EXCLUSIVE - Cyberthreats are a business risk - Communicating the message to senior management in healthcare
The first instalment of a two-part OpenGov Breakfast Leadership Dialogue series on “Expanding Cybersecurity Threats in the Healthcare Sector” was held in Sydney on the 17th of August. Select officials from the public and private health care areas in New South Wales participated in this invitation-only, closed-door session.
The healthcare industry is on the cusp of a technology-driven metamorphosis. Hospitals and healthcare agencies operate in a complex network of patients, doctors, nurses, pharmacists, technicians and administrators.
This web is being turned into a connected network by advances in ICT. In addition to long-gestating advances like telemedicine, IoT in the form of wearable devices, unprecedented volumes of big data, and the flexibility of clouds have the potential to irrevocably transform thinking and operations in the sector. The pace of change is only going to accelerate, and along with it the sophistication, number and speed of threats.
Mr. Mohit Sagar, Editor-in-chief of OpenGov Asia, kicked off the conversation by asking the participating executives what keeps them awake at night.
The responses ranged from concerns over data confidentiality, end-user education, consistency in policies and resource constraints to a constantly evolving threat situation.
An apt analogy of Swiss Cheese came up in view of the proliferating number of security vulnerabilities.
Mr. Sagar summarised the current threat landscape and talked about insider threats and dwell time, the time elapsed from infection to remediation. Dwell time is the key metric that demonstrates an organisation's preparedness for security incidents. Currently it stands at a dismal 205 days.
Mr. Guy Eilon, Country Manager of Forcepoint in Australia, stressed the importance of awareness and education and highlighted three primary risks he sees dominating conversations. The first is the evolving business environment driving decisions such as moving to the cloud. IT is not usually involved in the decision-making and consequently security becomes an add-on, an afterthought. Secondly, over 90% of security investment is directed at external threats, but the majority of threats are internal, whether malicious or accidental.
Last but not least was the added complexity from the profusion of vendors and products in the market. How do you manage the hundreds of thousands of logs obtained from different systems?
Guest speaker Mr. Lim Soo Tong, CIO of Jurong Health Services (JHS) under Integrated Health Information Services (IHiS), an IT organisation under the Ministry of Health, presented the Singapore perspective on security in health IT. He started by talking about the agencies responsible and the different levels of the framework, from a body under the Prime Minister’s Office, to one level lower at the Ministry of Health, down to implementation-level policies and guidelines at the level of IHiS.
Mr. Soo Tong shared his experience of initially allowing Bring Your Own Device (BYOD) but gradually realising that even with security measures and policies, the potential gaps for data leakage remain too many to plug. JHS is considering revoking BYOD privileges by the end of August 2016.
He also tackled the issue of network segmentation. His preference would be to provide controlled/limited access, with users allowed to log on to a dynamic list of white-listed sites, in contrast with blacklisting. When questioned by a participant over the number of remote users, he explained the difficulty of knowing the exact number.
Dialogue questions and discussion
The very first question posed to the delegates, regarding the main driver for their information security expenditure, sparked off a fascinating discussion. The overwhelming favourite was “Protecting critical assets from being compromised”, garnering 86% of the vote.
“Compliance with laws and regulations” came a distant second at 14%. Adam Vaughan, from Wolper Hospital and Chatswood Private, pointed out that patient privacy laws are in place but are not enforced yet. That will change soon, and regulations might become an important driver for security expenditure decisions. Peter Bates from St. Vincent’s Health said that laws and regulations might help to get things done.
There were no votes for the option “Protecting the organisation’s reputation”, reflecting the way IT and cybersecurity are viewed in many organisations. Mr. Sagar asked if IT is viewed as an expense or an investment. The majority of delegates agreed that IT operations are still looked at as an expense, even in the era of high-profile digital transformation projects. Tens of millions of dollars might be spent on a project, but there is little thought or budgeting devoted to day-to-day operations.
The conversation moved to how best ICT professionals can present the case for security to the Board or Senior Management. A case has to be made for IT and IT security as a business enabler.
The next question was about the security threats causing maximum concern. “Data identity thefts” was the top choice with 43% of the delegates selecting it. In response, Mr. Eilon mentioned that 65% of data leakages worldwide happen due to insider incidents, mostly accidental.
Mr. Jason Mitchell from Primary Healthcare gave an idea of the volume of data being stored by healthcare bodies. They hold on to data for decades, not disposing of even one X-ray. Currently, in most organisations this data is stored in a decentralised fashion across many different systems, leading to huge security concerns.
Shifting the data to centralised storage might be the best option if “All Data” has to be secured. It is difficult to sift through and classify the data.
The discussion moved to user behaviour and how timely alerts might make the difference between a catastrophe causing massive financial and reputational damage and prevention or containment. For instance, if one person suddenly starts handling 20 patient records daily, up from 5 earlier, that could trigger an alert. It might be a regular, approved change in that individual’s responsibilities and authorisation. But it might very well be an erroneous access expansion. Each such small mistake could open up a new potential point of data leakage in the system.
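The volume spike described above, written out as detection logic in an added example that is not from the dialogue or any participant's system: a constructed access log (date, user, patient id) is summarised into distinct records per user per day, and a day is flagged when it exceeds a multiple of that user's own recent baseline. The field names, thresholds and sample users are assumptions.

```python
from collections import defaultdict
from statistics import mean


def build_sample_log():
    """Constructed sample log lines 'date,user,patient_id' (not real data):
    nurse_a handles 5 distinct records a day for five days, then 20 on the
    sixth; clerk_b is steady at 5 a day throughout."""
    lines = []
    for day in range(1, 7):
        date = f"2016-08-{day:02d}"
        for i in range(20 if day == 6 else 5):
            lines.append(f"{date},nurse_a,P{day}{i:02d}")
        for i in range(5):
            lines.append(f"{date},clerk_b,P{day}{i:02d}")
    return lines


def daily_distinct_records(lines):
    """Map (user, date) -> number of distinct patient records touched that day.
    Counting distinct ids keeps repeated views of one chart from inflating the total."""
    seen = defaultdict(set)
    for line in lines:
        date, user, patient = line.strip().split(",")
        seen[(user, date)].add(patient)
    return {key: len(ids) for key, ids in seen.items()}


def find_volume_anomalies(lines, baseline_days=5, factor=3.0, min_records=10):
    """Flag a user's day when the distinct records handled exceed `factor` times
    that user's mean over the previous `baseline_days` days and reach at least
    `min_records` (so a jump from 1 to 3 does not page anyone). The alert is a
    prompt for review: the text notes the change may be approved, so the
    analyst decides, not the code."""
    per_day = daily_distinct_records(lines)
    by_user = defaultdict(dict)
    for (user, date), count in per_day.items():
        by_user[user][date] = count
    alerts = []
    for user, days in by_user.items():
        dates = sorted(days)  # ISO dates sort chronologically as strings
        for i in range(baseline_days, len(dates)):
            baseline = mean(days[d] for d in dates[i - baseline_days:i])
            today = days[dates[i]]
            if today >= min_records and today > factor * baseline:
                alerts.append((user, dates[i], today, baseline))
    return alerts
```

Running `find_volume_anomalies(build_sample_log())` flags only nurse_a on 2016-08-06 (20 records against a baseline of 5); clerk_b never exceeds the threshold.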
“Process/system failures” and “Employee negligence” obtained 29% and 14% of votes respectively. Randeep Rana, Head of Technology at HCF Insurance, spoke about how there needs to be a shift from reacting after the event to planning and prevention. Regarding the point of employee behaviour, most delegates said that from their observations, employees will click on external links irrespective of security training. It’s a kind of social reaction.
Following questions on challenges with security architecture and important security measures, the dialogue circled back to the issue of communicating the urgency of acting on escalating risks to senior management.
The consensus was that the case has to be made by the people who are aware of the systems and the environment, namely the ICT executives. But it has to be simplified and put forth in a language the business heads can understand.
Anecdotal evidence shows that the mentality of Boards is changing gradually. In 71% of the attendees’ organisations, the ultimate responsibility for security lies with the relevant Minister/CEO/President, which in itself is a huge step forward.
But in 28% of the organisations attending the dialogue the onus is still laid on CIOs, CSOs or Heads of Security. Moreover, 33% do not formally evaluate the effectiveness of their security spend.
Approaches to IT risk management are not changing fast enough. Cybersecurity is still frequently viewed as an IT problem. But it is a matter of business risk. A thorough risk assessment by an external third party could make all the difference, demonstrating the risks in lucid, easy-to-understand terms and providing undeniable evidence and the decisive push in the right direction.