What keeps HIT security executives up at night
BOSTON—“What keeps me up at night is the unknown,” said Heather Roszkowski, chief information security officer at Fletcher Allen Healthcare, speaking on top health IT security concerns at HIMSS' Privacy and Security Forum on Sept. 9.
“What’s the next big thing coming up—I don’t necessarily see that now. I try to get folks to understand that this constant worry is a challenge. It’s not just about the threat of breaches and fines, but harm to patients,” she said.
For the past two or three months, Fletcher Allen Healthcare, based in Burlington, Vt., has been inundated with phishing attempts. Roszkowski said her team stays focused on security. “Compliance standards are going to change, threats are going to change. We focus on security.”
If a healthcare organization has not been breached, there are two reasons why: they haven’t gotten to you right away or you aren’t that interesting, said Ken Patterson, chief information security officer at Harvard Pilgrim Health Care, which covers patients in Massachusetts, Maine and New Hampshire.
“You can’t stop it all. Even with what you have there’s no silver bullet,” he said.
Quick detection and remediation have been the key to the security program at his health system. Moreover, they conduct security assessments on any new health IT product or technology entering the system. Last year, they conducted 37 assessments, with the number growing this year. He said wearable devices, often promoted by payer organizations looking to push wellness, have “the worst security I’ve seen in my life.”
For John Pritchard, director of information security at St. Charles Health System, a four-hospital system headquartered in Bend, Ore., complexity is what keeps him up at night. It’s a perfect storm of ICD-10, EHR requirements, technology changes, forced clinical and technical workflow changes—as well as increased competition for capital and operational investment.
“The reaction of the business executives is that this is something negative that the IT department is doing to them,” Pritchard said.
Nation-state actors are trying to break into networks, compromise credentials and set up their own credentials, he said. “We need to flip things around. Instead of reacting, we need to proactively hunt down actors in networks.”
At St. Charles, they have set up an enterprise portfolio steering committee with business leadership to prioritize security efforts. Pritchard recommended looking deeper at possible scenarios; for example, what would happen if a business associate handling patient discharge instructions had its server down for maintenance. “That could back up your whole process.”
“I worry about complacency, because the number one risk is a rogue agent,” said Sean Murphy, vice president at Leidos Health Solutions Group. When someone is out there consulting in different organizations or just does something wrong—like using an unencrypted laptop—patient data are at risk.
Also, medical device security is a grave concern, and working with manufacturers to resolve security problems has been going on too long, he said. “We’re still fighting it.”
In addition to industry challenges, finding the workforce to build strong security teams remains difficult, the speakers agreed.
Roszkowski said that she has looked to veterans to fill the need, as many have strong backgrounds in information security. Patterson said he has tapped talent available in Boston-area schools, as many feature cybersecurity programs.
Murphy noted that three distinct communities have emerged in the health IT security space: clinical, IT and clinical engineering. IT professionals need training in healthcare issues, and those on the clinical side need understanding of best IT practices. “It’s an interesting training issue.”