John Gomez is CEO of Sensato of Asbury Park, NJ.
Tell me about yourself and the company.
Security has been a huge passion for me. It’s something that I was involved in earlier on in my career and then drifted away from and most recently got back into. Sensato is an outcome of that passion.
The unique part of Sensato is that it focuses specifically on healthcare cybersecurity and privacy, the entire ecosystem of healthcare and healthcare information technology.
How would you characterize the current state of security in healthcare?
It’s scary overall. People are trying, but healthcare is unique. I’ve talked at industry events outside of healthcare in finance and telecom, and when I talk to people about healthcare, they are often shocked about the challenges that a CIO faces.
When I put it into context for people, the average hospital has 300 to 400 systems between HR, finance, and clinical systems. Then you lay on top of that security like webcams and remote door controls and patient access systems and things like that.
It’s just such a huge attack surface for security that for it not to be overwhelming to any CIO would be surprising. That translates into what many would consider a target-rich environment, which translates into a lot of fear.
The Sony Pictures breach proved that any organization is vulnerable if someone decides there’s incentive for them to get into your systems. The FBI had already called out healthcare as being specifically targeted because PHI is valuable. Does that raise the stakes or the level of urgency to do something?
It does in some. If we step back, there’s multiple layers of cybersecurity and cyberterrorism. One area that we don’t talk a lot about is cyberwarfare. The challenge, and I think we’ll probably hear more and more about this from the Department of Homeland Security and the FBI, is that PHI is very valuable and very important. The challenge we have seen with Sony it that it’s almost cyberwarfare, where a foreign state attacks a corporation.
It opens your eyes to the fact that what if through cyberwarfare, hospitals, physician practices, labs, clinics, or retail pharmacies were attacked? What could be done there? It is scary when you think about the amount of systems in healthcare that are Unix-based and how many hospitals still run XP. Sony becomes wake-up call to what can happen if a foreign state decides to target the infrastructure of another country.
If someone wanted to cripple a hospital’s systems, what are the odds they could do it?
I would say it’s extremely high, whether it’s cripple the system or compromise it. The challenge of hospitals is to embrace patients and provide access to family members, that sterile vs. community-and family-oriented-environment. It does open them up to threats.
Also the entire concept that somebody that is disgruntled, whether that be a patient that feels that they were done wrong, a family member who was treated wrong, or an employee. In many communities, hospitals are the largest employers. That opens them up to a lot of challenges.
I get worried about stating things like this because I don’t want to give people ideas, but hospitals are extremely vulnerable in my eyes. I don’t think it would take much to compromise most hospitals, whether that be through electronic attack or a physical attack that leads to an electronic attack.
Physician practices don’t have a lot of security resources or corporate support, while hospitals have richer data but are better secured. Which is the bigger target for hackers?
If you step back for a moment and you look at the dynamics of what’s occurring in our industry, as physician practices are becoming more involved in patient engagement and putting patient portals out there, they’re suddenly going to become much more vulnerable. In the past, they didn’t have exposed systems. You had to get in the office to launch an attack in most cases. Maybe they’re doing some faxing and things of that nature, but today a lot of physician practices either have hosted systems or patient portals.
The challenge there is a lot of these practices also have affiliations with the hospitals and pharmacies. As we start to increase the concept of population health and coordinated care, we’re having more and more of the healthcare population touching electronic systems. The vulnerability of going after a small physician practice and that launching into an attack inside of a hospital is becoming very real and very possible. It’s a scary thing that as we’re doing the right things to provide tools to our caregivers to help them do much better quality care for patients, we’re also vastly increasing the vulnerability across the spectrum of care.
Are the tools sophisticated enough, even if employees themselves aren’t, to prevent someone from clicking a link that installs malware that compromises entire systems?
Probably the biggest weak link is the employee or the user. They click on something or download something and it becomes an exploit. There are tools out there, but the reality is that as we learned long ago, a good offense is your best defense. Educating employees, making sure they’re up to speed, and putting policies in place that hopefully restrict them make a ton of sense.
The challenge in this industry is that we do things to make things easier without realizing the ramifications. For example,a lot of hospitals use a “bring your own device to work” or “bring your own device” policy for the physician. That’s probably one of the easiest, fastest ways to become compromised. You have devices that you don’t know what’s on them. You have no clue what that clinician has loaded on their personal device and what that can do to your network.
It becomes scary when you start thinking about other secure environments. No other real secure environment with so much at stake like healthcare would allow a “bring your own device” kind of strategy, but yet we do it. That translates into a weakened posture overall.
Sony Pictures failed to enforce basic security steps, such as not allowing massive data downloads or remote, anonymous e-mail logins. Is the average hospital prepared?
The challenge to hospitals or Sony or whoever it may be is that there are a lot of myths or a lot of beliefs that “this is good enough.” There are a lot of myths about security and a lot of things that people believe make them secure, when in reality, they don’t make them secure or they don’t truly provide the coverage blanket that they need.
For example, many hospitals will hide the name of their wireless access points, their SSID. They think if you can’t see my SSID, you can’t see my wireless access point, so I’m secure and people can’t get to my wireless unless it’s a guest wireless network. That’s a myth. The reality is that within 5 to 10 minutes you can figure out a hidden SSID or a hidden wireless access point. From there, you can launch a “man in the middle” attack.
People take the basic steps and don’t realize those basic steps don’t do enough for you. In many cases, they don’t even take the basic steps, like not blocking anonymous email accounts or blocking or whitelisting certain websites or IT addresses. People just don’t know. They believe that they are doing everything they can and they don’t realize that it’s just not enough.
The attacks against Sony weren’t as sophisticated as everybody thinks. They were basic attacks. That’s scary because that continues to show that Sony just didn’t do enough to harden the environment and could have done some very, very simple things to get a much better return.
For many organizations, especially in healthcare, you feel more secure if you put things like DLP, firewalls, and intrusion detection in place, but then you forget that there are some really basic things you need to be able to deal with and do. If you don’t do them, you are susceptible to attacks.
How does the security exposure change if a hospital moves its EHR to a hosted system? Is it good, bad, or just a different set of issues when not running servers in a local data center?
It’s different issues. A lot the insecurity we see originates with the vendors. A lot of the products that have been developed in healthcare are old products — 10, 15, 20 years old in some cases — and never had to deal with these threats. Suddenly the base code, base logic, and approaches are moved to different environments, such as the cloud. We find that now they’re susceptible to attacks. The issues are a little bit different because we now are placing systems into environments that they may not ever been designed to support or designed to secure.
Certainly I don’t think you are more secure one way or the other. It’s a whole bunch of different issues. You really have to step back and start thinking about how is this designed and am I exposing something new or not exposing something new.
Heartbleed and the Sony Pictures breach were calls to action. How are healthcare users reacting?
Things are being divided into two battle lines. There is one group of people that are thinking that Sony’s an example of if somebody wants to get to you, they’re going to get to you. There is nothing you can do about it, so why bother? Which I think is absolutely the wrong approach, especially in healthcare, because ultimately a bad enough breach could cost somebody a life.
The other side of the equation, which I think is understandable and more appropriate, is that Sony is creating a very serious wake-up call for a lot of people in the industry. They are saying, I think I’ve done everything I can, but what more can I do? Because obviously there is always a way in. How do I continue to close down those opportunities to people?
There is a distinct parting of the ways. My hope is truly deep down that more and more people take the “what else can I do to protect the people that I’m responsible for, my employees and my patients” and less and less people take the “there is nothing I can do — eventually they’re going to get to me if that’s what they want.”
How does a provider make the decision as to where to focus knowing they can never be 100 percent secure?
There are some clear strategies and best practices around, how do I keep myself on top of things? How do I continually refresh my intelligence so that I can minimize the attack surface and the threats? What I would tell people — and we don’t do some of these things – is go to managed care. Think about outsourcing your security team.
The reason for that kind of stuff is that the space is so complicated that you want people who are continually the best of the best looking at your systems and looking at your security strategy on a continual basis and looking for things that digital protection strategies can’t capture.
The other thing is rotating who is doing your assessments and penetration tests. If you’re always using the same organization to do your assessments and your penetration testing, chances are your going to get the same results or very similar results over time. Mix things up. Try to use different assessment organizations and strategy consultants around security. The more you can do to get different people, different organizations to look at what’s going on in your environment, the more perspective you’re going to get.
There are a lot of people out there who are doing these kinds of things. There are a lot of good people and a few great people. The more you can change up the people that your working with and partnering over time, the better chance you’re going to find great people who can say, here’s something that you didn’t think about and you need to address it because it’s a big, big problem for you.
The other thing is as organizations are looking at their security strategies is there seems to be a separation of church and state in the hospitals. The CIO is looking at technology systems and then you have the physical security people who are looking at things like cameras and remote monitoring of infrastructure. Those two teams need to come together.
We need to learn that from a hacker’s perspective, the hospital is one big target, whether they are coming from a physical attack and place a USB drive on a machine and gather things or hack your remote cameras or directly go after your patient portal, EMR, or lab system. To the hacker, it’s all one thing. Within the hospital, it’s important that cybersecurity and physical security worlds come together and think about a cohesive and holistic strategy.
Health systems worry about international hackers, yet run unencrypted laptops. Would you focus more on employee and guest defenses that are based on physical security?
I would take a leapfrog strategy where I would try to cycle through things if I were the CIO responsible for hospital security. I would try to cycle through things where there’s a period of time where we focus a lot on end user education, minimizing end-user disturbance of systems, and thinking about how do we minimize that threat. Doing things like we need to encrypt our laptops. We need to or catalog our data at rest because we don’t know what’s really out there and scan for data at rest. Because that is a big vulnerability and that’s something that an employee is going to walk away with and now we’re at risk.
The second cycle is to keep thinking about is there a external threat that’s going to compromise this, and if so, how is that going to happen? The challenge to a hospital system is that it’s such a big target compromising so many different areas.
You’ve got to continue to look at both sides of that equation. If you could cycle back and forth and say, look at the human element of this and what’s that threat from inside the four walls and what’s the external threat, it probably would pay dividends over time.
Do you have any final thoughts?
Some short, quick hit strategies. Educate boards let them know what’s going on. Don’t be scared of what’s occurring. Like anything else that’s big and scary, it’s better off to face it and be very aggressive about it and deal with it. At the end of the day, nobody is ever going to regret trying their best. The only thing that you’re ever going to regret is not having tried your best.
In this world, given the stakes of patient lives, it’s something that’s important that those in charge of cybersecurity and physical security in hospitals do everything they can to try and minimize that risk.