In the days of mainframe computers, data was safe unless someone physically broke in to where it was stored. But now, data is everywhere, which is both a blessing and a curse. Information is available at users’ fingertips, often in real time, and can be used for countless business functions, as well as to provide solutions for better patient care. But greater access also means increased vulnerability.
Sean Lowder, an information security specialist with more than twenty years of experience, and former chief information security officer at Blue Cross Blue Shield of Louisiana (BCBSLA), points out that the greatest challenge for healthcare companies and security professionals is balancing the desire for speed and streamlined operations with the security required to protect them.
“People want things quickly, so security sometimes takes a back seat,” Lowder says. “The main concern used to be focusing on proper data processing and accuracy, but the new challenge is how to manage and protect massive amounts of data.”
Lowder says that vulnerabilities exist in any system simply because that system is up and running. Once identified, many can be dealt with by rolling out a patch, while others can’t be adequately addressed without shutting down the entire system and so usually require constant monitoring instead.
Between those two extremes, Lowder stresses the importance of taking a holistic perspective that positions cybersecurity as part of an overall business model, not just an isolated specialty. This is the approach he took at BCBSLA. He first identified where the most critical security gaps and vulnerabilities existed, and then developed a short-term strategy that included funding plans and extensive communication with all stakeholders. This enabled the most critical items to be remedied as quickly as possible. His long-term plan added a broader range of processes and technologies that were designed to build on the initial improvements. This second phase required several additional years to complete.
“It’s essential to include as much of the business staff as possible in security improvement planning, and to explain why changes are being made in language they understand,” Lowder says. “Ultimately, they should be able to explain and defend the reasons for such an initiative as well as you can.”
Doing that successfully requires building strong personal relationships. Those relationships enable technology leaders to understand the concerns and priorities of other departments and how they do their jobs, and to get to know the hot-button issues that might create resistance to proposed changes.
“Sometimes it’s less about technology and more about retreating from your position a bit to drink a lot of coffee, go to lunches, and ask a lot of questions,” Lowder admits. “Talking about what happened at another company or about online safety issues connected to someone else’s kids can be what brings them around to your point of view.”
The biggest mistake many companies make is trying to do too much too fast as they try to address security issues, Lowder says. In addition to causing problems by ignoring their staff’s natural resistance to change, hastily implemented solutions can also inadvertently interfere with normal business operations and processes. At one of Lowder’s former consulting clients, problems arose in the formulas for products the company manufactured, but implementing the strict control measures the company wanted would have drastically interrupted operations. Instead, Lowder instituted passwords to acclimate staff to the new routine. The passwords then facilitated an examination of who had access to the formulas and, finally, led to developing more appropriate and effective controls.
Several ongoing developments are also providing added tools to protect organizations’ critical healthcare data. Artificial intelligence offers new capabilities for sifting through immense amounts of information to detect unusual patterns of human behavior, as well as system-initiated and, potentially, bot-initiated behavior. Threat intelligence analyst is a relatively new security position in which specialists scour the corners of the dark web to find sensitive information before criminals and scammers do. And the implementation of data center microsegmentation applies stringent permission restrictions so that users have access only to data required for approved functions related to their job responsibilities.
Lowder also participates in extensive threat sharing networks, such as the National Health Information Sharing and Analysis Center and HITRUST’s Cyber Threat Xchange. Security data used to be closely guarded by individual companies, but, in the interest of transparency, they now share information to head off new and developing threats as quickly as possible.
“Shared threat networks help keep us a step ahead of the bad guys,” Lowder says. “In some instances, information about a newly detected threat can be fed directly into a company’s security infrastructure for automatic adjustments and immediate added protection.”
Even with so many advancements, the greatest cybersecurity vulnerability remains human users of data and IT systems. For that reason, Lowder highly recommends maintaining an ongoing awareness initiative that constantly reminds staff of best practices and good data hygiene.
An important element of any awareness program is keeping audiences engaged with fresh presentations and information. To help keep things lively and interesting, Lowder has in the past created live presentations with outside experts. For example, FBI agents have explained how to keep children safe online, which ties into the importance of routinely updating passwords and other desired security behaviors.
“There’s always some new threat or vulnerability, or some new breed of attack,” he says. “Because security issues change daily, we have to be in constant communication with leaders and end users. It’s never a one-and-done solution.”