Over 40,000 stakeholders from every corner of healthcare descended on Las Vegas this week for the 2018 Healthcare Information Management Systems Society Conference. A convention of this size and scale can be a “lions and tigers and bears, oh my!” type of scary.
HIMSS 2018: THE TOP 4 TAKEAWAYS ON CYBERSECURITY TO IMPROVE THE ODDS FOR YOUR ORGANIZATION
While over 40,000 people are in Las Vegas this week for HIMSS 2018, the most intense “game” with the highest stakes for this crowd isn’t in the casino. And the name of that game is cybersecurity.
Cybersecurity has become core to every healthcare delivery system and a board level discussion because of what is at risk from an operations and reputation perspective.
On Monday at HIMSS, close to 400 healthcare and IT professionals attended an all-day session focused on cybersecurity and its impact on healthcare. In just its second year, the Cybersecurity Forum has doubled in size. While Vegas is known as a vacation spot and gambler’s paradise, it was all business and trying to eliminate risk in the Cybersecurity Forum.
Some of the topics covered included the characteristics of an effective security leader, the difference between compliance and security, and enterprise risk. Here are the top four takeaways to improve the odds for your organization:
- Be an enabler. The day started with Erik Decker, chief security and privacy officer at University of Chicago Medicine, and Karl West, chief information security officer and AVP of information systems at Intermountain Healthcare, discussing how to be an effective cybersecurity leader in healthcare. The key to being an effective security leader is focusing on being a business enabler rather than a business blocker. Mr. West presented the concept of frictionless security: providing security in a way that doesn’t add extra steps or detours for the business. The security leader must establish a vision, build capital with key stakeholders, and communicate the vision so the organization works with security to implement it. The key for an organization is to have a clear vision and take active steps to manage security proactively with the buy-in of the business. Security is a major risk for a healthcare organization and needs appropriate visibility and support throughout the business, up to the boardroom.
- Compliance does not equate to security. The next theme was this: compliance is not security. While almost every presenter said it, it is a strong statement at face value. What is meant by it is that HITRUST, SSAE 16, ISO and other certifications are only compliance-based achievements. Security is gauged by maturity, and the maturity level should be part of the company culture. For security to be successful, there needs to be top-down support for it. So why is this especially relevant at a healthcare cybersecurity forum? The Identity Theft Resource Center reported that healthcare was the most breached sector in 2017, accounting for 28% of reported breaches. The prevailing thought among the presenters and attendees isn’t just that healthcare is necessarily a target, but that it is especially at risk because it has such a large footprint with limited security resources. Security awareness and culture need to be ingrained in an organization; they cannot be a checklist-style activity. Security hygiene and behavior start with every individual in an organization, strongly supported by the organization’s leadership. A higher level of security maturity also requires a different level of technical skill and sophistication.
- Shift risk mitigation to integrity. The cornerstone of any security program is understanding the risks affecting an organization. There is an interesting paradigm shift in the way healthcare organizations have to think about security. Looking at the CIA triad (confidentiality, integrity, and availability), the industry has focused heavily on evaluating the risk of data breaches as a risk to confidentiality. Basically, risk mitigation strategies have been designed to protect against unauthorized access to data. Starting in 2016, the industry shifted its thinking toward availability. The Nuance NotPetya breach in 2017 drew attention to what happens when a system is no longer available. The healthcare industry is now starting to consider the risk to integrity. The discussion also shifted to what happens if a network-connected medical device is breached, compromising the integrity of the medical system. Not only can this affect patient care, it also affects the perception of the system’s integrity in performing its intended function. Beyond damaging an organization’s reputation, the unavailability of systems can have harmful consequences for patients.
- Manage cloud security. The use of cloud technologies was regularly mentioned by attendees and briefly touched on during the presentations. In addition, security themes were covered in other meetings, such as the Cloud Forum. For example, HIMSS research concluded that many cloud adopters have found the cloud more effective at mitigating security risk. One of the reasons cited was that cloud service providers (CSPs) have many more highly trained security resources at their disposal. However, security responsibility is shared between the CSP and the healthcare organization. Before moving to the cloud, an organization needs to understand data governance and have a mature model. The need to pursue and comply with a well-recognized certification framework was also highlighted. A solid data and risk inventory that includes cloud services was recommended. From the presenters’ standpoint, cloud can be an enabler for a business, but cloud solutions need to be reviewed for confidentiality, integrity, and availability just as an on-premises solution would be. As organizations continue to embrace cloud services, it is beneficial for them to actively manage their cloud security strategy.
We have all heard the phrase “What happens in Vegas, stays in Vegas,” but when it comes to cybersecurity, we can and should all be learning from each other and working together. The Cybersecurity Forum provided great insights into how to be an effective security leader, the difference between compliance and security, and how an organization must continually evaluate its risk. As a network of security practitioners, we can greatly increase our odds, lower the risk and play the game much better than we can if playing on our own.