Dan Munro On Healthcare Information Security

Posted by ddavies
September 29, 2016

MediPro had the opportunity to interview Dan Munro, the man who literally wrote the book on the subject. Dan is a highly respected authority on healthcare information security, writing for Forbes and authoring the book Casino Healthcare. So without further ado … let’s get right to the questions:

What are the biggest security challenges facing healthcare providers in 2016 and how do you think that will change in the next few years?

The biggest challenges are cultural and operational – not technical – and I don’t think this changes for the foreseeable future. Opsec and infosec (and all the related legal and technical functions) demand the committed focus of an Executive Team and Board of Directors. This isn’t just an IT issue. John Chambers (of Cisco fame) said it best.

“There are two types of companies: those who have been hacked and those who don’t yet know they have been hacked.”

I’ve also seen this rephrased recently in a way that emphasizes the operational challenge:

“It’s not a question of if your organization will be breached … it’s how long will it take to discover it.”

According to one recent study, the answer to that question is – on average – almost 5 months.

Specific to healthcare, what’s become crystal clear over the last few years is the huge magnet health data represents to criminals that are able to penetrate healthcare networks with relative impunity. The number of health records breached in just one year – 2015 – was a staggering 112 million. As a percentage of the population, that’s about 35% of the U.S. I wrote about the ease of logging into the network of a sizable hospital (through a network attached printer) in 2014, and I know these vulnerabilities still exist. Health data is also lifelong, so there’s a long tail value that easily eclipses temporary financial data like credit cards.

So the real challenge I see isn’t just automating security through technology deployment, it’s the process of infusing an entire culture of security into an industry that – at least until recently – has largely managed to avoid it. The technology is relatively easy and directly tied to the IT budget process. What’s harder and longer is the training and ongoing commitment to best security practices for every organization – of every size. This is the real overhead that many healthcare organizations both resent and avoid – and this resistance has to be overcome. In the cyberwars ahead, there is no Red Cross safety zone. In fact, healthcare is a big bullseye.

It’s often mentioned that the biggest security holes are the people who don’t understand what they’re doing, installing apps and viruses on their machines. How do healthcare providers combat that?

This is the operational challenge I referenced in the previous question. It’s people and processes that create the most vulnerability to every organization and the only way to combat this is by creating a culture of security. In this sense, healthcare suffers from no less than 3 different – and significant Human Resource issues:

  1. Healthcare organizations need to include security as an integral – and full-time – member of the executive team. In some cases, it’s actually been relegated to part-time status and assuming that level of organizational risk is no longer an option. The Chief Information Security Officer position needs to be full-time, dedicated, Board level and not just as a token head to axe when there’s a significant breach.
  2. Cybersecurity talent generally is in very high demand and short supply – and that’s not going to get better anytime soon. Healthcare organizations need to understand that they’re about 5-10 years behind other industries in their cybersecurity profile – and that’s an added burden in attracting and keeping the kind of talent necessary to reduce the risks. This will result in serious budget challenges – and discussions – as it should. Finding, securing and retaining this talent will require an even larger organizational commitment over time. I know of cases where large (instantly recognizable) healthcare brands lost key talent because they thought of security as a single hiring investment.
  3. Every member of an organization – both inside and outside of IT – needs to be trained on best security practices around the most serious threat of all – social engineering. In the cyber battles ahead, the attackers have the advantage because the defenders need to protect against all threats all the time. Attackers, on the other hand, only need to exploit a single vulnerability once. More and more, that vulnerability is a sophisticated phishing campaign that delivers an unknown, often unseen payload that can infect or even disable an entire organization.

Ransomware is a growing problem that doesn’t even guarantee a solution if the ransom is paid. How can healthcare providers safeguard themselves against such attacks?

Ransomware isn’t new – technically, the first example was in 1989 with the AIDS Trojan Virus – and while it’s currently a high profile one, it’s not that unique in terms of the need to develop effective planning and countermeasures. An effective DDoS attack (like the hacktivism one that took Boston Children’s Hospital offline for days) is a similar operational risk – and these both represent the highest cost both clinically and financially. There are a number of approaches to mitigate the risk – but there are no guaranteed, single bullet solutions.

  1. Consider new technical solutions (like Silo by authentic8) as a way to minimize executable code (like inside most browsers) from crossing the network perimeter altogether.
  2. Accelerate moves to cloud based storage and SaaS applications. This doesn’t eliminate the overall risk, but it will minimize it. Cloud vendors have strong legal motivations, big budgets, and staff dedicated to minimizing many different types of cyber threats – including ransomware.
  3. Successful attacks aren’t convenient and don’t adhere to any schedule. Have an approved contingency plan in place for each of the major risks. When an attack of any kind is successful, everyone should have a clear understanding of the roles and responsibilities to minimize the impact and repair the damage. This process is iterative and also needs to include communicating with regulatory bodies, partners, and patients in an honest and authentic way.

More and more healthcare practitioners need access to information from a mobile device. How big a security risk is this and how can it be mitigated to secure both the data in transit and the data in the event the device is lost or stolen?


Endpoint security is a big category of vulnerability and risk for every network, and while it does have unique attributes, it’s really no different in terms of embracing a culture of security. The goal isn’t endpoint or mobile security as a priority. The goal is a culture of security that includes all the vulnerabilities and risks. It’s why security is so challenging. Again, defenders have to protect against all vulnerabilities all the time whereas attackers only need to exploit a single vulnerability once. That attack surface could be a mobile device, but it could just as easily be a network attached color printer that the marketing department bought and installed yesterday.

Backups are a critical component of any healthcare provider’s strategy to keep their data available. How can they keep their offsite backups secure once it is out of their hands?

Cloud storage, SaaS and data backups through any 3rd party (large or small) rely almost entirely on legally binding agreements and contracts. In a culture of security, the goal here is to fully understand the bounds of liability and capacity for all 3rd party agreements. A small vendor that handles data storage offsite can be appealing for economic reasons, but has limited capacity to handle the real economic liability associated with a breach – which includes communication, remediation, fines, legal defense and (potentially) expenses around brand damage. The larger vendors are well equipped to handle these extended terms and conditions – even if their monthly service expense is considerably higher. A culture of security is able to weigh all the security risks – and liabilities – associated with all 3rd party vendor contracts.

Medical software is moving towards the Cloud. What security features should physicians look for in a Cloud based product to help protect their practice and patient data?


I can’t make individual recommendations, of course, because they’re highly variable to the size and need of the organization, but generally, all vendor partners should be carefully screened through a competitive review and budgeting process. Data security is a critical lens through which all vendor partners need to be assessed. The stakes are high – and getting higher as more health data is captured, managed, manipulated and stored through 3rd party contracts. It’s also never ending. A good example here is that Microsoft just announced another security update today. That’s not surprising except that it’s for Office 2003.

In the end, the most important commodity in all of healthcare is trust – and that’s the biggest risk behind any deficiencies in the culture of security. The size of the organization is immaterial. It can easily be a small solo practice – or a globally recognized healthcare brand – but every organization is dependent on both partners and employees to protect the most valuable healthcare asset we all rely on in all its forms – health data.

About Our Interviewee: Dan Munro is an author and Forbes Contributor on the topic of U.S. Healthcare. His book ‘Casino Healthcare’ is now available and he has written extensively on cyber threats in healthcare. Follow him on Twitter at: @danmunro