A Pattern of Complacency


A recent story which ran on CBS News entitled “How medical devices like pacemakers and insulin pumps can be hacked” highlighted deficient plans and processes by the US Food and Drug Administration for addressing medical device cybersecurity compromises. The report issued by the Inspector General has been disputed by the FDA, which says that it has worked proactively on the issue with security researchers and ethical hackers to identify and fix many of the problems.

This may be the case, but the fact remains that the industry as a whole has been largely in a state of denial over the breadth and depth of cybersecurity vulnerabilities in medical devices and has been very slow to inventory and remediate risks – even when researchers have shown evidence that many security vulnerabilities pose a significant patient safety risk.

The FDA's close working relationship with manufacturers and its preference for constructive ‘guidance’ rather than ‘enforcement’ has been criticized many times before. Despite a growing body of evidence of medical devices being hacked in research lab environments and live on stage at security conferences around the world dating back nearly 10 years, it is only within the last couple of years that new devices were forced to undergo any sort of cybersecurity risk assessment prior to being approved for use on patients. Some say the FDA acted too slowly to bring about change and that nobody yet has really dealt with the legacy device problem. Medical devices have long expected life-cycles, and more expensive systems like X-ray, CT and PET scanners are often depreciated over 15+ years, meaning that near-term replacement of insecure legacy devices is not a feasible option.


Whatever the case, the fact remains that most manufacturers have not taken any sort of proactive role to risk assess the security of their legacy devices in use today, even when informed of security vulnerabilities long before public disclosure. The onus for risk assessment of these devices seems to be currently placed squarely on the shoulders of providers, who in turn are ill-equipped to assess or remediate problems. Solving this problem will take a strong and concerted effort on all sides with robust leadership and oversight provided by the FDA.

The case highlighted in the CBS report is remarkably similar to another one that I wrote about in 2016 on St Jude Medical (now owned by Abbott Labs), which, despite being informed of major patient safety risks to its implanted Cardiac Rhythm Devices (pacemakers), chose not to do anything about these risks until Muddy Waters Capital made an example of St Jude by trading on futures while engaging a security firm to hack and disclose significant weaknesses in the St Jude devices, thus gaining from a downward adjustment of the St Jude stock price.

The St Jude disclosure caused the first ever FDA intervention in medical device security after mass public concern. The fact however remains that security vulnerabilities in medical devices are likely not limited to only a few manufacturers, but common across the thousands of vendors and hundreds of thousands of medical devices that are in circulation globally, and in many cases keeping patients alive. The trouble is that we don’t really know.

Manufacturers do not have programs to risk-assess and penetration test their legacy devices and only the most recently approved devices were even tested at all from a cyber risk perspective – all other testing being primarily functional in nature in order to obtain FDA approval.

Hospitals and other healthcare delivery organizations that use or surgically implant medical devices in people’s chests rarely if ever test medical devices either. Even devices that remain in hospitals like network attached morphine and insulin pumps, X-Ray and CT scanners are rarely tested for their cybersecurity vulnerabilities, let alone devices that leave with patients and may not be seen again.

Without testing and without performing a thorough and bona fide risk assessment in line with HIPAA, OCR and NIST standards, we will probably never really know just how big a problem this is across the entire industry.

Until such time as a full forensic examination of implanted medical devices takes place, rather than their simply being burned or buried with the patient, we will probably never know the true number of deaths caused by device failure, how these devices failed exactly and whether a cyber-attack against the device caused its failure.

The United States does a great job of evaluating and underwriting all kinds of risks – everything from crop yields, to natural disasters, to the likelihood of flood, fire or theft – yet as a country we really are rolling the dice when it comes to medical risk, and particularly medical device risk. In short, we as a nation are gambling on the security of the medical devices that keep many of our citizens alive each day.

To learn about how you can evaluate medical device risks in your hospital environment ask Clearwater about its leading Medical Device Security Program or contact us to schedule a conversation.

VAHIMSS18

Richard Staynings addresses the need for better Third Party Risk Management @VAHIMSS18
Thanks to everyone who attended my presentation today on the need for improved Third Party Vendor Risk Management. Thanks also to the many other great speakers and sponsors of the VA HIMSS Annual Conference in Williamsburg, and the VAHIMSS Chapter leadership for putting on such a well-run event.

As promised, my slides can be found here.




Strategic Cybersecurity | Making Intelligent Cybersecurity Investment Decisions

Studies show that in the face of cyber-crime costing the global economy ~$450 billion per year, organizations are investing in cyber security safeguards on an unprecedented scale. A 2017 Accenture / Ponemon study indicated that current spending priorities are often misdirected toward security capabilities that fail to deliver the greatest efficiency and effectiveness. The quality of cyber security decision making can be improved dramatically with some basic initial focus on a true risk-based approach.

This was the subject of my webinar today with members of the College of Healthcare Information Executives (CHIME).

Listen to the recorded session below to learn what Boards and Executive Teams are demanding from their privacy, security, compliance, risk management and procurement teams to improve their return on security investments (ROSI).

https://bit.ly/2PQP2LQ


Panaceas, Shiny Objects and the Importance of Managing Risk in a Healthcare Environment – Part 3

Is there a more challenging position anywhere in information security than that of a healthcare organization’s cyber risk management leader? If there is, I can’t think of what it would be. Whether your title is CISO, CSO, CTO, CIO or some variation thereof, the task is daunting.

As we mentioned in Part 1 of this series, healthcare as an industry has a huge target on its back. Cyber attackers focus on healthcare not only because patient information is valuable, but also because patient lives are at stake. That can make threats such as ransomware attacks more effective. Cyber attacks in other industries – banking, for example – can have devastating financial consequences, but people’s lives aren’t generally at risk, as they are in healthcare.

At the same time, healthcare IT environments are exceedingly complex, which makes managing information security that much more complicated. The healthcare IT ecosystem typically includes dozens – if not hundreds – of applications, including the electronic health record (EHR) system, administrative and operational applications (scheduling, patient tracking, billing, claims, insurance and payer systems and interfaces), clinical applications (patient monitoring systems, radiology information systems, lab results reporting, clinical decision support, patient portals, etc.) and others too numerous to mention.

On top of this, add the countless devices that connect to a healthcare organization’s network, from the desktop computer at the registration desk, to the tablet the physician or nurse uses, to the smart infusion pump at the patient’s bedside, to BYOD devices like the smartphone a patient uses to access lab results through a patient portal.

Enterprise-wide Cyber Risk Assessment

Because of this complexity, no single “shiny object” or new security tool will be sufficient to mitigate all of the critical information security risks in a healthcare environment. As we discussed in Part 2 of this series, the only way to approach cyber risk management in a complex healthcare organization is to begin with a comprehensive, OCR-quality, security risk assessment and analysis.

Healthcare organizations must conduct this type of analysis in order to be HIPAA-compliant. But just as important is the fact that healthcare organizations cannot begin to develop a meaningful and effective cyber risk management program without first gathering the information that a comprehensive risk analysis provides.

As mentioned in the previous post, a security risk analysis essentially boils down to three tasks:
  1. Identifying risk
  2. Rating risk
  3. Prioritizing risk
The HIPAA Security Rule, OCR Guidance, and resources developed by NIST provide plenty of details on how to properly conduct a risk assessment and complete these tasks. These resources are freely accessible on the internet. In theory, any healthcare organization could use these resources to conduct and complete an OCR-quality risk analysis without any outside support. However, that’s easier said than done.

Task 1: Identifying Risk

Risk identification begins with creating an information asset inventory that documents each asset that creates, receives, maintains or transmits electronic Protected Health Information (ePHI). This includes not just the obvious choices, such as laptops, servers, and enterprise applications, but also less obvious choices, including medical devices, backup media, and nonclinical, internet-connected assets such as building management applications and networks.

A typical healthcare provider has hundreds – if not thousands – of individual information assets that need to be documented.

One way to accomplish this is to create an enormous spreadsheet, starting from scratch. A simpler way is to leverage a solution such as Clearwater’s IRM|Analysis™. Clearwater’s IRM|Analysis™ includes an easy-to-use ePHI inventory system that uses data upload and guided data entry to help healthcare organizations rapidly develop a comprehensive, customized information asset inventory.

As noted in my previous post, creating an asset inventory is only the first step in risk identification. Risk has three components: an asset, a threat and a vulnerability. OCR guidance specifies that healthcare organizations must identify and document threats and vulnerabilities to each asset, in addition to creating an inventory of information assets.

If you are creating your asset inventory in a spreadsheet, you would need to start with a minimum of three columns for each asset in order to document the asset, each potential threat to the asset, and the vulnerabilities associated with each threat. Clearwater’s IRM|Analysis™ speeds up this process by using a proprietary algorithm to suggest vulnerability and threat scenarios associated with each type of information asset. This takes the guesswork out of the process and ensures a more comprehensive assessment of risk.

Task 2: Rating Risk

Once you have exhaustively inventoried every aspect of risk – including every asset, and each of the threats and vulnerabilities associated with each asset – the HIPAA Security Rule and subsequent OCR guidance specifies that you must also estimate the likelihood (probability) and impact (magnitude of loss) of potential harm from each asset/threat/vulnerability combination. This is the risk rating.

NIST provides guidance for these tasks. NIST SP 800-30, Appendix G, includes several examples of assessment scales related to threat event likelihood. Appendix H, in the same publication, offers examples of scales for measuring impacts.

Clearwater’s IRM|Analysis™ includes a risk register based on best practices and on specifications in HIPAA regulations, OCR guidance and NIST resources. The solution’s built-in risk register simplifies the process of assigning a risk rating to each asset/threat/vulnerability scenario and facilitates consistency in rating risk across the enterprise.

Task 3: Prioritizing Risk

After all information assets have been identified, after all potential threats and vulnerabilities have been documented, and after the likelihood and impact of each asset/threat/vulnerability combination has been calculated, each asset/threat/vulnerability combination will have an assigned risk rating. As illustrated in the table above, Clearwater’s IRM|Analysis™ uses a 25-point scale to rate risk. The higher the rating, the higher the risk.

As part of the cyber risk assessment/analysis process, every healthcare organization should establish a risk threshold. Establishing a risk threshold is part of the information security governance process. The risk threshold will be unique to the organization and will take into account the organization’s unique risks and resources. For example, using the 25-point scale from the figure above, one organization might establish 15 as their threshold, meaning that any risk with a rating of 15 or below falls into the acceptable risk category, and will not be a priority with respect to mitigation.

A comprehensive information security risk analysis, combined with the organization’s established risk threshold, enables a healthcare organization to make informed, strategic decisions about which cyber security risks require urgent mitigation versus those that can be put on the “back burner” until more resources are available.

The Bottom Line

Conducting a comprehensive risk assessment is necessary for both HIPAA compliance and for establishing the foundation for a healthcare organization’s enterprise cyber risk management system (ECRMS). It is challenging, but not impossible, for a healthcare organization to conduct this analysis using only internal resources and guidance that is available on the internet.

Alternatively, healthcare organizations can use the specialized solutions and professional expertise offered by Clearwater Compliance to quickly and efficiently conduct a comprehensive cyber risk analysis. Because ultimately, completion of the analysis is only the first step.

The sooner a comprehensive security risk analysis is completed, the sooner a healthcare organization can begin addressing vulnerabilities and mitigating high priority risks. That is why it can make sense for a healthcare organization to leverage the solutions and services offered by Clearwater Compliance to assess risk, prior to establishing an enterprise cyber risk management program.

Learn more about Clearwater Compliance and the Company’s innovative information risk management solutions for healthcare organizations.


This blog is also published here. To view comments or join the discussion on this article or the questions it raises, please follow the link.

Medical Device Security and CIO Insomnia




During a conversation over drinks with a number of CIOs at a recent healthcare conference, I discovered that the number one concern that keeps most healthcare executives up at night is the security of their medical devices. That was somewhat unexpected, especially following press-grabbing headlines last year about ‘WannaCry’ and other ransomware attacks rendering a large part of the British NHS and other health systems useless for several weeks or months.

Reason 1: Management

Part of their concern is that medical devices are not typically managed by hospital IT (overseen in most cases by the CIO) but by clinical/biomedical engineering staff, who power on and attach devices to hospital networks but have little understanding of the cybersecurity risks created by connecting an unprotected medical device to the hospital's business and clinical network. Connected medical devices can by and large be compromised easily, used as a foothold on hospital networks, or reprogrammed to execute patients or hold them to ransom.

This is not fiction! It has been demonstrated numerous times at security conferences, most recently by McAfee at Black Hat and DEF CON in Las Vegas last month. New Zealand ethical hacker Barnaby Jack started the trend of exposing medical device vulnerabilities when, in 2011 at the McAfee Focus conference, he demonstrated a hack of a wireless insulin pump that caused the pump to deliver its entire reservoir of insulin into a mock patient. In 2012 he followed this performance up with a hack of a pacemaker that caused the device to administer an 815-volt shock directly to the heart of the mock patient. Both demonstrations would have been fatal to a real patient, which might explain why in 2007 Vice President Dick Cheney had the wireless interface of his own pacemaker disabled at the insistence of his doctors and the US Secret Service. Jack demonstrated the ease with which a patient could be harmed or executed once their Implantable Medical Device (IMD) had been hacked. Others followed at subsequent security conferences with hacks of network-attached infusion pumps, reprogramming the device to give a continuous maximum dose of morphine until the reservoir was empty and the patient likely dead.

Reason 2: Lack of Security

The CIOs' second concern is that medical devices have almost none of the built-in security found on a typical workstation or laptop and cannot readily be patched or upgraded. Nor can security tools and supplicants like anti-malware or a host firewall be installed, as the limited capacity of the devices will not support the additional memory or processing requirements needed.

To compound these issues, medical device manufacturers are notoriously reluctant and slow to release patches for their devices even when known security vulnerabilities have been discovered. This has resulted in some high-profile shaming of manufacturers, as in the case of Muddy Waters Capital, an options trader, against St Jude Medical and the first ever FDA recall of a medical device as a result of the public disclosure. Would the Food and Drug Administration (FDA) have acted if it weren’t for the very public disclosure? It’s hard to tell. Would St Jude Medical have spent any time fixing known security vulnerabilities in some of its pumps? Based upon past performance, it’s highly unlikely. In fact, that was the reason for Muddy Waters' penetration test in the first place: driving down the share price of St Jude Medical stock allowed Muddy Waters to profit from its options trades.

The fact of the matter is that most medical devices, unless afforded extra layers of protection and defense-in-depth security, are extremely vulnerable to cyberattack, especially if connected to the main hospital network, let alone allowed to talk to the Internet.

Why are Medical Devices so Vulnerable to Attack and Compromise?

Medical devices take 5 to 6 years to go through testing and clinical trials before they receive FDA approval. The same is true in most other countries. That means that brand new devices arriving in hospitals today were designed at least 5 or 6 years ago using technology that was available at the time. Anyone connecting their 2012-era Windows computer to the Internet tomorrow without any security software or updates would more than likely be compromised inside 10 minutes, yet that’s what we do with medical devices. Only with medical devices, we use them not to surf the web or check email, but to monitor and treat patients – and in some cases keep them alive. That’s where the unmitigated risks surface that result in CIO insomnia.

The HIPAA Security Rule (45 CFR §164.308(a)(1)(ii)(A) & (B)) requires that a Risk Analysis and ongoing Risk Management be conducted of any and all devices that create, maintain, transmit, or receive ePHI or other sensitive data. Yet most hospitals don’t even have an accurate inventory of their medical device assets, so how can they possibly assess their risks? The identification and profiling of medical devices has not been easy for hospitals, most of which have had to rely upon labor-intensive, ad-hoc manual discovery processes. New tools and services from CyberMDX and others in the space that can identify and profile medical devices are beginning to change this, however. A full asset inventory and medical device profile can now be exported from CyberMDX and entered into an enterprise risk analysis tool such as Clearwater’s IRM|Analysis platform to perform a comprehensive risk analysis that meets the very strict requirements of OCR and HIPAA.

The concern, however, is a lot deeper than mere HIPAA compliance and the protection of PHI. Patient safety has become a major worry for healthcare providers, where changes to the integrity and programming of medical devices can have far-reaching effects. Hackers have already demonstrated the removal of safety limits and have overwritten calibration data and dosages and changed drug libraries. Not only is the integrity of medical devices a growing concern but also their resiliency. Most devices will crash or blue screen when a simple virus or multicast traffic appears on the subnet. In particular, device availability for patient telemetry systems is critical to alert care staff to patient Codes or other conditions where speedy action on their behalf is required to save a life. Integrity and availability attacks are far more concerning than confidentiality attacks against PHI, and are where the real damage can be done.

To date, the OCR has only issued written guidance on the risk analysis of medical devices containing PHI, although audits show that it is beginning to take a broader look at all medical devices regardless of whether they create, receive, store or transmit PHI. The FDA continues to issue guidance, NCCoE and NIST have written a guide to securing medical infusion pumps resulting in NIST Special Publication 1800-8, and the Cloud Security Alliance (CSA) and Open Web Application Security Project (OWASP) recently joined forces to publish a revised Medical Device Deployment Guide. The fact remains, however, that numerous medical devices are extremely vulnerable and are not being adequately managed from a risk perspective.

The average cost of a data breach according to Ponemon is $3.8 million. The damage and impact to a hospital’s reputation following a medical device attack resulting in patient death is pretty much unlimited. This may sound a little far-fetched, but a recent study by the University of California Cyber Team found that several hospitals had self-reported adverse events from compromised healthcare infrastructure cybersecurity events, like ransomware, malware, or compromised EHRs. The study found that adverse events impacted between 100 and 1,000 patients. Furthermore, the 80 percent of survey respondents who reported risks in medical devices is far higher than what the FDA reports.

Risk Management

Once identified, risks to critical systems should be addressed immediately. When remediation or retirement of a medical device is not possible, effective compensating security controls should be implemented to isolate and protect the device from attack and compromise. Many of the larger hospital systems are turning to micro-segmentation of their medical device network assets using Cisco TrustSec or other tools to essentially white-list network communications to and from each medical device and drop all other traffic. GE Health and Unisys do this by routing all medical device traffic through proxy servers. Others have segmented their medical device VLANs by use of internal firewalls. These solutions all increase the complexity of networks and leave many smaller hospital systems with tight budgets and limited capabilities out in the cold.
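The allow-list idea in the paragraph above (permit only each device's documented conversations, drop everything else), as an added stand-alone model: this is not Cisco TrustSec, proxy or firewall configuration, and every address, device and flow below is constructed sample data.

```python
"""Allow-list evaluation of medical-device network flows.

Added example of the micro-segmentation approach described above: permit only
the documented conversations of each device and drop everything else. It is a
stand-alone model in Python, not Cisco TrustSec, proxy or firewall
configuration. All addresses, devices and flows are constructed sample data.
"""
from collections import Counter
from ipaddress import ip_address, ip_network
from typing import NamedTuple


class Rule(NamedTuple):
    direction: str  # "out": device opens the connection; "in": peer opens it
    peer: str       # host or network in CIDR notation
    proto: str      # "tcp" or "udp"
    dport: int      # destination port of the connection


class Flow(NamedTuple):
    """First packet of a connection as seen by the segmentation gateway."""
    src: str
    dst: str
    proto: str
    dport: int


# Constructed per-device allow-lists; anything not listed is dropped.
DEVICE_POLICY = {
    "10.20.1.11": [  # network-attached infusion pump
        Rule("out", "10.20.5.10/32", "tcp", 443),  # pump / drug-library server
        Rule("out", "10.20.5.0/24", "udp", 123),   # NTP on the server VLAN
        Rule("in", "10.20.9.5/32", "tcp", 22),     # biomed engineering workstation
    ],
    "10.20.1.12": [  # bedside telemetry monitor
        Rule("out", "10.20.5.20/32", "tcp", 2575),  # HL7 to the central station
    ],
}


def _permits(rules, direction, peer, proto, dport):
    """True if any rule documents this conversation for the device."""
    return any(
        r.direction == direction
        and r.proto == proto
        and r.dport == dport
        and ip_address(peer) in ip_network(r.peer)
        for r in rules
    )


def decide(flow, policy=DEVICE_POLICY):
    """Return 'allow' or 'drop' for one new connection.

    Every managed device on either end must permit the flow; traffic between
    two non-device hosts is outside this policy and is passed through.
    """
    verdicts = []
    if flow.src in policy:
        verdicts.append(_permits(policy[flow.src], "out", flow.dst, flow.proto, flow.dport))
    if flow.dst in policy:
        verdicts.append(_permits(policy[flow.dst], "in", flow.src, flow.proto, flow.dport))
    if not verdicts:
        return "allow"
    return "allow" if all(verdicts) else "drop"


def audit(flows, policy=DEVICE_POLICY):
    """Evaluate a batch of flows; return verdicts and dropped-flow counts per device."""
    verdicts = [(f, decide(f, policy)) for f in flows]
    dropped = Counter()
    for f, v in verdicts:
        if v == "drop":
            for end in (f.src, f.dst):
                if end in policy:
                    dropped[end] += 1
    return verdicts, dropped


# Constructed sample of observed connection attempts.
SAMPLE_FLOWS = [
    Flow("10.20.1.11", "10.20.5.10", "tcp", 443),   # pump -> drug library: allow
    Flow("10.20.1.11", "10.20.5.10", "udp", 123),   # pump -> NTP: allow
    Flow("10.20.1.11", "203.0.113.7", "tcp", 443),  # pump -> Internet: drop
    Flow("10.20.3.40", "10.20.1.11", "tcp", 445),   # workstation SMB -> pump: drop
    Flow("10.20.9.5", "10.20.1.11", "tcp", 22),     # biomed maintenance: allow
    Flow("10.20.1.12", "10.20.5.20", "tcp", 2575),  # monitor -> central station: allow
    Flow("10.20.1.11", "10.20.1.12", "tcp", 2575),  # pump -> monitor: drop (both sides)
    Flow("10.20.3.40", "10.20.5.20", "tcp", 443),   # no device involved: pass-through
]


if __name__ == "__main__":
    verdicts, dropped = audit(SAMPLE_FLOWS)
    for flow, verdict in verdicts:
        print(f"{verdict:5} {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}")
    print("dropped per device:", dict(dropped))
```

The dropped-flow counts are the review list: a device that keeps being denied is either misprofiled in the inventory or talking to something it should not.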

What’s being done to harden medical devices and prevent them from being hacked?

Guidance (and it's only guidance to date) has been published by the FDA, NIST, NCCoE, CSA/OWASP and others to improve the deployment and security of medical devices. The onus, however, is squarely being placed upon healthcare providers to secure the medical devices they procure and utilize. At the same time, manufacturers are being pressured to improve the security design of their devices and now have to perform a risk analysis of medical devices before FDA approval. But with a 5 to 6-year development cycle, the results of ‘improved security by design’ may take many years to reach hospitals and patients. With a 15 to 20-year lifespan for many medical devices, the security problem is not about to go away any time soon. That means hospitals need to implement compensating security controls immediately and keep them there for the foreseeable future.

Somewhat alarmingly however, a recent Ponemon Report on Medical Device Security showed that despite known vulnerabilities “roughly one third of device makers and healthcare delivery organizations (HDOs) are aware of potential adverse effects to patients due to an insecure medical device, but despite the risk only 17 percent of device makers and 15 percent of HDOs are taking significant steps to prevent such attacks.”


Learn more about Clearwater Compliance and the Company’s innovative information risk management solutions for healthcare organizations.


**************************
Medical device security keeping you up at night?

Clearwater offers healthcare delivery organizations the most comprehensive solution available for improving the security of biomedical devices connected to their networks. Much more than just a traditional vulnerability assessment, Clearwater strengthens its end-to-end, enterprise approach to reducing risks by automatically identifying, assessing, and managing the risk of all wired as well as wireless medical devices.


Discover how our Comprehensive Medical Device Cybersecurity and Risk Management Program can support the unique needs of your organization.

This blog is also published here. To view comments or join the discussion on this article or the questions it raises, please follow the link.

Panaceas, Shiny Objects and the Importance of Managing Risk in a Healthcare Environment – Part 2

Healthcare CIOs, CISOs, and other information risk management leaders face daunting challenges when it comes to deciding where to apply their limited resources to make the biggest difference in their organization’s cyber risk posture. As I mentioned in my previous post, healthcare security leaders can be tempted by shiny new objects – i.e., new security tools – that promise to be the panacea to their most pressing security problems.

Cyber security leaders can also be distracted by Executive Board members and other stakeholders who prioritize the cyber threat of the day. They may respond to cyber attack headlines by button-holing the CISO and asking, “What are we doing about THIS???”

The solution to a scattershot, reactive approach to cyber security is to develop an enterprise cyber risk management system (ECRMS). And the first step in developing an ECRMS, is conducting a HIPAA-compliant risk assessment and analysis.

HIPAA Compliance and Risk Assessment

HIPAA’s Security, Privacy and Breach Notification Rules are designed to ensure the confidentiality, integrity and availability (CIA) of protected health information (PHI). HIPAA’s Security and Privacy Rules apply to any entity that “creates, receives, maintains or transmits protected health information” per 45 C.F.R. § 160.103. This means that whether you are a healthcare provider, a health plan, a healthcare clearinghouse or a business associate of any of these entities, HIPAA applies to you.

The HIPAA Security Rule actually defines three different types of assessments that organizations must conduct in order to be compliant. Those three types of assessments include:
  • HIPAA Security Non-Technical Evaluation, a.k.a. Compliance Gap Assessment
  • HIPAA Security Technical Evaluation, a.k.a. Technical Testing
  • HIPAA Security Risk Assessment/Analysis
The difference between these three types of assessments is a topic for another blog post. What’s important to understand for our purposes is that organizations must conduct all three types of security assessments in order to be HIPAA compliant. One type of assessment (for example, Technical Testing or Compliance Gap Assessment) cannot be substituted for another type of assessment (Risk Assessment/Risk Analysis).

The first step – the foundational step – in developing an enterprise cyber risk management system, is to conduct a security risk assessment and analysis as defined within the HIPAA Security Rule. Two other information sources help to provide a comprehensive and detailed definition of what a HIPAA-compliant risk assessment looks like: first, OCR guidance – including the results of OCR enforcement actions and audits – gives a clear picture of what a comprehensive risk analysis includes. Second, NIST standards around information security provide a model for how to properly conduct a risk assessment – and how to start developing a strategic framework once you have the assessment results.

What an OCR-Quality Risk Analysis Entails

At its most basic level, risk analysis includes three primary tasks:
  1. Identifying risk
  2. Rating risk
  3. Prioritizing risk
Identifying risk starts with identifying and documenting every information asset in your organization. Information assets include all electronic equipment, data systems, programs and applications that are controlled, administered, owned or shared by an organization and which contain, transmit or store ePHI. This includes traditional forms of assets, such as IT systems and applications (e.g., EHR systems, clinical information applications, lab applications, medical billing and claims processing applications, email applications, etc.).

Information assets also include biomedical assets, such as patient monitoring devices, implantable devices, and remote chronic disease management applications. Internet of Things (IoT) assets must also be included in your asset inventory. (Incidentally, a key challenge for hospitals and health systems in conducting a comprehensive information asset inventory has been their capability to identify and document electronic medical devices. New technology from companies such as CyberMDX, CloudPost, Zingbox and others identifies medical devices, device types, software versions and VLAN location via passive observation of biomedical network traffic without threatening a device.)

Risk analysis does not stop with a simple inventory of information assets, however. Risk has three components: an asset, a threat, and a vulnerability. Adequately identifying risk means addressing each of these components for each information asset. For example, an information asset might be a tablet computer used by staff or clinicians. One threat to that tablet could be theft. Vulnerabilities that create risk when that tablet is stolen include a lack of encryption, weak passwords, and a lack of data backup. In other words, each information asset can be compromised by many different types of threats. In turn, those threats become real due to the vulnerabilities associated with them.

A comprehensive, HIPAA-compliant risk assessment requires documentation of a considerable amount of detail. It’s easy to see how healthcare organizations that attempt to conduct an inventory of information assets, with their associated threats and vulnerabilities, are quickly overwhelmed with pages and pages of spreadsheets.

Rating and Prioritizing Risk

And yet there is more: a bona fide, OCR-compliant risk analysis includes not only identifying information assets, threats and vulnerabilities, but also rating risk. This involves estimating the likelihood (probability) and impact (degree of harm or loss) on the organization of each possible asset/threat/vulnerability combination.

Which makes our spreadsheet even more complex:

After all information assets have been inventoried, all asset/threat/vulnerability combinations have been documented, and the likelihood and impact of each potential risk calculated, the result is a “risk rating” for each potential threat.

The beauty of the risk rating is that it allows each healthcare organization to identify, rate and prioritize the particular risks associated with that organization’s unique information asset inventory, threat/vulnerability combinations, and calculated risks.

Each organization is able to establish its own risk threshold. For example, an organization might specify a risk rating of “20” as its threshold. That means that information risk management strategic priorities would center on mitigating risks for those items that rated 20 or higher. In the example above, security leadership would be able to use this information to make a persuasive case for security tools that enable encryption of ePHI contained on tablet computers, as the “25” risk rating indicates this risk is a high priority for this organization.
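As an added illustration of the asset/threat/vulnerability register and risk threshold described above (example code written for this post, not Clearwater Compliance's or the author's tooling), assuming 1 to 5 scales for likelihood and impact so that the tablet example's rating of 25 is the maximum, and using a constructed sample register:

```python
"""Toy HIPAA-style risk register: each asset/threat/vulnerability combination
is rated likelihood * impact and prioritized against an organizational
threshold. Added example; the 1..5 scales and the threshold of 20 are
assumptions that match the '20' and '25' figures in the text."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class RiskItem:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int  # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int      # 1 (negligible) .. 5 (severe), assumed scale

    def __post_init__(self) -> None:
        # Reject ratings outside the assumed scale so a typo in the
        # spreadsheet cannot silently inflate or hide a risk.
        for name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be between 1 and 5, got {value}")

    @property
    def rating(self) -> int:
        """Risk rating = likelihood x impact (5 x 5 = 25 is the maximum)."""
        return self.likelihood * self.impact


def prioritize(register: List[RiskItem], threshold: int = 20) -> List[RiskItem]:
    """Return the items at or above the threshold, highest rating first.
    Ties are broken alphabetically so the report order is stable."""
    return sorted(
        (item for item in register if item.rating >= threshold),
        key=lambda r: (-r.rating, r.asset, r.threat, r.vulnerability),
    )


def worst_rating_by_asset(register: List[RiskItem]) -> Dict[str, int]:
    """Highest rating per asset: a one-line-per-asset summary for leadership."""
    worst: Dict[str, int] = {}
    for item in register:
        worst[item.asset] = max(worst.get(item.asset, 0), item.rating)
    return worst


# Constructed sample register following the page's stolen-tablet example.
SAMPLE_REGISTER = [
    RiskItem("Clinician tablet", "Theft", "No full-disk encryption", 5, 5),  # 25
    RiskItem("Clinician tablet", "Theft", "Weak passwords", 5, 4),           # 20
    RiskItem("Clinician tablet", "Theft", "No data backup", 5, 2),           # 10
    RiskItem("Patient monitor", "Malware", "Unpatched operating system", 3, 5),  # 15
    RiskItem("EHR server", "Ransomware", "Missing security patches", 4, 5),  # 20
]

if __name__ == "__main__":
    for item in prioritize(SAMPLE_REGISTER):
        print(f"{item.rating:>3}  {item.asset} / {item.threat} / {item.vulnerability}")
```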

The Value of a Comprehensive Risk Analysis

Conducting an OCR-quality, security risk assessment and analysis has value for healthcare organizations beyond assuring compliance with HIPAA guidelines. As the example above illustrates, a comprehensive risk analysis helps security leaders not only identify, but also rate and prioritize enterprise-wide cyber security threats.

The information uncovered by the risk analysis can help security leaders develop relevant and meaningful cyber risk management systems by providing a framework for making decisions. With an accurate and updated security risk assessment in place, security leaders no longer have to make purchasing decisions based on the strength of a vendor’s demo, or in reaction to cyber threat headlines. With a security risk assessment and analysis in place, healthcare security leaders are empowered to make proactive and strategic decisions about the tools and strategies that will mitigate their highest priority risks.

It’s probably also become clear that conducting an OCR-quality, security risk assessment is not a simple undertaking. Fortunately, it is not necessary to “reinvent the wheel” in order to conduct a comprehensive security risk assessment.

In addition to the language of the HIPAA Privacy, Security and Breach Notification Rules, OCR Guidance, and NIST resources, Clearwater Compliance has developed resources, solutions and services that help healthcare organizations quickly conduct an OCR-quality security assessment.

In the third part of this 3-part series, Panaceas, Shiny Objects and the Importance of Managing Risk in a Healthcare Environment, I will explore some of the resources, solutions and services that can not only help security leaders efficiently conduct a security risk analysis, but also help healthcare security leaders leverage the completed security risk analysis to develop an enterprise cyber risk management system.

Learn more about Clearwater Compliance and the Company’s innovative information risk management solutions for healthcare organizations.

Check out the first blog in this series here: Panaceas, Shiny Objects and the Importance of Managing Risk in a Healthcare Environment–Part 1


This blog is also published here. To view comments or join the discussion on this article or the questions it raises, please follow the link above.

Patient Safety and Cyber Risk

Healthcare CEOs know all about patient safety – at least that’s what they’ll tell you. Joint Commission and others have been all over the subject for years. Ask them what patient safety really means and most will probably start talking about how healthcare organizations protect their patients from errors, injuries, accidents, and infections. It’s a big issue. As many as 440,000 people die every year from preventable errors in hospitals alone. However, only a few healthcare CEOs will include cybersecurity in their list of top risks, but that is slowly beginning to change.

Today’s US healthcare payers, providers and pharmaceutical companies are under attack – from state sponsored theft of healthcare IP, clinical formulations, procedures and treatment regimens, to the PII of patients including 78.8 million customers of Anthem Health, to the commercial theft and sale of PHI and PII by cyber-criminal gangs intent on the monetization of stolen data.

What many don’t realize is that cyber risk in a healthcare setting is not just about attacks against the confidentiality of information but also the availability and integrity of health IT systems and data. Healthcare is a prime target for extortion and has been disproportionately impacted by bouts of ransomware impacting the availability of health IT systems to render care to patients.

Just look at the UK NHS when it succumbed to the global WannaCry ransomware attack last year. Nearly two thirds of NHS Hospital Trusts were impacted and had to cancel appointments and divert all but the most critical of emergency patients elsewhere. Had the NHS understood the true magnitude of its cybersecurity risks and acted accordingly to patch and replace out of date systems, then the negative impact to the lives of many of its patients could have been avoided.

I’m sorry, the Doctor can’t see you at the moment – our IT systems are down!

So what happens to patient care when critical Health IT systems aren’t available to diagnose or treat patients? Their surgeries get cancelled, or they get put in an ambulance to an unaffected hospital 40 or 50 miles away. That’s where the patient safety question comes into play.

What is the impact to a sick patient when he or she has to be transported an hour or so to a functional hospital?

What if that patient happens to be many hours’ drive or flight away from the nearest unimpacted and available facility and expires en-route?

What is the level of culpability for healthcare providers when they fail to properly evaluate and protect against availability risks to their IT systems?

There is a fairly obvious duty of care for patient safety, so shouldn’t that extend to the availability of health IT systems needed to treat patients?

Should hospitals be held accountable in the same way that we hold retailers accountable when they fail to protect their credit card payment systems?

Modern healthcare is highly dependent upon the clinical IT systems we use to diagnose and treat patients. What happens when a medication cabinet won’t open to dispense critical medications? What happens when a pharmaceutical robot dispenses the wrong medications for a patient and the mistake is not noticed by overworked staff? Our reliance today upon IT and IoT systems is perhaps more than most physicians would willingly admit.

Primum non nocere. (First do no harm)

Making cyber-risk a critical part of enterprise risk across the healthcare industry should be a must, given the potential risks to patient safety, just as evaluating and assessing all assets across the clinical and business environment should be too. The rising number of non-IT devices plugged in, or connected wirelessly, to hospital networks far overshadows the number of PCs, laptops and workstations in most facilities. What is more, most of these IoT devices have no security protections and cannot easily be patched. Medical devices are growing at 20% per annum and are often owned and managed outside of hospital IT and Security teams. No wonder then, that hospital CEOs are becoming concerned at the patient safety ramifications of one of these devices being compromised by a malicious hacker.

Widespread automation and cost cutting across hospitals is leading to a rising trend of the outsourcing of hospital building management systems (BMS). This includes everything from electrical and water distribution to elevators and HVAC. Most of these outsource agreements are with companies from many miles away – often out of State, or out of Country, who manage systems remotely via a virtual private network (VPN). Usually governed by weak or incomplete third-party contracts which are rarely audited, these agreements extend the hospital attack surface into the outsource company complete with all of their security vulnerabilities. Scholars of prior cybersecurity attacks will be quick to point out the parallels here between Target Stores and its HVAC services provider Fazio Mechanical, which resulted in one of the largest cyber-thefts of credit card numbers as well as most of Target’s customer information. The breach cost Target millions in compensation, restitution and credit monitoring, as well as the jobs of everyone in leadership.

The repercussions of a third-party vendor breach in healthcare could, however, be far more nefarious and impactful given what is connected to the typical hospital network. That is, unless networks are properly and securely segmented to isolate BMS, medical devices and business IT systems. However, very few hospitals have so far even started to securely segment their large flat networks.

The need therefore to evaluate third party risk is critical, yet most hospitals currently don’t do this well if at all. With thousands of suppliers, vendors, contractors and consultants in each hospital, manual assessment is simply too much to handle with the current number of security and compliance staff.

As healthcare leaders continue to monitor and evaluate what is meant by patient safety in their operations, it’s clear that today, patient safety means so much more than just avoiding medical errors or someone slipping on a freshly mopped hospital floor.

The author addresses these and other subjects at the South Dakota HIMSS annual Conference today in Sioux Falls, SD.


Panaceas, Shiny Objects and the Importance of Managing Risk in a Healthcare Environment – Part 1

You’re the CISO of a healthcare organization and you just sat through an amazing sales presentation by one of your security vendors. You are considering cutting a PO to purchase that new security tool. You’ve been thinking for some time about purchasing tools to close security gaps that you’re aware of and this particular tool appears to address a critical area of weakness in your information security program.

At the same time, you’ve got limited resources for addressing your healthcare organization’s cybersecurity risk. You experience ongoing challenges around finding and retaining IT staff with expertise in information risk management. You know you’ll need staff resources to implement that new security tool, but your IT budget never stretches quite far enough to cover all of your organization’s technology needs, let alone managing cybersecurity risk.

Sound familiar?

‘Shiny Object Syndrome’ in the security realm is often associated with a myopic focus on one critical area of weakness or vulnerability

Healthcare security leaders are often tempted to buy the “shiny new object” that promises to be the panacea to their most pressing security problems. Perhaps an audit or assessment highlighted the gap and executive management jumped all over it. Perhaps a breach or security incident became a compelling event, and the vendor’s new tool looks like a silver bullet. Vendors often encourage this line of thinking, being only too happy to make another sale.

Though new security tools can be tempting, their purchase is sometimes the result of a myopic focus on a single critical area of weakness or vulnerability. Yet the vast majority of healthcare organizations have many security gaps, spread over a wide range of areas. This is true regardless of the size of an organization’s dedicated IT staff or their information risk management budget.

When a shiny new security tool attracts your attention, how do you determine whether or not this is the best use of your resources? How do you make the case to your Board that purchasing this particular tool should be your organization’s number one priority?

The Changing Cyber Risk Landscape

All too often, healthcare security leaders are put in the position of simply reacting to the latest, headline-grabbing cyber security threats. A short time ago, cyber attackers seemed mostly intent on hacking into healthcare networks in order to steal patient data and sell it on the black market. The consequences of a data breach are far-reaching, including a loss of customer trust, penalties and settlement fees imposed by the Office for Civil Rights (OCR) for HIPAA violations, and the cost of remediation measures. A recent Ponemon Institute report estimates the average total cost of a data breach at $3.86 million. As a result, stakeholders including Board of Trustees members and consumers clamor for assurance that their healthcare providers have tools and strategies in place to prevent data breaches.

But even as data breaches continue to pose a real threat to healthcare organizations, new threats have emerged. Ransomware attacks on healthcare organizations have turned out to be just as lucrative for cyber criminals, if not more so, than selling healthcare records on the black market. The impacts of last year’s WannaCry ransomware attacks have continued to play out in healthcare organizations in the U.S. and in the U.K.

WannaCry compromised IT system availability in order to shake down healthcare providers for ransom money. But other types of emerging malware attacks – such as NotPetya – pretend to be ransomware while actually destroying critical systems and data. The increase in cyberattacks that target system availability have made IT system availability and resiliency the new cybersecurity mantra.

At the same time, new attack surfaces in healthcare organizations are attracting the attention of hackers. Network-attached medical devices – think Internet of Things (IoT) – are just as susceptible to malware and ransomware attacks as other, more traditional targets, such as the enterprise data center.

All this means that cyber risk management in a healthcare organization is a continually moving target. Cyber attackers’ motives, strategies and targets evolve quickly. By the time a new security tool comes on the market, a different threat has emerged, requiring a different approach to risk mitigation.

Given the constantly changing cyber security threat landscape, how is a CISO to respond? Is there a better way to protect your organization than being swayed by the latest, greatest vendor presentation? Is there a better way to protect your organization than yielding to Board pressure to respond to the cyber threat du jour currently making headlines?

The Big Picture: Enterprise Cyber Risk Assessment

The good news is that there actually is a better way.

And the better news is that this “better way” not only helps your organization meet HIPAA compliance requirements, it also helps your organization develop a strategic approach to enterprise-wide information risk management. It’s a deliberate and considered approach that can help guide your organization’s information risk management purchasing decisions and will strengthen your organization’s cybersecurity posture.

It begins with an enterprise-wide cyber risk assessment.

By an enterprise-wide cyber risk assessment, I’m not referring to marking off boxes on a controls checklist. I am also not referring to your latest technical testing, security gap assessment, or pen test. I’m talking about conducting a bona fide, enterprise-wide, HIPAA-compliant, security risk assessment and analysis.

What does a HIPAA-compliant security risk assessment look like?

Stay tuned. I will explore that topic in Part 2 of this three-part blog series: Panaceas, Shiny Objects and the Importance of Managing Risk in a Healthcare Environment.

Learn more about Clearwater Compliance and the Company’s innovative cyber risk management solutions for healthcare organizations.


This blog is also published here. To view comments or join the discussion on this article or the questions it raises, please follow the link.


Security Tools and SaaS

With between 45 and 65 different security vendors' tools in the average hospital CISO's tool box, healthcare providers need to make sure that third-party tools work well together and do not create unwanted complexity or introduce their own vulnerabilities.

Smaller providers in particular should look to partner with service providers to procure and consume expert security services rather than continue to pour money into the management of in-house tools. Most simply can no longer afford to attract and retain the levels of cybersecurity staff needed to defend against sophisticated attacks or to maintain an adequate level of risk management and compliance.

Security-as-a-Service (SaaS) is helping to reset the imbalance between attacker and defender, and when healthcare security teams are outnumbered 5 to 1, they need all the help they can get!

This was the subject of my recent video interview with HIMSS.


2018 Annual Cybersecurity Report

http://reports.cyberthoughts.org/cisco-acr-2018.pdf

Cisco today released its 2018 Annual Cybersecurity Report providing a freshly updated view into the current techniques that adversaries use to elude defenses and evade detection, along with insights and recommendations designed to help organizations and users defend against attacks.

The report is based upon a study conducted by Cisco of 3600 Chief Information Security Officers (CISOs) and security industry leaders from 26 countries.

This year’s report findings show a maturing, more sophisticated tradecraft by attackers. Case in point: adversaries are increasingly embracing encryption – meant to enhance security – to conceal command-and-control activity. The Cisco Talos threat research team reports that 50 percent of global web traffic was encrypted as of October 2017, a 12 percent volume increase from November 2016. Cisco also observed a more than threefold increase in encrypted network communication used by inspected malware samples during that time. As the volume of encrypted global web traffic grows, adversaries are broadening their use of encryption as a way to mask command-and-control activity, providing them more time to operate and inflict damage sight-unseen.

The evolution of ransomware was another of the most significant threat developments in 2017. By introducing network-based ransomware worms, attackers have eliminated the need for human interaction in launching ransomware campaigns. They also changed the game from pursuing ransom to the outright destruction of systems, data and operations. We all saw these rapid-moving, network-based attacks with WannaCry and Nyetya, and Cisco expects more automated crypto-worm activity in the year ahead.

The report spotlights how adversaries are evolving their approaches to exploit new technology security gaps, particularly in IoT devices which are often exposed because they were deployed improperly or left open intentionally for convenience. This includes the growing number of medical devices in hospitals and other healthcare delivery sites, which are often not patched or maintained once purchased.

See the full report for additional perspectives and what defenders can do to set the security bar higher.

New Zealand Healthcare - Just Keeping its Head Above Water!

New Zealand Healthcare - Just keeping its head above water. Photo: Hamish Clark.

Securing the delivery of healthcare services in New Zealand faces many of the same challenges as in other mixed public / private health systems. Chronic underfunding of the public health system by government austerity measures is putting pressure on a system already overloaded. Net immigration to New Zealand is combining with a rapidly aging population that is living longer, and contributing to increased patient numbers and demand for services. Hospital administrators have been forced to make tough decisions to prioritize what little resources are available to only the most critical of patients. The result is that many elective surgeries especially for the elderly are in decline and little funding remains to secure and defend hospitals from cyber attack.

As a result of the crisis in the public health system and waitlists approaching a year for patients requiring surgery, those who can afford it are switching to private healthcare delivery and health insurance. The overall percentage of healthcare services delivered via the New Zealand public system has consequently dropped to roughly 75%. A growth in private care is picking up the rest.

Could New Zealand's Health System come crashing down? Photo: Lindsey Costa.

New Zealand spends roughly a third of the per-capita expenditure on health compared with the United States. Despite this, healthcare in the country is still quite inefficient and heavily reliant upon legacy models of care, including more expensive hospital treatment. A fragmented and decentralized system of twenty District Health Boards results in repetition and duplication with wasted spending on "unique solutions to common problems", disparate "stovepipe systems", and "widely different care paths for common conditions" according to a report by Deloitte.

A lack of national uniform IT and security strategy combines with moribund health IT computer systems across DHBs, and manual labour-intensive work practices by doctors and nurses to compound inefficiencies.

The reality is that much of the national health budget appears to be squandered on administrative overhead. In fact, according to the Deloitte study, "some OECD researchers have estimated that well over 2% of New Zealand’s GDP is wasted on administrative inefficiencies."

With budget deficits and almost no money to spend on security, an increasing number of people are concerned that the whole system could come crashing down. Cyber attacks on hospitals and primary care facilities in other countries have massively damaged already fragile health systems. Attacks have caused further delays to patients awaiting treatment and life sustaining operations. If nothing changes, then the same fate may befall New Zealand one day soon.

"It's not a matter of IF but WHEN a major cyber-attack will cause massive disruption to the country’s health sector," claims Scott Arrol, Chief Executive of NZ HealthIT (NZHIT).

But the security problem is not just one of sufficient funding; it's also one of prioritization and implementation of recommendations. The British National Health Service has many similarities to the New Zealand health model and is also chronically starved of resources. Out of date and out of support computer systems combined with fragmented NHS Trusts to result in security vulnerabilities left unremediated, leaving much of the system open to attack when WannaCry struck in May last year.

According to the UK National Audit Office (NAO), more than a third of trusts in England were disrupted by the WannaCry ransomware, and at least 6,900 NHS appointments were cancelled as a result of the attack, 139 of which were considered urgent. NHS England data shows that at least 80 out of 236 trusts were affected – with 34 infected and locked out of devices. A further 603 primary care and other NHS organisations were infected by WannaCry, including 8 per cent of GP practices (595 out of 7,454). No information has been published on the larger impact of the NHS outage, including reduced patient outcomes or increased mortality, but one can only surmise that despite the best efforts of care givers, some patients were significantly impacted by the NHS's lack of security preparations.

The attack breached NHS Digital via open SMB holes in NHS firewalls and then spread quickly through thousands of unpatched Windows machines. Most infected systems ran Windows 7, but some 18% of systems were still running the no-longer supported Windows XP operating system, which went End of Life in April 2014, some 3 years earlier!

Securing healthcare delivery is not something that can be left on the side lines till next year, to a new budget, or a new administration. The potential impact on the population of a major cyber attack is too great. With the British NHS debacle as a recent example of what can happen if security is ignored, the New Zealand Ministry of Health needs to act now - before it's too late!

New Zealand Healthcare steams forward with minimal security. Photo: Stephen Crowley.


2017: A Milestone Year for UAE

The American Hospital Dubai.

2017 was a watershed year for healthcare providers in the United Arab Emirates. Joint ventures with US, UK, European and other healthcare partners saw the start or completion of a number of large hospital construction projects, vastly expanding the number of beds and types of procedures that can be conducted throughout the emirate.

Partnerships with US-based Children's National Medical Center, The Cleveland Clinic, Johns Hopkins, MD Anderson, and the Mayo Clinic have greatly helped improve care for UAE citizens, resident workers, and health tourists coming to the UAE for medical procedures.

Cleveland Clinic Abu Dhabi.

In fact, health tourism is a major area of growth for both Dubai and Abu Dhabi. During a recent visit to the emirate, I was told that health tourism is on track to see 500,000 overseas medical tourists by 2021.

A number of successful organ transplants took place this year including the first full heart transplant at the Cleveland Clinic Abu Dhabi, the Basmah free cancer treatment initiative got underway and Dubai achieved mandatory health insurance for all its residents, as part of a UAE-wide initiative underway to insure the entire country.

New Medcare Women and Children's Hospital in Dubai. New hospital facilities ready to go.

UAE is a major Health Tourism destination. Cleveland Clinic Abu Dhabi.

The deployment of UAE's electronic medical record system continues to help improve patient outcomes and some 1.4m Dubai residents now have ‘smart’ medical records. On top of all this, plans were agreed for 2,000 more nurses, midwives and allied health professionals to be recruited by the Department of Health, Abu Dhabi.


Saudi German Hospital, Dubai.

But all is not well in paradise. 2016 and 2017 were also watershed years for cyber crime in the United Arab Emirates. Studies suggest that compared to the rest of the world, UAE and its larger neighbour Saudi Arabia, are being targeted for attack and that this is beginning to impact both oil-rich nations.

A recent study by the Ponemon Institute shows that the average cost of a data breach in Saudi Arabia and the UAE in 2017 was $4.94 million (Dh18.1 million), up 6.9 per cent since 2016. These breaches cost organisations $154.70 per lost or stolen record on average. On top of that, Saudi Arabia and the UAE are amongst the top spenders ($1.43 million) on post-data breach response.

The 2017 Cost of Data Breach report also revealed that malicious or criminal attacks are the most frequent cause of data breach in Saudi Arabia and the UAE. Fifty-nine per cent of incidents involved data theft or criminal misuse. These types of incidents cost companies $171.70 per compromised record, compared to $130.70 and $128.50 per compromised record as a result of a breach caused by system glitch or employee negligence, respectively.

The average cost of a data breach in Saudi Arabia and the UAE in 2017 was $4.94 million (Dh18.1 million).


Top factors that contributed to the increased cost of a data breach in Saudi Arabia and the UAE include compliance failures and the extensive use of mobile platforms.

Scott Manson, cybersecurity leader for the Middle East and Turkey at Cisco, said: "Cybersecurity is finally becoming a top-of-mind business objective for many with many organisations making the board hold accountability, which makes sense considering a large security breach/incident doesn't only affect finances and productivity, but can severely damage customers' trust towards the brand."

According to the study, how quickly an organisation can contain data breach incidents has a direct impact on financial consequences. Globally, the cost of a data breach was nearly $1 million lower on average for organisations that were able to contain a data breach in less than 30 days compared to those that took longer than that. On average, organisations in Saudi Arabia and the UAE took 245 days to identify a breach, and 80 additional days to contain a breach once discovered.

Most of the large recent security breaches in UAE have targeted financial institutions, but as banks continue to invest rapidly and heavily in security, other UAE industries are becoming the focus of cyber criminals. That includes healthcare. With patient safety directly impacted by cybersecurity and the system availability of critical treatment systems, hospitals have much more to lose in the event of a successful cyber attack. While none of the hospitals I recently visited had knowledge of a security breach, many executives acknowledged that it was only a question of time before their institution could be hit. While investment in UAE hospitals and clinics has been huge, most of the money to date has been targeted at the direct delivery of clinical services to patients. Security and privacy have yet to catch up.

Health Tourism. Cleveland Clinic Abu Dhabi.


As the healthcare industry in the UAE continues to develop and expand into a global provider of services to international patients, the emirate needs to invest heavily in cybersecurity and privacy capabilities to protect patient information and critical clinical information technology from cyber attack. Otherwise the huge investments in buildings, equipment and highly-skilled medical staff will all be for nothing.

Once those investments in cybersecurity controls and staff are in place, UAE will surely be on the top of many people's lists for elective medical procedures. After all, who wouldn't want to recuperate in a luxury desert oasis!

Beverly Hills Security Summit

What keeps your CEO up at night? Beverly Hills Security Summit CISO Forum. Photo: Tina Kitchen.

  • What is it that keeps your CEO and Board up at night?

  • How do you communicate cybersecurity risk to the Executive Leadership Team and the board, and do you talk to enterprise risk or just technology security risk?

  • In planning to address ELT and board risk concerns, how are you going about the development of a security risk remediation plan?

  • Have you considered the development and maintenance of a multi-year enterprise Security Roadmap and do you have anyone to help you in its development?

  • What approaches work best at other healthcare entities and what can we all learn from one another?
Richard Staynings hosts the cybersecurity forum. Photo: Tina Kitchen.
These were just some of the discussion points between the assembled Chief Information Security Officers and other senior healthcare leaders during a Leadership Roundtable at the Beverly Hills Health IT Summit and Security Forum today.

The event was held at the Sofitel Los Angeles at Beverly Hills, and attracted several hundred CISOs, CIOs and COOs, along with various Directors of Technology, Cybersecurity and Health Information Management.

The lunch was arranged and sponsored by Optum Security Solutions, part of Optum under the UnitedHealth Group umbrella, and was hosted by Optum's Tina Kitchen.

Mark Hagland, Editor-in-Chief at Healthcare Informatics, and Richard Staynings of the HIMSS Privacy and Security Committee led the discussion.

Institutional reputation remains one of the biggest concerns, particularly at high-profile clinics attended by celebrities, but is the patient population becoming sufficiently jaded and numb to all of the breaches of health information to walk elsewhere? And if most other healthcare delivery outlets are also impacted by security breaches, then where do patients go? At the end of the day, lawsuits and restitution notwithstanding, we heard that patients want the best possible treatment they can afford, and will suffer through the diminished reputation of a clinic in order to receive that care and attention.

The complexity of large health systems, particularly as mergers and acquisitions drive even larger conglomerates, creates political and technological barriers to the implementation of enterprise-wide holistic security controls and causes duplication of effort and expense. Where management of these systems has not been consolidated and centralized, the Enterprise Chief Information Security Officer will have an especially hard time. Numerous divisional leaders including CIOs and COOs need to be consulted before new security controls can be implemented, and this task becomes even more daunting for the CISO in research or academic health where conflicting business drivers can seriously compound problems in access to PHI.

The frequency and magnitude of attacks against healthcare continue to climb, as well-funded and highly motivated attackers, be they nation states or criminal gangs, ply their craft at healthcare's expense. This is keeping all of us on our toes and stretching security in many hospitals to the limit. Understanding where threats are coming from and quickly identifying potential indicators of compromise is increasingly becoming a challenge, and one where, for healthcare, the need for help from specialist partners is increasingly evident.

Risk remediation needs to be targeted to the areas of greatest potential impact for each institution. Available resources simply don't allow for the remediation of all areas of weakness. The number of security resources available to security leaders is also a constraining factor and is leading to a dramatic increase in the consumption of managed security services from partners like Optum and others. This trend is set to continue as the availability of security resources becomes even more competitive and better-funded financial services organizations attract more and more healthcare security professionals.

Taking all these factors into account, we heard that an Enterprise Security Roadmap is becoming critical not only for security planning, but also for communicating that plan upwards to senior executives and the board. We also heard that Optum Security Solutions has had great success in helping a wide range of healthcare entities to develop and maintain security roadmaps, and that these have greatly helped to reduce security risk and stave off attacks.

Overall the lunchtime session resulted in a full and frank exchange of ideas from assembled guests along with a better understanding of what seems to work best in a healthcare environment, where compliance, institutional reputation and patient safety all play a critical role.

Attendees included:
  • Sriram Bharadwa, CISO, UC Irvine Health
  • Carl Cammarata, CISO, Northwestern University - Feinberg School of Medicine
  • Cris Ewel, CISO, UW Medicine
  • Mark Hagland, Editor-in-Chief, Healthcare Informatics
  • Norman Hibble, County of San Luis Obispo - Health Agency
  • Chris Joerg, CISO, Cedars-Sinai
  • Tina Kitchen, Sr. Solutions Executive, Optum
  • Surya Mishra, IT Director, Blue Cross Blue Shield Association
  • Olaf Neumann, CIO, Inland Behavioral and Health Services, Inc.
  • Casie Phillips, Regional Manager, Healthcare Informatics
  • Richard Staynings, HIMSS Privacy and Security Committee
Thanks to everyone for their participation and a great exchange of ideas.

Photo: Tina Kitchen.