Beverly Hills Security Summit


  • What is it that keeps your CEO and Board up at night?

  • How do you communicate cybersecurity risk to the Executive Leadership Team and the board, and do you talk to enterprise risk or just technology security risk?

  • In planning to address ELT and board risk concerns, how are you going about the development of a security risk remediation plan?

  • Have you considered the development and maintenance of a multi-year enterprise Security Roadmap and do you have anyone to help you in its development?

  • What approaches work best at other healthcare entities and what can we all learn from one another?

These were just some of the discussion points between the assembled Chief Information Security Officers and other senior healthcare leaders during a Leadership Roundtable at the Beverly Hills Health IT Summit and Security Forum today.

The event was held at the Sofitel Los Angeles at Beverly Hills, and attracted several hundred CISOs, CIOs and COOs, along with various Directors of Technology, Cybersecurity and Health Information Management.

The lunch was arranged and sponsored by Optum Security Solutions, part of Optum under the UnitedHealth Group umbrella, and was hosted by Optum's Tina Kitchen.

Mark Hagland, Editor in Chief at Healthcare Informatics, and Richard Staynings of the HIMSS Privacy and Security Committee led the discussion.

Institutional reputation remains one of the biggest concerns, particularly at high-profile clinics attended by celebrities, but is the patient population becoming sufficiently jaded and numb to all of the breaches of health information to walk elsewhere? And if most other healthcare delivery outlets are also impacted by security breaches, then where would patients go? At the end of the day, lawsuits and restitution notwithstanding, we heard that patients want the best possible treatment they can afford, and will suffer through the diminished reputation of a clinic in order to receive that care and attention.

The complexity of large health systems, particularly as mergers and acquisitions create ever larger conglomerates, creates political and technological barriers to the implementation of enterprise-wide, holistic security controls and causes duplication of effort and expense. Where management of these systems has not been consolidated and centralized, the enterprise Chief Information Security Officer will have an especially hard time: numerous divisional leaders, including CIOs and COOs, need to be consulted before new security controls can be implemented. This task becomes even more daunting for the CISO in research or academic health systems, where conflicting business drivers can seriously compound problems with access to PHI.

The frequency and magnitude of attacks against healthcare continues to climb, as well-funded and highly motivated attackers, be they nation states or criminal gangs, ply their craft at healthcare's expense. This is keeping all of us on our toes and stretching security in many hospitals to the limit. Understanding where threats are coming from and quickly identifying potential indicators of compromise is increasingly a challenge, and one where, for healthcare, the need for help from specialist partners becomes ever more evident.

Risk remediation needs to be targeted at the areas of greatest potential impact for each institution. Available resources simply don't allow for the remediation of all areas of weakness. The number of security staff available to security leaders is also a constraining factor, and is leading to a dramatic increase in the consumption of managed security services from partners like Optum and others. This trend is set to continue as the market for security professionals becomes even more competitive and better-funded financial services organizations attract more and more healthcare security professionals.

Taking all these factors into account, we heard that an Enterprise Security Roadmap is becoming critical, not only for security planning but also for communicating that plan upwards to senior executives and the board. We also heard that Optum Security Solutions has had great success in helping a wide range of healthcare entities to develop and maintain security roadmaps, and that these have greatly helped to reduce security risk and stave off attacks.

Overall, the lunchtime session resulted in a full and frank exchange of ideas among the assembled guests, along with a better understanding of what seems to work best in a healthcare environment, where compliance, institutional reputation and patient safety all play a critical role.

Attendees included:
  • Sriram Bharadwa, CISO, UC Irvine Health
  • Carl Cammarata, CISO, Northwestern University - Feinberg School of Medicine
  • Cris Ewel, CISO, UW Medicine
  • Mark Hagland, Editor in Chief, Healthcare Informatics
  • Norman Hibble, County of San Luis Obispo - Health Agency
  • Chris Joerg, CISO, Cedars-Sinai
  • Tina Kitchen, Sr. Solutions Executive, Optum
  • Surya Mishra, IT Director, Blue Cross Blue Shield Association
  • Olaf Neumann, CIO, Inland Behavioral and Health Services, Inc.
  • Casie Phillips, Regional Manager, Healthcare Informatics
  • Richard Staynings, HIMSS Privacy and Security Committee

Thanks to everyone for their participation and a great exchange of ideas.



4 comments:

  1. The other threat is the insider threat. Healthcare organizations are often too preoccupied with defending the integrity of their company and network from external threats to address the very real and dangerous risk that may lie within their own walls.

    1. Agreed. Although in healthcare, the insider threat tends to manifest itself not so much as intentional malicious actions by staff, but more likely as a security awareness issue brought about by highly distracted over-worked clinical staff who are more focused on patient care than on cybersecurity.

      The need in healthcare, therefore, is for comprehensive and ongoing multi-channel security awareness programming, reinforced by quarterly or greater formal and informal training.

      Healthcare typically employs a lot of people. If they can all be employed as part of their work to help secure the institution then the CISO's resource shortage problem is reduced.

  2. Good thoughts, Richard. Getting the right skills internally and keeping them is paramount. People within healthcare are aware of privacy to an extent, but not necessarily of how to securely manage confidential data. These are not necessarily malicious insiders, but there could be, where a high-profile personality and access to their records can be very profitable for someone.

    Systems not integrated properly, especially when a merger happens, or no security due diligence done before a merger, can impact the healthcare providers as well.

  3. Staff retention for security personnel is tough everywhere, but perhaps none more so than in healthcare and perhaps government, where salary constraints make it attractive to pick up and move to more lucrative industries. With a 12x demand over supply for security professionals that appears to be getting worse each and every year, this trend is not going away anytime soon. I suspect that's one of the reasons why healthcare in particular is looking to partners and outsource providers to fill in the gaps.

    The importance of security awareness training coupled with good auditing of who accesses what in a healthcare environment is of course very important. If you access something that you shouldn't then expect to be caught!

    Of course, the massive level of mergers and other consolidations across the healthcare industry is another huge problem that compounds security issues and requires expertise typically beyond that found in the merging parties. This security issue, however, from what I have seen, is misunderstood by CEOs and boards, who underestimate the level of effort to integrate SECURELY multiple healthcare entities, each with their own systems, processes and staff, and to do so in such a way that it doesn't introduce huge new risks.
