MIAMI — Compliance is a key metric in healthcare security conversations, measured against state and federal regulations, including the Health Insurance Portability and Accountability Act (HIPAA). But arriving at “compliant” in no way equates to a strong cyber posture, and that gap is a driving cause of why smaller and mid-sized organizations are still struggling to keep pace.
“Do you know what compliance means? That means you are at sea level, that means if you were in school, you are passing,” said Thomas Graham, Ph.D., CynergisTek chief information security officer, during the opening cybersecurity track session at ViVE in Miami on Monday. “And do you really want your organization or your security to be at sea level?”
Not to mention, many covered entities are failing to meet even the HIPAA compliance baseline.
The pandemic and an evolving attack surface have shown the sector that provider entities must move past compliance and into resilience: putting in place protections, processes, and policies that actually work against the current threat landscape.
The NIST framework is the standard recommended by the cybersecurity task force for all of healthcare. It enables entities to identify every asset that needs protection and then determine the best way to secure each one.
For now, NIST is only a recommendation, but some stakeholders predict it may become the industry standard to which the Department of Health and Human Services holds entities accountable. The trouble is that shifting to a new standard or framework is neither quick nor easy within a healthcare environment.
“It doesn’t happen overnight. It’s a huge list of requirements, standards, policies, and procedures to protect and maintain your organization,” said Jesse Fasolo, director of technology infrastructure and information security officer of St. Joseph's Health.
For Fasolo’s health system, the shift “took approximately five years of going back and forth, implementing systems, solutions, and policies,” which were then adapted and constantly evolved to take the organization beyond mere compliance, or sea level.
Having the framework is good for checking boxes, but “it would behoove anyone to actually put more effort into actually going through it.” For example, Fasolo’s health system uses a third-party program for certain security elements, but it also conducts its own reviews to be sure it is adhering to NIST in the best possible way.
Can’t secure healthcare without examining clinician behaviors
Insider risk is another key discussion in healthcare security, with plenty of opinions on how to reduce the risk employees introduce. For David Ting, founder and chief technology officer of Tausight, entities can try hard to change clinician behaviors, but at the end of the day, providers are going to do what they think is best for patients and their care, in the most efficient way.
Instead, entities should think through how to help clinicians do their jobs better, then support those workflows with secure systems “to account for their behaviors and their workflows.”
As healthcare continues to decentralize and add distributed end users “who will do anything on mobile devices on their own machines,” entities now need to focus on gaining visibility into those activities. Without it, security leaders won’t have a “complete picture into those attack points” that fall far outside of endpoint detection.
“I have this theory that if you don’t secure with a clinician, you’ll never get a full layer of defense,” said Ting. Security “has to be more mobile than our traditional firewalls or endpoint detection and response tools, or expanding it from the network to the device. If you don't take [security] where the clinicians are going, you're never going to close down all those points.”
In a healthcare environment, it means security leaders must understand clinician workflows to see their daily activities and determine why and how they’re operating in the hospital network. Ting shared an example of a common practice of clinicians moving discharge records or handoff notes into the cloud as a “stash of private notes” shared between nurses.
The activity is plainly not allowed, but the behavior only became apparent when someone questioned why unauthorized folders were being created. Ting also pointed to the 2017 WannaCry incident, which in his account began with a clinician-installed program: a clinician opened a file behind a secured network, and the infection fanned out in a matter of hours. Once inside, WannaCry needed no further user action, because it propagated as a worm over SMBv1 to unpatched hosts, which is why a single foothold could spread across a network that quickly.
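One way to turn the “unauthorized folders” signal above into a repeatable check, as an added example that is not part of the session or this article: the script below parses constructed cloud-storage audit events, skips destinations on a hypothetical allow-list of sanctioned tenants, and flags uploads whose filenames look like discharge or handoff documents, grouping hits by folder so a “stash” shared among several clinicians stands out. The key=value log format, the sanctioned hostnames, and the filename patterns are all assumptions for illustration, not any product’s real schema.

```python
"""Surface clinical documents stashed in unsanctioned cloud folders.

Added example (not from the ViVE session or any vendor). The log format,
allow-list and filename patterns below are assumptions made for illustration.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Hypothetical allow-list: cloud hosts the organization has approved for PHI.
SANCTIONED_HOSTS = ("hospital.sharepoint.example", "ehr.hospital.example")

# Filename fragments that suggest discharge or handoff content (assumption).
CLINICAL_DOC = re.compile(r"discharge|hand-?off|sign-?out|census", re.I)

# Constructed audit lines in a simple key=value format, including one malformed line.
SAMPLE_LOG = """\
2023-03-27T07:02:11Z user=nurse.a action=create_folder path=/ICU-handoff dest=https://drive.personal.example/u/0
2023-03-27T07:03:40Z user=nurse.a action=upload path=/ICU-handoff/discharge_bed12.pdf dest=https://drive.personal.example/u/0
2023-03-27T07:15:02Z user=nurse.b action=upload path=/ICU-handoff/night_signout.docx dest=https://drive.personal.example/u/0
2023-03-27T07:20:55Z user=dr.c action=upload path=/research/grant_budget.xlsx dest=https://drive.personal.example/u/1
2023-03-27T07:31:19Z user=nurse.d action=upload path=/unit4/discharge_summary.pdf dest=https://hospital.sharepoint.example/sites/unit4
2023-03-27T07:33:00Z malformed line without fields
"""

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"path=(?P<path>\S+) dest=(?P<dest>\S+)$"
)


def parse_event(line):
    """Return a dict for a well-formed audit line, None for anything else."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["host"] = (urlparse(ev["dest"]).hostname or "").lower()
    return ev


def is_sanctioned(host):
    """True if host is an approved tenant or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in SANCTIONED_HOSTS)


def find_stashes(log_text):
    """Map unsanctioned host -> folder -> sorted users who uploaded clinical docs there."""
    stashes = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None or ev["action"] != "upload":
            continue
        if is_sanctioned(ev["host"]) or not CLINICAL_DOC.search(ev["path"]):
            continue
        folder = ev["path"].rsplit("/", 1)[0] or "/"
        stashes[ev["host"]][folder].add(ev["user"])
    return {h: {f: sorted(u) for f, u in folders.items()} for h, folders in stashes.items()}


def shared_stashes(log_text, min_users=2):
    """Folders on unsanctioned hosts fed by at least min_users distinct clinicians."""
    return [
        (host, folder, users)
        for host, folders in find_stashes(log_text).items()
        for folder, users in folders.items()
        if len(users) >= min_users
    ]


if __name__ == "__main__":
    for host, folder, users in shared_stashes(SAMPLE_LOG):
        print(f"shared stash {folder} on {host}: {', '.join(users)}")
```

Run against the constructed log, the only hit is the `/ICU-handoff` folder on the personal drive, fed by two nurses; the research spreadsheet is ignored because its name does not look clinical, and the discharge summary uploaded to the sanctioned tenant is ignored because of the allow-list. The grouping by folder is the point: a single upload is noise, while one folder receiving handoff notes from several accounts is the shared “stash of private notes” Ting describes.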
Activities like these violate HIPAA, and they drive the need to understand clinicians’ behaviors and workflows and then marry that understanding to how the entity approaches securing them. Ting stressed that providers “can’t just count on traditional models, if we don’t understand or have visibility into what’s going on.”
Without that visibility, healthcare entities will continue to fail.
“The greatest risk is always that you can’t address what you don't know. And that's something that stays the same,” said Graham. “As technology grows, as operations change, and the way you're structured…. the way that you're doing things is always changing, too.”