Elevating IT Security in Health
Doug Barton is Chief Technology Officer of the Leidos Health Group. As the nation’s third-largest healthcare IT consulting firm, Leidos provides services and solutions in health information technology, population-health risk management, case management, health analytics, life sciences, and public health. Barton discusses how healthcare organizations can manage cybersecurity risks.
HOW CAN HEALTHCARE ORGANIZATIONS KEEP ONE STEP AHEAD OF THE EVER-EVOLVING CYBERSECURITY RISKS AND ATTACKS?
Barton: First, healthcare organizations should shift to a business-aligned cyber capability. It’s no longer enough to buy and deploy disjointed security tools and apply controls to IT infrastructure. The chief information security officer (CISO) organization needs to provide a cohesive cyber capability in partnership with the business that permeates the enterprise. The primary focus should be securing the forward edge of where patient care is delivered. Then cybersecurity is viewed as an enabler — a line of business that is integrated and collaborates coequally with the business as patient care evolves.
Second, a cyber-threat intelligence capability to proactively inform the organization about pending cyber threats is a nonnegotiable issue. The foundation is building robust cyber threat intelligence alerts to your security operations center associated with your internet-facing footprint, IP addresses, host names, company brands/logos, VIPs, and domain names. These intelligence-gathering techniques can result in locating dark web chatter, stashed logo information, dumped documents, domain registrations, or other indicators that could lead to thwarting a pending cyberattack.
Third, foundational security practices remain a powerful tool to bring order and structure to the vast complexities of healthcare. Organizations need a strong risk management program that aligns to key business risks, focusing resources and efforts where they matter most. They should monitor operational risk management with meaningful monthly security metrics, and shape daily priorities to stay sharp and vigilant.
DO HEALTHCARE ORGANIZATIONS UNDERSTAND WHAT THEY ARE UP AGAINST WHEN IT COMES TO SECURITY RISKS?
Barton: I firmly believe there is a solid cadre of experienced and passionate CISOs and other healthcare industry professionals that understand the serious and constant cyber threat to their organizations and patients.
Security risks are multidimensional. To reduce cyber risk, healthcare organizations should simplify by reducing complexity as well as streamlining and consolidating healthcare IT infrastructure. They should also leverage key partners to fill gaps in security expertise and platform support. A tighter, more well-defined business infrastructure is more efficient, easier, and more cost-effective to protect.
But risk urgency is not as well understood by healthcare. While we haven’t seen it manifest, the potential for loss of life because of a cyber-event exists. Leidos defends against these risks daily for our military and government customers. Ransomware is just a “gateway attack” to more damaging attacks, and healthcare may not react with the proper urgency until a cyberevent results in a major hospital “takeover” or loss of life.
WHAT BEST PRACTICES DOES LEIDOS RECOMMEND TO HELP HEALTHCARE ORGANIZATIONS PROACTIVELY REMEDIATE AND MITIGATE ADVANCED THREATS?
Barton: Healthcare security is ultimately about protecting patients and their families. Securing the forward edge of where clinicians and staff deliver patient care is critical. This requires a highly integrated blend of threat intelligence, end-point identity and data security, and event monitoring/response. It demands a paradigm where the CISO organization engages with the business providing cyber innovation alongside evolving care models.
The best practices rely on fundamental “cyber blocking and tackling,” such as the following:
- A risk management program based on assets, infrastructure, high-value data, and business workflows. Organizations can neither protect nor prioritize resources, the budget, and risk mitigation if they don’t have and keep an updated inventory of what their business processes and infrastructure assets are.
- A well-governed and supported cyber-hygiene program including training for users can work miracles to create a proactive culture and technical posture that is priceless and extremely economic to implement.
- Robust browser isolation that allows employees to open emails and click URLs without security risk along with a security operations center alert notification and response system creates a powerful combination against phishing.
WHAT’S IN THE FUTURE FOR DIGITAL HEALTHCARE SECURITY?
Barton: The importance of identifying where shared capabilities are easily aligned and provide financial economies of scale will increase. An unexpected or anomalous event requiring remediation can occur in security, financial, supply-chain, or clinical-event data segments of the business. Leidos believes in taking an approach where data analytics and response operations—business, clinical, or cyber—can be a shared capability with business-aligned response workflows.
Connectedness will grow as the new efficiency. Our everyday lives are increasingly more connected. Everyday problems are solved in real time with a click and swipe on a device. The same should be true of a vigilant, poised, agile-based cyber team. The team should have a virtual, connected presence, capable of crowdsourcing, and solving and resolving incidents in real time 24/7.