While 15 months ago conversations revolved around a reactive response to the pandemic, talks now address the newest wave of digital transformation. According to David Logan, CTO Office for Aruba Networks, CIOs have come to his organization for help with undertaking new digital transformation initiatives and navigating network security.
A majority of Logan's conversations have centered around how health systems are expected to deliver experiences within their organization. According to Logan, the focus is on the system's constituents: anyone digitally interacting or benefitting from digital services.
"There's a whole set of experiences that all those different constituents need," he explained.
David Logan, CTO of Aruba Networks
Balancing security and usability has been a challenge here. According to Logan, it is a general tenet that systems cannot have adequate security and ease of use at the same time while delivering experiences.
Bring your own device (BYOD), a phenomenon that began about a decade ago, is an example of this difficulty in striking a balance. According to Logan, enterprise IT's reaction to BYOD devices, which were largely personal mobile devices, was to distrust them and keep them on a guest network.
Later on, at departmental levels of organizations, sponsored applications started to support use cases and experiences that require BYOD devices.
"How do you, from an IT perspective, write a security policy for a personal device using an enterprise app? You couldn't do that ten years ago. It just wasn't possible to mingle those two things together. And so, from Aruba's perspective, that's one of the problems that we set out to solve," Logan said.
When starting to architect a network where not all mobile devices are known, the first step is understanding how a human thinks about security policies.
"You have to start with a human-understandable concept. Map that into applications, map that into devices and users, and then you find that there is a source of truth in the enterprise for users, and it could be an active directory," he said.
According to Logan, it is integral for networks to take advantage of sources of truth. This helps determine the access or exclusion of systems and devices. Once lists are made for security concepts, the network can enforce a policy.
At the beginning of the pandemic, the immediate need was preparation activity for testing triages and patient treatment. According to Logan, no one knew how to scale this at an organizational or geographic level.
As contingency planning modes began, Aruba Networks' response was to have a set of software-defined architecture tools available to extend networks wherever necessary.
"We marshaled our own resources in terms of our supply chain, providing gear, expertise consulting systems, engineers to help do implementations, and also just serving as a sounding board for CEOs and their staff to prepare for the unexpected and then help them work through what actually happened," he said.
According to Logan, a software-defined network needs to be able to adapt to changing conditions. Whether they are mobile or fixed devices, known or unknown users, it does not matter. It is about allowing devices and users to identify themselves and, through security protocols, connect to the virtual network.
An example of this is an in-building wifi network for remote telehealth access. A provider can log in from a device, use authentication credentials, and access the same experience. While the user changes locations, the software-defined network extends to the remote location.
"Ultimately, a software-defined network architecture says let's abstract away the static concepts that we used to use. Still use them because, you know, we need interoperability. But let's make them software programmable... automatic. Let's make the user experience really easy... [and] mobility a primary outcome," he explained.
Extending the network in the new era, Aruba is revamping its supply chain and pivoting its manufacturing process to opt for physical products meant to be remotely deployed.
"That was really the only major change that we needed to go through to then enable our customer base to be able to react to the pandemic and build remote networks of any kind, of any size, in any location," he said.
According to Logan, the pandemic allowed Aruba to solidify architectures that will ultimately be more strategic in the long term. As healthcare organizations go through the cycles of mergers and acquisitions, it can be a challenge to integrate two different disparate IT networks.
While legacy architecture does not give much flexibility on merging two systems, software-defined architectures allow for reconfiguring a master architecture agreeable to both organizations.
"New capabilities can be extended to that acquired organization so that security can now be common. And then you can move into having operating models of network performance management and application performance management, common as well, just because of software-defined environments," he said.
According to Logan, 99% of the time, organizations beginning their journey for migrating network architecture with Aruba Networks already have a third party involved.
Because vendors will not replace everything, Aruba Networks helps its healthcare customers strategically look at their environment and decide the vital reinvestment areas. Over time, the augmenting of the environment in their architecture takes place.
According to Logan, Aruba Networks' founding intent and strategy are to operate on top of third-party environments seamlessly. This allows for customers to install software that works well on top of what is already there.
In hospital settings, many people are visiting and utilizing their mobile devices. Aruba has a way to authenticate these devices as well.
"It should be easy for a patient or family or a guest or a vendor to come into a healthcare facility and get easily connected to the guest network, which we all are operating these days, easily and seamlessly," he said.
Many organizations utilize portals or open guest networks. There are other options like a mechanism to register guests with temporary credentials fully. To have good user experience with guest-management systems, typical security and safety processes can prove cumbersome.
"If the cellular coverage in a building is good enough, the users aren't going to do it. They’re just going to use their cell provider because data plans are pretty cheap these days. A lot of organizations don't have good cell coverage throughout their entire facility. Getting easy access to a wifi network is a really nice benefit for these types of individuals," he explained.
Aruba is implementing a solution that partners with the cellular wireless industry, Logan explained. The program, Passpoint, is for enabled phones. With a wifi network supporting the Passpoint protocol, the device can authenticate carrier networks.
Aruba Central, the cloud management and service platform, has been forming relationships with carriers. Therefore, end organizations and health systems can subscribe to the Passpoint authentication service to enable the safe usage of personal devices. Currently, Logan said, Aruba Networks has a valid subscriber relationship with Verizon, AT&T, and T-Mobile.
This aspect of organizational services is federating networks through a third party, using carrier trusts.
"This ability to federate user knowledge and subscriber knowledge and security policy knowledge from one party, but then allow access into another party's environment [is] this Federation process. This is what's going to drive innovation over the next ten years," he said.
Logan believes that federation and orchestration will be the two keywords making innovation happen.
Several hospitals have recently been taken down by ransomware. There are two angles to address: risk management and security architecture.
According to Logan, every organization has a digital and non-digital operating culture. Its ability to fall back into a non-digital process can reduce concerns about security architecture.
"It really does come down to first asking and answering the question of how critical are specific digital processes and digitally-enabled functions to our day-to-day practice. Be methodical and analytical about it," he said.
Because of the needs of digital processes like telehealth and hospital-at-home, digitally-enabled telemetry active control systems are necessary to ensure care is within the protocol.
"There are going to be plenty of environments where it's simply not possible from a risk management perspective to ignore the possibilities of the network being used to attack the infrastructure and deny service," he said.
From a security architecture perspective, Aruba applies segmentation as a strategy for the network. According to Logan, by using finer-grained policies and adding this segmentation, the network will be less permissive.
Environments need to be non-permissive to ransomware. This happens when the ability to execute reconnaissance in the environment moves laterally, Logan said.
It is a frightening concept that someone can take down an entire system through a click in an email. Aruba Networks Healthcare has used concepts like role-based access controls and escalating privilege management through multi-factor authentication in previous years.
With increasing financial motives for attackers, there is a need to take action, said Logan.
"The potential rewards are so great that we really just don't have a choice anymore as IT professionals. We have to create a multi-layered security architecture network application, endpoints detection, response, and the like," he said.
The country has been experiencing cyberattacks for the last 20 years, but the rise of cryptocurrencies is making ransoms and extortion a more lucrative practice. With the increasing pay-off potential, the cybersecurity risk in healthcare has escalated, with bad actors looking to make a profit.
Mitch Parker, CISO of IU Health, spoke with host Bill Russell about the foundational aspects of cybersecurity programs. Located outside of Indianapolis, Indiana, IU Health is a 17-hospital system with various outpatient facilities; their lifeline ambulance service also covers the entire state. The health system is affiliated with the IU School of Medicine and its campuses, where they work towards advancing their communities’ health and well-being.
Because many networks have not been updated since the XP service pack in 2004, bad actors can more easily hide their origins and actions, Parker explained.
"We need to look at what we're doing, how we're doing it, look at security better, and, honestly, get rid of a bunch of legacy applications that we have that open up our networks to make it so easy for a lot of these people to succeed," he said.
The Biden Administration has put in place an Executive Order to fight against cybersecurity risks, including in healthcare. There is increasing pressure to adhere to certain guidelines for software vendors selling to government agencies. According to Russell, these criteria would require suppliers to keep their software operating at specific security levels.
Parker is concerned that the follow-through on the order will take a significant amount of time and effort.
"To make that executive order succeed, we have to put people in place in CISA, Homeland Security, and HHS to really ramp up what we're doing very quickly. And that's going to be a significant challenge," he explained.
For healthcare to efficiently address cybersecurity risks, systems need to rethink their applications. According to Parker, it is not an EMR vendor like Epic or Cerner that poses an issue. Instead, small bespoke apps, which complete tasks that EMRs cannot, can be unsecured. Additionally, things like the 21st Century Cures Act with FHIR APIs are opening the door to cyberattacks.
According to Parker, the first step of the process following a breach is to start at ground zero by assessing the risk within the organization. This is done by interviewing employees, understanding the environment, and performing a quantitative risk assessment.
"One of the big challenges you find in security is that the issues aren't where you think they are. You have to do deep analysis and deep research," he said.
This detailed analysis goes to senior leadership teams to determine what issues need to be first addressed.
"You are basically telling your leadership that this is the path we need to take forward. I'm going to need cooperation from your entire organization. These are the goals we have to meet as defined by the assessment. And these are the changes we're going to have to make," he said.
Parker explained that this process is collaborative. However, health systems utilizing contracting outside help may struggle as consultants are not intimately aware of the business.
"You have to do that first as part of your risk assessment before you do anything else. Because if you try putting anything in with security that doesn't meet the customer's needs or doesn't meet the business's needs, it will get thrown away," he said.
A common risk in most healthcare systems' cybersecurity is lack of due diligence, according to Parker. He explained how this leads to detriments of systems and a lack of security overall.
"Security has to be more pervasive than it ever was, and it needs a different type of professional than it did 15-to-20 years ago to make this work. And in nowhere is this more relevant than healthcare," he said.
Some health systems have set their CISOs as peers to the CIO. Parker explained the need for this model varies depending on the structure of the individual organization. However, also according to Parker, security needs to be a quasi-independent function within any organization.
Quantitative risk assessment should inform cyber program funding, Parker explained. The funding is the function of a long-range, strategic IT plan, according to Parker, and security should be part of every project and internal process.
Mitch Parker, CISO at Indiana University Health
"The amount of funding security gets needs to be commensurate with the ability to protect the assets, people, processes, and technologies that you're utilizing to facilitate the long-range plan for you," he explained.
Five to ten percent of an IT budget should be focused on security and its measures, Parker explained. He gave this helpful guideline: the security budget should be built into the ROI of every major project.
However, Parker's most pressing concern is when ROIs get cut on long-term projects to look better and have a higher investment. Cutting cybersecurity measures out of your health system's project ROI is one of the biggest risks.
"We need to have leadership that says you're going to have the security as part of your project costs. You're going to have the proper operational staff as part of project costs... The second you have a data breach, your ROI is going negative," he said.
It is possible for small, rural health systems to keep pace with the sophistication of cyberattacks, according to Parker. He explained how managed security providers can help support a small-to-medium provider. However, there needs to be a shift in order to create access to more extensive features, which larger providers utilize.
Managing third-party risk is a critical role for the security team to consider, no matter the size of your health system. According to Parker, there is a need to have a team dedicated to risk assessments like HIPAA and PCI.
"I don't care if you're a small community hospital in the middle of Nebraska or one of the larger health systems; you’re going to take credit cards. You have to make sure you maintain some degree of PCI compliance or, if not, outsource it to someone that will," he explained.
Furthermore, security needs a strong operational team to keep services dispatched and check up on vendors. Additionally, a security operations team would maintain equipment.
Looking towards the future, Parker desires to see advancement in medical device security. When not working at IU Health, Parker partners with the IEEE Underwriter Laboratory Group, trying to create the standard for the internet of medical things.
By looking at trust, integrity, privacy protection, safety, and security of IoT, devices, data interchanges, and architecture can be more secure. According to Parker, an architecture-level and engineering-level solution would provide significant traction.
An important aspect of this process is talking about security as it works with the rest of the delivery organization and how to integrate it more with privacy.
"Ultimately, security is an incredibly good function. We align with the mission and values. We love doing what we do. However, we need to have that 'force multiplier' to be able to be more effective. And that is working with our customers and more of a cross-disciplinary matter," Parker said.
Ten percent of health systems said they did not have rudimentary security controls like antivirus protection and firewalls, in the HIMSS 2020 cybersecurity survey. With growing concern for cyberattacks, Ryan Witt, Managing Director and Resident CISO at Proofpoint, and Julie Hubbard, VP of Enterprise, IT, and Information Security at AMN Healthcare, addressed supply chain cybersecurity risks and Proofpoint's solution against phishing threats.
Julie Hubbard, VP of Enterprise, IT, and Information Security at AMN Healthcare
Conversations have sparked following cyberattack incidents at several health systems and new rules from the Biden Administration.
"I'm now seeing a change where people are starting to talk about security and patient safety in the same conversation... And they're now realizing they have to go hand in glove," she said.
Witt explained that healthcare has been under attack for years; while he wishes these latest breaches were the inflection point to spark change, he knows action could have started with the WannaCry ransomware attacks in 2017.
"I hope healthcare learns from it. I suspect maybe we have to go through this cycle a couple more times before we truly get it," he said.
With 53.7% of malicious URLs originating from legitimate file shares, attackers must infiltrate organizations and become increasingly sophisticated.
Attackers focus on security knowledge to determine vulnerabilities in network design or un-deployed patches, Witt explained. Additionally, there is an altered approach to phishing attacks that is fixated on social engineering. Those behind cyberattacks are willing to take their time; after breaking into file shares, they observe and navigate the network secretly to distinguish the best ways to attack.
Bad actors can be in networks an estimated six months before discovery, potentially even impersonating supply chain vendors to develop a connection. Then, when the time is right, they will send a phishing email from a seemingly legitimate source.
"They're hanging out on one of your fellow chairs for six months. They are observing your activity. They're reserving your organization before they decide they want to strike," Witt said.
Supply chains are increasingly a target for cyberattacks and hackers because they present a higher financial incentive, according to Hubbard. By compromising one vendor, phishing attacks can be sent to unlock information of other systems. Additionally, supplier risk management is often a neglected area--something she has discovered through AMN Healthcare questionnaires from partnering companies.
According to Witt, another factor is that phishing attacks by nature are reliant on unsuspecting e-mails. For example, if an email comes from within the organization and penetrates a business associate, they can pretend to have a business relationship with others.
"That's all they need. As the old saying goes, they just need to be right one time. The defender has to be right every single time. Where that guard goes down, they have an ability to attack more aggressively," he said.
Ryan Witt, Managing Director and Resident CISO at Proofpoint
For successful phishing, hackers often befriend victims over time to build relationships. By the time they make their move, the request can seem natural.
"By the time that sort of email or request comes through, it appears to be natural because you think the person you're talking to works with the supplier you're working with. It appears to be a very natural sort of requested conversation. So in many cases, you just don't think anything of it, and you just do it," he explained.
According to Witt, as long as hackers have credentials, they can read emails. Thus, within the estimated six months of hidden activity, attackers hold a valuable foothold within an organization.
"If somebody is in your network undetected for six months, this is essentially the equivalency of them living in the closet of your spare bedroom for six months and observing your family... You could imagine the impact that would be on your household. There's a similar impact happening to your institution," he said.
According to Witt, Proofpoint starts at the email gateway. Most attacks come from emails or other messaging channels, and a sophisticated gateway can block 90% to 95% of suspicious messages from users. Another critical security component is introducing DMARC capabilities for authentication for fraud defense.
Isolation is a valuable piece of technology to keep interactions in bigger supply chains within a containerized environment. According to Witt, this minimizes risks related to downloading documents, clicking on links, and using third-party cloud applications.
"Technology is an important part of the component. Training's also important, but you can't train your way out of this. I think your best sort of safeguard here is to make sure that as much of this traffic does not get through to users. So you're not forcing them to make a judgment call," he said.
While training is helpful, it won’t eliminate 100% of phishing attack success. According to Hubbard, Proofpoint helps their company by giving intelligence on how phishing attacks happen and who is targeted. This allows for customized training for high-risk individuals, increasing value and decreasing risks.
"Don't underestimate the power of what Proofpoint can bring to the table, which was very helpful to us about people that we would not have thought would have been targeted in our company. And they are, so now we're putting extra training in place to protect those individuals," she said.
According to Witt, there is strong insight and research into who is attacked on a personal and departmental level. By looking at departments, new controls can be put into place.
Last year, Proofpoint warned hospitals in the New York Metro about cyberattacks by the Hafez organization. With this information, they helped institutions put controls, training, and other procedures in place to mitigate attacks.
"We're not going to achieve the gold-standard cybersecurity for all parts of your organization. That's just not practical from a budget standpoint or from a resources standpoint. But if you can figure out what 10% of your organization is more vulnerable because of their job functions, then you can layer in extra controls and have a much more reasonable approach from a budgetary resources dashboard. I'm going to defend these particular places," he said.
The first step to building a foundation to protect against email attacks is starting with technology. According to Hubbard, Proofpoint gave a list of resources needed.
Another integral step is finding a partner to protect emails. AMN Healthcare worked with Proofpoint to slowly build their partnership.
"Now, it's actually easier for me [because] I have a lot of capabilities within one vendor," she explained.
With Proofpoint, they have a protected email gateway, insights on deflected attacks, built-in training, phishing campaign management, and other tools.
Five years from now, the best-case scenario is no longer having the same conversations. According to Witt, it is achievable and comes from investing in e-mail.
"It's not like other industries where we're waiting for roadmap developments to bring next-generation solutions to the marketplace. What healthcare needs to acquire is readily available today," he said.
According to Hubbard, a challenge of this process will be defending this front.
"There's going to be a new avenue; that’s going to be a new foothold. And the challenge of sitting in this chair is that they're not just coming at you from one angle. And even though that's the number one angle, you've got to keep your eyes on the ball," she said.
Rubrik Principal Architect Bill Gurling, Sirius CTO Vik Nagjee, and Chris Knapp (System Engineer) and Brian Farmintino (System Infrastructure Manager) for New Hanover Regional Medical Center discussed the importance of cloud data management strategy and Rubrik’s cloud-based solution with host Bill Russell.
Vik Nagjee - Healthcare & Managed Services, Sirius Computer Solutions
Rubrik is a cloud data management company. According to Gurling, the philosophy is security and resilience at the point of data, which he believes brings significant value to customers.
When the company interacts with protected data sets in a cloud platform, they utilize API-driven integrations for security data protection and resiliency. Customers appreciate this because it can operate on hybrid and multi-cloud environments, Gurling explained.
Rubrik allows customers to have a multi-cloud environment, multiple data centers, and various environments and can be applied with similar data tiering data, security models, and frameworks.
“We've got a control plane that actually lives in SaaS, and you can link that control plane to things that SaaS would naturally interact with,” Gurling explained.
As explained by Russell, Rubrik is not a security, DR, or automation platform but has those elements built into it. Essentially, it is a classification data management platform providing these additional services.
"We're trying to just produce additional value drivers out of this object or this capability that our customers sort of felt like they had to have," Gurling said.
Now, according to Gurling, business value can be extracted from these factors, as it can be automated for test development or rapidly orchestrate ransomware recovery.
"All of a sudden, it goes from a sunk cost to a value driver. And that's really what we're trying to do as a company, take this idea of data protection expanded across all of these boundaries and turn it into a value driver instead of a call center," he said.
Addressing ransomware, security at the point of data is a significant driver for their value, according to Gurling. Rubrik was engineered where the file system is immutably built to the lowest primitive, extending to the file system layer where APIs do not accept any override.
Chris Knapp - Systems Engineer, New Hanover Regional Medical Center
More than this, the software utilizes metadata to track good patterns in the data set. This allows them to detect anomalous behavior. The end-user is alerted if an abnormal pattern is detected, provided with the blast radius (what has been affected and the last known good point of data), and given a workflow for rolling back and recovering data.
One health system that has taken advantage of Rubrik’s offerings is New Hanover Regional Medical Center, a not-for-profit community hospital located in Wilmington, North Carolina. The team supports multiple hospitals and medical practices. According to Farmintino, when the hospital began its cloud journey, they were inexperienced. Deciding to jump into the process anyway, they soon realized the need for assistance.
"We realized that this is new to us, and we really need to partner with a vendor to help us, at least guide us through the basic foundation and the processes that just we weren't familiar with," he said.
One of the first steps was developing a Cloud First Strategy, according to Farmintino. These benefits allowed for increased ability to serve bursts in demand, as well as exceed provision capacity. An additional goal was to shift IT personnel from managing data to concentrate on higher-value tasks.
Bill Gurling - Principal Architect, Rubrik
They worked with Amazon Web Services (AWS), according to Farmintino, because of a previous project using Alexa, which had been a huge success.
"That was the kickstart to reducing our data center and getting our IT staff thinking in a different way. It was the start of our journey into the public cloud," he explained.
As the hospital continued to acclimate to cloud computing, they moved environments into AWS with the hope of increasing their cloud footprint.
According to Farmintino, his team is becoming increasingly agile and is developing skills to help the organization become a multi-cloud environment.
A governance strategy is needed first when looking at the challenges companies have experienced with a data management strategy in a multi-cloud environment, Nagjee explained. This runs parallel with data management and data protection strategies, which focus on safely backing up and restoring data.
According to Knapp, when his team first began searching for a new backup solution, they wanted something easy to use. Additionally, he wanted something that started the organization's cloud journey to leverage cloud functionality to offload workload and storage issues.
While the team experienced a long proof of concept (POC) to validate older systems’ overall functionality, after receiving hardware, they were "racked and stacked" in four hours, according to Knapp.
Nagjee, who runs large managed service programs around EHR, has found Rubrik works well in this environment. The first thing a cloud-based solution needs to be able to do is protect data across all systems.
The protection of data is paramount, according to Nagjee. However, recoverability is also integral if bad action occurs. As teams address this, building automation and orchestration into the workflow is another step.
As for service provider challenges, they must not have inefficient processes that require a lot of manual intervention, nor require team oversight to address one-off concerns.
"When you have a platform like Rubrik that was built for the cloud, you can take advantage of what it offers, that you may not already have, in your regular day-to-day operations," Nagjee said.
According to Nagjee, these additional features allow customers to optimize COGS (Cost of Goods Sold) and be competitive on pricing.
Being built and designed from the cloud, the platform can be flexibly scaled. This means the software can be applied to various environments, regardless of size or complexity, according to Nagjee.
Automation is another aspect of the Rubrik platform. It is offered because it is part of the user experience and approach to data protection, according to Gurling.
Hooks and integrations are provided for customers to extend and integrate deeper into their environments and processes. Gurling explained customers can enter at any level of the stack. This flexibility is a large part of their philosophy.
When there are mergers and partnerships, Rubrik works as a strong tool. According to Gurling, a reason for this is because of affirmation automation. Their ability to come into any workflow through automation is helpful for daily managing, operating, monitoring, reporting, or altering.
Regarding cloud initiatives, Rubrik describes themselves as a bridge to the cloud, no matter the level of skill a customer is at, according to Gurling.
"The whole idea is just being flexible and multifaceted and really trying to do one thing well, which is tie data sets together and provide insights. I think it goes over really well during M&A [mergers and acquisitions] type scenarios," Gurling said.
To learn more about this episode of This Week in Health IT, watch the full interview at www.thisweekhealth.com.
Tess Kellogg – Editor-in-Chief
Katie Talpos – Staff Writer