HIMSS18: Cybersecurity Takeaways
Insights From Interviews With CISOs, Regulators
What's on the minds of healthcare CISOs these days when it comes to cybersecurity challenges and initiatives?
I got the chance to pick the brains of quite a few security leaders during the HIMSS18 conference in Las Vegas while attending a variety of sessions, conducting sit-down interviews and networking.
My general impression from an all-day cybersecurity forum held March 5, for example, is that security is progressively becoming a much bigger worry for most organizations, including smaller entities that have no CISO and aren't familiar with nomenclature such as the "NIST cybersecurity framework" or acronyms such as DDoS.
Wake-Up Call
As Rod Piechowski, senior director of health information systems at HIMSS, summed up for me in an interview, cyberattacks that have hit all kinds of healthcare providers in recent months are making all organizations feel more vulnerable.
"Ransomware was a really big wake-up call," he says.
What all healthcare entities - big and small, urban and rural - seem to be finally realizing is that they're all sitting ducks unless they act, stat.
Whether it's being targeted by cybercriminals using social engineering schemes or getting snagged in ransomware and other malware attacks, everyone seems to be finally acknowledging they've got major security problems that will only worsen if they're not addressed.
Taking Action
So, how are CISOs responding to the cyber challenges they're facing?
Jigar Kadakia, CISO of Boston-based Partners HealthCare - arguably one of the more cyber-mature healthcare entities - is focused on enhancing endpoint protections and other advanced security projects.
Daniel Bowden, CISO at Sentara Healthcare, told me that his organization is also striving to achieve a higher level of patient data protection.
"In 2017, we did a large two-factor authentication implementation that was very successful. Now we want to uplift things like privileged access management on critical IT assets and we also want to get better reporting and auditing of activity in all our clinical systems," he says.
Bowden is also examining a technology area that certainly got a lot of buzz during HIMSS - blockchain.
Kristopher Kusche, CISO at Albany Medical Center in New York, told me that healthcare entities need to address the evolving cyber challenges they face using basic security practices as well as more sophisticated, emerging security technologies. Organizations need "an understanding that you need basic tools and advanced tools to really mitigate these issues," he says.
Regulatory Landscape
As usual, federal regulators were on hand at the big event to provide updates on a variety of government efforts, including rulemaking work and enforcement activities.
Roger Severino, director of the Department of Health and Human Services' Office for Civil Rights, told a packed audience at his session that there is "no slowdown in our enforcement efforts," and that the agency will continue with the "same enforcement mindset" as in recent years.
The real question to me, however, is whether OCR - with big HHS budget cuts planned by the Trump administration - will have adequate resources to carry out its enforcement activities. In fact, OCR's HIPAA audit compliance program appears to be on the back burner once again.
When I asked Severino whether OCR has plans for onsite audits and a "phase three audit program," he told me no. There will be no onsite audits, and instead phase three will only involve OCR belatedly analyzing and compiling findings from phase two audits carried out in 2016 and early 2017.
OCR officials had previously said that phase two was supposed to include analysis of the remote desk audits of about 200 covered entities and business associates - plus an unspecified number of more comprehensive onsite audits - paving the way for a permanent program.
The odds of a permanent program ever being launched look remote.
Meanwhile, over at OCR's sister agency - the Office of the National Coordinator for Health IT - officials say they are busy on several fronts, including work on the final version of the agency's Trusted Exchange Framework and Common Agreement. ONC's draft framework, unveiled in January, aims to help fulfill a call for increased health data exchange in the 21st Century Cures Act, which was signed into law in 2016.
Genevieve Morris, principal deputy national coordinator for health IT, told me that ONC - in response to more than 200 public comments it received - is in the process of making a variety of tweaks to the framework.
"We're looking forward to refining the privacy and security requirements and getting to a place where folks feel comfortable that the data that we're exchanging is safe and secure," she says.
Let's hope that all players in the healthcare sector are also planning refinements - big and small - to their cybersecurity programs so that their patients' data is effectively safeguarded from evolving threats.