Security standards for healthcare information systems needed

Examples of integration and collaboration

David Reis

Reis said that in some small cases there are examples where two security technologies are aware of each other; for example, what some organizations are doing with network access control (NAC).

"When the NAC solution identifies an unknown device, the interoperability is there to allow the NAC solution to communicate with the network infrastructure to take affirmative steps to quarantine the unknown device," Reis explained.

However, once an alert is triggered, an employee would have to get the alert, analyze it and then react to it.

"What would be far better is if we had a solution like the antivirus or the firewalls or the secure load balancers that are aggregating the data in a certain area but then based upon what they see could send a triggering event to another tool to shut down the communication automatically," Reis said.

Reis said Cisco's self-defending network from about 10 years ago was on the right track. However, Reis' only critique is that he said Cisco's self-defending network needed to be a closed looped ecosystem of all Cisco equipment.

What we need is these security tools that are aware of each other and functioning collaboratively to identify a threat and then hopefully keep it out, but if not keep it out then minimize the impact of it.

Reis said Amazon's Echo -- which has a voice recognition service called Alexa -- is a good example of what healthcare information security technologies should strive for.

"It's stunning how many tools are integrated with Amazon Alexa to be voice activated and we need that same kind of [integration] approach in information security," he said.

But many security technologies are lacking when it comes to integrated tools.

"What we're not getting is the collective benefit of intelligence that's gathered throughout the defense and depth layer of the network," Reis said.

Security analytics tools need to be tweaked

Although there are security analytics tools, Reis said they are actually more like business intelligence tools that inform the organization about what is going on but not actually taking action. He imagines security analytics tools to be able to automatically take action when there is suspicious activity in the network: "I think we see a lot in the security industry, terms like analytics but they're not really analytics it's more just telling us what's happening, it's not actually directing an activity and that's really what we need to get to. And true analytics cannot happen without interoperability between heterogeneous security solutions."

Security standards for healthcare information systems

Right now, Reis said, healthcare is far from achieving this type of security where security tools interact and collaborate and automatically take action if something is wrong.

"We have very little security predictive analytics where actions are taken to prevent a breach, not just react once a breach has happened," he said.

In order to achieve this vision, Reis said standards and commitment across the industry to create interoperability across security tools are needed. He added that vendors also need to be held accountable.

"We don't talk about interoperability [security standards for healthcare information systems]. We talk about all these tools and the only two predominant things that enable the current degree of interoperability are a) syslog and b) staff." Reis said. "That's a high hurdle for a lot of organizations to try to combine a management tool and then dedicate staff to it. We need the security industry to work more collaboratively together."