If you worked with just about any hospital or healthcare provider a mere ten years ago, you may have come across the Information Security Manager, Director of Security and Compliance, or someone who filled this role under another title. Their role was to lead ‘IT Security’ and manage a small staff of security administrators or analysts, whose role, in turn, was to provision users to systems and troubleshoot access problems. The team would also occasionally check firewall and other security logs when time permitted, amongst a myriad of other tasks and responsibilities, including vulnerability testing and HIPAA and PCI self-assessments.
Healthcare security teams usually were (and still are) smaller, less skilled and poorly paid compared to their peers in other industries. Their need to be generalists prevented the development of specialists with deep technical security skills. Security was often an afterthought in IT architecture or development conversations, and usually seen somewhat negatively as being an obstacle to the release of new systems or feature improvements to older ones.
The security leader, even if they had a ‘CISO’ title, often reported into IT, usually below the CIO, CTO, or someone even more detached from the Board. The conflict between IT’s mission to provide technology systems for users, versus security’s mission to protect the enterprise was very apparent. Security usually lost most battles with IT, and with end users. Rebellions were commonplace against improved user security controls, even for something like the implementation of complex passwords rotated every 90 days – things we take for granted today. A mere ten years ago healthcare was a living bastion of the past. A loud and vociferous user base dominated by Physicians happy to take their complaints directly to the Board, or to threaten to take their business elsewhere, ensured that nothing was put in the way of patient care – even a password! Such was the power that Physicians wielded.
Security was usually funded with whatever was left over or could be spared from the IT budget. Consequently it was seen as a drain on new tools and improved functionality for users. Whatever security received, it was usually way too small to do much with.
Occasional vulnerability and penetration testing, along with compliance assessments against HIPAA, PCI and security frameworks like ISO and NIST, were duly reported to the CIO, CTO, or the designated compliance officer, complete with a list of identified gaps. However, remediation of gaps was usually given little priority compared to the IT mission to build and release new application functionality “required” by the business. That is, a business run and largely controlled by clinicians, and a business focused more or less solely on providing patient care.
It was doubtful that the hospital or healthcare Board of Directors was ever provided with specific details of any such security audits or assessments, merely informed that the Covered Entity was compliant with HIPAA, PCI and any other regulatory requirements (if the subject came up at all). The security leader had no direct access to the Board, and was considered too junior to address these chieftains in person. Even if offered the opportunity, the security leader would probably talk in a language that the Board wouldn’t understand. Security Leaders were largely kept in the shadows, their message relayed and filtered by the CIO or CTO.
Today’s Healthcare Security Leader
Move ahead ten years and the picture has begun to change. Larger healthcare providers have an executive level security leader, or even a Chief Information Security Officer (CISO) who, while they may still report to the Chief Information Officer or Chief Compliance Officer, will have a seat at the table for Quarterly Board Meetings and may now chair sub-committees on security, privacy and compliance.
Security is now recognized as one of the most important enterprise risks by healthcare Boards of Directors. Media fixation with security breaches at other provider or payer organizations, complete with news of fines, penalties and reciprocity to patients whose information may have been disclosed, has ensured this. So too has media attention to ransomware outbreaks at health providers and the encryption of hospital data and IT systems needed to treat patients. Such is the power of the media, and the impact to business revenues and reputation when security incidents occur.
This increased focus on security by the Board is leading to demands for not only regular situation reporting on security, privacy and risks from the CISO, but also reporting from the CTO, COO, CFO and CEO on what is being done to address identified risks. In the course of ten years, Security Leadership reporting has gone from almost unnoticed to ‘center stage’.
In fact, corporate boards are now in some cases directly appointing external highly experienced CISOs to lead security and to act as change agents across the organization. These ‘Change Agent’ or ‘Advisory’ CISOs are often brought in from leading security organizations like Cisco or the Big 4 audit firms, and are deployed for a finite period of time in order to achieve rapid advancement in the security, risk, and compliance posture of the organization to satisfy its board.
Despite this recent focus, according to the Cisco Security Capabilities Benchmark Study, healthcare organizations are still not implementing as full an array of strong security defenses as organizations in other industries. Furthermore, the report claims that healthcare organizations are more likely than those in other industries to try to manage their security needs internally instead of outsourcing services such as monitoring, incident response, remediation, and auditing. This slowness to embrace expert services in key specialty areas may account for the recent spike in healthcare breaches as hackers focus their attention on easy targets.
The same survey also indicated that CISOs tend to be more optimistic than their SecOps colleagues about their security protections. It could be that as security leadership gets further away from the hands-on defense of the realm, so too does their realization of the ability of healthcare to respond to a threat landscape that changes almost daily. Healthcare is, after all, under attack, as widely reported in previous articles and publications!
Given the scarcity of security resources, and the ability of healthcare to attract and retain such professionals in a highly competitive market, this is hardly surprising. According to Cisco’s 2015 Mid Year Security Report, there is now a 12x demand over supply for qualified or experienced security professionals, and despite limited success in hiring or growing additional security resources, healthcare simply cannot onboard enough security staff to defend itself against current attacks.
The result is that many healthcare providers are now looking at ways to maximize the effectiveness of their limited security staffs by consuming managed security services for much of their security operations, threat detection and security incident response, in order to free up security team members for higher value tasks.
This change in focus was recently identified in the Cisco 2016 Annual Security Report.
As security professionals become aware of threats, they may be seeking ways to improve their defenses, for example, by outsourcing security tasks that can be managed more efficiently by consultants or vendors. In 2015, 47 percent of our surveyed companies outsourced security audits, an increase from 41 percent in 2014. Also in 2015, 42 percent outsourced incident response processes, compared with 35 percent in 2014. (See figure below)
In addition, more security leaders are outsourcing at least some security functions. In 2014, 21 percent of the survey respondents said they did not outsource any security services. In 2015, that number dropped significantly, to 12 percent. Fifty-three percent said they outsource services because doing so was more cost-efficient, while 49 percent said they outsource services to obtain unbiased insights.
While healthcare security leadership and better visibility have greatly improved the size, breadth and expertise of security teams, they have, by and large, made only limited advances to overall security, fueled in part by limitations on security budgets and the availability of additional or specialist security professionals. At the same time, the enormity of the threats leveled against healthcare payer, provider and pharmaceutical organizations has grown exponentially, creating further gaps in security. The need for security leaders to evaluate security needs holistically and to spend money wisely is perhaps more important now than ever before.
Information Security is also not immune to the ‘Do More With Less’ mantra that is affecting all areas of business, and must be creative in how it allocates its resources and selective in where it spends its money. Looking for opportunities to improve efficiencies while at the same time improving the probability of security outcomes is now the new ‘modus operandi’ for security leaders.
Tomorrow’s Healthcare Security Leader
The security leader of tomorrow will be an executive in charge of his or her own budget, staff and the procurement, where it makes sense, of vendor-provided security functions that can be consumed as a service, often better, cheaper and faster than developing or running these from within. In the same way that the cloud has changed application development and the internal data center, so too will the consumption of security services.
Tomorrow’s security leader will also more than likely be titled ‘CISO’ or some other ‘C’ level derivative, fulfilling the role of information security leadership and governance. They will likely report outside of IT to the COO, CFO or directly to the CEO. They might even sit at the right hand of the CEO in Board meetings, and will be instrumental in helping to maintain the confidence of the CEO in the eyes of the Board.
During the dot-com bubble we used to talk of an ‘Internet Year’ being nothing more than a few months or weeks. It’s not surprising, then, that in the period of a mere ten solar years, the role of the healthcare security leader has evolved an ‘Internet millennium’.
Given the almost exponential change in cybersecurity, how many solar years will it take for the healthcare security leadership role to evolve another Internet millennium?
Perhaps just as important:
What cybersecurity event or series of events will accelerate this shift in paradigm – of not just security leadership and governance, but also healthcare security posture and spend?
Will it require a hospital system to be sued out of business following a massive breach of patient, financial or other critical healthcare information? Or will healthcare leadership proactively address its business-life-threatening risks before it’s too late?
For help with developing your security program or for interim expert security leadership, please visit cisco.com/go/securityservices.
From recent discussions in healthcare it is clear that conversations with the Board are not as prevalent as they need to be. At the same time the pressure on the IT teams to add devices and technologies to their network to support both medical and patient needs in very short timeframes, often means the potential security consequences are ‘overlooked’ because of lack of funding. This means that the security posture of healthcare facilities is getting no better and may be declining in some instances. This will only get worse in future years if healthcare management doesn’t accept that medical staff, patients and others who interact with healthcare will increase their connectivity requests dramatically and that to secure this new constantly evolving environment requires their commitment, support and funding. Failure to provide these will, as Richard points out, result in “a hospital system to be sued out of business following a massive breach of patient, financial or other critical healthcare information” and potentially expose enormous amounts of private patient information – something no hospital system wants to happen.
It’s improving but as you say Stuart, Board – CISO conversations are nowhere near where they need to be. Larger healthcare payers and providers seem to be leading the way, but the boards of smaller entities are still very much myopically focused on patient care and patient risks and keeping the business afloat in the midst of declining revenues and increasing costs. That being said, the recent ransomware attacks targeting healthcare, although executed by cyber criminals, are having a direct impact upon patient care and safety, and this is waking up healthcare leadership to the convergence of cybersecurity and patient safety, and hopefully the need to do something about it.
As they say, there’s nothing like an attack or a breach to focus leadership’s eyes to solving a problem immediately in their faces. We are seeing that many of those that suffer a breach, for a short period at least, have the absolute attention of senior leadership and the Board, and have an opportunity to ‘make good’ on 20 years of under-spending on security controls, tools, resources and services.
I agree with you that digitalization of the healthcare industry will further drive the need for improved cybersecurity, but let’s hope that leadership includes security in its plans for new digital services at the outset rather than as an 11th hour ‘strap-on’ as the service goes live. Cybersecurity is after all, an ENABLER of new riskier digital services, and in turn an enabler of new revenue sources for healthcare organizations.
Here’s a question for you and others… Just how fickle are healthcare consumers? It’s widely acknowledged that Target, Home Depot, and others suffered a decline in customers following their massive credit card breaches in 2014, but if my medical records were stolen, or my local hospital had to reduce services for a period, or even turn patients away as the result of a ransomware attack, how willing would I be to go to that hospital again? How worried would I be as a patient of a hospital that their under-protected information systems might succumb to a cyber-attack – perhaps while I was under the knife in surgery?
Companies typically sign year-long contracts with their medical plan providers so are locked into that contract, but how would a cyber-attack against one of their plan providers play into the selection of insurers the following year? To what degree would employee dissatisfaction at the breach of their medical records play into corporate decision making in this respect?
Richard is old enough (LOL) to have acquired a great perspective around the changes that have taken place. Instead of compliance, outcomes and use cases are discussed more often now and have a flavor around the business / mission. While brand image is still important, availability of services (can we say Ransomware) is critical. While M&A continues onward the ability to spin off or acquire organizations requires a better segmentation and security approach. 3rd Party Vendor/Supplier/Partner is now being discussed along with Supply Chain Management. The CISO is more business focused, and the new titles are Privacy Officer and/or Trust Officer. Will be interested in your thoughts and insights. Jeff
I agree with you Jeff that regulatory compliance is declining as a motivating factor for improved security across the healthcare industry – even the dreaded OCR audit! OCR will issue perhaps a $1m fine for audit failures. PHI or PII breach is resulting in WAY bigger class action lawsuits in the multiple billions of dollars in the USA. What will the liability be of providers when patient safety is put at risk as the result of a cyber attack that the entity was not prepared for?
Ransoming of encrypted file systems is just the first pass of the ransom attacks on hospitals and other providers. I don’t believe it will be long before ransomers start to demand not thousands of dollars as they are currently for the encryption keys, but millions or billions of dollars in return for not executing patients when the systems they are attached to in hospitals have been compromised. That’s when things really get scary!
This reminds me of the shifts in focus we have seen in other areas such as industrial control systems, manufacturing, and others. Same story – little focus on security, a threat is seen at a few locations, execs in the same industry start asking questions, and now focus is on improving security quickly.
Too often a tactical approach is followed where a technology-only solution is taken to FIX the problem, whereas a strategic approach (like you recommended) is a much better outcome as you can ensure the higher risk items are attended to first and the organisation gets the best risk reduction / dollar spent, rather than the newest shiny panacea. Shiny boxes are not much good unless you have well integrated processes and the right people to get the value out of them.
Mark – All too often in the course of my dealings with customers and clients, I see evidence of the fascination with “shiny objects” and the “magic quadrant shopping approach” to security. It wastes money, often takes forever to implement and integrate into an already complicated array of disparate and fragmented security tools and technologies. What’s more, at the end of the day, that expensive solution doesn’t really reduce the highest risks across the business.
As you state, point solutions are not the answer. We need a holistic managerial approach across all aspects of security and a better (quantitative) understanding of risks, along with the application of improved controls to those areas exhibiting the greatest risk and threats to the business.
The first step has to be for CISOs and their leadership teams to improve their understanding of the entire attack profile; to understand where potential attacks are likely to target, then to procure expert services from specialist security services providers, to protect against these attacks and to provide holistic evaluation and road-mapping expertise so that the CISO and his or her Board are better informed where they need to focus scarce resources.
Great stuff Richard. Completely agree that putting a CISO in place doesn’t auto-magically make an organization more prepared for threats. Lots of moving parts that need to align, in order to help CISOs not only transform security programs, but also position security as a driver for growth.
As you infer Steve, it’s not just a title or a position, but a complete ecosystem of appropriate resources that need to be brought to bear in order to protect an organization. That includes adequate funding for the CISO and his or her security program and active engagement and support right the way up the food chain to the Board of Directors.