Cybersecurity is on everyone's mind in health IT, and that was apparent at HIMSS 2016. As breaches continue in healthcare, whether caused by phishing, malware, ransomware or a combination of them, CIOs need to know which best practices and technologies to implement to protect their organizations from healthcare cybersecurity vulnerabilities.
At HIMSS 2016, Marc Probst urged CIOs to work together. "Ultimately security and privacy goes to the weakest link," Probst told SearchHealthIT at the conference. "We need to make sure all ships rise."
SearchHealthIT spoke with a number of CIOs at HIMSS 2016 about best practices and technologies to help stave off healthcare cybersecurity vulnerabilities. The advice the CIOs offered ranges from vulnerability testing to disaster recovery to monitoring tools and more. Here's what they had to say about identifying and protecting against healthcare cybersecurity vulnerabilities:
Marc Probst, CIO at Intermountain Healthcare in Salt Lake City: We've got to continue to work on protecting ourselves from these phishing attacks, whether it's ransomware or some other kind of bot that's put in to harm your systems. So we're going to have to work on perimeter, we're going to have to work on email, we're just going to have to keep educating our population, the users that we have, around the hazards associated with the phishing attempts and the evil use of emails.
Ed Ricks, CIO at Beaufort Memorial Hospital in Beaufort, S.C.: I would say vulnerability testing. It's just another tool to scan your entire network, all your devices, to look for plug-ins and things that are outdated from a security patch perspective. So it seems like it should be a really simple thing to do until you realize [you're] not big, but [you've] got well over 2,000 PCs running in [your] environment that have different users and different use cases -- you've got all these different versions of Internet Explorer or all the other plug-ins like Java, things that you might have. And the security patches are, if you stay current with them, I mean they are there for a reason: To help you prevent these things. So that's kind of a key is to be able to do [vulnerability testing] periodically even if you can't have a tool of your own to do it more frequently, at least once every quarter would make sense.
We do a monthly security newsletter that goes out, and we try to make it interesting and fun so [employees will] at least browse it real quickly and understand it's not us against the users. Really, we want to provide the services, and we understand we're not a technology company, we're a healthcare company. So we've got to keep these networks and services running so that the clinicians can provide care, and I think that the biggest thing is if people understand that we're really trying to work to help them. That's the goal. The awareness stuff, the more you can do [that's] educational the better, I think.
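The periodic fleet check Ricks describes, reduced to its core logic, as an added example that is not code from the article or from any scanner vendor: each host's installed plug-in versions are compared against a minimum patched version, and any host whose last scan is older than the quarterly cadence is flagged as well. The hosts, the versions and the minimum-version table are constructed placeholders, not real advisories or inventory data.

```python
"""Fleet-wide check for outdated plug-ins and stale scans.

Added example, not code from the article or from any scanner vendor.
All hosts, versions and the minimum-version table are constructed
placeholders for illustration; they are not real advisories.
"""
from __future__ import annotations

from datetime import date
from typing import Dict, List, Tuple

# Lowest version treated as "patched" per component. Hypothetical values;
# in practice this comes from the vendor advisory feed or the scanner's
# plug-in database and must be refreshed on every patch cycle.
MIN_PATCHED: Dict[str, str] = {
    "java": "8.0.341",
    "internet_explorer": "11.0.9600",
    "flash": "32.0.0.465",
}

# Quarterly cadence from the text: a host unscanned for longer is flagged.
MAX_SCAN_AGE_DAYS = 90

# Constructed inventory of three workstations, as a scanner might report it.
INVENTORY: List[dict] = [
    {"name": "ws-0001", "last_scan": date(2016, 2, 20),
     "software": {"java": "8.0.321", "internet_explorer": "11.0.9600.18000"}},
    {"name": "ws-0002", "last_scan": date(2015, 11, 1),
     "software": {"java": "8.0.341", "flash": "32.0.0.465"}},
    {"name": "ws-0003", "last_scan": date(2016, 3, 1),
     "software": {"java": "8.0.45", "internet_explorer": "9.0.8112"}},
]
TODAY = date(2016, 3, 15)  # fixed so the example is reproducible


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '11.0.9600.18000' into (11, 0, 9600, 18000) for numeric comparison.

    Non-digit characters inside a segment are dropped so that a build
    suffix such as '9600a' does not raise; tuples compare element-wise,
    and a shorter tuple that is a prefix of a longer one sorts lower.
    """
    parts: List[int] = []
    for segment in text.replace("_", ".").split("."):
        digits = "".join(ch for ch in segment if ch.isdigit())
        if digits:
            parts.append(int(digits))
    return tuple(parts)


def is_outdated(component: str, installed: str) -> bool:
    """True when the installed version is below the minimum patched version."""
    minimum = MIN_PATCHED.get(component)
    if minimum is None:
        return False  # not tracked: nothing to compare against
    return parse_version(installed) < parse_version(minimum)


def audit_fleet(inventory: List[dict], today: date) -> List[Tuple[str, str, str]]:
    """Return (host, component, detail) findings for outdated software
    and for hosts whose last scan is older than MAX_SCAN_AGE_DAYS."""
    findings: List[Tuple[str, str, str]] = []
    for host in inventory:
        age = (today - host["last_scan"]).days
        if age > MAX_SCAN_AGE_DAYS:
            findings.append((host["name"], "scan",
                             f"last scanned {age} days ago (limit {MAX_SCAN_AGE_DAYS})"))
        for component, version in sorted(host["software"].items()):
            if is_outdated(component, version):
                findings.append((host["name"], component,
                                 f"{version} is below {MIN_PATCHED[component]}"))
    return findings


def run_audit() -> List[Tuple[str, str, str]]:
    """Audit the constructed inventory as of TODAY."""
    return audit_fleet(INVENTORY, TODAY)


if __name__ == "__main__":
    for host, component, detail in run_audit():
        print(f"{host:8} {component:18} {detail}")
```

The stale-scan finding matters as much as the version findings: a host that has not been scanned in a quarter has an unknown patch state, which is the gap a once-a-quarter cadence is meant to close.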
Andrew Rosenberg, CMIO at the University of Michigan Health System: We are recognizing that investments in cybersecurity and in information assurance and in identity management and hardening both our shell, but also being more knowledgeable about how internal maleficence, internal attacks, can also be damaging. We've done fire drills, and we've done all sorts of mandatories. We're spending a lot more time at the University of Michigan, for example, doing that. Not just doing it with the health system, by the way, not just doing it within the hospitals and clinics, but actually as part of the overall organization, and I think that's another part that's frequently missed to the extent that a health entity is part of a broader organization.
Cybersecurity is really a part of a disaster and incident management plan, and it has to be robust and it has to be practiced and there have to be investments in it. The challenge that we have is where to put specific investments relative to other things that we have to invest. One bit of advice would be looking at a broad framework-based plan with a very honest evaluation of where an organization's strengths and weaknesses are. [That] will direct that organization to where it needs to do more investing.
David Higginson, CIO at Phoenix Children's Hospital: So we do a lot of monitoring tools. So we use a product called AlienVault, and there are many other products out there that really establish a baseline in your infrastructure. So they do a scan; establish the baseline, which is expected to be kind of this safe and steady state; and then they monitor changes in real time against that ... steady state. So if you start to see activity on the server that you wouldn’t normally see, or you start to see accounts created ... then much like your home security system [you] pay someone to monitor that 24/7 looking for those alerts and then trigger alarms based on those.
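The baseline-and-drift approach Higginson describes, as an added example that is not AlienVault's or any other vendor's code: a known-good snapshot of a host's accounts, listeners, services and scheduled tasks is diffed against a later snapshot, each change gets a severity, and anything at or above a threshold is handed to the 24/7 monitoring desk. Both snapshots are constructed inline, and the category names, the high-risk port list and the severity rules are assumptions made for the example.

```python
"""Baseline-and-drift host monitoring.

Added example, not AlienVault's or any other vendor's code. The two
snapshots below are constructed inline; the category names, the
high-risk port list and the severity rules are assumptions for the
example, not a vendor's detection logic.
"""
from __future__ import annotations

from typing import Dict, List, NamedTuple, Set

Snapshot = Dict[str, Set[str]]

# Newly opened ports that escalate straight to critical (assumed list).
HIGH_RISK_PORTS = {"4444/tcp", "3389/tcp", "5900/tcp"}

SEVERITY_ORDER = {"low": 0, "medium": 1, "high": 2, "critical": 3}


class Alert(NamedTuple):
    category: str
    change: str    # "added" or "removed"
    item: str
    severity: str  # "critical", "high", "medium" or "low"


# Constructed baseline of one application server, taken at a known-good time.
BASELINE: Snapshot = {
    "accounts": {"svc_backup", "dr.smith", "nurse.jones"},
    "admins": {"dr.smith"},
    "listening": {"443/tcp", "3306/tcp"},
    "services": {"httpd", "mysqld", "sshd"},
    "scheduled_tasks": {"nightly-backup"},
}

# Constructed later snapshot: a new local admin, a new listener on 4444,
# a new scheduled task, and sshd no longer running.
CURRENT: Snapshot = {
    "accounts": {"svc_backup", "dr.smith", "nurse.jones", "support2"},
    "admins": {"dr.smith", "support2"},
    "listening": {"443/tcp", "3306/tcp", "4444/tcp"},
    "services": {"httpd", "mysqld"},
    "scheduled_tasks": {"nightly-backup", "updater"},
}


def severity(category: str, change: str, item: str) -> str:
    """Assumed triage rules: privilege gains and risky listeners are critical,
    other persistence-style additions are high, a vanished service medium."""
    if change == "added":
        if category == "admins" or (category == "listening" and item in HIGH_RISK_PORTS):
            return "critical"
        if category in {"accounts", "listening", "scheduled_tasks"}:
            return "high"
        return "medium"
    # Removals: a stopped service may be someone disabling a control,
    # but usually needs context before anyone is paged.
    return "medium" if category == "services" else "low"


def detect_drift(baseline: Snapshot, current: Snapshot) -> List[Alert]:
    """Diff two snapshots; one Alert per item that appeared or vanished."""
    alerts: List[Alert] = []
    for category in sorted(set(baseline) | set(current)):
        before = baseline.get(category, set())
        after = current.get(category, set())
        for item in sorted(after - before):
            alerts.append(Alert(category, "added", item, severity(category, "added", item)))
        for item in sorted(before - after):
            alerts.append(Alert(category, "removed", item, severity(category, "removed", item)))
    return alerts


def escalate(alerts: List[Alert], minimum: str = "high") -> List[Alert]:
    """Alerts at or above `minimum` go to the monitoring desk; the rest are logged."""
    floor = SEVERITY_ORDER[minimum]
    return [a for a in alerts if SEVERITY_ORDER[a.severity] >= floor]


def approve(baseline: Snapshot, alerts: List[Alert]) -> Snapshot:
    """Fold change-control-approved alerts into a new baseline, so the
    steady state only moves through an explicit approval step."""
    updated = {k: set(v) for k, v in baseline.items()}
    for a in alerts:
        bucket = updated.setdefault(a.category, set())
        if a.change == "added":
            bucket.add(a.item)
        else:
            bucket.discard(a.item)
    return updated


if __name__ == "__main__":
    found = detect_drift(BASELINE, CURRENT)
    for a in found:
        print(f"[{a.severity:8}] {a.category}: {a.change} {a.item}")
    print(f"{len(escalate(found))} of {len(found)} alerts escalated")
```

The design point is that the baseline never updates itself: a change becomes part of the expected steady state only when someone approves it, otherwise an attacker's new account or listener would silently become "normal" on the next cycle.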