ra2 studio - Fotolia


Healthcare cybersecurity strategies: Balance the human factor with technology

Healthcare cybersecurity is a mixture of employee training and technology, but how much of either? And what cybersecurity strategies should be used? A security expert explains.

With healthcare cybersecurity, the balancing act between training employees to not put the healthcare organization at risk by clicking on bad links or misusing devices and simultaneously implementing the right technologies to protect against an attack can be challenging. At the Health IT Summit in Boston, Jigar Kadakia, chief information security and privacy officer at Partners HealthCare, discussed how much of healthcare cybersecurity strategies is the human factor and how much is the technology factor. He also talked about health IT security approaches and strategies healthcare organizations should consider if they want to ward off attacks.

How much of healthcare cybersecurity strategies is a human issue versus a technology issue?

Jigar Kadakia: I would say 60% to 70% is the human factor and 30% is the technology factor. So if you think about the way we operate in our world today ... the majority of us have a very broad print on social media, whether you have LinkedIn, which just got hacked; Facebook, which has been hacked; or other social media sites. ... Most of the stuff that you put on there ties to your corporation somehow. Whether you use a similar username or same set of password credentials, you use your phone, maybe you have a work phone that also is your personal phone, and that's where the token code goes. But either way, all the information is out there, and it just takes a little bit of time and some smarts and now analytics to figure out what you're doing and that which will expose you. So that's the human element of it.

The technology side of it: You know every one of us has monitoring solutions in place, you get threat intelligence feeds, you get all the critical updates, et cetera -- so every known signature we're aware of, right? So most organizations can block the known signatures -- the malicious code, et cetera -- from the known actor hacks. The real question is: Can you see the unknown? The only way to do the unknown or prevent the unknown is user education. Don't click on links or do stupid things on email.

And then the other aspect of it is user-based analytics. So understanding the whole pattern and behavior for each individual in your organization and then using an algorithm or standard deviation with regards to what the daily activity is. So the typical knowledge-based worker ... works 8 to 5, Monday through Friday. They log into seven different systems on average per day or during the week, and [if] they start logging in on the weekend, then that's a flag for you to take action because that's an anomalous activity, and it should be investigated. So you're going to have a pattern of activity that's abnormal, which will catch the unknown activity, which will ultimately protect you overall.

It is often said that effective healthcare cybersecurity strategies need a layered, multifaceted approach. What are other approaches and strategies?

Kadakia: You're not going to stop it, right? They're going to continually attack. The problem is for most hospital organizations and provider organizations there are personal devices, corporate devices that are essentially tied to an individual, so you have a little bit of visibility and control over that and what happens on that device. So I have a laptop that I use kind of for my day-to-day activity. The other aspects of it are the shared work stations that are throughout the hospital. Those devices are shared amongst hundreds if not thousands of different people. They come in and out, they log in and out, new activities in and out, surf the net in and out, download things in and out. It isn't technically tied to their own device because it's a shared device. That poses the big issues when you think about it in a hospital environment. So a lot of people logging on to the same device and you know a lot of different activities, downloading a lot of different things, that's the risk vector from an overall perspective of a hospital environment versus a personal device that you have a lot more control and ownership over because you can manage it a little bit better and have much better visibility over who's doing what than you would on these shared devices. So vectors are coming in that way.

People get scared by ransomware. It is a scary thing, but honestly, if you have good security practices in place and a good IT program overall, you're going to have backups, right? A lot of these things are coming in through infected work stations. You can detect the work station and take it offline, rebuild it, put it back online, very minimal task to do if you can detect it. The question is, are you able to detect it? And if you can't detect it, that's when you're in trouble. ... We know ransomware that's infecting most workstations right now is a known signature. The issue with Hollywood Presbyterian and MedStar is it just didn't have very good monitoring controls in place, and Hollywood Presbyterian didn't have virus protection on the workstation that got affected.

Next Steps

Providers lock down mobile devices for healthcare security

As endpoints expand, worries rise about security breaches

Technology to protect against ransomware attacks

Dig Deeper on Electronic health records security compliance