Chad Wilson, Director, IT Security, Children's National Health System
An ideal healthcare system involves open doors, where no patients are denied admission or treatment. An ideal healthcare cybersecurity system, however, requires a closed-door setup with maximum security to protect confidential business information and patients' Protected Health Information (PHI). While at first these two concepts seem at odds with one another, healthcare organizations must think proactively, balance risks and benefits, and keep a closed door against bad activity when managing the organization's information environment.
This dichotomy comes with challenges, especially when organizations are just starting to develop or enhance cybersecurity strategy and capabilities. Establishing a strong plan means considering the many threats that can compromise an entire network and recognizing that even the smallest risk can spread to have large consequences. Understanding malware’s immediate and adaptive impact, organizations must remain vigilant of changing environmental threats and ensure a strong defensive strategy. A balanced approach to building defensive capability must not be disruptive of the primary mission to provide excellent patient care.
At Children's National Health System, located in Washington, D.C., we strive towards a balanced approach in protecting the information of our children. We also recognize the high risks and potential for fast dissemination when bad activity enters the system. Given the need to be strategic and act quickly, we frame Children's cybersecurity action plan in lifesaving steps: stop the bleeding, start the breathing, protect the wound, and treat for shock. This foundational first-aid approach lends itself to a strategy based on key tenets: enable care, promote trust, and protect information.
Assess Current State and Establish an Improvement Plan for Risk Areas
An ideal healthcare cybersecurity system has strong governance in place, where policies and procedures, roles and responsibilities, and risk management are routinely addressed. The organization should be strategic and purposeful in its overall plan development. A comprehensive view of the organization, together with an understanding of its specific needs and its level of risk tolerance, is necessary before the organization can put pressure on its cybersecurity wounds and stop the bleeding.
Risk areas vary across organizations; however, there are a few basic tenets which apply to all healthcare organizations. First, an organization must ensure data encryption to minimize the impact of lost or stolen devices. A hospital employee's laptop containing PHI must have its data at rest encrypted so that, if the laptop is stolen, the data is unavailable to anyone finding the device. Data in motion from one healthcare facility to another must also be encrypted.
The hospital system must also consider visibility as a risk area. It is difficult to protect against unknown external threats, so it is important that any cyber environment visibility gaps are addressed. With improvement in this area, the organization can focus on location and accessibility of data. Knowing how data is accessed, which controls are in place, and who accesses information will contribute to the overall defense plan.
Remove Bad Activity and Malware from the Environment
As an organization works to stop the bleeding, it can simultaneously provide oxygen to the blood. A strong cybersecurity plan involves isolating and removing any known bad activity in order to start the breathing and normalize the environment.
Most organizations already have resources and systems in place to monitor and alert for bad activity. Threat management and cyber intelligence describe known malware, providing a great foundation for addressing necessary remediation based on industry standards. Health systems, however, may need to take it a step further to apply cyber intelligence and automate systems to turn off the malware and alerts. By turning off malicious activity, the organization proactively removes itself from a risky situation, thus contributing to safer and more reliable services benefitting patient care.
Establish Protections and Baselines for Protecting Information and Defending Against Malware
The next step for an organization involves protecting the wound, and the entire system, from bad activity. At this stage the organization can approach issues more strategically and take time for a major clean-up of the system to reduce the amount of vulnerable software in use. The preferred approach is to replace a risky application with an alternative or update it to a current version. For example, to protect the wound left by a risky browser, the organization can update end-users' devices to the newest version. If changing software is not an option, however, organizations can instead isolate vulnerable systems to limit their activity and minimize the risk of compromise.
Establish a Culture of Awareness and Vigilance
Security is everyone’s job in the organization; in order to treat for shock, all employees should strive to be great stewards over sensitive data. Creating a culture of awareness, inclusiveness, engagement, and accountability provides an environment for employees to be vigilant in protecting the organization and its assets. An organization’s best defense involves the human mind and its abilities and actions to recognize threats.
If employees see something, they should say something. The approach is simple and applicable in any organization, as long as employees are educated on how to differentiate between acceptable and malicious activity. It only takes one employee and a single email click to compromise an entire organization’s system. It is critical for organizations to focus on the basics, invest in training, and ensure support for the overall security strategic plan and its improvement. Leadership may consider soliciting the help of fellow organizations and engage consultants who have worked with similar clients to understand how they have addressed similar security threats.
Knowing that it will take time to determine the best course of action, leadership must continue to protect the organization while enhancing its cybersecurity strategy and associated maturity to create a culture of awareness for the entire organization.
A strong cyber defense plan and associated capabilities will promote the trust that an organization can protect confidential information while caring for patients. Following the four steps (stop the bleeding, start the breathing, protect the wound, and treat for shock) can help healthcare organizations develop an agile and resilient cybersecurity strategy. Hospitals and clinics should start by analyzing the current state and evaluating risk areas such as encryption and visibility. The organization then removes bad activity from its environment, utilizing cyber intelligence and turning off malware entirely. With this activity minimized, organizations isolate, update, or remove vulnerable applications to minimize the risk of future compromise and establish protections. An improved overall system allows organizations to focus on the final component: educating employees and maintaining a culture of vigilance. This strategy not only provides a proactive and balanced approach to securing information, but also shows that cybersecurity, like the lifesaving steps, establishes a protected environment for effective treatment and care of the people who need it most: our patients.