Written by HITRUST Independent Security Journalist Sean Martin.
Day 2 at HITRUST 2016 opened with a candid discussion between Pamela Arora, Senior Vice President and Chief Information Officer at Children’s Health, and Roy Mellinger, Vice President of IT Security and Chief Information Security Officer at Anthem. Both took the time to walk the audience through the risks associated with biomedical devices.
While the number of attacks on biomed devices nowhere near matches that of the ransomware and wire fraud attacks targeting the healthcare industry, there is plenty of evidence available online to demonstrate the weaknesses and vulnerabilities of these devices. We may not be facing an outbreak situation today, but if and when one does occur, it may be too late to respond as a number of these devices don’t encrypt data and can’t be updated or patched to block attacks.
Here are some action-oriented highlights from the Arora and Mellinger session:
- First and foremost, treat your medical devices as part of your traditional IT infrastructure; they deserve the same types of risk assessments, controls, encryption, and incident response as your other critical health systems.
- Inventory the devices you currently have in-use and “Google” stories to find exposure and vulnerability information for these devices.
- Assess devices before you contract the purchase, just as you would for a critical server or application; check for hard-coded passwords, back doors, the latest OS and patches, and the risk associated with device connect types—wired and wireless.
- Leverage HITRUST’s expertise throughout its community of board and business associate members to assess the risk and to identify remediation options for these devices.
“HITRUST continues to innovate and lead the healthcare industry with cutting edge value,” said Mellinger. “Not just with questions, but with real-world examples.”
Successfully Engaging the Board
Establishing and implementing a successful security and privacy risk management program relies on the up-front and ongoing support of the executives and the board. During another conference presentation, Sanjeev Sah, Lance Lightfoot and Myra Davis (all of Texas Children’s) as well as Jimmy Joseph (Deloitte) shared their experiences and best practices for securing and keeping this support.
The list below captures a few key points made by each panel member:
- Lightfoot: “Understand what’s in it for the board. Why do they care? Figure out how to grab their attention and then work to satisfy each other’s needs.”
- Lightfoot: “If you don’t have a solid front as a team, there is a risk that some in your organization will try to take advantage of this lack of solidarity to do a bit of ‘forum shopping’—looking for someone who will give them the answer they want. A united front—including the strategy and the plan—ensures the objectives of the group are met and the mission upheld.”
- Myra: “One of the first things I did was engage third parties to help identify what we are doing vs. what we are not doing. We documented it and shared it with the team, and then had real conversations with the board and executives, helping them recognize what could happen—and would likely happen—if not the risk was not addressed.”
- Lightfoot: “Our CEO finds and reads literature and sends them to the team. He wants to understand how our program stacks up to what he is reading. These same topics are also discussed in the board meetings.”
- Sah: “Storytelling and execution are equally difficult and equally important. The board is capable of understanding risk, but if you present your story only in technical terms, you are missing the mark. If you tell a good story, you must be able to execute on time, meet your metrics, and show success.”
Before the Target breach, cyber insurance policies were essentially written based on a static approach for evaluating the risk; companies would fill out an assessment questionnaire, and possibly have limited dialog with the underwriters. This model no longer works.
At the panel discussion “Cybersecurity: How to Successfully Engage Executives & the Board”, Joshua M. Ladeau, a CISSP and the Privacy Lead of Privacy & Network Security for AWAC, said, “Insurers are seeing there is a great potential for loss, so availability and pricing are being impacted significantly.”
On that same panel, Robert O. Barberi, Jr., an MBA and Vice President of Willis Towers Watson, shared a few value points for leveraging HITRUST as part of your cyber insurance program:
- Gain efficiencies by reducing redundancy across submissions.
- Secure financial incentives through the realization of direct premium savings.
- Define, modify, and secure better policies with higher sub-limits and fewer exclusions.
The end of the day brought together 80 people as they participated in a cyber war game exercise lead by Deloitte. The group, which was broken up into multiple incident response teams, was challenged with dealing with a ransomware attack. The objectives were met:
- The group gained an increased awareness of the disruptive effects a cyber incident can have on their organizations.
- They shared perspectives on the challenges associated with recovering critical business processes and technical capabilities during a cyber incident.
- The group also identified strategies for increasing overall cyber resilience.
In addition to these three objectives, the team at Deloitte really wanted everyone to walk away with a “regiment of readiness.”
Day 2 at HITRUST 2016 did not disappoint; it dug a little deeper content-wise, and the attendees enjoyed it. Days 3 and 4 should continue to please this year’s attendees with even more information, tips and best practices.