The second instalment (report on first session) of the invitation-only OpenGov Breakfast Series Dialogue on the “Expanding Cyberthreat landscape in healthcare” was held in Melbourne on the 18th of August, 2016. C-level ICT executives from the healthcare sector across Melbourne came together in a room to have a stimulating, freewheeling conversation lasting over 2 hours. They shared their experiences and concerns, discussed possible solutions, different approaches to cybersecurity suitable for varying contexts. It was the perfect example of sharing and learning that OpenGov strives to enable and facilitate.
Mr. Mohit Sagar, Editor-in-chief of OpenGov Asia opened the doors and started the dialogue, asking who holds ultimate responsibility for security in healthcare organisations. In an increasingly dangerous cyberspace, with blurring lines between insider malice, ignorance and negligence, with ruthless ransomware attacks becoming a fact of life, who takes the call on what to do. The patients repose their trust, place their lives in the hands of the hospitals. Who is responsible for justifying that trust and steering the ship through choppy waters.
The natural reaction to the escalating threats can be to lock the doors and bury the key, by restricting internet access, strictly segmenting networks, keeping devices offline. But this might hamper constructive, collaborative work. The real challenge would be to ensure safety while integrating yourself with the connected world of IoT, cloud and big data.
Mr. Guy Eilon from Forcepoint talked about businesses moving to the cloud. Unfortunately, security concerns are not factored in at an early stage, resulting in significant over-run in costs in the long term. He also spoke about Remote users and the ubiquity of mobile devices. Organisations have no boundaries now and in such an environment, it becomes a real challenge to secure assets, regardless of location of data and users.
Mr. Eilon reiterated the problematic focus on external threats. Organisations spend over 90% of budgets, build higher and higher walls, trying to protect against external attacks. But hackers are becoming increasingly sophisticated. Metaphoric helicopters can airdrop malware right at the heart of our IT systems, rendering the walls impotent. The malware sitting in the systems basically behaves as an insider. In addition, there are insider threats emanating from users, who wilfully or unintentionally are responsible for 65% of data leakages worldwide.
He closed his presentation stressing the importance of getting the right security products for different needs and integrating wherever possible. But even with a common dashboard, there might be a limit to how many incidents can be realistically monitored. The ability to highlight the most important information to direct energies and attention is crucial in this scenario.
Mr. Lim Soo Tong, CIO of Jurong Health Services (JHS) one of the six clusters under the Ministry of Health, talked about the cybersecurity approach in the Singapore public health system. He underscored the urgency of cybersecurity, saying that you might successfully block tens of thousands of malicious emails, but it takes only one to get through a tiny chink in the armour and bring down the system.
Healthcare has been identified as one of the 11 critical areas in the public sector in Singapore and the standards and policies in Singapore health IT are constantly reviewed.
He also tackled the issue of network segmentation. His preference would be to provide controlled/limited access, with users allowed to log on to a dynamic list of accredited, white-listed sites, in contrast with blacklisting. They are also considering internet access through a secure, virtualised web browser. In the past, it was enough to ensure that antivirus signature is up to date and track failed login attempts. Now it is much more complex.
Mr. Soo Tong touched upon a Ransomware attack they faced. Thankfully, very few laptops and printers were affected and the fallout was contained easily. In his view, the operational risk from such attacks is more important than financial and reputational damage. In a hospital, interrupted operations are literally a matter of life and death.
Bring Your Own Device and Compliance
Mr. Soo Tong shared his mixed experience on initially permitting Bring your Own Device (BYOD). Security measures and policies were implemented but many potential gaps for data leakages remained. As mentioned in the previous session's summary, Jurong Health is considering revoking BYOD privileges by the end of August, 2016.
Mr. Nicholas Hobbs from Epworth Healthcare said that medical devices tend to lag a long way behind in terms of IT. Devices and technologies bought off-the-shelf from vendors need to be patched and they try to ring-fence but it is a difficult process.
Mrs. Sally Campbell from the Royal Melbourne Children’s Hospital recalled the early stage when YouTube etc. were banned due to concerns over productivity reigned supreme. But then as younger doctors started joining the workforce and bringing in all sorts of devices, they tried to put rules in place around the devices themselves and access to shared drives and the internet. But the thoughtfully framed, sensible policies approved through long processes proved difficult to implement.
Mr. Soo Tong described their approach as trying to minimise exposure. So, their network is isolated. Doctors’ own devices are read-only. They are not allowed to download material onto them. Admin rights are not provided on any systems to end-users.
But there are potential open doors everywhere. For instance, read-only restrictions can be circumvented by the simple method of clicking a photo. The doctor’s reluctance to comply partially stems from the obstacles imposed by regulations in the way of delivering healthcare.
The key question is how to obtain compliance. It just takes one person to disobey the rule. The challenge is to achieve that elusive balance between productivity and efficiency one one side and potentially stifling rules on the other.
Russel Withers from Western Health shared his prior experience in designing, building, commissioning and then running Fiona Stanley Hospital. They built a single firewall, a proxy service, mobile device management for BYOD, single network and all medical devices had to sit on that network. They had to comply with the structure of the network, its security protocols. Generic passwords were disallowed, use of USBs was restricted, encryption implemented. It was constraining. Vendors and doctors complained. But when a security incident occurred they were able to trace the responsible individual quickly and only one application service was down for a short period.
But here everything was planned and built from the ground-up, without the constraint of legacy systems. Working in a hybrid environment with a combination of old and new infrastructure and doctors not connecting to the controlled ICT environment is a much tougher trial for CIOs.
Mr. Withers said new developments are designed with the new, up-to-date IT infrastructure. That becomes the new starting point.
Cloud security and the comfort of redundancies
Earlier during the dialogue, Mr. Sagar had spoken about cloud security concerns, what is being parked where and for what reasons. What is the ultimate objective of moving to cloud?
The conversation now moved to detailing those concerns after Mr. Withers explained why they had chosen on-premise systems for Fiona Stanley. If an incident occurs, if public networks and medical information cannot be accessed and systems cannot be fixed because they are hosted off premises, then how can business continuity be ensured.
Several of the delegates expressed preference for redundancies in their networks and data centres. But they significantly add to costs and complicate design.
Backups to disks and older archives on tapes continue to be widely relied on, with copies stored on and off premises. The physicality is re-assuring but it might not be a viable long-term solution.
Mr. David Collier, CIO, Chisholm, Institute of TAFE, pointed out that the dedicated resources of cloud infrastructure providers are exponentially higher than those available to individual healthcare bodies. The implicit security from that cannot be matched by any level of redundancies implemented by hospitals.
He added the caveat that more standardisation is required and moving to the cloud has to be done with consideration of every single detail of processes. Ministers and bureaucrats must be educated and no corners must be cut on funding.
Another possible solution could be a private cloud, like the one used by the Singaporean healthcare system. A private cloud would provide better control, while leveraging the benefits of collaboration and flexibility.
Dialogue questions and discussion
The first question posed to the delegates was the same as in the Sydney session. regarding the main driver for their information security expenditure. The response was similar to the previous session with “Protecting critical assets from being compromised” garnering 66.7% of votes. Concerns were related to both preventing outwards data theft and inwards malware intrusion.
The next question on the most concerning security threats generated split response in the form of 30% for Employee negligence and 20% each for Insider threats, data and identity thefts and process/ system failures. These threats are inter-linked and have to be dealt with through an integrated strategy.
When asked about the most important security measures, “Data protection and data loss prevention” was at the top of the participants’ minds, with 70% voting for it. Data leakage might be happening without the ICT teams even being aware of it, either through malicious insider actions or malware sitting in the system. Such silent data leakage could seriously compromise operations and reputations.
During the subsequent conversation, it emerged that due to security concerns and differences and ambiguities in regulations, data sharing is limited across state jurisdictions. Old-fashioned calls are often relied on for getting out-of-state patients’ records. Even within the state, sharing health records between public and private sector healthcare is limited. There is also a problem with unique identifiers.
Currently, the Australian government is rolling out a national individual health record system, called My Health Record. As of August 7, 2016, 4 million people or 17% of Australia's population had registered.
A polling question on measuring effectiveness of security expenditure revealed that 50% of delegates’ organisations do not formally evaluate the same. Some do not track IT security expenditure separately. In addition, in 40% of organisations attending the dialogue the final responsibility for IT security continues to be laid on CIOs, CSOs or Heads of Security.
Like the Dialogue in Sydney, the conclusion was that Ministers, Boards and senior management must realise the importance of ICT and ICT security and dedicate enough funding. A large proportion of currently available funding goes to keeping the lights on.
ICT is evolving at an accelerating pace. The healthcare sector, like other industries is rushing to keep up. Silos are being smashed, systems being integrated. Certain aspects might be overlooked, wrinkles left un-ironed and holes left unplugged.
As threat proliferate and escalate, the ramifications of not taking action can be deadly. An attack on one hospital is an attack on the entire medical care system. It impairs public trust, which is essential for healthcare agencies and hospitals to continue doing their job, effectively delivering vital services.
Securing the environment is not about reaching a destination but rather an ongoing process, a never-ending journey. Predictive analytics can be used to discover vulnerabilities and patch them in time. Security can be made a part of IT infrastructure design. It is time to wake up and be pro-active, rather than reactive.