Spartak - Fotolia
In a Q&A from the conference floor at HIMSS 2017, health data security expert Mac McMillan, CEO and co-founder of CyngergisTek Inc., talks about new cybersecurity technologies, new disruptive cyberattacks in healthcare and what more providers can do to secure protected health information.
How effective are some of the new cybersecurity technologies such as identity access control and security analytics, stuff that goes beyond traditional cybersecurity tools? Can they make a difference?
Mac McMillan: They make a difference, absolutely. When you talk about access control, you're talking literally about something that stops the threat from occurring. If I eliminate elevated privileges in my environment by going to a vaulted solution where there are no elevated privileges that are persistent, it makes a hacker's job 10 times harder. Say a hacker finds a way in, perhaps through a system that's not patched properly, or a port that's open, now they start to do their reconnaissance and they're looking for those elevated privileges that give them the ability to exploit the network. If those don't exist, they're back to square one.
Healthcare providers can still have elevated privileges but they're in a vault. Somebody has to check in to the vault, check out a set of elevated privileges, and then they get checked back in or they expire; they're not persistent. Now let's talk about behavioral analytics. These are the new cybersecurity technologies we absolutely need to embrace going forward. The old antiquated systems that managed our environments based solely on rules just can't keep up anymore. They don't discover identity theft by authorized users. If I work in pediatrics, and I start looking over in oncology, there's a chance no one is going to notice that. And if there's no limitation on the number of pediatrics records I can look at even though I should only be looking at the ones I'm taking care of. Most of our systems don't enable us to notice that kind of aberrant behavior. However, behavioral analytics tools go in and look at the user not just from a user permissions perspective but also from a behavioral perspective. The system begins to learn what's normal.
Systems that have machine learning or behavioral analytics capabilities learn what normal is and they recognize what's not normal. For example, let's say there are three of us who all have the same access in pediatrics. We all come to work every day and do our jobs. Only while the two are doing [their] job or on break, I'm in there surfing on the records, looking for information that I then take and use for identity theft. No bells and whistles go off because I'm still looking at records that I'm authorized to look at. I'm looking at my patients and [their] patients. But when we start applying behavioral analytics and we know that on a normal shift we would touch 40 or 50 patients and I'm touching 150 or 200 records I'm obviously doing something other than my job. I'm either snooping or taking that information and doing something illegal with it.
McMillan: Things like ransomware are not going away, but I think you're going to see a lot more attacks on the internet of things, with all these medical devices that are connected to our networks. It's also going to be the year of disruption. You're going to see more of the attacks in which networks, communications, internet service and software as a service providers, and our extended supply chains are disrupted.
How much progress have providers made in protecting the health data in their systems, whether or not they use the new cybersecurity technologies?
McMillan: There has been some increase in awareness certainly by the large health systems and the systems that have a qualified CISO on board who knows what's going on and can articulate what the threat really is. But we still have a lot of organizations that don't have that dedicated person yet, or that expertise. And we still have a lot of people who are still approaching the problem as a point solution. For example, I get a little irritated when people mention ransomware because people look at ransomware as if it's this big amorphous thing. It's actually just one type of attack, one type of malware that's out there. But because we had a large volume of ransomware attacks last year, all of a sudden we had people thinking they had to spend money on advanced malware technology to spot those things, to spot attachments to emails that could potentially have malware in them.
We always have had that. Why haven't we been doing that already? Just going after one thing is not going to solve this problem. We need to get back to the basics, like using two-factor authentication. Build a solid infrastructure. Do a good job in terms of security hygiene with respect to how you manage your environment, meaning keeping operating system up to date, patching things regularly, configuring things smartly and employing technology in layers throughout the environment.
Healthcare cybersecurity and HIPAA compliance
Network monitoring a basic tool for healthcare cybersecurity
Fraud detection aided by behavioral analytics