audit management, and IT managed it. We ran the reports, but we worked not only with the department managers but also with HR. Our security team would look at it, and if they found something they didn't understand, they would go to the department manager and say, 'Hey, you need to look at this.' But, quite frankly, you run into managers who don't want to do anything. They will not sanction their people; they just want the problem to go away. We would deal with that by going to HR and saying, 'We have a manager who is not doing something,' and then we left it in HR's hands. The sanction was up to HR, not to us. I think that helps to bring the rest of the organization to the understanding that this isn't IT with the hammer; this is an organization share.



MERTZ: When we did our risk assessment, we actually had somebody with no identification saying he was from IT and was there to fix your machine, and he needed your password and ID. I will not tell you what percent of people gave it to him but it was more than you would have hoped.



SYED: It's generally about 20 to 30 percent.



HOUSTON: It is. But through tools and good education, you can actually drop that number dramatically.



KASS: Do you get overwhelmed by the false positives from your monitoring tools? Are you applying any analytics against those hits to try and reduce the number?



HOUSTON: Our biggest issue is trying to reduce the false positives. We are not perfect by any means, but even if the manager misses five and catches only one, the effect of catching that person acts as a deterrent. It's sort of like when they used to chop someone's head off in England and put it on a spike on London Bridge. People see that somebody just got suspended or terminated, and they say I can't afford to lose my job over this.



MERTZ: There is an old joke where a guy goes to a small town and they had a sign posted that read: 'Speed monitored by aircraft.' And he says to the sheriff, 'Well, how much did the plane cost?' And the sheriff says, 'We didn't buy a plane, we just put up a sign.'



HUGHES: We have a managed service provider that parses through our alerts-I think we get 670 million hits per month. But by the time it goes through their analysis, and they tune and tweak it, and it gets escalated to us, it's down to a couple of hundred. Then it takes someone on our team with institutional knowledge to determine if they're real or not real. By the time the real incidents get pared down, it's very minimal. But you need to have those multiple levels that are going to sift through the data and try to weed out the noise.



KASS: Earlier, you touched on the question of permissions and how you are making use of role-based user authorizations. How important is that in terms of trying to limit access to inappropriate data and identifying potential internal threats?



HUGHES: For our major EMR applications, we implement role-based security, which helps standardize roles across the applications. Although they are not always exactly the same, it does help facilitate that from an administrative point of view as well as from a user point of view. Users get a little upset-'You gave me a nurse access but I am really the head nurse, and I am insulted by the fact you are calling me a nurse.' Once you get past that people seem to be okay with it. It helps, but it's not the answer. What we struggle a lot with are transfers between departments. I've been with North Shore-LIJ for about seven years in various roles. I started on the outsourcing side, working in development for Allscripts, and I still have rights from when I was there.



HOUSTON: We have an automated management solution. Every day we get a feed from our HR system when somebody changes a job. The new manager gets an e-mail that says you must validate his or her access. The manager also has to do an annual review of access. When the person leaves, it's automatically terminated, but it's an automated process and not just for our employees but our sponsors and for non-employees. If you are a vendor and you come into our environment, somebody who has the authority to use the identity management solution has to sponsor your access, and that person is now accountable.



SYED: We do some of those things, but where I find it really hard is access recertification. How do you implement that whole piece where every quarter somebody has to sign off on that?



HOUSTON: Here's what we do. It's a very simple way to approach it. Every year, every employee must have a review, and we link that to our identity management solution. And we also make it part of the review process that, literally, the manager has to sign that he or she has reviewed their access. Within our data management solution, we do reporting so that if a review is submitted and there is no corresponding identity review, it's flagged.



SYED: But you still have that issue of a nurse accessing patient records she shouldn't be accessing.



SKVARENINA: At Holy Name, we use a little artificial intelligence for that piece. When you go to access a record, the system looks to see if you are a physician or nurse of record, or if you are a nurse that's on the same floor that the patient is currently on. If you are not any of those, then it pops up an alert and asks you why you are going to access the record. And there are some choices: 'I am actually involved in taking care of the patient; I'm doing a chart audit,' etc. When we put in that alert, it significantly reduced the amount of wandering or casual access of the records.



KASS: What do you think the next couple of critical steps are to try to bring this situation under control?



SYED: All processes fail when humans don't apply them. Our processes have to be repeatable and adaptable with no exceptions. I think where we fail is when we apply a process here and then somewhere else they don't apply that process. And then we have a failure, and we go back to reinventing everything all over again.



DUNN: I think the biggest challenge moving forward is that as healthcare has become more digitized, the attacks have grown exponentially. The wild card is what we're doing with our phones, tablets and bring your own device to work. How do we standardize mobile access to our systems? How do we control and yet give full access where it's necessary, where it will improve healthcare? How do we balance the benefits of mobile access against the risks of securing that access? In the long term, this is huge.



MERTZ: Security needs to be right at the fore when you start to develop software. You can't develop a product and then try to figure out how to lock it. I think the government should get involved. They give us grants for all kinds of things; there should be grants for security. They want us to protect people's records. But on the other side of the fence, we are in healthcare. The job is to treat patients. We can't make it so cumbersome that the physician can't use it. We tested encrypting our desktops, and we ran virus protection and scan software, and it takes two and a half minutes to log on, and the doctor says, 'This is crazy.' We have to come up with a happy medium. But security, George constantly pounds me, is a function; it's not a project. It's not something you do for two months and then move onto something else. It needs to be fundamentally embedded into the software, into the network, into all of the products, and then there need to be standards that everyone has to follow.



SKVARENINA: We are talking about HITRUST certification to help create that standard framework. The other thing is better tools that can really weed out all of the noise and reduce the false positives. The more accurate the tools, the less time and effort we spend chasing down things that aren't a real threat.



HUGHES: It's really a constant balancing act. You are balancing security with compliance and with risk. There is a new risk emerging every day, new vulnerabilities being exploited. And you are balancing that against funding and priorities, because you can't solve everything at once, and there aren't unlimited funds. And the best way to achieve that balance is with data and analytics.



HOUSTON: If we look two to five years out, healthcare delivery is going to dramatically change. The vendors are building killer apps for the tablet and smart-phone formats. Within just a few years, this notion of a PC on a cart or at a nursing station will be gone. Instead, every staff member who is involved in the healthcare process is going to be carrying around something like an iPad mini that will tell him or her what to do next. It's going to know who they are, what patient they are with and what care that patient needs. Couple that with the ability to deliver very rich, high-fidelity aid to a physician anywhere in the world, at any time, and the fact that we are going to have data spread throughout the world via the cloud. So our data is going to be distributed everywhere, and we will be accessing it in ways that we have never accessed it in the past. Most of us are ill-prepared to support that paradigm because our infrastructures are designed for this notion of accessing data from a PC. But we need security professionals to be prepared to embrace this new paradigm.