This Week Health
November 7, 2025

“The Right Gates and Moats”: Sahan Fernando on the Never-Ending Battle CISOs Face

Information security, like so many components of healthcare, has seen quite a shift in recent years, with the focus evolving from “how do we keep threat actors out, to how do we manage systemic risk related to technology,” according to Sahan Fernando. 

For CISOs, that means not just being up-to-date on the latest threats, which are constantly changing. It also means being able to communicate the importance of implementing security measures – and the consequences of failing to do so. 

“Availability is core for us as providers,” he said. “If we can’t provide that, that’s a risk that really bothers me.”

During a recent Unhack the Podcast, Fernando spoke about the philosophy that he has adopted at Rady Children’s, breaking down how his team is addressing some of the most pressing challenges for CISOs and other leaders.

The other ‘P’ in HIPAA


The ability to safely and securely share patient information is important across healthcare, but for pediatric organizations, the stakes are higher. “The community aspect is so critical in our sector,” he said. “At the end of the day, we’re not competitors. We’re all in this together.”

Fortunately, Epic – the organization’s EHR vendor – has been pushing hard to advance portability, which is fraught with hurdles in pediatrics, especially when state lines are crossed and different regulations factor in.

“This is an active discussion topic among CISOs and privacy officers,” he noted. “How do we do this in a way that we're not violating another state’s laws?” Fortunately, more organizations are leveraging CareLink and similar strategies to facilitate care coordination and push for better outcomes. “We need to think about how we empower patients to have more agency over their data and records, and more ownership of their care plan. I see that as very empowering, and I hope that continues to play out.”

The retention question

One of the sticking points that Rady – and countless other systems – has run into is data retention. Although his team has the option of rolling off data when patients turn 23, as per Epic’s policy, they’ve opted to hold onto it.

“We have a business records retention policy that is completely separate,” Fernando stated, adding that the email communications have separate guidelines. Complicating matters is the fact that a growing number of organizations are using AI-powered tools to create transcripts.

“There’s some risk there from a legal standpoint,” he added, particularly when it comes to unstructured locations like email and chats. “If you can’t prove that they didn’t go through, then all the records are considered in scope, and have to then be reported to OCR as breached.”

And that, according to Fernando, can escalate a situation quickly. “If you have a trauma coordinator who sent out a spreadsheet of 600 patients, that can add up very quickly over a few weeks.” In fact, it can incur as much damage as a ransomware attack in terms of lost revenue and other costs. “You could be talking about millions,” particularly when considering the costs of corrective actions and plans that would need to be deployed.

Getting proactive

This is where meticulous planning can make a big difference. “If you’re doing drills and informing your stakeholders of potential risks and how you would manage them, it's less of a surprise,” he said. “You need to have alignment from the beginning on the what, why, and how.”

Some of the steps his team has taken? One is ensuring certain tasks are pre-authorized, which can help expedite the remediation process. And if critical conversations haven’t yet occurred, “you need to ensure you have the right people on the call to ensure everyone knows what you’re doing. What’s the impact and who do you need to speak with about how that cascades down in terms of the staff and patients,” he noted. “That’s a big part of the CISO role.”

In terms of mapping out procedures, teams need to know if and when they can move to downtime procedures and how patient care will be affected, as well as the process for contacting patients and family members. “There’s so much nuance there,” Fernando said, emphasizing the need to clearly communicate plans long before an incident occurs.

Pursuit of perfection

Given the uphill battle security teams are fighting, a comprehensive, overly cautious strategy has become a must. For example, while the dwell times of bad actors following a breach have shortened, the impact they can have has increased, which is why his team will continue to up its game. “We have high-fidelity telemetry, alerts and detection controls in place,” such as forcing bad actors through high-visibility channels. “Through these stealthier tactics, we have more opportunities to reduce dwell time and impact,” he said. “That’s part of our philosophy – to make it harder for them to do the low-cost stealthy stuff, and easier for us to catch them.”

The reality, unfortunately, is that the bad actors will never quit. And so, while administrative controls can go a long way toward stopping the spread, it’s the technical controls that can make a true impact by preventing incidents. “We need to think about how we can ensure we’re putting up the right gates and moats and other defenses while letting the right stuff get through.”

Of course, it will never be a perfect science. But with patient lives at stake, perfection is a goal his team will continue to pursue. “With technology and security, things are always changing, and so you don’t get to just sit complacently on certain things and say, ‘well, we solved that.’ There’s always a new challenge to address.”

And Fernando, like so many CISOs, wouldn’t have it any other way. “You can still be satisfied that you’ve done a good job with the resources allocated and still have that pursuit of perfection,” he said. “That’s part of the fun – how we make it as good as possible.”

Meet the Author

Kate Gamble

Managing Editor - This Week Health

Kate Gamble is the Managing Editor at This Week Health, where she leverages nearly two decades of experience in healthcare IT journalism. Prior to joining This Week Health, Kate spent 12 years as Managing Editor at healthsystemCIO, where she conducted numerous podcast interviews, wrote insightful articles, and edited contributed pieces. Her true passion lies in building strong relationships with healthcare leaders and sharing their stories. At This Week Health, Kate continues her mission of telling the stories of organizations and individuals dedicated to transforming healthcare.
