As cyber attacks and cyber disasters escalate across the country, cyber leaders are doing all they can to turn the tide in favor of patient care organizations, patients and the patient population as a whole.
One member of that group is Hugo Lai, chief information security officer (CISO) at Philadelphia-based Temple Health. Lai recently spoke with Healthcare Innovation Editor-in-Chief Mark Hagland about some of the challenges he and his team face at Temple Health. Below are excerpts from the interview.
There’s a lot going on in healthcare cybersecurity right now. What are the biggest challenges you and your team face?
A good topic to start this discussion on is talking about third-party risk. In the Change Healthcare situation, you have to ask how downstream or upstream suppliers or partners might be affected by such a breach. Of course, that could be claims processing related to Change Healthcare, or various issues related to electronic health record vendors like Epic or Cerner, or issues related to the EHR [electronic health record], whether a vendor is connected to Surescripts or whether a pharmaceutical is connected to Surescripts. These are all things that healthcare organizations need to prepare for. For example, what happens if a vendor partner goes offline or is no longer able to provide services to the patient care organization? Do you have a backup? There are a myriad of ways that an organization could be impacted if a breach or outage occurs. We need to think broadly and strategically about all of these possibilities.
What about using advanced strategies in cybersecurity? Our research found low adoption rates for four key advanced strategies: auditing backups, behavioral monitoring, advanced network microsegmentation, and using a Security Operations Center (SOC). Is your team already using any of these strategies?
Yes, absolutely. We are making progress in these areas. In my opinion, every organization needs to have some measures in place in these four areas. Every organization is at a different level of maturity, but they need to be aware of these areas. If they do these things correctly, they have a better chance of surviving a cyber incident.
For example, very few readers audit their backups.
There are a few big issues there. First, organizations may not have a complete view of all assets in their environment. Second, they may not have completed a business impact analysis and analyzed the critical systems in their environment. Conducting an audit will provide insight into the maturity of your information security program and highlight areas that need attention: restore and bring-up alternative processes and equipment.
What about advanced network microsegmentation, specifically as it pertains to EHRs? Many have said this is a particularly difficult problem to tackle.
There are many ways to skin the cat. You don’t have to do it everywhere, and to be honest, I don’t know if you can achieve microsegmentation across the board. But you have to identify areas that you can segment. Just make sure your EHR, your PACS, or your endpoint workstations are segmented. Start somewhere, think about IoT, medical devices, put up additional barriers where you can. I don’t think there’s a formula per se, but each organization needs to think hard and think internally about whether they should start from the inside or the endpoint. And the approach needs to be holistically strategic.