CIO Halamka on Security Action Items for 2016

Healthcare Leader Discusses Evolving Cyberthreats and Challenges
As the cyberthreats facing the healthcare sector grow ever more sophisticated, CIO John Halamka, M.D., says organizations must launch aggressive security initiatives, including investing in analytics to improve breach detection, ramping up endpoint protection policies and educating staff about phishing.
"We have to look at technology, policy and education," says Halamka, CIO at Beth Israel Deaconess HealthCare, a Boston-area integrated healthcare delivery network that includes a Harvard-affiliated medical center, several hospitals and a physician's organization.
Too many healthcare organizations take many months, or even years, to realize they've been the victim of a cyberattack or other security incident. Faced with a menacing cyberthreat landscape, breach detection must improve, Halamka stresses.
"Increasingly we're getting vast amounts of log files from many devices. And there's a lot of noise there. It's really challenging separating the wheat from the chaff," he says in an interview with Information Security Media Group. "So I would say the technology focus would have to be ... security analytics systems and visualizations that you can put in so that if an event occurs, you can rapidly detect it; you can analyze new vulnerabilities and determine your mitigations for emerging threats. It's really about turning the data into wisdom."
As for policy priorities, "as hard as this is, it's increasingly important that we restrict the behavior of individuals more than we ever have before," he says.
Five years ago, it might have been OK to borrow your child's home computer to access your medical records, he notes. But now "this is the same computer that has been downloading infected games, and probably has screen scrapers and keystroke loggers. It's just no longer acceptable," he says. So there is a need for "more and more policy about endpoint protection and good security practice."
Healthcare sector employees also need to be educated to better recognize socially engineered schemes, he says.
"Not a day goes by where we all don't receive some kind of email with a phishing or spear-phishing campaign," he says. "They're getting increasingly sophisticated. Gone are the grammatical errors and spelling mistakes, and the urgency to give bank account [numbers] and DNA samples. In fact, you're now being asked to click on links that look very much like institutional links to perform an institutional function. And that is the issue that we really have to educate our workforce about."
The healthcare sector will face more serious cyberthreats in the year ahead, Halamka predicts. "Hospitals are being targeted. It's not about simple malware or the usual Internet noise. It's directed attacks at hospitals for medical identity theft and fraud."
Many healthcare organizations allocate a much smaller portion of their IT budgets to information security than companies in other industries, such as financial services, he laments. So in the effort to fight cybercriminals, information security resources also need to be re-examined, he stresses.
In the interview, Halamka also discusses:
- Tips for stretching resources to carry out top priorities, including how to get buy-in from board members;
- Suggestions for hiring and developing information security talent;
- New data breach liability and indemnification language that Beth Israel Deaconess includes in its contracts with business associates, and why the healthcare organization will no longer sign deals with vendors who refuse those terms;
- Advice for dealing with government regulators, including the Department of Health and Human Services' Office for Civil Rights and state attorneys general, during breach investigations or HIPAA audits;
- His reaction to the Office of the National Coordinator for Health IT's 2016 goals for secure and interoperable nationwide health information exchange.
Halamka, a practicing emergency physician, writes the blog Life as a Healthcare CIO. He is co-chair of the HIT Standards Committee, an advisory group to the Office of the National Coordinator for Health IT. Halamka is professor of medicine at Harvard Medical School. He also is chairman of the New England Healthcare Exchange Network in Massachusetts and is co-chair of the Massachusetts HIT Advisory Committee.