Halamka shares info security advice
BOSTON—Despite changing security threats on a global scale, internal users just might be your organization’s biggest risk, said John Halamka, MD, CIO and acting CISO of Beth Israel Deaconess Medical Center in Boston, who spoke at HIMSS’ Privacy and Security Forum.
Halamka discussed the various ways Beth Israel employees have created security problems. One doctor bought a new laptop, brought it into the office, unplugged his old one, plugged in the new one and downloaded 119,000 emails. He left his office, and when he returned the laptop was gone. The organization was able to track down the thief, who is now in jail, but never recovered the laptop. The doctor had also copied those emails to Dropbox before the theft. As a result, Beth Israel had to hire an external forensics firm to determine whether protected health information (PHI) was involved in the theft.
“$600,000 and two years of [Office of Civil Rights] activity later, we have notified the patients and are close to signing a settlement with them,” Halamka said. And although the doctor violated all of the organization’s security policies, Halamka, as CISO, is the one who is accountable for security breaches.
Outside threats also must be addressed, he said. “The nature of threats is so much more virulent.” He cited an employee who downloaded a game from a website; the site harvested her email account, and spammers used it to send 1 million scam emails. As a result, Beth Israel was blacklisted by several major email service providers. “You have to control data flows and prevent reputational and financial loss.”
Hacktivism is real, Halamka noted, even though it wasn’t long ago that no one thought healthcare was really at risk. “If you have a breach, use it as a catalyst for change,” he advised.
Halamka shared Beth Israel’s experience with educating employees about security threats. The organization launched an internal phishing campaign to learn who was falling for scam emails, clicking through and putting information at risk. “We are sharing more data with more people for more reasons but we have to keep it more controlled. It’s a tenuous balance. The most secure library in the world would not allow you to check out books but it would be useless.” Managers learned which of their employees clicked through the phishing emails so they could focus their education and awareness efforts on those people.
Enterprise-wide, Halamka said the organization undertook an effort to identify those workstreams that could be improved to “make us stronger and better.” The effort would be years in the making. They identified 14 workstreams and hired a firm to manage them. A 90-day effort produced a timeline and budget. Because there is so much interdependency among the workstreams, they decided to stagger the hiring of new FTEs.
The workstreams include governance, policies and procedures; data ownership, classification and protection; endpoint security; overall project management; and the software development lifecycle. For example, make sure you have well-understood policies on social media and bring your own device (BYOD), he said. And Beth Israel is learning where to outsource to vendors who can respond more robustly.
Overall, the effort will improve Beth Israel’s infrastructure, close configuration gaps and improve internal education and assessment. Each workstream is now subject to a yearly review, which Halamka said creates an ongoing burden. “It’s a slow, painful road to implement network access control but there is a silver lining in the better controls, the ability to justify decisions. I’ve spent millions and half my time on it but it’s worth it.”