Dell execs offer cybersecurity advice
The growing amount of data along with more and more mobile devices are adding up to big cybersecurity problems for healthcare. Almost half (43 percent) of major breaches targeted healthcare data in 2013.
Paul Christman, vice president of public sector for Dell Software and Cliff Bleustein, MD, MBA, chief medical officer and global head of health consulting for Dell Services, spoke with Clinical Innovation + Technology about how healthcare organizations can better protect patient data.
Providers are a top target, driving a lot of security consulting business, because of the black market value of the information, said Bleustein. Starting at $50, the value of medical record data is substantially higher than just a Social Security number. That's leading to more individuals trying to get at those data.
Christman said the healthcare industry is working on determining who their users are and what they need to do and tracking what they’ve been doing. There’s a general sense of cleaning up so organizations can protect data, comply with regulations and enable new technologies. “The idea of a breach can gather both financial and political will to make changes. It’s a catalyzing moment.”
There’s been an “absolute explosion” in data and how electronic data is formed through HIEs, ACOs, and sharing of EHRs. Meanwhile, the people going after the information are coordinated, motivated and well-funded, he said.
Users are the biggest problem, however, because “they tend to click on things they shouldn’t. A device is only as good as the people controlling it.” An important tactic is raising cybersecurity awareness and making sure everyone in an organization understands that security is part of their responsibility. Security is a shared responsibility, not just that of IT.
The embrace of technology and BYOD policies within the healthcare industry is creating additional areas for people to attack. “On top of that, you have compliance regulations and increasing complexity associated with being compliant with those regulations,” said Christman.
“Not everybody has a comprehensive security program,” said Bleustein. Organizations implement individual components rather than looking at the big picture. He recommended the following four programs:
- Initial assessments looking at architecture and security program review. This includes understanding your gap analysis and knowing the Meaningful Use risk requirements.
- Security infrastructure. This should address not only your organization’s perimeter but apps you have as well as endpoints.
- Ongoing monitoring program. This includes threat intelligence and incident management.
- Testing program. This includes a scanning platform, testing services, vulnerability testing and penetration testing.
“It’s not a matter of doing any one thing. Security management is going to continue to evolve and it’s going to require ongoing management,” said Bleustein.
It also requires a realization that “no matter how protected, there is always some level of risk that can be exploited,” said Christman. “At some point, people will gain access to information so you need a much more thorough, sophisticated, evolved idea of risk assessment.”
Another thing healthcare needs to do on the security front is create a closed loop to improve the situation, said Christman. “We don’t necessarily look at learning from our mistakes. It’s hard to justify the expense of that but that’s when you can learn the lessons from a situation that was unforeseen and unfortunate. Coming back to improve the process is one of the things folks need to build into their plan.”
There is a huge shortage of security professionals but “there is no reason for a small or medium-sized healthcare organization to have an army of these experts when they can be engaged in consulting agreements,” he said. Find a good consulting firm but work on training employees so they understand security risk. “Get people conversing. You have to mobilize the general awareness of the user population to protect themselves as well as the data they’re collecting. We think of it as end-user education not necessarily cybersecurity education.”
Looking ahead, Bleustein said “we see an environment where the number and the breadth and depth of devices that are creating information are expanding exponentially and the type of information in terms of size and importance are increasing as well. That complexity is going to make [data security] even more important going forward than it ever has been before.”
Christman said that while healthcare has work to do to improve data security, one thing they don’t want is more legislation. Providers and stakeholders have said “they want more recommendations and frameworks to learn how to get this under control.” They pointed to the NIST cybersecurity framework as a positive example and are looking to build coalitions and peer-to-peer sharing of information.
“We’re in that troublesome transitional period where we’re adopting new technology very quickly based on [the Affordable Care Act] and the idea of rapidly digitizing this whole healthcare delivery system. I think we’re in a very challenging time. It will get better. There is going to be some improvement in security and identity management but we’re in the middle of this transitional phase which makes people unsure about whether they’re doing the right thing. It’s hard work so people might be skeptical.”