A CISO Identifies Emerging ThreatsUPMC's John Houston on Medical Devices, DDoS and More
John Houston, CISO at University of Pittsburgh Medical Center, is keeping his eye on emerging threats, including the risks tied to medical devices linked to networks and the potential for DDoS attacks to spread to healthcare.
Houston, UPMC's vice president and privacy and information security officer, says medical devices linked to networks pose a number of risks. "If the device is an FDA-approved device, the manufacturers typically claim that they have far less flexibility in terms of patching those devices," he says in an interview with HealthcareInfoSecurity (transcript below).
If the device has an underlying Microsoft operating system, for example, the manufacturers won't allow the patch until it's certified as being safe and doesn't affect the operation of the equipment. "It's delayed in comparison to what we do for the rest of our environment," he says.
"We really are concerned about this," Houston explains. "We monitor that equipment. We test it. But we also recognize that [it's] probably one of the most difficult areas to really secure."
UPMC is also monitoring emerging threats in other sectors, such as the distributed-denial-of-service attacks against banks, Houston says. "We just have to be very focused on what's happening in some of the other sectors, and try to respond effectively and see what they're doing and make sure we don't fall victim to the same issues," he says.
In the interview, Houston also discusses:
- The security risks involved in using cloud computing;
- Why using security incident and event management, or SIEM, to analyze trends is a priority;
- A new identity management software venture UPMC recently launched with software vendor Oracle.
Houston has been an information security leader at UPMC for more than a decade. UPMC has more than 20 hospitals, 400 outpatient sites and a health insurance division. He is a member of the Health IT Policy Committee's Privacy and Security Tiger Team, which makes recommendations to the National Coordinator for Health IT. Houston is also a member of the Pennsylvania eHealth Collaborative' s Policy and Operations Tiger Team.
Addressing Privacy, Security
MARIANNE KOLBASUK MCGEE: Tell us briefly about your organization and your role.
JOHN HOUSTON: I have a hybrid role, and I think that it's unlike some other organizations insofar as I'm responsible for both privacy, which is really a non-IT discipline, and security, which is predominantly an IT discipline. I tend to work in both realms, and in many ways I think it's more effective to merge those two disciplines in terms of trying to put together a comprehensive program to protect patient information.
Top Security, Privacy Priorities
MCGEE: What are some of your top security and privacy priorities at UPMC for this year?
HOUSTON: The one that we're most focused on is something called SIEM, security and incident event management. It's a discipline where we take large amounts of data and are able to analyze it to see whether we have different trends occurring within our environment with respect to security. It allows us to take information across our different information systems and understand whether there's some threat occurring. Had we not been able to put that information together and analyze it, we would never see the events occurring.
MCGEE: How about top projects in terms of privacy and security?
HOUSTON: That's probably at the top. We're also in the process of replacing our existing identity management environment. We developed an environment about 10 years ago to do identity management and it was very successful. But we also realized that with all the changes in healthcare, with the rise of mobility and consumerism, we really needed to have a different platform to support that.
MCGEE: You've commercialized that product?
HOUSTON: We're in the process of doing that. We're working with Oracle. It's an Oracle product at its core in that we're developing processes that are necessary for healthcare, and we're developing a solution for the small- to mid-size market.
MCGEE: Is it a commercial venture or is it a product that's going to be sold through Oracle?
HOUSTON: It's a UPMC company. It's an Oracle product and Oracle is assisting us in marketing. It's fundamentally a UPMC company though.
Biggest Security Challenges
MCGEE: What are some of your biggest challenges as a privacy and security leader right now?
HOUSTON: ... Look at the banking industry, by example, what's happening there and some of the different threats that they're experiencing. In Pittsburgh, PNC is a large financial institution and they had serious problems because of the distributed-denial-of-service attacks. We watch what's going on in the financial sector and we're worried that, obviously, we don't want that to happen in our environment as well. We just have to be very focused on what's happening in some of the other sectors and try to respond effectively and see what they're doing and make sure we don't fall victim to the same issues.
Biggest Outside Threats
MCGEE: When it comes to emerging threats from outside, what are you most worried about? What do you think healthcare needs to be paying more attention to?
HOUSTON: We're becoming more and more dependent upon the web. We have cloud-based services that we rely upon. We have data in the cloud. We have to deliver services through the cloud, both on a consumer side but also to other providers. We have to make sure that that vehicle - the web, the Internet - is something that's secure and is something we can ensure remains available and effective.
In the past, we have not had to worry about that. I can give you an example. Ten years ago, there was a very serious [computer] virus that had occurred, not just within our environment, but more generally. We shut down our Internet access until there was a good solution to that particular virus outbreak, and our Internet was probably down for a day. We purposely did that and we maintained operations, and it was of little consequence. We couldn't do that today. We couldn't simply say, "Oh, we're going to turn the Internet off because of some really nasty virus that's out there," because so much of what we do and what we rely upon is already in the cloud and the Internet. We have to think about how we're going to maintain those services regardless of what might be happening.
Medical Device Security
MCGEE: How about medical device security? What are the worries when it comes to malware affecting other systems in the organization, [or] people who use web-based mobile devices that have medical capabilities? What kind of threat does that pose potentially?
HOUSTON: If we split it into two pieces, on the medical device side, especially if the device is an FDA-approved device, the manufacturers typically claim that they have far less flexibility in terms of patching those devices. If there's a piece of medical equipment and it has an underlying Microsoft operating system and a patch comes out for that operating system, that device manufacturer typically won't let us patch that device until they have certified that that patch is safe and does not affect the operation of the equipment. It's delayed in comparison to what we do for the rest of our environment, and that delay could be weeks, if not months, at times. We really do have to be worried about medical equipment, and we tend to try to isolate it in our network.
However, as this equipment becomes more and more intelligent and expects to communicate with our clinical systems, sometimes that segregation is limited. We have to allow them to communicate more broadly within our network, and that opens up a door for potential problems. We really are concerned about this, and it's an area where we try to do as good of a job as we can. We monitor that equipment. We test it. But we also recognize that that's probably one of the most difficult areas to really secure.