Cedars-Sinai CIO: External threats are new horizon of health security
The historically closed systems of healthcare organizations now are exposed to a growing number of medical devices, smartphones, portable devices, and other external risks, changing the security landscape of the industry, Darren Dworkin, CIO of Cedars-Sinai Health System said at the National Institute of Standards and Technology and the Office of Civil Rights’ joint conference, “Safeguarding Health Information: Building Assurance through HIPAA Security,” on Sept. 23.
Healthcare has changed rapidly not only during the past few years, but over the past decades. In the 1970s, healthcare information—primarily non-clinical like billing and registration—was stored in pockets for use throughout health systems. An explosion of EMRs followed about 12 years ago, bringing more patient information into digital format, he said.
More recently, an “explosion” of information from medical devices is entering patient records and “we have new information we did not historically have at our fingertips.” A new wave of mobility means that “all patients and providers are walking around with computers in their pockets. You put that all together and it’s a change in landscape,” Dworkin said.
At Cedars-Sinai, it’s not just risks from desktops and laptops, but smartphones, cloud storage services, BYOD policies and USB ports that must be considered. “It’s not just about devices and users bringing in smartphones and tablets, it’s about the ability of users to use services and platforms that let them drive what they want to do. Put that in a landscape that has been historically closed, and it poses new and interesting problems,” Dworkin said.
In addition to clinical care, the research arm of Cedars-Sinai is facing “interesting conundrums,” as researchers rely on access to large amounts of data, he said. Segregating data in different databases may be what it takes to mitigate this threat.
Organizations increasingly will need to be vigilant about external threats, especially as personal health information has financial value. Recent breaches and hackers infiltrating Boston Children’s Hospital, Community Health Systems and Healthcare.gov underscore this trend. While 95 percent of security efforts go to protecting internal systems, Dworkin said, “I think that’s going to shift.”
Dworkin shared Cedars-Sinai’s own journey of “sentinel events” that shaped its security and privacy policies.
2003: The Blaster RPC worm, a network worm that spread by exploiting a Windows RPC vulnerability rather than through email, infiltrated its system. “We learned the importance of cache management, automated management and internal firewalls. If you protect borders, everything is secured.”
2009: Conficker, a computer worm, infiltrated the health system. This experience taught Cedars-Sinai about the importance of firewalls at endpoints within a network.
2011: With a No. 1 ranking on spamranking.net, the health system realized it had to make sure it was doing scanning right. “We underestimated the difficulty in making sure we had the right amount of patches in place,” he said.
2014: The Heartbleed security bug alerted the system to outside threats.
“The best way to understand and learn about security, unfortunately, is around an incident,” he said, adding that there is an opportunity for organizations to share experiences to avoid repeating the same mistakes.
In other comments, Dworkin said while HIPAA is driving many security efforts, more and more it’s patient expectations that will shape entities’ policies.
“Patients have wider expectations of what we’re doing with information,” he said. “We’ll have to adapt and become more transparent.”