Why many cybersecurity programs fall short on protection
Health IT leaders at a recent CHIME roundtable discuss their take on recent findings from the Most Wired Survey.
Healthcare leaders representing high-scoring 2018 Most Wired recipient organizations and supporting CHIME Foundation firms joined CHIME President and CEO Russell Branzell in an executive roundtable discussion about key findings in a report based on the Most Wired survey results. Only 29 percent of survey respondents reported having a comprehensive security program in place, something Branzell described in his role as moderator as “a serious surprise.”
Several roundtable participants shared their thoughts on why this could be. They also offered strategies to grow a cybersecurity-savvy talent pool. The responses have been edited for brevity.
Ken Bradbury, senior vice president and chief technology officer at The HCI Group, said he was not surprised by the result and noted that there is a varying degree of maturity for security programs across the industry: “Cybersecurity within healthcare is a high priority but I don’t think there is a clear understanding of all of the prerequisites of achieving security compliance and having a strong security program. That means you need a stable infrastructure; you need governance and leadership that are aligned with the executive team but also with IT. Your CISO (chief information security officer) needs to be really integrated into the organization – not just a pillar but integrated into IT so it becomes a cultural compliance.”
How compliance is structured within the organization can also affect the comprehensiveness of the program, observed Dana Moore, senior vice president and chief information officer at Children’s Hospital Colorado. A program overseen by the legal department may meet the regulatory standard for compliance but not develop the robust functionality of an IT-led program.
The board can play an important role in ensuring that no such silos occur. Julie Hull, vice president of operations, Cerner KC One Health Innovation Alliance at Truman Medical Centers, said her board takes security seriously and encourages communication across departments: “Our board comes in asking questions about (security) because of how prevalent breaches and (incidents) like that are in the news. It is something they think about. For some time, we have had to have (processes) in place where we have someone in IT but also in compliance that we work with and who leads our reviews. I was shocked when I read the numbers, and candidly, they probably were sweating when they answered that question.”
Pamela Arora, senior vice president and CIO at Children’s Medical Center of Dallas, said her board is engaged and supportive but the IT community needs to better articulate the value proposition: “When we buy a new piece of medical equipment, it is clear what we just purchased. But when we talk about security, not everyone understands where the investments are going. In many cases, the cybersecurity automation we need to implement to protect our environment comes at a cost, and it is not always clear to the organization what they are getting for this investment. That’s why it’s important for CIOs and security professionals to clearly explain where those investments are going.”
While the benefits should be made clear to the healthcare organization, to be effective the technology should be seamless, said Gus Malezis, president and CEO at Imprivata: “You should all challenge the vendors to make the technology as invisible as possible, as nonintrusive as possible. Traditionally, the cybersecurity market has probably not delivered there. You should challenge the vendors, me included, to make (technology) simple so it doesn’t inconvenience the user, otherwise the clinicians will not adopt it.”
Marc Probst, CIO at Intermountain Healthcare, noted that the adoption of standards has been piecemeal although it has improved. Yet advancing to a comprehensive security program may be difficult for many organizations: “Getting to a standard and managing that standard is an overhead that most organizations are not going to initiate. They will look at ways of putting in multifactor (authentication); they will look at ways of putting in encryption; they will look at how to segment their networks, and all these pieces that probably apply to the standard. But they are not in a position to manage to that standard. That requires significant resource (money and skills) and will take time and discipline.”
It also will take finances and resources. Those demands may be even more challenging in the healthcare sector, where there is a shortage of cybersecurity talent. An unrelated survey-based report released jointly by CHIME and KLAS in 2018 had found many healthcare organizations were struggling to hire and retain staff with experience in both cybersecurity and healthcare. Branzell asked the roundtable participants how they deal with that issue.
Omer Awan, senior vice president and CIO at Navicent Health, said that the health system’s location about 75 miles south of Atlanta puts it in a competitive job market. To counter that, Navicent Health has tried to grow talent locally: “What we are doing is working with the academic institutions, the local universities, to get started in not just MIS (management information systems) programs but cybersecurity. We try to invest in those and offer internships with the hope that when the graduates come out they will stay because of their local roots in that area.”
Don Kleoppel, chief security officer at Cerner, said cybersecurity education institutions need to revise their programs to reflect contemporary challenges. He cited a collaboration with the University of Central Missouri as one model: “It is not about understanding how to set up a firewall, or IPS (intrusion prevention system). We have to start forcing it into engineering and application development. The University of Central Missouri has a set of cybersecurity modules that all of their engineers have to go through to get their engineering degree. They are pushing it to that level because we all know code is infrastructure and if your security folks don’t know how to code, if your coders don’t know how to write secure code, that is a big challenge.”
Arora and Hull emphasized that education can take place within the healthcare organization, too.
For Arora, that includes educating all staff about cybersecurity dangers and best practices: “Not only is it awareness around the technical side but also having to ensure that they are trained all the way down to staff members that their role is critically important.”
Hull pointed to medical devices as especially challenging because they require staff with knowledge about the devices in addition to understanding security and healthcare: “Today the market is woefully lacking in those types of skills. In that case we have organically grown it with multidisciplinary teams that have formed and organized around it.”
Following the roundtable, Steve Cagle, chief executive officer at Clearwater, added that while he was not surprised that only 29 percent of the companies surveyed had a comprehensive cybersecurity program in place, he wondered if this low percentage would finally serve as a “wake-up call” to healthcare providers, especially given the growing number of internal and external security threats: “Many large healthcare organizations are struggling to provide their leadership teams and boards with the cyber risk information they need, as they don’t have the proper tools in place to perform a comprehensive, enterprise-wide risk analysis of all of their ePHI (electronic protected health information) assets. Several top 10 Most Wired award winners have addressed this need and matured their cyber risk programs and report on cyber risk on an on-going basis.”
The Most Wired report defined a comprehensive security program as having a process for security deficiencies to be reported to the board; security progress reported to the board; a dedicated CISO; at least annual security reports provided to the board; and security program oversight from a board-level committee. The CHIME HealthCare’s Most Wired Trends Report is available here.