Authentication: Overcoming Reluctance
A CISO Discusses User Acceptance Issues
To efficiently address mobile security, organizations need to understand and acknowledge how the challenges evolve and become more complex, says Jeff Cobb, CISO at Capella HealthCare.
"The most difficult challenge is to admit that you have a problem," says Cobb, who leads data security at Capella, a Tennessee-based health system that operates 14 acute care and specialty hospitals in six states. "That is exactly where we were a year to year and a half ago," he reveals in an interview with Information Security Media Group during which he analyzes findings of the recent 2014 Healthcare Information Security Today survey.
"You start out allowing e-mail [on] devices, and don't allow any additional connectivity and you think, 'Well it stops there.' But obviously, everybody knows that I could move documents through e-mail, I can do different things. Just because I'm only using it for one specific instance, once you enter the market, even if it's just e-mail, you're in the mobility business. It's admitting you have a problem," he says.
Mobile security, including deploying a mobile device management system, is among the top priorities in 2014 at Capella, he says. "This year is actually our year to start to tackle that issue. Both from a technology and policy and standards perspective," he says. "Right now, our approach will be BYOD. We don't have a lot of corporate managed devices as of today, but I do see things like iPad kiosks, [and] other types of mechanisms coming into play. That will definitely be part of our overall mobile strategy going forward."
In the interview, Cobb also discusses:
- Information security priorities revealed in the Healthcare Information Security Today survey;
- Information security budget trends, including Capella's plans for 2014.
As CISO for Capella, Cobb is responsible for information security and privacy. He has more than 12 years of experience in information technology and security, primarily in healthcare. Previously, Cobb served in leadership and consulting positions with Ingenuity Associates, UnitedHealth Group and AIM Healthcare, now part of Optum. He is also president of the Middle Tennessee chapter of the Information Systems Security Association and chair of the Metro Nashville Information Security Advisory Board.
MARIANNE KOLBASUK MCGEE: As we know, more than half of the large health data breaches listed on the Department of Health and Human Services "Wall of Shame" involve lost or stolen unencrypted computing devices. Why does encryption appear to be so challenging for many healthcare organizations, and where is it most important to implement encryption?
JEFF COBB: I think from my perspective, not just with encryption but with a lot of security initiatives in today's world, they are competing priorities. There are a lot of things going [on] in healthcare IT with the [HITECH Act] meaningful use [program], the list goes on and on, and working additional security initiatives into an already tight schedule can be very challenging. I know that is one of the challenges we have at Capella. As far as encryption goes, I still think you have to stick to the data we have at hand to determine what are the higher priority areas. For instance the [survey data about breaches] shows laptops [and] mobile devices [as] still being an issue. I think that is where you have to concentrate. A lot of attention is still given to encryption at the data center level, encryption within applications and things like that, and those are very important. But I still follow that security 101 type perspective. It's going to be hard for me to get to the database encryption conversation and be effective if I'm still having trouble managing full disk encryption on an endpoint. It's still focusing on those basic core elements and getting sound operationally before you can move on to other things.
Implementing Strong Authentication
MCGEE: When it comes to implementing strong authentication practices in healthcare for onsite and remote users, what do you think are the biggest challenges?
COBB: I think the biggest challenge is the area we always face, and that is user acceptance. Anytime you are adding an additional step or two to a process, or changing the way a user interacts with a device, there is always some pushback. From my lens, I see a lot of two-factor authentication from the remote access perspective. I think the areas we're still struggling [in] are related to new initiatives, for instance the patient portal requirement. As you extend access to information outside of the corporate walls to a much different clientele, now being the patients, that user acceptance thing comes back up in my mind. Secondly, again, [with] advanced technologies like digital certificates, there is probably some discomfort on how to manage that. It is a difficult technology to keep track of. You have additional mechanisms in place to manage certificates. Operationally, how do [you] handle that, where [it] may be another factor [in] why people have shied away from the use of that from a strong authentication perspective.
Protecting Data, Providing Access
MCGEE: What are the most challenging aspects about protecting data while providing records access to patients?
COBB: From a hospital perspective, we are in process with our patient portal project as part of meaningful use requirements. Our physician services side has had a patient portal as part of their system for the last couple of years. So they are a little bit ahead of the game as far as usage. We will have patient portals up and running that cover both sides of the company. I think the challenges line up with a lot of the things that are a concern from your survey. As far as offering portals to our patients, I think [we see] some of the same concerns with the survey results, [and the] same concerns we've seen in the banking industry come up. First and foremost, making sure the patients are who they say they are when they sign up for accounts; what type of process do I have to support that? Secondly, how do we at least educate the patients to help them understand what some of the challenges are, or some of the concerns might be, when they sign up for the portal? This goes beyond your patient privacy and consent forms and that conversation. It's things like your home machine, [if] there is a piece of malware on it, would that potentially cause an issue or unauthorized access to your patient record? Again, these things have been well-known, documented, and talked about with your financial or e-commerce sites. Healthcare is just now getting to the point to have to tackle those issues, so hopefully there [are] some lessons learned with industries and other businesses that have gone ahead [of us so] we can incorporate those technologies into the portals as they come live.
MCGEE: What do you think is most challenging about mobile security, and do you allow bring your own device at Capella?
COBB: I think the most difficult challenge is to admit that you have a problem. That is exactly where we were a year to year and a half ago. You start out allowing e-mail [on] devices, and don't allow any additional connectivity and you think, "Well it stops there." But obviously everybody knows that I could move documents through e-mail, I can do different things. Just because I'm only using it for one specific instance, once you enter the market, even if it's just e-mail, you're in the mobility business. It's admitting you have a problem.
Here at Capella, this year is actually our year to start to tackle that issue, both from a technology and policy and standards perspective. Right now, our approach will be BYOD. We don't have a lot of corporate managed devices as of today, but I do see things like iPad kiosks, [and] other types of mechanisms coming into play. That will definitely be part of our overall mobile strategy going forward.
Security and Privacy Agenda
MCGEE: How do our survey results compare with what's on your security and privacy agenda at Capella for this year?
COBB: I don't think there is anything surprising. Those are items that are backed up by data we have today, [like] breach data we have through the Department of Health and Human Services websites. Here at Capella, I'm still trying to take the approach of, let's figure out how we can manage the basics first. It comes down to a control framework that we can understand [and] manage. If it's only 20 controls at the end of the day, and we can manage those effectively, I think that is just as important and effective as having a list of 70 controls. If your framework is mapped to your other concerns, meaning, "I know what my control framework is, I know how it satisfies my regulatory requirements, whether that's PCI, HIPAA, SOX, whatever the case is," then I can stay focused on the framework, and the outcomes of that will help me answer some of [those] other questions, particularly when it is related to the regulatory and compliance landscape.
Top Technology Investments
MCGEE: Our survey found that the top technology investments for 2014 are audit tool or log-management system, e-mail encryption, mobile device management systems, data loss prevention, and network monitoring. What do you think of those top information security investments for many healthcare organizations this year?
COBB: I definitely agree and understand [why they would be] audit tools, mobile device management and data loss prevention. I'm a little surprised to see things like e-mail encryption and network monitoring on there, only because those are things that have been around for a while. E-mail encryption to me is something more of a no-brainer, at least it is for us, having the capability. I think all of these things still come down [to if there] is user awareness and training activities that go with it to make sure users are, for instance, using e-mail encryption. Our initiatives line up pretty well with this. We have an initiative to bring in additional or improved auditing of our clinical systems. As I mentioned earlier, mobile device management is an initiative on our plate this year, and DLP has been something that has been on the radar for quite a while. We have some ground-level foundational steps to take in order to be able to support that initiative. So it is definitely on our longer term radar, probably not something we'll get to in 2014, but the strategy would be to start to kick that off in 2015.
MCGEE: Do you expect that your information security budget will increase, decrease, or stay about the same for 2014 and why?
COBB: The budget this year for 2014 has increased compared to 2013. And again, it's to support a couple of the major initiatives I mentioned before, [such as] audit logging and mobile security. I would hope that the budget continues to increase. I think for me it's a little easier to get new projects from a capital expense perspective approved, as opposed to operational. So the challenge for me going forward is going to be the resources to get things done, whether that's people [or] third parties. Operationally speaking, I think that is where we're trying to control our budget, as most organizations do. It has increased this year; my goal would be that we can keep ticking that up a little bit each consecutive year as we're able to complete initiatives and build on with new things coming from a security point of view.
Looking for Skills
MCGEE: Are there any particular information security related skills that you're looking for that are hard to find?
COBB: I always want to start with personality and aptitude. I feel like we're in a position here at Capella that we can teach some of the other skills and on-the-job experience will bring those people up [to speed]. That being said, the only consideration would be depending on our progress at the point in time that we are able to pull the trigger on resources, "Would we need somebody with a specific skill to come in and hit the ground running and speed the market on a particular initiative?" But all in all, I start with personality and aptitude. You want somebody who can have conversations with the business. You want a certain level of aptitude that you feel they can learn and grow, whether that's technical or non-technical. I feel like from the on-the-job experience and training mechanisms that are available, we can teach a lot of the other skills that would be needed to fill a position here.
MCGEE: Do you look much for the professional credentials?
COBB: We do, [but] I'm hesitant to put a strong requirement on those. I think it is that age-old thing with everybody; you see a lot of people that have certifications who are very effective. [But] you see other people that [don't] have certifications only because maybe they haven't taken time to take the test, or it hasn't really been pushed in their career path. So, it's definitely not the end-all-be-all. Again, I think one of the things that does help measure is their aptitude and drive to do something. We try not to make it a strong requirement here. It's one of the things that [is] preferred, and if a candidate doesn't have those things, we look to build that into their professional development plan.