CIOs and CISOs working together as attack threats grow
As cyberattacks against hospitals intensify, healthcare organizations are looking to boost security practices, and more are turning to chief information security officers to bolster defenses.
Healthcare IT executives say it’s crucial for them to work closely and in coordination with CISOs to ensure cybersecurity strategies mesh effectively with an organization’s IT initiatives.
Providers are realizing that the risks to their operations couldn’t be higher, particularly as healthcare organizations have become dependent on electronic clinical records for continuity of care and operations.
That point was exemplified in January, when Hancock Health, a regional hospital in Indiana, paid a $55,000 ransom after a ransomware attack that infected the hospital’s systems and hindered its operations. Attackers deployed SamSam ransomware that encrypted files, quickly affecting operations and forcing the hospital’s IT staff to shut down the network and resort to pen and paper.
Even though the hospital had backed up its data, it opted to pay the ransom of four bitcoin, or $55,000. Hancock Health CEO Steve Long said that the files could have been recovered but restoring them would have taken days or weeks.
The same variation of SamSam crippled information systems at Allscripts in January, knocking 1,500 healthcare providers off their cloud-based electronic health records systems and other applications for at least a week. Allscripts executives acknowledged the incursion and said services to all customers were restored about eight days after the attack at two of its data centers.
Security challenges have intensified because most facilities’ “attack surface” has increased exponentially in the past couple of years; BI Intelligence, a research service, forecasts that the installed base of healthcare IoT devices (not including wearable devices such as fitness trackers) will grow from approximately 95 million in 2015 to 646 million in 2020. These medical devices are increasingly connected to hospital systems via the Internet, giving hackers more entryways to hospital networks.
In addition, providers are facing rising pressure to facilitate data sharing with other providers. Data exchange capabilities require a fine balancing act—systems must be open enough to share data with others, but that openness also provides more opportunities for hackers to break in, security experts note.
Because CISOs are focused on securing systems, they can pay all their attention to thwarting potential threats, and CIOs are giving them increased latitude in boosting security efforts. That’s stimulating the move to close cooperation between CIOs and CISOs.
Attack surface expands
An organizationwide approach to security is crucial because vulnerabilities are not limited to—and not under the control of—systems that IT departments oversee, CISOs say. For example, various hospital departments have been buying “smart” or Internet-connected medical devices, with little or no input from IT departments, and many of them are poorly protected from a data security standpoint, says Kevin Charest, CISO at Health Care Service Corp., which operates Blue Cross and Blue Shield plans in five states.
Increasingly, CIOs are looking for help with the broadening scope of security, and CISOs can bring a different view of the intersection of information technology and information security, Charest says. Because data and vulnerabilities are everywhere, CISOs tend to bring extreme caution to IT efforts because “our approach is zero trust. We have to assume folks we interact with may be compromised, so we need a mind-set for that challenge.”
CISOs face rising security challenges at healthcare organizations, which in general lag far behind the sophistication of the cyber criminals that are trying to access their systems. The allure for hackers is twofold. First, hacked medical records have more black market value than financial records. Second, ransomware attacks are proving successful against healthcare organizations, because such organizations are easily breached and are often pushed by operational pressures to get patient data and systems restored as quickly as possible.
Filling security gaps
While some provider organizations have robust and proactive data security programs in place, there’s much room for improved security leadership at most organizations. A December 2017 survey of 323 providers and insurance payers conducted by Black Book, a research company serving the healthcare industry, found progress but also high levels of unpreparedness for growing cyber threats.
Some 84 percent of respondents from providers said their organizations did not have an enterprise leader for cybersecurity, and only 11 percent planned to install such a leader in 2018. Among surveyed payers, 31 percent had an established manager for cybersecurity, and another 44 percent were planning to have that position filled this year.
The survey also found that 54 percent of respondents from all organizations do not regularly conduct data security risk assessments, and 39 percent do not regularly conduct penetration testing on firewalls. Further, nearly all C-suite officers participating in the survey acknowledged that cybersecurity and the threat of breaches are still not major talking points with their boards of directors.
CISOs at provider organizations believe the trend for investing money and resources in security is likely to grow as ransomware attacks and other cyber incidents gain notoriety, both within the industry and in the popular press. New security approaches must constantly be developed to counter not only new threats, but also discovered weaknesses in security, and evolving computing and device trends.
Data security is very much a “people process,” and that can put CISOs and other security personnel in high-pressure positions, says Shari Lewison, chief information security officer at University of Iowa Hospitals and Clinics, an 811-bed public teaching facility.
A year ago, the organization started seeing malicious emails coming in at a rate not previously seen, and it created additional training mechanisms for employees to enable them to identify internal versus external emails.
In addition, the university extended the email subject line to highlight emails that were coming from external sources and quickly found that employee awareness of potential phishing emails increased dramatically. In December, University of Iowa Hospitals and Clinics employees reported 8,000 suspicious emails to data security personnel. “Email cyber awareness rose, phishing incidents dropped by 75 percent, and the program costs were very low,” Lewison says.
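The subject-line tagging described above, written out as an added example: this is illustrative Python, not code from University of Iowa Hospitals and Clinics or from any mail product, and it assumes the filter is handed the raw message text (as a mail transfer agent hook or milter would) and knows the organization's own domains in advance. The internal domains and the sample messages are constructed for the example. It decides on the address in the From: header rather than the display name, since a display name can be set to look internal, and it does not tag a message twice.

```python
"""Prepend an [EXTERNAL] tag to the Subject of mail from outside the organization.

Added illustration only. Assumes: raw RFC 5322 message text as input, and a
known list of the organization's own domains (constructed values below).
"""
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Hypothetical internal domains for the example (not real organization data).
INTERNAL_DOMAINS = frozenset({"example-hospital.org", "mail.example-hospital.org"})
TAG = "[EXTERNAL]"


def sender_domain(msg: Message) -> str:
    """Domain of the address in the From: header, lowercased ('' if absent)."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


def is_external(msg: Message, internal_domains=INTERNAL_DOMAINS) -> bool:
    """True when the From: address domain is not one of the organization's own.

    The display name is deliberately ignored: only the address domain decides,
    so a display name that imitates an internal address does not pass.
    """
    return sender_domain(msg) not in internal_domains


def tag_external(raw: str, internal_domains=INTERNAL_DOMAINS) -> str:
    """Return the message with TAG prepended to Subject: when it is external.

    Idempotent: a message whose subject already starts with the tag (for
    example a reply quoting an earlier tagged subject) is returned unchanged,
    as is any internal message.
    """
    msg = message_from_string(raw)
    if not is_external(msg, internal_domains):
        return raw
    subject = str(msg.get("Subject", "")).strip()
    if subject.upper().startswith(TAG):
        return raw
    tagged = f"{TAG} {subject}".strip()
    if "Subject" in msg:
        msg.replace_header("Subject", tagged)
    else:
        msg["Subject"] = tagged
    return msg.as_string()


def subject_of(raw: str) -> str:
    """Subject header of a raw message (helper for checking results)."""
    return str(message_from_string(raw).get("Subject", ""))


# Constructed sample messages.
SAMPLE_EXTERNAL = """From: "IT Helpdesk" <support@evil-example.net>
To: nurse@example-hospital.org
Subject: Password reset required

Please log in at the link below.
"""

# Display name imitates an internal address; the real address is external.
SAMPLE_SPOOFED_NAME = """From: "helpdesk@example-hospital.org" <attacker@evil-example.net>
To: nurse@example-hospital.org
Subject: Urgent: verify your account

Click here.
"""

SAMPLE_INTERNAL = """From: Shift Lead <lead@example-hospital.org>
To: nurse@example-hospital.org
Subject: Roster for next week

See attached.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_EXTERNAL, SAMPLE_SPOOFED_NAME, SAMPLE_INTERNAL):
        print(subject_of(tag_external(sample)))
```

In a production deployment the same decision would normally be made by the mail gateway's own rule engine rather than by a script, but the two checks shown (address domain, not display name; no double tagging) are what such a rule needs to get right.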
The organization also put in place a protection strategy of highly segmenting its networks, including creating a separate wireless guest network so patients or visitors with their own computing devices could use them without jeopardizing hospital medical devices, information systems and networks. The hospital has tens of thousands of connected medical devices, including more than 1,500 IV pumps.
During 2015 and 2016, the university also implemented a security governance plan that included a device management approach to determine which devices could be brought into the hospital, as well as an annual review of device patching, according to Maia Hightower, MD, chief medical information officer at University of Iowa Hospitals and a clinical assistant professor. By 2017, University of Iowa Hospitals felt comfortable enough with its integration program and security posture to offer a bring-your-own-device program to employees.
New security initiatives at the organization this year will include next-generation firewalls on network borders, to provide more visibility into network traffic and to further control which devices are allowed on the networks, Lewison adds.
CISOs and CIOs increasingly will need to work together to raise security awareness, and to increase the amounts organizations spend to protect themselves.
For CISOs it is important to have a good relationship with the CIO because that’s who fights for funds for the CISO, says Charest of Health Care Service Corp.
Kris Kusche, vice president of information services and chief information security officer and a biomedical engineer at Albany (N.Y.) Medical Center, reports not just to the CIO but to the chief compliance officer as well, and that gives him clout to a degree that other CISOs may not have in their organizations.
“I have the best of both worlds to have this wide portfolio and executive authority,” he says. Other reporting relationships he’s seen elsewhere include the quality assurance or legal departments. “The CISO has to be able to play across many roles and acquire a level of understanding of all clinical and business aspects of the organization.”
University of Iowa Health Care recently completed an annual risk assessment that found a 20 percent improvement in the organization’s overall security score compared with the previous year, an increase achieved largely without new financial investment, with staff using existing security tools and processes. This underscores how tight relationships among the CIO, CISO and CMIO align the resources and messaging that deliver services in accordance with policies across the enterprise, she says.