Collaboration the Cure for ‘Sick’ Security in Healthcare

By William Marsh, Inpatient Nursing Officer, Madigan Army Medical Center 

In October AEHIS and CHIME convened the 2017 Fall Forum in San Antonio, Texas. These events allow the “community of the willing” to discuss issues facing all of us. By the end of the second day, the conversations usually turn toward the topic of “my boss/CEO/CFO/etc. makes me justify the security measures we are putting in place.” Or, “I am being told to show how much return on investment (ROI) I have for the most recent security upgrades.” All too often the CSO feels alone and battle-worn, bayonet between their teeth and defending their networks and budgets from all sides.

June 2017 is a month that many in the healthcare information security community will not likely forget. Globally, we saw WannaCry cripple system after system across our entire industry. For weeks afterward, the permutations of WannaCry (Petya, Not Petya, etc.) continued to wreak havoc on sensitive healthcare data systems around the globe. Healthcare leadership activated emergency meetings to ascertain if they fell prey to these vicious attacks and how severely the damage impacted their organization. Some leaders discovered the true ROI for the investments by the CSO. 

Shortly after these attacks, the long-awaited Healthcare Industry Cybersecurity Task Force (HCIC) released their report to Congress. Mandated by the Cybersecurity Act of 2015 (CISA), the HCIC was to examine the cybersecurity posture of the healthcare industry writ large. The report focused on six imperatives summarized by Mari Savickis and Leslie Krigstein here. Representatives from AEHIS and CHIME participated in the development of the report and these imperatives. The imperatives identified in the report are:

  1. Define and streamline leadership, governance and expectations for healthcare industry cybersecurity;
  2. Increase the security and resilience of medical devices and health IT;
  3. Develop the healthcare workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities;
  4. Increase healthcare industry readiness through improved cybersecurity awareness and education.
  5. Identify mechanisms to protect R&D efforts and intellectual property from attacks or exposure
  6. Improve information sharing of industry threats, risks and mitigation.

While they are all important, there are some that hold a higher degree of interest for your AEHIS Collaborative Relationships Committee. Those in bold directly outline the need to collaborate throughout our industry and with external entities. The action items associated with these imperatives serve as a “roadmap” for the AEHIS organization, CISOs and interested parties.

               The cybersecurity “professional” position usually requires 10 years of experience. Most budgets are getting cut regularly. If a CISO can recruit an “experienced” professional versus a recent graduate, chances are they will hire the “experienced” applicant. How, then, will that new graduate get the needed experiences to become qualified? The HCIC proposes a tiered method by which to develop the workforce. The essential aspect to this proposal is the internship process. CSOs can establish collaborative relationships with educational institutions to ensure healthcare cybersecurity is included in the curriculum. This provides the interns with a foot in the door and exposure to the unique security requirements in the healthcare arena.

               Due to the increasing lack of cybersecurity professionals, specifically in healthcare, there are some institutions that rely on those who are not formally trained to support their networks. When these networks were isolated unto themselves, the risk and damage was limited to those on that network. Now, in an ever-interconnected ecosystem with health information sharing, the damage to one can spread like a cancerous virus across the healthcare industry sector. The most recent attacks proved this concept repeatedly. Enter the proposal of increased collaboration. There are those institutions that can secure their networks with those within their institutions. With governmental protections, a mutual support agreement between hospitals helps galvanize those without a robust security ability and thus the greater healthcare sector.

               Finally, information sharing of threats, risks and mitigations is the crux of the Collaborative Relationships Committee. As AEHIS became more firmly established, we initiated a relationship with the National Health – Information Sharing and Analysis Center (NH-ISAC). The NH-ISAC shared the threat data of the June attacks throughout the AEHIS membership. This enabled members to leverage assets to directly stem the attacks. This proved invaluable for many.

               The HCIC report is meant to start actions, conversations and collaboration. Reinforced by the real-world attacks of June 2017, now is the time to make change. AEHIS and the Collaborative Relations Committee seek to “determine appropriate AEHIS partnerships–within and outside healthcare space; leverage these collaborative opportunities to mesh with Education/Professional Development/Public Policy efforts.” The United States’ national security depends on the critical infrastructure as outlined in presidential policy directives. This is not unique to the United States. All those with a digital ecosystem supporting their healthcare are vulnerable. As security professionals, we are charged with protecting the greater sector and our nation states.

More AEHIS News Volume 2, No. 1:

Looking to contribute to the AEHISecurity Newsletter? Email your contributions to [email protected].