BOSTON – Healthcare security leaders need to think beyond protecting the organization to protecting patient privacy and data security at home in the coming years, observed Christiana Care Health System CISO Anahi Santiago.
“At some point, I’m going to have to start thinking about how to protect patients in their home. My information security program is not going to just be about the data center or the cloud but an extension into the patients’ homes. So, we can be responsible for protecting them wherever they use technology,” Santiago told a panel Monday at the HIMSS Healthcare Security Forum being held here.
“The patients are going to be driving the decision when it comes to their care, how they communicate, and the technology they want to use,” she said.
Santiago said that the security team needs to be at the table when an organizational strategy is being developed.
Healthcare information security is a patient safety issue, she stressed. “As we think about the next generation of security, we need to bake security into the fabric of the organization, as opposed to putting it in after the fact,” she added.
Santiago said that providers need to automate more of their security tasks to keep up with threats. Organizations should automate menial tasks that take up a lot of time, such as researching phishing attacks.
Chad Wilson, director of IT security at Children’s National Medical Center, said that the healthcare industry is still focused on incident response. Part of the problem is a shortage of talent.
More needs to be done on prevention. This is where automation, process improvement, and employee training come in, he said.
Wilson stressed that healthcare security starts with the business, which is focused on people. “As healthcare security leaders, we need to be people people. We need to focus on people first … We need to craft our security strategy and program to what the doctors, nurses, and others are doing,” he said.
Sirius Cybersecurity Director Matt Sickles said that healthcare has an overabundance of security information that is making it harder, not easier, to deal with threats. “Bad guys know that there are advantages to your overabundance of information. Data exfiltration is passé. We know that people are taking data, but we don’t know as much about how they are manipulating data.”
The next generation of attack will be targeted and focused on data manipulation, not data exfiltration, he said.
Munya Kanaventi, senior director of information security at Everbridge, predicted that the healthcare industry would become one of the most targeted industries in the coming years. “Cyber adversaries are just now being able to quantify how they can monetize healthcare records and data. Once they really start to understand how to monetize the data, you will see a transition in criminal activity targeting healthcare,” he said.
Kanaventi noted that defense-in-depth worked well when the data to be protected was on-premise. But as that data moves to the cloud, the security situation has changed.
“Now we have to follow the data where it is going and ensure that it is being used as intended. So, the security situation has changed. I follow my data now,” he said.
Sonia Arista, national healthcare practice director at Fortinet, stressed that healthcare organizations need to be aware of supply chain security risks.
“Go back to the well with your application service providers about cryptographic sciences to protect your data. Cryptography has come a long way, and there may be options on the table at lower cost,” Arista said.
Arista also stressed the need for healthcare organizations to segment networks. “The problems I see continuously come from non-segmented networks,” she concluded.