Even as cyber-attacks and cyber disasters proliferate nationwide, cyber leaders are doing everything they can to turn the tide in favor of their patient care organizations and the patients and patient populations they serve.
One who is among that group is Hugo Lai, the chief information security officer (CISO) of the Philadelphia-based Temple Health. Lai spoke recently with Healthcare Innovation Editor-in-Chief Mark Hagland about some of the issues he and his team have been facing at Temple Health. Below are excerpts from that interview.
There’s a lot going on right now in cybersecurity in healthcare. What are some of the biggest issues facing you and your team?
A good topic to start with in this discussion would be to talk about third-party risks. Per the Change Healthcare situation, we should ask, in situations like that, how downstream or upstream suppliers or partners would be impacted by such a breach. Of course it could be claims processing related to Change Healthcare, or a range of issues related to electronic health record vendors like Epic or Cerner or whoever your EHR [electronic health record] vendor is, or your medications, connected to Surescripts. Those are all things that healthcare organizations need to prepare for. For example, what happens if a vendor partner is offline or no longer available to service your patient care organization? Do you have a backup? There are countless ways in which your organization could be impacted in the wake of any breach or failure. We have to think broadly and strategically about all of those possibilities.
What about the use of advanced strategies in cybersecurity? A survey we did found low levels of implementation among four key advanced strategies: auditing of backups; behavioral monitoring; advanced network micro-segmentation; and the engagement of security operations centers (SOCs). Is your team engaged in any of those strategies yet?
Yes, absolutely, we’re moving forward in those areas. In my view, every organization should be doing something in those four areas. The maturity level of every organization should be different. But they should be aware of those areas. When you’re doing those correctly, you have a better chance of surviving a cyber incident.
For example, only a small percentage of readers are auditing their backups at all.
There are a couple of major issues there. First, an organization may not have full visibility of all the assets in their environment. Second, it might not have completed a business impact analysis and analyzed the critical systems in their environment. Doing that audit speaks to the maturity of your information security program, and helps to highlight what you need to pay attention to: restoration, and standing up alternate processes and equipment.
What about advanced network micro-segmentation, especially around the EHR? Many have said that this is a particularly thorny issue to tackle.
There are many ways to skin that cat. You don’t have to do it everywhere, and quite honestly, I don’t know whether you can accomplish micro-segmentation across the board. But you should identify areas that you can segment: your EHR, or your PACS, or just making sure your endpoint workstations are segmented. Start somewhere and think about IoTs and medical devices, and put additional barriers around them, wherever you can. I don’t think there’s a formula per se, but each organization needs to think hard and look at themselves internally, at whether they should start internally or at endpoints. And the approach simply has to be all-around strategic.