Case Study: A CISO's View of Security's 'Paradigm Shift'
Premise Health's Johnson on How Compliance Builds a False Sense of Security
As the cyberthreat landscape evolves from lost and stolen mobile devices to sophisticated hacker attacks, healthcare organizations need a major paradigm shift in their approach to security, says Joey Johnson, CISO at Premise Health, which manages more than 500 work site-based health and wellness centers and serves more than 200 employers.
"There are lots of cyber threats and risks out there, but the one most specific to healthcare is the distribution of data," he says in an interview with Information Security Media Group. Healthcare entities "make copies upon copies, upon copies of data, and it goes off to many different places. When you think about e-prescribing and sending information off to insurers, and all the different places it needs to go for medical billing ... by the end of the ecosystem, [the patient's] information has been copied lots of times and has gone to lots of different places."
Unlike, say, the breach of payment cards, where consumers can replace compromised accounts, breaches of healthcare data have greater consequences, he says. "You can't turn it off. It can't be expired. When it's stolen, or abused, there's no one single source [to] track it down."
So security programs based purely on HIPAA compliance aren't robust enough to battle healthcare's cybersecurity challenges, Johnson contends.
"Building to compliance is the failure, because it's creating a false sense of confidence," he says. Some healthcare organizations suffering massive breaches were "doing what they're supposed to do" under HIPAA, he notes.
"But what compliance doesn't focus on is the specific location of the data assets. Organizations need to have a paradigm shift in thought, and start thinking less about ... the compliance check-box. Those ... are the low water marks."
To prevent breaches, he adds, it's also vital to understand user behavior within your organization. "If you don't know your own environment, if you don't have contextual awareness, you're not going to detect those kinds of patterns" that indicate anomalous user behavior and potential breaches, he says.
Assumption of Breach
"Organizations need to take the assumption of breach. They need to take the defensive mentality that you're not just putting in tools, but you are actively protecting assets," he says. "And by assuming breach, that means you need to be able to know if a malicious pattern has happened with your data."
Ultimately, the question that CISOs and CIOs need to ask themselves, he says, is: "Can you definitively tell if something has happened with your data? If you can't, then that's a problem, and you're probably not building the roadmaps for the appropriate protection of your organization."
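The "contextual awareness" and "malicious pattern" points above translate, in practice, into baselining what each user normally does with data and alerting on departures from that baseline. The following is an added illustration written for this page; it is not Premise Health's tooling or anything Johnson describes in detail. The log format, user names, working-hours window and thresholds are all assumptions chosen for the example, and the log lines are constructed.

```python
"""
Added example (not from the interview or Premise Health): a minimal
per-user behaviour baseline over constructed health-record access logs.
It flags two of the patterns the article alludes to: a user touching far
more distinct records than their own history suggests, and access outside
an assumed working window. Format and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import date, datetime, time
from statistics import mean, pstdev


def _constructed_lines(user, day, n_records, start_mrn, hour=10):
    """Build n constructed log lines for one user on one day (sample data only)."""
    return [
        f"{day}T{hour:02d}:{i % 60:02d}:00 {user} VIEW MRN-{start_mrn + i}"
        for i in range(n_records)
    ]


# Constructed access log: each user has three quiet baseline days, then a
# fourth day on which one user's behaviour changes sharply.
SAMPLE_LOG = []
for _day, _n in (("2024-03-04", 3), ("2024-03-05", 4), ("2024-03-06", 3), ("2024-03-07", 3)):
    SAMPLE_LOG += _constructed_lines("nurse_a", _day, _n, 1000)
for _day, _n in (("2024-03-04", 5), ("2024-03-05", 4), ("2024-03-06", 5), ("2024-03-07", 40)):
    SAMPLE_LOG += _constructed_lines("billing_b", _day, _n, 2000)
# One record viewed at 02:00 on the last day, outside the assumed working window.
SAMPLE_LOG += _constructed_lines("nurse_a", "2024-03-07", 1, 3000, hour=2)

TARGET_DAY = date(2024, 3, 7)  # the day being scored against earlier days


def parse_log(lines):
    """Parse 'ISO-timestamp user action record' lines into event dicts."""
    events = []
    for line in lines:
        ts, user, action, record = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "record": record})
    return events


def distinct_records_per_day(events):
    """Map user -> day -> set of distinct records touched that day."""
    per_day = defaultdict(lambda: defaultdict(set))
    for ev in events:
        per_day[ev["user"]][ev["ts"].date()].add(ev["record"])
    return per_day


def find_anomalies(events, target_day, sigma=3.0, min_excess=5,
                   work_start=time(6, 0), work_end=time(20, 0)):
    """Compare each user's activity on target_day with their own earlier days.

    Two signals are produced:
      * 'volume': distinct records on target_day exceed the user's baseline
        mean by more than `sigma` standard deviations AND by at least
        `min_excess` records (the absolute floor avoids alerting on users
        whose baseline variance is zero).
      * 'off_hours': any access outside [work_start, work_end).
    Returns a sorted list of (user, signal, detail) tuples.
    """
    alerts = []
    per_day = distinct_records_per_day(events)
    for user, days in per_day.items():
        baseline = [len(recs) for day, recs in days.items() if day < target_day]
        today = len(days.get(target_day, set()))
        if baseline:
            mu, sd = mean(baseline), pstdev(baseline)
            if today - mu >= min_excess and today - mu > sigma * sd:
                alerts.append((user, "volume",
                               f"{today} records vs baseline mean {mu:.1f}"))
    for ev in events:
        if ev["ts"].date() != target_day:
            continue
        if not (work_start <= ev["ts"].time() < work_end):
            alerts.append((ev["user"], "off_hours",
                           f"{ev['record']} at {ev['ts'].isoformat()}"))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in find_anomalies(parse_log(SAMPLE_LOG), TARGET_DAY):
        print(alert)
```

Each user is compared only with their own history, which is the point of "knowing your own environment": a billing clerk who normally opens five records a day and suddenly opens forty is an event worth a look even though forty is unremarkable for, say, a records department. The absolute floor on the volume rule keeps a user with a perfectly flat baseline from tripping the alert on a one-record increase.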
In the interview, Johnson also discusses:
- How the "flow" of information through the healthcare system, including patient-generated data from new consumer wearable devices, is intensifying the challenge of safeguarding data against breaches and potential fraud;
- Other major mistakes that healthcare sector organizations make that weaken their security stance;
- Why achieving "authentication maturity" is a top priority at Premise Health.
Johnson has more than 15 years of cybersecurity experience. As CISO of Premise Health, Johnson leads all organizational efforts related to cybersecurity, IT and security compliance and policy development, as well as security audit and vendor risk management. Premise Health, based in Brentwood, Tenn., was formed as a result of the merger of Take Care Employer Solutions, a former subsidiary of Walgreen Co., and CHS Health Services. Previously, Johnson held technical and program leadership roles in the public and private sectors. He formerly served as chief security officer for the U.S. Department of Commerce's Office of Computer Services, and held various security and network architecture roles leading the design and implementation of complex enterprise networks for airports, hospitals, universities and federal agencies.