Anahi Santiago, CISO, ChristianaCare
When Malcolm Gladwell first introduced the concept of the tipping point in his debut book, it was defined as “that magic moment when an idea, trend, or social behavior crosses a threshold, tips, and spreads like wildfire.”
And while healthcare IT has had its share of tipping points throughout the years, few have been quite as powerful as the dramatic rise of telemedicine. It has dramatically changed the way in which patients seek care and communicate with providers, and has enabled organizations to stay afloat during a devastating situation.
However, telehealth’s unprecedented growth hasn’t come without risks, particularly from a security perspective.
“It’s a challenge, but one we have to accept,” said Anahi Santiago, CISO at ChristianaCare. “We have to work with our stakeholders in clinical, business and technology to up our security game.” According to Santiago, who addressed the topic during a panel discussion with Sri Bharadwaj (VP of Digital Innovation with Franciscan Health) and Jonathan Langer (Co-Founder & CEO, Medigate), it’s going to require conversations around risk management and treatment, partnerships with technology providers, and a willingness to embed security processes throughout the entire life cycle of the supply chain.
And it doesn’t stop there.
“We need to make sure everyone is doing what they’ve contractually agreed to do, and that as the threat landscape changes, we’re circling back and making sure we’re not introducing new risks to the technology we’ve brought on board.”
It sounds like a lot — and it is. But, as is the case with many big tasks, the key is to break it into digestible bites, noted the panelists.
- Know what you have. With digitization continuing to push care outside of acute facilities, it’s critical to maintain an accurate inventory of all devices being used and to ensure visibility across the network, said Langer. “It’s going to be a big lift, but it’s a crucial starting point.”
- No preferential treatment. At Franciscan Health, a 14-hospital system providing care in multiple states, “We don’t think of IoT devices as anything different,” said Bharadwaj. “We consider them to be part of the framework of how we operate.” As more devices are added to the network, his team’s processes have become more structured around risk management. “You need to understand the risk profile of each specific device, then determine the appropriate measure for safeguarding it.”
- Set realistic goals. Although it’s important to aim high, achieving 100 percent remediation of vulnerabilities simply isn’t practical, noted Langer — especially considering the rapid rate at which threats evolve. Instead, he believes the most effective security strategy is “a combination of remediation, patching, and mitigating risk through various network restrictions and policy enforcement.”
- Zero trust. The challenge, according to Langer, is getting segmentation in place using the security solutions that most organizations already have, such as firewalls. “You need to create a zero-trust strategy around that and create policies that make it attainable.”
- Consider automation. Like all departments, security faces added budget constraints stemming from Covid-19, said Bharadwaj. One possible solution is to automate certain labor-intensive tasks such as running reports, tracking devices, and ensuring vulnerable devices have been patched appropriately.
But before any of this can be done, it’s vital that leaders change their thinking when it comes to safeguarding data, said Santiago. “Organizations need to stop thinking about security as an additional expense, and instead think of it as part of the cost of doing business. As we think about making decisions on how to use technology to deliver care, we need to always consider the risk of missing something in the way of security.”
Sri Bharadwaj, VP of Digital Innovation, Franciscan Health
At Franciscan Health, Bharadwaj’s team has applied an enterprise risk-based approach as it has shored up capabilities during the pandemic. The process is simple; risks are identified, then presented to the security and privacy committee to create a path going forward.
What’s not so simple, however, is carrying out a solid security strategy without collaboration among IT, IS and clinical engineering. If, for example, security identifies a vulnerability on an older device, they need to be able to reach out to biomed to take it offline and apply a patch. “That requires good processes and good lines of communication,” he noted.
Santiago concurred, adding that IT and clinical engineering “must be in lockstep,” and that supply chain and procurement are part of the conversation as well. At ChristianaCare, the policy is to have a security leader live within the clinical space to provide the “boots on the ground perspective” needed to facilitate collaboration.
In addition, the Delaware-based system has a steering committee with representation from nursing, physicians, research, privacy, compliance, and legal. “That committee is where decisions are made and policies are developed,” she said. Its members are also tasked with communicating the importance of cybersecurity to stakeholders across the organization.
That, according to Langer, is where the rubber meets the road — having a process in place to ensure various business leaders convene to talk about security issues before anything is decided. “The problem comes when biomed or another department makes plans without consulting security,” he added. “In that case, security becomes more complex and expensive, because you can have thousands of devices that aren’t being tracked and pose a threat to the network.”
What’s important, noted Langer, is that organizations don’t get bogged down by reporting structures, and that the focus remains on communication and collaboration. Fortunately, he has seen “an improvement,” and believes most organizations are taking the right steps.
It may even prove to be a tipping point for data security.
To view the video archive of this webinar – Adjusting Your Security Posture to an IoMT World – click here.
