I recently attended the Cerner Health Conference along with the Health Connect Partners 2017 Fall Hospital and Healthcare IT Conference, and at both conferences healthcare security was a topic of high interest. I had the opportunity to attend multiple sessions on this topic between the two conferences, and thought I would share the most valuable insights I gained from these sessions, as well as practical recommendations for the healthcare industry.
1. A process for security is important, perhaps more important than security tools.
For many this is not a surprising statement, as I suspect most healthcare customers have well defined security processes in place. The 2017 HIMSS Cybersecurity survey reported that 62% of healthcare organizations use the NIST Cybersecurity Framework (a common security framework useful in building an internal security process), and that number jumps to 95% if the healthcare organization has a CISO in place.
However, the emphasis I observed is more about how seriously you follow your processes and how well your security tools map to the processes you have in place. Much of the feedback from these security sessions really drilled into this issue of mapping tools to processes.
Much of the approach to security today is asset focused: How secure are my applications? How secure are my devices? How secure is my data? But by focusing on the individual components you ignore much of the risk. A healthcare workflow may touch multiple apps, devices and users spread across multiple geographies. Securing this workflow requires more of a risk management approach vs. an asset management approach. This is challenging when you have too many tools that only look at individual pieces of that workflow, and the complexity of all of the interactions within this workflow only increases your risk exposure.
So what are you to do? The discussion here turned back to really building out your risk landscape. Map out your workflows, identify all of the components within those workflows, understand where the data flows, and map out all the tools you have in place and how they map to those workflows. That will help you understand where your security gaps are and where you have redundancies in your security coverage. Combine your tech and processes together as much as possible, and have a documented view of how they intertwine.
This is where frameworks such as the NIST Cybersecurity framework can help, but you need to take the risk assessment portion of your process seriously. Make sure you are continuously evaluating your risk posture and assessing how all parts of the organization are implementing and following your security processes. There was plenty of feedback that there needs to be more education, more testing, more awareness spread across the entire healthcare organization so it is not just a small subset of people taking an active role in security. When workflows touch multiple applications, multiple devices, multiple people, any part of that chain is part of your potential attack surface.
2. It takes a village: Collaboration is a must for security.
An interesting point that was raised, and one I really believe, is that there is little competitive advantage to be gained when a competitor is attacked. An attacker just has to get lucky once out of a thousand attempts to be considered successful. But if you turn around and say you are successful in stopping 99.9% of attacks, that still may be considered a failure, not only for you but for the entire healthcare industry.
One way to improve your success rate is to regularly exchange information, ideas and best practices within the healthcare community. Healthcare is somewhat unique in that the rich set of data healthcare organizations are managing makes healthcare a very attractive attack target. So don't approach security from an island; work with your peers.
Look at getting involved with regional communities where you regularly get together with your healthcare peers to share information. What attacks have you seen? How are your processes working? Where have the breakdowns been? What is working, what is not? What tools work better than others?
It was encouraging to see examples of these communities in existence, but it was also evident that this idea has not spread everywhere. Another frustration expressed was the challenge in recruiting security talent, and I think the more collaborative healthcare is when it comes to security, the quicker you can onboard and make use of the talent you hire.
One other point on collaboration. Not only is collaboration with your peers important, but so is internal collaboration. For organizations that have a CISO, it is important that CISO-to-CIO collaboration and communication is constant. This stands as a self-evident statement, but there are examples where a lack of this collaboration had serious implications.
3. Medical devices (and IoT) are both an opportunity and a frustration.
I mentioned earlier how workflows today encompass data flowing from multiple applications to multiple users and multiple devices. Securing this whole workflow represents new challenges as mentioned above, but securing devices and things is creating all kinds of new challenges and was an active topic of conversation. Gone are the days when an application can be thought of as a transaction between a client and a server. There increasingly will be all kinds of medical devices, instruments, things, IT-managed computing devices, tiny embedded devices and personal wearables that are all taking part in medical workflows. And all of these devices may have differing capabilities and requirements for security. Yet this is the world we live in—the challenge is, how do you secure this world? This will be an evolving conversation for sure.
Much of the conversation centered around network segmentation and device visibility. Network segmentation allows you to put IoT and medical devices on different segments than the PCs and laptops that may have access to a broader set of sensitive data. Segments can be designed for certain types of devices, for locations within your organization, or per workflow. The goal is to avoid the scenario where, if one device is compromised, the entire organization is put at risk, much like the casino that was hacked when its 'smart fish tank' was compromised.
You still need to complement network segmentation with good visibility into all of the devices and applications on your network and their corresponding communications. You can also take a close look at those network segments to ensure the communications within and between them are behaving as expected. With this type of visibility, you can see when an unexpected device appears on your network, or an expected device starts communicating data in an unexpected fashion.
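To make the segmentation-plus-visibility idea concrete, here is an added example (not from the original post or from ExtraHop) that reviews flow records against a segment layout, a device inventory and an allowed-communication policy. The CIDR blocks, device addresses, policy tuples and flow records are all constructed for illustration.

```python
import ipaddress

# Constructed segment layout (assumed): each segment is one CIDR block.
SEGMENTS = {
    "medical_devices": ipaddress.ip_network("10.20.0.0/24"),
    "workstations": ipaddress.ip_network("10.10.0.0/24"),
    "ehr_servers": ipaddress.ip_network("10.30.0.0/24"),
}

# Constructed inventory of devices expected on the medical-device segment.
KNOWN_MEDICAL_DEVICES = {"10.20.0.11", "10.20.0.12"}

# Constructed policy: (source segment, destination segment, destination port)
# tuples that the workflow mapping says should exist. Anything else is either
# a segmentation gap or a device behaving in an unexpected fashion.
ALLOWED = {
    ("medical_devices", "ehr_servers", 443),
    ("workstations", "ehr_servers", 443),
}

def segment_of(ip):
    """Map an address to its segment name, or 'unknown' if it is in none."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"

def review_flows(flows):
    """Return (reason, flow) findings for flow records shaped as
    {"src": ip, "dst": ip, "dport": int}."""
    findings = []
    for f in flows:
        src_seg, dst_seg = segment_of(f["src"]), segment_of(f["dst"])
        # An address on the medical segment that is not in the inventory.
        if src_seg == "medical_devices" and f["src"] not in KNOWN_MEDICAL_DEVICES:
            findings.append(("unknown device on medical segment", f))
        # Any communication the policy does not expect between segments.
        if (src_seg, dst_seg, f["dport"]) not in ALLOWED:
            findings.append(("unexpected cross-segment flow", f))
    return findings

# Constructed sample flow records: one expected device talking to the EHR,
# one unknown address on the medical segment, one known device reaching a
# workstation over SMB, and one ordinary workstation-to-EHR flow.
SAMPLE_FLOWS = [
    {"src": "10.20.0.11", "dst": "10.30.0.5", "dport": 443},
    {"src": "10.20.0.99", "dst": "10.30.0.5", "dport": 443},
    {"src": "10.20.0.12", "dst": "10.10.0.40", "dport": 445},
    {"src": "10.10.0.40", "dst": "10.30.0.5", "dport": 443},
]

if __name__ == "__main__":
    for reason, flow in review_flows(SAMPLE_FLOWS):
        print(f"{reason}: {flow['src']} -> {flow['dst']}:{flow['dport']}")
```

Running it flags the unknown 10.20.0.99 address and the medical-device-to-workstation SMB flow, while the two policy-conformant flows pass silently.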
Open discussions and sharing of ideas will only help healthcare as an industry build its overall security profile. Throughout these conversations, continuous risk assessment, community engagement, and comprehensive network visibility all rose to the top when it came to healthcare security recommendations.
If you're looking for help building out your Healthcare IT analytics and security profile, you've come to the right place. Healthcare orgs can easily map and assess their environments, automate threat detection, and access full IoT visibility using real-time analytics from ExtraHop. Go here to learn how it works!
This is a companion discussion topic for the original entry at https://www.extrahop.com/company/blog/2017/healthcare-security-2017/