In light of the rapidly evolving cyber threat landscape, a top goal at University of Pittsburgh Medical Center is to identify and stop security incidents before the damage escalates, says John Houston, vice president, information security and privacy.
"The sophistication of the threats continues to grow, and as a result, we're spending a lot of money just being able to keep up with the threat landscape," he says. "We're implementing a lot of tools that are fairly sophisticated."
Those tools include a security information and event management system, or SIEM, which UPMC rolled out to try to help identify potential malicious activities going on at the Pittsburgh-based integrated healthcare delivery system, which includes several hospitals as well as a health plan.
"We spend an enormous amount of effort on that alone," he says. "Across my entire IT infrastructure, in probably every area, I'm implementing something simply to help deal with the threat landscape that seems to be growing every day."
Predictive analytics tools are enabling UPMC to analyze activities going on in its networks to help identify "the needles in the haystack" that are indicative of potential malicious behaviors and security incidents, Houston says.
"For example, through data we log on people accessing our clinical systems, we might find a trend where a nurse who works the day shift, who typically accesses 10 patient records a day, is in the middle of the night looking at a hundred or a thousand records. That's clearly an indicator that [the nurse] is doing something wrong, or it could be a hacker who has stolen credentials to get into the systems and get data."
The key is to identify the problem early and respond swiftly before damage is done, he says. "You want to catch this quickly enough ... so that you can shut them down. If you can catch it as it's happening, or just after it happened, the amount of data exfiltrated, the amount of damage will be significantly lessened."
Among the most disturbing emerging threats, Houston says, are the recent ransomware attacks on healthcare organizations, including the incident last month at Hollywood Presbyterian Medical Center, which admitted that it paid extortionists $17,000 to unlock encrypted patient data.
"That's troubling for a couple reasons. ... We all thought that at some point, something like that would happen. But for a hospital to be targeted is very scary, both in terms of patient care but also as a business," he says.
While larger organizations have deeper resources to confront these security threats, "there are a lot of hospitals in the U.S. that are ill-prepared to take on that kind of challenge," Houston says. "There are so many small hospitals that are struggling to stay in business, trying to keep the lights on. For them to worry about trying to put that kind of security in place is a daunting task, and frankly I think they are not prepared."
In this interview (see audio link below photo), Houston also discusses:
- Efforts underway to prevent UPMC staff members from falling victim to phishing attacks and measures being taken to protect the credentials of privileged access users;
- The security pros and cons of cloud computing;
- Security and privacy concerns related to the Internet of Things;
- How UPMC handles the challenges of securing data and systems related to its delivery of healthcare services to patients as well as protecting information related to its health plan in light of major health insurers such as Anthem Inc. and Premera Blue Cross being targeted by hackers.
As vice president, information security and privacy, and associate counsel for UPMC, a $11 billion health system based Pittsburgh, Pa., Houston handles such issues as privacy, information security and legal matters associated with the acquisition, licensing and use of technology. He is an adjunct assistant professor in the department of biomedical informatics at the University of Pittsburgh School of Medicine.