Data Security in the Information-Sharing Age
At an annual FierceHealthIT event, healthcare execs discuss multi-layered strategies to defend against cyberthreats
An Executive Report from the editors of FierceHealthIT, April 2016
By Gienna Shaw and Dan Bowman

Thank you to our sponsors:


Contents
Protect against email threats
Sponsored Content: “Wearable Healthcare” – Let Data Drive Operations
Invest in security, outside help
Share safely with others
Prepare for the worst
Sponsored Content: Healthcare’s Cybersecurity Mandate

The increasing emphasis on care coordination, population health, risk-sharing and accountable care payment models means data storage, collection and sharing is more important than ever. Good data at the right place and time can increase efficiency, improve care quality and outcomes and reduce costs.

But healthcare leaders must balance the demand for easy-to-access data with the imperative to keep it secure. It’s hard enough for healthcare organizations to protect their own data. It’s harder still to control the security of other providers, care settings and agencies such as state public health registries.

FierceHealthIT gathered more than 20 high-level executives during the 2016 HIMSS convention in Las Vegas for an invite-only discussion and networking event. The topic was one that’s been top-of-mind of late: securing sensitive IT systems and the data they contain from ransomware, malware, phishing attacks and other cyberthreats.

The general consensus: No one is immune. “If you don’t know you’ve been hacked, chances are it’s already happened,” one health IT executive who participated in the event said.

Ransomware will “wreak havoc on America’s critical infrastructure community,” one recent report warns. And the healthcare industry is being “brutally” and “relentlessly” targeted, according to the Institute for Critical Infrastructure Technology.

Several attendees had a story to tell of ransomware, malware or phishing attacks at their organizations. And in the weeks leading up to and following the HIMSS event, an alarming number of breaches made headlines.

One of the most dramatic was a late-February ransomware attack that paralyzed California’s Hollywood Presbyterian Medical Center for more than a week. Staff worked with paper and fax machines as the hospital started diverting patients. The hackers demanded $3.6 million (9,000 Bitcoin), though they ended up settling for $17,000 (40 Bitcoin) to release the data. The story left many executives to ponder what they’d do in the same situation.

The question echoed around the room: Would you pay the ransom? Attendees debated the balance between the cost of losing the data and the cost of paying hackers to get it back.

For some, the math is simple. Downtime—and reverting to paper files and fax machines—for even just a few hours would cost the same as, or more than, the $17,000 that Hollywood Presbyterian paid the hackers. And recovering the data even after it’s released can take much longer than that, depending on how long the software lurked in your system, encrypting files one by one.

It might be an expensive lesson, but it’s still a lesson. Identify what happened, figure out how to keep it from happening again and move on from there, one attendee advised.

No one strategy to fight these threats emerged from the discussion. Rather, the group agreed, healthcare organizations must take a multi-pronged approach. Teaching employees to recognize the tell-tale signs of a phishing attack, such as typos and spelling errors, is fine, but you can’t rely on training alone.

If you do, one attendee noted, you’re only as strong as your least savvy employee.

“Are we just hoping that the people who are sending out ransomware don’t get better at spelling?” one executive asked the group. “It’s not going to take them long to start spelling better and getting the attachments to look legit. Then what do you do?”

In fact, said one health IT executive whose CEO fell for a targeted phishing attack, hackers are already getting better at looking legit. “The email looked like it was coming from my help desk. It was beautiful. It was amazing to see.”

Protect against email threats

Sending information via email and attachments isn’t going away anytime soon. There just aren’t a lot of viable alternatives. To that end, attendees offered some suggestions to strengthen this common point of weakness.

For starters, they said, organizations must do a better job of clarifying what an official email looks like. Fonts and headings could be changed, for example, to give employees a visual clue that an email is real. One executive said his organization is looking into technology to color-code emails; a “background color of the month,” he said, could help employees identify genuine internal emails as safe.

Another suggestion: A button within the organization’s email system that allows users to report suspicious emails with just one click.


Sponsored Content

No industry is more primed to turn futuristic technology into reality than healthcare. Organizations across the globe are already implementing portable devices and mobile solutions to improve provider service delivery and payer operational efficiencies in a digital world.

From an IT perspective, the key to healthcare organizations achieving success with wearables and IoT is to turn large amounts of critical data into smarter decisions and faster action. While the devices themselves continue to get most of the attention, physicians, patients and health insurers must be able to access data, put it in business context, and do something with it – regardless of the device.

Modern platforms for BPM and Case Management are the bridge to connect data from wearable technologies to actual process execution and business value. The result is business innovation capable of revolutionizing global health practices.

Healthcare providers continue to face the challenge of improving the quality of care while reducing cost and remaining compliant with industry standards. The use of wearables can help providers more easily connect with their patients to track data and collaborate more openly around health status, preventative measures and treatment outcomes. Interactions between people, process, and data can be dynamic, ad hoc, and unpredictable. Wearable technology has made huge strides in allowing individuals to better manage their own health and health data. Healthcare providers must have the policies and technology platforms in place to consume that data, collaborate around it with the patient and colleagues, enact a treatment decision, and monitor progress.

With razor-thin margins and high regulation, health payer organizations must operate with efficiency and accuracy to avoid spikes to insurance costs. Enterprise mobility, including wearables and smart sensors and other devices, presents a tremendous opportunity for these organizations to collect better data more quickly from providers looking to partner with payers to offer top-end healthcare solutions. For example, a mobile app for inspecting provider facilities can speed provider on-boarding while also enforcing regulatory compliance.

The data itself, not the device on which data is collected and transmitted, holds the transformational gains wearables and other types of mobility can bring to worldwide health initiatives. The healthcare payers and providers that will have the greatest impact introducing wearables will be those that can effectively apply actionable data across the devices they wish to implement. Without the solution to connect people and processes to data, wearable initiatives will become just another fizzled pilot program.

Modern BPM and Case Management platforms generate applications that are equally process- and data-centric. In addition, they are platform-agnostic, enabling these applications to be written just once, and run natively across any desktop, the web, and mobile devices. Leveraging such platforms holds the key to digital transformation and real business value for all participants in the healthcare ecosystem.

“Wearable Healthcare” – Let Data Drive Operations
By Fritz Haimberger, Healthcare Practice Leader, Appian


Invest in security, outside help

Attendees agreed that prior to 2015, getting buy-in from the C-suite for cybersecurity was difficult. But after the plethora of breaches, it’s a top priority.

Budgets for security are increasing. “Our board is more and more aware as these stories come out. They’re asking what we’re doing. And we tell them we need to beef up the infrastructure,” one attendee said.

But money isn’t the only available resource. Think the FBI isn’t interested in the ransomware you found on that single computer? Think again. The agency wants your information and will track hackers even if they don’t follow through with a ransom demand, and even if a phishing email never puts patient data at risk.

In fact, one attendee said, the local FBI office sent out two agents to conduct training with IT staff, explaining the reporting process and giving them background on current threats.

Share safely with others

Because sharing information is a necessity for care providers, hospitals must take steps to ensure the safety of both incoming and outgoing data. One potential solution, according to attendees: A gateway server outside of the protected environment, which can receive and transmit data to a less-secure area so it can be vetted before it comes in.

And pay close attention not only to vendors, but their vendor partners, as well, who may be located in different countries. “That’s your threat,” one attendee said. “That outer layer.”

Another piece of advice that might seem counter-intuitive: Lighten up tight controls over some kinds of data. One example: Patient portals. Patients have experience protecting their information. And it is their information. So if they want to stay logged into their patient portal, attendees said, why not let them?

On the employee side, if you deliver alternative methods for file-sharing that are safe, staffers won’t need to get around the rules by using a thumb drive, for example. “Give them an equivalent safe process,” one attendee advised.

Prepare for the worst

Those at the event who told stories about ransomware and targeted phishing attacks shared a common strategy: Isolate the threat to stop it from spreading and minimize downtime. Sometimes that’s as simple as unplugging an infected computer or group of computers.

“We were able to recover all of the data from our backups and regular processors; it never got to the point where someone was making demands for ransom,” one attendee reported.


Sponsored Content

The mandate for healthcare information security is clear. Our industry has to raise the bar. We are reminded of this by the constant stream of breaches affecting healthcare providers such as the recent incidents impacting 21st Century Oncology and Hollywood Presbyterian Medical Center. Industry reports like this one from the Ponemon Institute state that healthcare organizations face cyberattacks every month and are still struggling to find effective strategies to keep systems secure.

One of the core vulnerabilities facing healthcare is identity and access risk, as most healthcare organizations have vulnerabilities but don’t realize their security strategies are insufficient. With frequent industry consolidation and the emergence of population health, information security is becoming increasingly challenging to manage. Data is now being shared from a multitude of applications with both employed and non-employed physicians. Managing this risk is further complicated because it has multiple layers. You have to consider elevated privileges, remote and mobile access, and multi-factor authentication, and balance these concerns with providing efficient access. While single sign-on (SSO) tools are often looked upon as the first line of defense in controlling identity and access risk, providers need additional capabilities because the threat landscape has evolved. Providers need to assume that insiders and outsiders with malicious intent are attempting to gain unauthorized access.

In order to reduce this risk, providers need greater visibility so that they can be more diligent. This entails a major shift in philosophy to a more proactive strategy that is constantly managing credentials and access rather than just reacting. The key to succeeding with this approach is to leverage automation. With the exploding number of applications and clinicians that must be managed, security teams must use tools that can automate manual security related processes. Here are a few examples of how automation can help manage risk:

• Provisioning and de-provisioning processes, which provides consistency in the process, saves IT many hours of work and prevents errors

• User, entitlements and behavior data can be brought together in a single view so you have all the information you need to take action

• A governance, risk and compliance (GRC) dashboard can be set up with analytics to monitor and proactively manage risk efficiently (e.g. an orphaned accounts report)

• Real-time alerting can identify a potential incident as it happens to minimize damage

• Remediation can be simplified so that access can be removed or suspended in just a couple of clicks
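As an added illustration of the orphaned-accounts report and de-provisioning checks listed above (example code written for this page, not a feature of any product the sponsor describes), the script below joins a constructed HR roster and affiliated-physician list against a constructed application account list, flags accounts whose owner has left, whose affiliation lapsed, or who matches no roster at all, and lists privileged findings first.

```python
"""Orphaned-account report: flag application accounts whose owner is no
longer an active employee or a current affiliated physician.
Every roster and account below is constructed sample data for this example."""
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Account:
    app: str
    username: str
    owner_id: str      # HR or affiliate id the account was provisioned for
    privileged: bool   # elevated privileges (admin, service, break-glass)
    last_login: date

# Constructed HR roster (employee id -> status) and affiliated, non-employed
# physicians (id -> affiliation agreement still current?)
HR_ROSTER = {"E100": "active", "E101": "terminated", "E102": "active"}
AFFILIATES = {"P200": True, "P201": False}

def owner_is_active(owner_id):
    """Active employee or current affiliate; unknown ids are never active."""
    if owner_id in HR_ROSTER:
        return HR_ROSTER[owner_id] == "active"
    return AFFILIATES.get(owner_id, False)

def orphaned_accounts(accounts, today, stale_days=90):
    """Return (account, reason) pairs that need review or de-provisioning:
    'no owner' (id matches no roster), 'owner inactive' (left or lapsed),
    'stale' (active owner, no login in stale_days). Privileged first."""
    findings = []
    for acct in accounts:
        if acct.owner_id not in HR_ROSTER and acct.owner_id not in AFFILIATES:
            findings.append((acct, "no owner"))
        elif not owner_is_active(acct.owner_id):
            findings.append((acct, "owner inactive"))
        elif (today - acct.last_login).days > stale_days:
            findings.append((acct, "stale"))
    findings.sort(key=lambda f: (not f[0].privileged, f[0].app, f[0].username))
    return findings

REPORT_DATE = date(2016, 4, 1)
SAMPLE_ACCOUNTS = [  # constructed
    Account("ehr", "jdoe", "E100", False, date(2016, 3, 20)),
    Account("ehr", "admin-smith", "E101", True, date(2016, 1, 5)),
    Account("pacs", "drlee", "P200", False, date(2016, 3, 1)),
    Account("pacs", "drkhan", "P201", False, date(2015, 11, 2)),
    Account("billing", "svc-legacy", "X999", True, date(2015, 6, 1)),
    Account("billing", "mchen", "E102", False, date(2015, 12, 1)),
]

if __name__ == "__main__":
    for acct, reason in orphaned_accounts(SAMPLE_ACCOUNTS, REPORT_DATE):
        tag = "PRIVILEGED " if acct.privileged else ""
        print(f"{tag}{acct.app}/{acct.username} ({acct.owner_id}): {reason}")
```

In a real deployment the rosters would come from the HR system and the credentialing office, and the findings would feed the suspend/remove step rather than a printout.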

Given the increased threats we face, healthcare needs to change its approach to security and privacy. Ultimately, the key is greater due diligence, day in and day out. If we use tools that help us accomplish this, then we give ourselves the best chance to win this battle.

Healthcare’s Cybersecurity Mandate
By Mike Willingham, Vice President of Quality Assurance and Regulatory Affairs, Caradigm


Most organizations plan for natural disasters. These days, they have to prepare for cyberattacks, too. “You can talk about it and say ‘no, we’re not going to negotiate with terrorists. We’re not going to pay.’” But theory is one thing. You have to test that decision in a way that mimics real life, one attendee said, by running it up through the chain to the CEO and asking “What are you going to do?”

Several executives said they’ve conducted tests to see if employees would alert IT to a suspicious email or if they’d download the suspicious attachment or click on an unknown link. Most employees were fooled, one attendee reported. “The interesting thing was the IT staff were just as equally hit.”