Mark Eggleston, Vice President, Chief Information Security and Privacy Officer, Health Partners Plans
1. What are the current market trends you see shaping the Healthcare InfoSec Space?
The shortage of information security professionals is prevalent. While many CISOs are working on implementing creative solutions to ensure more folks think about pursuing security careers, a majority of security teams do not have the professionals they need. Security consultancies must do a better job of adapting their practices to become consistent with those of managed security service providers (MSSPs). Also, technology vendors must ensure their products leverage automation and are intuitive to make it easier for security teams to use them. With this rapid innovation, more vendors are trying to make automation and cross-platform integration more manageable. However, security practitioners must be cautious of overhyped technology. The ability to make informed decisions about security will be increasingly important as consumers use more IoT (Internet of Things) devices to manage their health and devices in the home.
2. Patient data for nearly five million individuals was exposed or stolen as a result of roughly 300 data breaches reported to the Department of Health and Human Services’ Office for Civil Rights (OCR). And the recent public release of Meltdown & Spectre has rendered virtually every computer system on the planet vulnerable to some extent. Events of this magnitude, coupled with the frequency of large public breaches, will likely accelerate much-needed change in the healthcare information security space. What kind of transition do you expect the healthcare security space to undergo in 2018 and beyond?
The amount of executive attention on security will continue to grow. However, with the GDPR regulation impacting American technologies, and the subsequent realization of the value of privacy, more and more Americans will seek businesses or consumer products that put a high value on privacy. In addition, Americans will realize which security protections they are missing and which their European counterparts value. Specific to healthcare, there are numerous threats and opportunities on the horizon:
Almost all devices are compatible with Bluetooth, Wi-Fi, and even LTE communications. And as consumers demand home automation, healthcare delivery models are changing to adapt. This increased connectivity enables doctor tele-consultations within your home and the use of home biomedical equipment to report your care status to medical professionals.
The threat in this case hinges on the potential vulnerability of these devices to hackers. If you are hacked, your device could now be part of an army of botnets targeting legitimate companies.
Increase in data harvesting in healthcare
We’ll continue to see increased data harvesting to achieve more efficient care. Our premiums continue to rise and social determinants of health are becoming more pervasive. However, most of the data will be amassed without our consent, compelling Americans to become more engaged with privacy controls. Some innovative companies with considerable capital are becoming reacquainted with empowering consumer-oriented healthcare.
3. Please elaborate on the challenges that organizations will need to address related to InfoSec in the healthcare arena in order to safeguard the highly confidential data that EMR/EHR and other healthcare systems store.
Challenges in securing electronic health records include basic issues such as timely patch management, routine role-based access control and audit log review. These controls are foundational and have proven to be critical in preventing attacks. Other controls like two-factor authentication prevent credential breaches, while vetting third-party interfaces reduces the introduction of new vulnerabilities.
Any multiuser platform should be designed to ensure risks associated with the cloud and mobility are minimized. It is critical to ensure current backups are not only valid and updated but also recoverable to minimize damage from ransomware attacks or other threats. Making these platforms accessible via mobile devices introduces new risks, but they can be remediated if the platform is designed with containerization, which ensures both data encryption and access controls for company data on a personal device without impacting employee privacy. The data is only accessible within the secure containerized mobile app.
4. Security is all about having the correct process in place. The aim is to find the weakest link and create a process that can support it. What, according to you, are some of the benefits of Privacy and Security integration through a defined process?
Some of my favorite efficiencies and value-added bonuses of having both disciplines in one office include:
Typically, incidents are reported due to confidentiality concerns, not necessarily a privacy or security concern. Having privacy and security teams simultaneously review incoming incidents helps shorten response time and maximize collaborative effort.
Most organizations spend more on security program improvement. The same is not always true for privacy organizational improvement. Having one office manage cost centers for both helps to maximize the value of procured solutions, ensuring finite resources are spent on improving both security and confidentiality.
Education and awareness campaigns
Typically, the overlap in educating your workforce about privacy and security principles is significant. Methods for ensuring paper and electronic media confidentiality, lessons in spotting and responding to phishing attacks and training for safe internet practices can be easily combined to not only ensure regulatory compliance but also raise workforce awareness and reduce risk.
5. What are the major tasks for organizational CIOs at this point in time? Is there any unmet need in the healthcare InfoSec space that vendors have yet to address?
CIOs are increasingly being seen as transformation agents who can guide a company’s digital future and market presence. From a CISO perspective, I’ve always seen it as my team’s role to lessen risk while ensuring compliance and to design security that is unobtrusive while mitigating risks. Ultimately, the goal is to empower our organization for sustained growth and added value, and to ensure you have the resources required for the job. CISOs are also tasked with keeping a high-functioning and talented security team. Vendors need to understand that it’s difficult to procure or deploy the latest point solutions if we are frequently concerned with maintaining adequate staff around point solutions. Rather, vendors need to do a better job of integrating platforms or use cases and making the interfaces easier to use. Doing so could include better graphical user interfaces (GUIs) and rapid automation. MSSP relationships provide vendors with expedited utilization of security technologies for a more fruitful agreement.
6. What is your advice for budding technologists in the big data space? How can they seamlessly create an InfoSec Program in their organization and back it up with its proper implementation?
Start with privacy-by-design principles and ensure you have the right to retain the data in the repository. If you do, consider the data your own and check whether you need to retain it. Security is always cheaper and better functioning if considered up front, prior to implementation. Embracing these principles will save you enormous time and future headaches.
Conduct routine in-house and external audits to ensure appropriate role-based access control (RBAC) and to validate that security controls are effective in preventing or lessening the impact of breaches. Masked data, when used appropriately, can be shared with researchers or other groups to derive value while respecting confidentiality. Other concerns are with third-party hosting or access. Address this risk by leveraging security scorecards for existing and potential new vendors, or perform your own assessments. Develop and test your incident response mechanism around the assumption of a breach. This will enable faster mitigation and risk reduction if something goes wrong.