Security standards for healthcare information systems needed

In order to achieve interoperability of security tools and strengthen security, one CIO said that there must be security standards for healthcare information systems.

Healthcare organizations need to integrate security tools, and security standards for healthcare information systems must be implemented, according to a healthcare CIO.

When people think of interoperability in healthcare, what often comes to mind is the ability to share patient data freely and seamlessly from system to system. But many don't think about how important it is for security tools to be interoperable too. At present they largely are not, which hinders the effectiveness of those tools and in turn limits the strength of healthcare organizations' cybersecurity strategies.

"What we … need are security tools that are aware of each other and functioning collaboratively to identify a threat and then hopefully keep it out, but if not keep it out then minimize the impact of it," David Reis, former CISO and current senior vice president and CIO at Lahey Health in Burlington, Mass., said. "From my point of view, it's more about the integration of security tools than any one security tool or vendor."

Examples of integration and collaboration

Reis said there are a few small-scale examples of two security technologies being aware of each other, such as what some organizations are doing with network access control (NAC).

"When the NAC solution identifies an unknown device, the interoperability is there to allow the NAC solution to communicate with the network infrastructure to take affirmative steps to quarantine the unknown device," Reis explained.

However, once an alert is triggered, an employee would have to get the alert, analyze it and then react to it.

"What would be far better is if we had a solution like the antivirus or the firewalls or the secure load balancers that are aggregating the data in a certain area but then based upon what they see could send a triggering event to another tool to shut down the communication automatically," Reis said.

Reis said Cisco's self-defending network from about 10 years ago was on the right track. His only critique is that it required a closed-loop ecosystem of all-Cisco equipment.

Reis said Amazon's Echo -- which has a voice recognition service called Alexa -- is a good example of what healthcare information security technologies should strive for.

"It's stunning how many tools are integrated with Amazon Alexa to be voice activated and we need that same kind of [integration] approach in information security," he said.

But many security technologies are lacking when it comes to integrated tools.

"What we're not getting is the collective benefit of intelligence that's gathered throughout the defense and depth layer of the network," Reis said.

Security analytics tools need to be tweaked

Although security analytics tools exist, Reis said they are actually more like business intelligence tools: they inform the organization about what is going on but do not take action. He envisions security analytics tools that automatically take action when there is suspicious activity on the network: "I think we see a lot in the security industry, terms like analytics, but they're not really analytics; it's more just telling us what's happening, it's not actually directing an activity, and that's really what we need to get to. And true analytics cannot happen without interoperability between heterogeneous security solutions."

Security standards for healthcare information systems

Right now, Reis said, healthcare is far from achieving this type of security where security tools interact and collaborate and automatically take action if something is wrong.

"We have very little security predictive analytics where actions are taken to prevent a breach, not just react once a breach has happened," he said.

To achieve this vision, Reis said the industry needs standards and a shared commitment to making security tools interoperable. He added that vendors also need to be held accountable.

"We don't talk about interoperability [security standards for healthcare information systems]. We talk about all these tools, and the only two predominant things that enable the current degree of interoperability are a) syslog and b) staff," Reis said. "That's a high hurdle for a lot of organizations, to try to combine a management tool and then dedicate staff to it. We need the security industry to work more collaboratively together."
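To make concrete what the NAC quarantine example and the "triggering event" idea above look like when syslog is the only common glue, here is an added illustration that is not part of the article or of any product Reis mentions. It assumes three hypothetical tools (a NAC appliance, an antivirus agent and a firewall) each emitting key=value syslog lines with different field names for the same endpoint; the constructed lines, the severity weights and the threshold are example values, and the "action" is just a dict rather than a call to a real NAC API.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (not from the article); the key=value formats are
# hypothetical stand-ins for a NAC appliance, an antivirus agent and a firewall.
SAMPLE_SYSLOG = """\
<13>Mar 01 10:02:11 nac01 nac: event=unknown_device mac=00:11:22:33:44:55 ip=10.20.30.40 vlan=12
<13>Mar 01 10:02:15 av07 av: event=malware_detected host=10.20.30.40 sig=Trojan.Generic action=quarantined_file
<13>Mar 01 10:02:20 fw02 fw: event=outbound_block src=10.20.30.40 dst=198.51.100.7 dport=4444
<13>Mar 01 10:03:02 av07 av: event=scan_complete host=10.20.30.41 findings=0
"""

SYSLOG_RE = re.compile(
    r"^<\d+>(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<tool>\w+): (?P<kv>.*)$")

# Each tool names the affected endpoint differently; map them onto one "asset" key.
ASSET_FIELD = {"nac": "ip", "av": "host", "fw": "src"}
# Severity weight per event type and the action threshold: hypothetical policy values.
WEIGHT = {"unknown_device": 1, "malware_detected": 3, "outbound_block": 2}
QUARANTINE_THRESHOLD = 4

def parse_line(line):
    """Normalise one syslog line into a common event record, or None if unparseable."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m["kv"].split())
    tool = m["tool"]
    asset = fields.get(ASSET_FIELD.get(tool, ""))
    return {"ts": m["ts"], "tool": tool, "event": fields.get("event"),
            "asset": asset, "fields": fields}

def correlate(syslog_text):
    """Aggregate evidence per asset across tools; return assets that warrant quarantine."""
    score = defaultdict(int)
    sources = defaultdict(set)
    for line in syslog_text.splitlines():
        ev = parse_line(line)
        if not ev or not ev["asset"]:
            continue
        score[ev["asset"]] += WEIGHT.get(ev["event"], 0)
        sources[ev["asset"]].add(ev["tool"])
    # Act automatically only when at least two distinct tools corroborate the finding.
    return {a: sorted(sources[a]) for a, s in score.items()
            if s >= QUARANTINE_THRESHOLD and len(sources[a]) >= 2}

def quarantine_actions(syslog_text):
    """Build the triggering event a downstream tool (e.g. the NAC) would receive."""
    return [{"action": "quarantine", "asset": a, "evidence": tools}
            for a, tools in sorted(correlate(syslog_text).items())]
```

The two-tool corroboration rule is what keeps an automated response from firing on a single noisy source; in a real deployment the threshold and weights would come from the organization's own risk policy.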
