Healthcare IT and the lack of security hygiene
By Aaron Miri
We've all been there. It's a bright and muggy day and you've been outside playing kickball with your elementary school friends. Suddenly you notice something particularly pungent so you turn to your buddy and let them know "hey man ... you stink."
The healthcare IT sector, unfortunately, has a distinctively unsavory practice of security hygiene and it's time that we act swiftly and decisively toward dealing with the issue that's fowling up the industry.
After many years of leading multiple IT organizations, I have seen more examples of poor IT security hygiene than I could care to recount. I have been the unfortunate recipient of multiple, brand new, direct-from-the-factory medicine dispensing cabinets that, once connected to my network, came with the joyful early Christmas present of the Gimmiv.A "Server Service Vulnerability" Trojan. Surprisingly, the medicine dispensing cabinets ran on top of an antiquated operating system that had long been out of support.
On a separate occasion, I received a downstream computer virus outbreak as a result of a dedicated VPN connection to a remote hosted based software upon which my clinicians and physicians relied. Apparently, the hosting company did not isolate or protectively monitor their customers and thus their security issue became their customer's issues.
There are numerous other security hygiene mistakes that people also invariably make when using technology, such as an employee trying to plug in a USB stick that they happened to find in the parking lot, and other cringe-worthy activities.
Every single healthcare CIO has a story to tell that mirrors my examples. The healthcare industry, as a whole, has not done a good job of protecting healthcare IT users from themselves.
Recently, the U.S. Senate passed the Cybersecurity Information Sharing Act of 2015 (CISA), which contained numerous healthcare- and federal-specific mandates around cyberthreat information sharing and setting universal standards and frameworks. In a separate bill, H.R. 1560, passed by the House of Representatives, a similar theme of information sharing and various cyberthreat provisions were passed. While it's clear that our legislators have realized that the healthcare industry is being attacked on a wide scale and are starting the much-needed legislation process, we need to move faster and get ahead of the snowball that's rolling faster and faster downhill.
Currently, healthcare organizations are building the healthcare IT equivalent of the United States Interstate Highway System. What is categorically missing is a nationally endorsed and enforced framework accrediting body that standardizes how these HIT highways are being built and, more importantly, how to enforce crucial highway construction elements that lead toward end user acceptance and trust. To put it simply; why would anyone trust taking their family on a road trip on non-speed limit governed highways and on roads made of questionable materials?
During National Health IT Week on Capitol Hill in October, in a joint cybersecurity briefing, I and other healthcare CIO's had the privilege of speaking with congressional staffers, walking them through the harsh realities that are facing hospitals across the country. Putting aside the therapeutic nature of the panel to know that I am not alone in the struggles of securing patient data, it's a scary thought in that each and every single hospital is essentially under attack for their patient data whether they realize it or not. One CIO on the panel recounted that his very rural hospital was being scanned and attacked more than six times per second from numerous external entities looking for a weakness in his security technology perimeter.
So what should we do while Congress establishes the national standards, frameworks and cybersecurity information sharing networks that we so badly need? First, we must continuously educate and over communicate to our teams the importance of good cybersecurity hygiene. This starts with understanding our application portfolios and where both data at-rest and data in-transit reside. Second, we must adopt a zero trust model of security in which all permissions, access, identity management and policies are securitized, and where there is no assumption that all user accounts and actors are inherently good in their intentions.
Next, if your budget allows, adopt two-factor authentication. There are outstanding solutions on the market that can quickly help curb intentional and unintentional access to systems and applications. Even if your budget doesn't allow for two-factor authentication, adopt a process of auditing and expiring accounts on routine and unannounced intervals.
Lastly, work with your vendors toward strengthening the application postures of each of your apps, even if there's not patient data directly involved.
Security hygiene is everyone's problem. However, if some of the basic organizational steps aren't taken; it's only a matter of time before your buddy turns to you and reminds you the importance of good hygiene.
Aaron Miri serves as chief information officer at Walnut Hill Medical Center in Dallas.