- Some data breaches garner more attention than others. The recent Target data breach, for instance, was in national news for weeks because it affected so many consumers and information regarding the attack is still filtering out. But how do industry-specific IT security personnel view these cross-industry breaches? According to Reid Stephan, Director of IT Security at St. Luke’s Health System in Boise, Idaho, it’s imperative to for him and his team watch and track these instances with a close eye.
Industry-agnostic IT security attacks help Stephan and his peers at St. Lukes have an idea of the different types of threats out there and form a proactive security plan. He explained that he needs to be aware of breaches such as Target’s because there wasn’t an industry-specific vulnerability or weakness involved – it could have happened in any industry.
We are very interested when breaches occur – we try to understand what happened and then try to proactively apply the learning in our environment. I came [to St. Luke’s] from outside of healthcare and when I came into the industry, I observed that many of the IT benchmarks we measured against would be healthcare-specific. I have tried to broaden that view to encompass a cross-industry perspective, in particular as it relates to IT security benchmarks. We try not to fall into the trap of measuring how mature we are only within the healthcare vertical – instead we look for the best practices regardless of industry.
Check out Part 1 here.
An important part of balancing security and compliance for Stephan is the fact that he has a strong support system around him. Now, more than ever, healthcare organizations have to be cognizant of new compliance requirements as well as regulatory bodies such as the Department of Health and Human Services (HHS) or the Federal Trade Commission (FTC) wielding enforcement powers. Stephan said St. Luke’s internal Privacy and Compliance teams are important partners and help his security team stay to date in emerging and changing regulations.
As regulations or compliance mandates evolve, they will reach out to us and explain how they think it applies to our environment. An active discussion will often ensue as we try and reach a common understanding. There are times when our Compliance team will feel that we need to take immediate action on something, but when my team does their assessment, we may have a different perspective and push back a bit, saying that while it is a good practice, immediately focusing on it would divert our attention from other areas that would provide a more secure end state. It is always a valuable dialogue, and the result is better security which I believe yields compliance.
Heading into spring of 2014, Stephan said that user awareness will be a continued focus for St. Luke’s. And part of that focus will be using a SANS phishing program that will allow him and his team to establish a benchmark of how susceptible his employees are to phishing campaigns, and to provide real time training and awareness. He explained that this process wasn’t taken lightly, as this type of approach will be a cultural shift for St. Luke’s and the organization is talking about what the best approach would be for the phishing program.
As St. Luke’s moves toward becoming an accountable care organization (ACO), an ongoing focus for the entire organization on reducing cost and waste. Combining this venture with the fact that Stephan said he will always have a limited budget for products and services, as he doesn’t have the luxury of acquiring expensive, best-of-breed solutions, the organization has made efforts to standardize its security products. Stephan detailed why St. Luke’s decided to standardize with a small number of vendors for a large percentage of security tools and services.
This provides us with economies of scale for the acquisition and support costs, and it gives us operational efficiencies that keep staffing requirements lower. This year, we’re in the process of switching out our web and email gateways, deploying IPS, SEIM and vulnerability management system. These will roll up into a central console for visibility and management.
Lastly, Stephan added that St. Lukes will be applying greater focus to clinical engineering. Because the government announced it will start to audit in the clinical engineering (CE) space this year, Stephan said there will be more collaboration between his team and those involved with CE, which generally had been a separate division before. “CE devices continue to look more and more like a general computing device, running an operating system and needing to ride on the network,” he said. “This presents an attack surface that is exploitable, so we’re partnering with the CE team to figure out how we can best lend them support and offer them some good IT management and security principles for those devices.”