Published on March 7th, 2022
How to move beyond cybersecurity compliance in healthcare? Focus on clinician workflows
MIAMI – Compliance is a key metric in healthcare security conversations, measured of course against state and federal regulations, including the Health Insurance Portability and Accountability Act (HIPAA). But arriving at "compliant" in no way equates to a strong cyber posture, and treating it as the finish line is a driving cause of why smaller and mid-sized organizations are still struggling to keep pace.
"Do you know what compliance means? That means you are at sea level, that means if you were in school, you are passing," said Thomas Graham, Ph.D., CynergisTek chief information security officer, during the opening cybersecurity track session at ViVE in Miami on Monday. "And do you really want your organization or your security to be at sea level?"
Not to mention, many covered entities are failing to even meet the HIPAA compliance level.
The pandemic and evolving attack surfaces have shown the sector that provider entities must move past compliance and into resilience, which means ensuring all protections, processes, and policies are put into place that actually work against the current threat landscape.
The NIST Cybersecurity Framework is the standard recommended by the healthcare cybersecurity task force for all of healthcare. It enables entities to identify all of the assets that need protection and then determine the best way to secure them.
For now NIST is only a recommendation, but some stakeholders predict that it may become the industry standard to which the Department of Health and Human Services holds entities accountable. The trouble is that shifting to a new standard or framework is neither quick nor easy within the healthcare environment.
"It doesn't happen overnight. It's a huge list of requirements, standards, policies, and procedures to protect and maintain your organization," said Jesse Fasolo, director of technology infrastructure and information security officer of St. Joseph's Health.
For Fasolo's health system, the shift "took approximately five years of going back and forth, implementing systems, solutions, and policies," which were then adapted and constantly evolved to bring them beyond mere compliance, or sea level.
Having the framework is good for checking the boxes, but "it would behoove anyone to actually put more effort into actually going through it." For example, Fasolo's health system uses a third-party program for certain security elements, but it also reviews on its own to be sure it is adhering to NIST in the best possible way.
Can't secure healthcare without examining clinician behaviors
Insider issues are another key discussion in healthcare security, with plenty of opinions on how to reduce employee risk. For David Ting, founder and chief technology officer of Tausight, entities can try hard to change clinician behaviors, but at the end of the day, providers are going to do what they think is best for patients and their care, in the most efficient way.
Instead, entities should be thinking through how to help clinicians do their jobs better, then supporting those workflows with secure systems "to account for their behaviors and their workflows."
As healthcare continues to decentralize and add distributed end users "who will do anything on mobile devices on their own machines," entities now need to focus on gaining visibility into those activities. Without it, security leaders won't have a "complete picture into those attack points" that fall far outside of endpoint detection.
"I have this theory that if you don't secure with a clinician, you'll never get a full layer of defense," said Ting. Security "has to be more mobile than our traditional firewalls or endpoint detection and response tools, or expanding it from the network to the device. If you don't take [security] where the clinicians are going, you're never going to close down all those points."
In a healthcare environment, this means security leaders must understand clinician workflows to see their daily activities and determine why and how they're operating on the hospital network. Ting shared an example of a common practice: clinicians moving discharge records or handoff notes into the cloud as a "stash of private notes" shared between nurses.
The activity is clearly not permitted, but it only came to light when someone asked why unauthorized folders were being created. Ting also pointed to the 2017 WannaCry incident, which he attributed to a program a clinician had installed: a clinician opened a file inside a supposedly secured network, and the infection fanned out across it in a matter of hours.
Activities like these, which violate HIPAA, drive the need to understand clinician behaviors and workflows and then marry that understanding to how an entity thinks about securing things. Ting stressed that providers "can't just count on traditional models, if we don't understand or have visibility into what's going on."
Without that visibility, healthcare entities will continue to fail.
"The greatest risk is always that you can't address what you don't know. And that's something that stays the same," said Graham. "As technology grows, as operations change, and the way you're structured… the way that you're doing things is always changing, too."