Adam Zoller, CISO, Providence
When most people think about security breaches, the images often conjured involve hospitals being offline for days, or ransomware taking down large health systems. And although those events do certainly happen, fortunately they tend to be few and far between.
The more urgent threats, according to Nick Culbertson, Co-Founder and CEO of Protenus, are seemingly “low-risk incidents” such as storing ePHI on a laptop that “tend to build up over time and actually lead to bigger incidents.” Individuals who get away with “benign” actions are more likely to continue to push the envelope and do more nefarious things, he said during a recent discussion, which also featured Adam Zoller (CISO, Providence), Chuck Christian (VP of Technology and CTO, Franciscan Health), and Nicole Brown (Director, Privacy, Office of Compliance and Integrity, Ann & Robert H. Lurie Children’s Hospital of Chicago).
It’s enough to scare even (or perhaps, especially) the most seasoned IT and security leaders, particularly given the fact that the likelihood of a minor cybersecurity violation is far greater than a headline-grabbing ransomware attack. And as more organizations migrate to the cloud, it’s not going to get any easier to protect data.
“We’re creating an ever-expanding threat landscape,” said Christian. With solutions, platforms, and infrastructures now available as a service, the attack surface is continually growing. “And we, in some cases, are making it easier for people to make mistakes.”
The other differentiator is access — a concept that has evolved significantly since the days of paper charts, according to Brown. Because EHRs are compartmentalized, users may not realize that even if they’re simply looking at demographic information, they’re still accessing Protected Health Information (PHI). “We have to explain what access really means in the digital age,” she said, noting that the experience has been eye-opening.
Nicole Brown, Director, Privacy, Office of Compliance and Integrity, Ann & Robert H. Lurie Children’s Hospital
Zoller agreed, adding that attacks that enter from within an organization can incur the most damage because they already have a foot in the door. “From a threat actor’s perspective, it’s much easier to take data as a trusted individual.” And it doesn’t have to be an employee; it can be a contractor, vendor, or anyone who touches the organization, noted Culbertson. “It’s not just about hackers. It’s all the insiders you have to be responsible for, because of the “unfettered access they have throughout healthcare.”
That access, combined with factors like human error or what the panelists termed “willful ignorance,” can make risk mitigation seem impossible. However, with the right people, processes, and tools in place, organizations can make major strides. Below, the experts shared best practices based their experiences.
Keys to Managing Insider Threats
- Leaders in lockstep. According to Christian, having solid policies — and people who are willing to enforce them — is key. In Franciscan’s case, it’s his top security leaders. “We work together to do that. And we’re in lockstep when it comes to physical and virtual access to the systems.”
- Good governance. For Zoller, having an “incredibly supportive executive team that takes security very seriously” has made a big difference. “We’ve set up governance structures within Providence to have conversations with individuals who accept risk around data security and cybersecurity for the entire system.” And it’s not just about cybersecurity; if an initiative poses risks in terms of data privacy or reputational damage, it becomes a discussion. “We have an open conversation, and the right individuals can make an informed decision as to whether it’s acceptable, rather than just coming from me.”
- Empowered CISOs. Although it doesn’t always go over well when security leaders have to veto an idea, it’s important they are empowered to say no — for example, a request to set up a VPN between a third party and another country. “There’s no way that’s getting approved because we inherit the cybersecurity risk from those parties,” Zoller said.
- Involving compliance. At Lurie Children’s Hospital, the research arm has embedded compliance officers on privacy and security committees who are able to answer questions and raise flags when needed. “We have a very close working relationship with them,” said Brown. “That has really helped us remain in compliance.”
- Lean on data. Zoller believes the key is in adopting an approach that’s realistic and driven by data. “Everyone wants to trust that their employees are doing the right thing, but not many are actually looking at what they’re doing with their data or with their systems.” And while no leader wants to go looking for a monster, it’s critical to acknowledge that the monster does, in fact, exist. Doing so can help boost understanding of “your risk posture as an organization and the proactive measures you’ve put in place to protect against adverse events,” he said.
- Cultivate relationships. When any measure is put into place that can hinder workflow — and subsequently, impact patient care — clinician pushback can be expected, according to Christian, noting that CIOs and other leaders are often perceived as being obstructive. “It’s a fine line,” he said. “The way I’ve addressed it is by forming relationships and making sure people understand that I’m not doing it just because I can. We’re protecting the organization; everybody needs to focus on that.”
PHI is “everywhere”
The challenge in doing that? PHI can be very difficult to locate, added Christian. “I don’t think any health system knows exactly where PHI lives.” What he does know is that “it’s everywhere,” including laptops, despite warnings from leaders not to save or store on any shared devices.
Chuck Christian, VP of Technology, Franciscan Health
According to Culbertson, “one of the things we often hear from CISOs and privacy officers is that it’s really difficult to protect the data if you don’t really know where all of it is.”
Finding it, however, is only half the battle — that’s where Protenus comes in. “We’re able to monitor access log layer events and determine whether there’s questionable activity in those logs that are indicative of a potential data breach or privacy violation,” he said.
Once PHI is identified, Protenus uses AI to help automate auditing capabilities and be able to predict and prevent incidents, Culbertson said.
Targeted education
The auditing component has proven to be critical, particularly for organizations like Lurie Children’s that periodically audit and monitor access to ePHI. Doing so alerts leaders to practices that may not violate HIPAA standards, but are “questionable from a compliance perspective,” said Brown. “It also allows us to create more targeted education and helps inform some of the actions we take in response.” The ultimate goal is to be “in a more proactive state,” which she believes will be achieved eventually.
What’s important to note is that, like so many other challenges in healthcare, mitigating insider threats can be approached several different ways depending on the needs of a particular organization. And what works today may not be enough in a few years, noted Zoller. “Systems are changing. We’re moving apps to the cloud. We have new tools at our disposal that give us visibility that we never had in the past.”
Nick Culbertson, Co-Founder & CEO, Protenus
The key, he said, is to “look at it from a cybersecurity angle. What am I chartered to protect? What tools do I have to protect it? Do I have the right data sources and visibility in the right mechanisms to act if something happens? A lot of organizations struggle with this.” And while all leaders want to believe their employees are trustworthy, it’s important not to bury your head in the sand, he added. “You have to have mechanisms in place to control for situations where data is being misused and systems are being inappropriately accessed, exposing you to external threats. It’s about balancing risk versus reward.”
And of course, education is a critical part of that — and not just for new hires, noted Culbertson. In fact, the most effective training occurs right on the spot when someone is found to be acting questionably. “What we can do is identify those early warning signs or benign behaviors, reach out to them, and point out what they’re doing wrong,” he said. By intervening, not only can leaders correct the behavior of that individual; they can also prevent future incidents from happening.
Zoller agreed, urging colleagues to implement preventative controls and detection controls to help keep users on the right path. “Treat insider threats the same as you would external threats,” he said. “It all has to be part of your risk calculus.”
Finally, leaders need to remember that security, like anything else, is “never done,” noted Christian. “Never assume you have everything buttoned up. You have to stay at it, and you have to be diligent.”
To view the archive of this webinar — Strategies for Mitigating Insider Threat Risk (Sponsored by Protenus) — please click here.
