BOSTON—Security risks posed by integration of third-party patient services will be an ongoing healthcare security concern for organizations, commented Johns Hopkins University and Medicine CISO Darren Lacey during a panel discussion at the HIMSS Healthcare Security Forum being held here Oct. 15-16.
“Third-party issues are going to be a problem for a long time, especially as we try to integrate patient portals, health information exchanges, and those types of things,” he said.
Web server security will be a problem for healthcare organizations in the coming years. “Every web server is under continuous attack,” he said, adding, “You’ve got to solve your web server problem.”
Partners Healthcare Deputy CISO Esmond Kane told the panel that cyberattackers are “breaking systems and smashing and grabbing” when it comes to healthcare organizations.
Cyberattackers have “made a jump to light speed. They’ve got all kinds of technology, while we are struggling to justify our budgets,” said Kane.
In addition, there are elements of healthcare organizations that are very attractive to nation-states, such as the latest medical research developments. “Our research wings are being targeted by some of these nation-states,” he related.
Kane warned that smaller healthcare organizations are more susceptible to cyberattacks because they don’t have the resources to have a defense-in-depth strategy.
At the same time, larger organizations are not as agile when it comes to responding to cyberattacks. “We, at large organizations, are still going through a transformation to be as adept as the bad guys,” he noted.
Lacey said that small organizations pose a security risk for larger healthcare organizations. “When you have a small information security program, there is often no consistent practice. As an industry, we need to start thinking about how we help these people out.”
Kane noted that there are basic security best practices that every organization, regardless of size, needs to put in place, such as two-factor authentication, identity management, endpoint protection, anti-virus software, and patch management. “It’s not rocket science. We all know what needs to get done. You need to prioritize tasks based on your budget.”
Panel moderator Richard Staynings, chief security and trust officer at Clearwater Compliance and a member of the HIMSS Security and Privacy Committee, agreed.
“There is a need for healthcare organizations to do their due diligence. We are all aware of healthcare entities that have been caught off guard by the implementation of a large, multimillion-dollar security project, but they have not done the basics, such as risk analysis and making sure flash drives can’t be used for transferring data unless they are fully encrypted.”
Kane predicted that ransomware attackers will increase their evasion techniques and integrity attacks. “Attackers don’t need to take down your systems; they just need to plant the seeds that you can’t trust your systems. If clinicians can’t trust the data, they can’t put it in front of the patient,” he said.
Lacey observed that “integrity and availability are going to be as important as confidentiality going forward for healthcare organizations … Integrity is going to be where it is at.”
He said that healthcare organizations are going to have to use encryption, big data analysis, log monitoring, and machine learning to address the data integrity challenge.
Staynings asked if blockchain is a solution for the integrity challenge. Kane responded that blockchain has been oversold. “We are years away from anyone trusting a public ledger. We will probably first see a consortium set up a private ledger,” he said.
Kane said that while technology might help, it is not a panacea. In fact, the technology, if not properly implemented, might be used against healthcare organizations. “I would be cautious when you implement these technologies. Conduct your due diligence and make sure they can’t be turned against you,” he concluded.