- CISOs need to be business experts as well as healthcare IT security experts, observed University of Chicago Medicine VP and CIO Heather Nelson during her Oct. 19 keynote address at the Safeguarding Health Information: Building Assurance Through HIPAA Security conference being held this week in Washington, DC.
“You’ve got to know the technical stuff, but more importantly, you need to understand your business,” she said.
“This is what our information security team has done. We are part of the business … Our team does intentional rounding throughout the units and the emergency departments,” she explained.
“We make sure that people know the infosec team isn’t Big Brother. We are not here to punish. We are here to help,” she added.
Healthcare IT security has undergone a radical transformation over the last decade. Gone are the days when healthcare organizations could protect their IT systems and devices from attack behind a firewall and network perimeter, Nelson related.
Today, the IT infrastructure is patient centric and porous. “There are a lot of threats, pressures, and expectations. Our world just expects everything to be available…. It’s becoming harder and harder to understand where our data is going and who has access to our data because everything is hyper-connected. The perimeter is no longer there,” she said.
“We need to make sure that we know what is going on, that we have standards and processes in place because we know that there are threats out there,” she added.
One area of growing concern for healthcare organizations is medical device security. Nelson's organization has a security standards agreement that goes along with any master services agreement, statement of work, or business associate agreement that it signs with a medical device maker or other vendor.
“Medical devices are getting hacked. Think about the amount of data that is in those medical devices. Think about the amount of data that is in a bedside monitoring device in the ICU. That is a lot of information that our researchers at the University of Chicago want because it is very rich. But it is also rich for hackers and others who want to take that data and do harm,” she noted.
“We need to make sure that our organizations understand the threats, but more importantly understand the interplay of the risks,” she said.
Nelson related that the University of Chicago Medicine is supporting an effort to develop healthcare cybersecurity practices guidelines as part of the Cybersecurity Act of 2015, Section 405(d). That section reads, in part:
“The [HHS] Secretary shall establish, through a collaborative process with the Secretary of Homeland Security, health care industry stakeholders, the Director of the National Institute of Standards and Technology, and any Federal entity or non-Federal entity the Secretary determines appropriate, a common set of voluntary, consensus-based, and industry-led guidelines, best practices, methodologies, procedures, and processes that serve as a resource for cost-effectively reducing cybersecurity risks for a range of healthcare organizations.”
Developing these guidelines has been undertaken by an HHS-convened task group of more than 150 individuals, including information security officers, medical professionals, privacy experts, and industry experts. These people meet in Washington, DC, several times a year to work on this guidance.
“They are working on getting tools out there for all of us that are easy to use. It’s for small organizations, medium organizations, and large organizations,” Nelson noted.
The task group is one of 12 set up by the Healthcare and Public Health Sector Coordinating Council’s Joint Cyber Security Working Group to implement the Cybersecurity Act.
The task group, chaired by University of Chicago Medicine Chief Security and Privacy Officer Erik Decker, has identified five current major cybersecurity threats to healthcare: email phishing attacks; ransomware attacks; loss or theft of equipment or data; internal, accidental, or intentional data loss; and attacks against medical devices.
The task group is also developing cybersecurity best practices for healthcare organizations in 10 key areas: email protection, endpoint protection, access management, data protection and loss prevention, asset management, network management, vulnerability management, incident response, medical device security, and cybersecurity policies.
“This will be a living and breathing document that all of us can provide feedback on, but more importantly that we can leverage,” she concluded.