Servers and storage are a primary focus for one hospital’s support upgrades.
The technology team at Ochsner Health System in New Orleans once saw prevention as the best medicine for securing its data network. Keeping cyberthreats from penetrating its walls was sufficient for ensuring the safety of both patient and provider information.
In recent years, that prescription proved less than effective, CIO Laura Wilt says. Ochsner, which owns, manages or is affiliated with 30 hospitals and 60 health centers throughout southern Louisiana, now implements a layered defense that relies on a number of new tools that more effectively identify and neutralize threats, even ones that somehow make it past the organization’s network perimeter.
“It’s still important to keep unauthorized people out of your network, so we’re doing that, but we’re also spending a lot more time monitoring our network and being proactive to make sure that we’re doing all that we can to protect people’s information and our operations,” Wilt says.
At Ochsner and other health organizations around the country, information security leaders are taking a multipronged approach to cybersecurity, implementing robust, layered systems to guard endpoints and defend from within, while also educating stakeholders about their role in mitigating such risks.
The security team deployed Cisco Systems’ Identity Services Engine, which allows security staff to immediately change an authorized user’s access to critical resources if they display suspicious behavior after logging on to the network, Wilt says.
Ochsner also uses several Trend Micro products, such as the cloud-based OfficeScan, which enhances its existing endpoint protection with global threat intelligence that analyzes files before execution and during runtime, as well as with integrated data loss prevention capabilities.
The latter tool also enables security staff to continuously monitor for ransomware attacks that make it past the firewall and proactively quarantine and terminate malicious activities before they can do damage.
Ochsner is hardly alone in emphasizing deployment of such tools. As healthcare organizations increasingly connect their data, clinical applications and medical devices to improve patient care and access, they also become prime targets for hackers and cyberterrorists. In fact, the healthcare industry has surged past financial services and manufacturing as the most frequently attacked industry, according to IBM’s 2016 Cyber Security Intelligence Index report.
“There’s now this recognition among the criminal element that healthcare information, unlike information in other industries, doesn’t perish,” says Mac McMillan, co-founder and CEO of CynergisTek, a healthcare IT consulting firm that specializes in security, privacy and compliance issues. He notes that Social Security numbers, personal information and medical histories can all be used for identity theft, extortion and as part of a ransomware attack.
“It’s information that’s ready-made for easy monetization and high profitability for the cybercriminal,” McMillan says.
As a result, more than 85 percent of healthcare IT professionals report that cybersecurity efforts within their organization are considered a business priority, according to the 2016 HIMSS Cybersecurity Survey.
Technology represents only a part of the equation. Like many other healthcare organizations, Ochsner now invests equally in shoring up security processes and enhancing related employee education, Wilt says. That flexibility is important, she says, as too heavy a focus on the former, without taking factors like staff knowledge or impact on patient care into consideration, could lead to workflow issues for doctors and nurses.
“It’s a balancing act,” Wilt says. “Talk to staff in their language, without all the scary, technical security words. Often, they see security as something that’s punitive, so we try to describe it and teach it in a way that makes them understand it and want to do the right thing, both for the patient and the organization.”
Henry Ford Health System, which has six hospitals and acute-care facilities in and around Detroit, is ahead of the curve. The organization reworked its security approach several years ago, says Meredith Harper, chief information privacy and security officer.
Technology plays a critical role in how Henry Ford guards against outside threats, as the system completely digitized patient records and allows more than 60,000 medical devices to connect to its network. In addition to traditional prevention tools, Harper and her team put a two-tiered network monitoring system in place, in which a third-party cloud provider performs day-to-day monitoring and elevates suspicious network penetration activities, sending them to Henry Ford’s internal security operations center for incident response.
Harper believes that Henry Ford’s greatest security and privacy vulnerability remains its 29,000 employees, “not because they’re trying to be malicious, of course, but because they’re human, and you have to address that factor in your security strategy,” she says.
To that end, her team uses behavioral analytics to closely monitor critical operational applications for inappropriate employee access and activity. Data loss prevention tools and protocols also are important in guarding patient data against insider threats, she says.
Three years ago, Harper was put in charge of both privacy and security, as well as information governance, which enables a much more coordinated and comprehensive approach. She and her team proceeded to develop and brand an ongoing employee education program, called iComply, that is recognized and taken seriously by hospital staff.
Harper notes that years of having the attention of hospital leadership enables a culture of better security to thrive.
“If I don’t put some of my investment into the business process and the people and educating the users appropriately, then no amount of technology investment is going to help,” she says. “That’s why it’s so important to take that balanced approach.”