Data security leader urges colleagues to dig deeper
Chief information security officers are doing their organizations a disservice if they don’t conduct a complete diagnostic checkup of system networks, and aren’t collecting, tracking and sharing cyber threat information with their peers.
“If you don’t have a tracking system, that would be one of the first things I would urge you to have,” said Karl West, CISO and assistant vice president of information systems at Intermountain Healthcare, during the Cybersecurity Forum at HIMSS17.
West conceded that information security officers often are labeled as barriers to the free flow of data, and they need to become a partner in the business by transforming data security so it clearly supports medical treatment. “Physicians do need the data at the point of care, so while your effort would be to contain the data, the doctors need access outside the firewall.”
He also urged colleagues to take seriously the opportunity to participate in federal and state cyber threat sharing initiatives. “You need a management system to monitor threats. When was the first time you saw a particular type of ransomware, and how many times have you seen it?”
Cybersecurity starts with a good assessment program that many providers simply don’t have, West said. “Most of healthcare is self-assessment. You need a professional assessment and an attorney assessment. We all think our assessments are strong, giving a 4 or 5 score on a 1-5 scale when we really are a 1 or a 2, and that’s how the Department of Health and Human Services views us.”
West further urged investments in identity management technology, which remains rare in the healthcare industry. Even where it is used, it is most often confined to the human resources and clinical engineering departments. “You need to know where all identities are. It’s a political challenge to do, but it is critical.” He also counseled on the need for two-factor authentication.
Intermountain sends a report annually to employees on the organization’s security posture and threats in the industry to keep awareness high and inform them of the department’s security strategies. But CISOs also need to set up regular meetings with a group that should include the CIO, CFO, administration, HR and departmental vice presidents, West said.
Absent that, an organization won’t be able to change its security culture. “You need to know what systems and data are coming into departments across the enterprise,” he concluded. “Find out what are the risks and who are the business owners, then decide how much risk to accept.”