Dan Dodson is president of Fortified Health Security of Franklin, TN.
Tell me about yourself and the company.
I’ve been in healthcare for most of my career. I have always been inspired to give back to healthcare and patients. I have an MBA in health organization management and have always been intrigued at the concept of using my business degree to help provide better patient experiences. I’m blessed to do that at Fortified Health Security.
We are a cybersecurity company, a managed security service provider. We provide a wide range of managed services to healthcare organizations to help them combat threats and comply with regulatory requirements.
How does a health system decide where to focus their cybersecurity efforts and funding?
I have that conversation with organizations every day. The majority of healthcare organizations understand that it starts with a risk assessment. Pick a framework and do an assessment. From there, figure out where you have deficiencies or opportunities for enhancements. Every health system is different on what their next step will be, but the core of every good cybersecurity program requires performing an assessment of where you are, then driving your strategy from that.
Then, think about the perceived value of your cybersecurity spending and the actual value that you are receiving. A lot of organizations look to buy the next shiny security tool. The board and C-suite perceive that the purchase of that technology will better protect them from adversaries and from hackers. That is true to some degree, but when we implement those technologies within a healthcare environment and its many nuances, we lose sight of what we actually need to do to operationalize that technology.
I encourage organizations to think about not only how they are deploying capital for buying new technologies or implementing new services, but also how they are making sure that those investments work in concert with prior investments, and whether they are supporting them operationally to extract the value that they perceive those tools provide. Tools can be quite sophisticated, but they require people and process to extract their full value. We see a lot of under-implemented, underutilized technology in the healthcare organizations that we work with.
Sensationalistic headlines talk about theoretical risks that have never actually happened in the real world, such as medical device hacking and inserting malware in medical images, which doesn’t seem to offer much incentive for a hacker. Are hospitals chasing those hypothetical problems instead of the duller but more dangerous ones that don’t make headlines, such as the usual email-launched attacks?
Certainly some companies and folks are chasing those headlines with their solutions. No single bullet will protect you and secure you 100%. You have to take a layered approach that is appropriate for your organization.
We do a lot around medical device security. The threat to medical devices is real, but we are seeing it manifested by adversaries and hackers using them as a jumping-off point to get to the valuable data, not necessarily to disrupt the clinical performance of that device. They use the medical device to get to EPHI.
What new cybersecurity threats have you seen recently that are most worrisome?
We are seeing a lot of just the fundamental attacks, such as insiders and users and clicking on bad links in email. Those are still some of the highest threats that face organizations. Attacks such as phishing and vishing are increasing and becoming more sophisticated.
We encourage people to think about the fundamentals of a security program. The unsexy things — patching, making sure that they are doing vulnerability scanning, making sure that they are identifying where they have EPHI, monitoring the networks, and looking at logs. The traditional core fundamentals. Often when we peel back the layers of what happened in a big breach, a user inadvertently or purposefully did something, or there was a lack of internal blocking and tackling for security. We encourage folks to think about whether they are executing a good, solid fundamental program before investing in the latest and greatest gear and tech.
Organizations that are forced to admit that they have been breached always claim it was a sophisticated attack and sometimes imply that a state-sponsored hacker was involved, perhaps to make themselves seem to the public to have been more security-aware than they really were. That can lead the organization’s cybersecurity insurers to refuse to pay their claims because they can say that implicating state hackers suggests an act of war that their policy doesn’t cover. What is the level of threat from state-sponsored hackers in healthcare?
Healthcare is vulnerable. ARRA and HITECH spurred rapid digitization that wasn’t always implemented on modern, secure networks and infrastructure. The increased amount of valuable electronic health information is stored on the path of least resistance. State-sponsored attacks and hackers look for the path of least resistance, so we are vulnerable at the onset.
You brought up cyberinsurance, which is important to understand. Procurement of cyberinsurance in a healthcare organization may or may not involve IT or security. It might be procured by the legal or compliance department. A cyberinsurance policy’s actual insurance binder contains the requirements for that policy to be in force. It is important that organizations know what’s in that binder so if they have an incident, they actually get paid.
We are seeing that during the claim review process, cyberinsurers are doing clawbacks or denying claims because the organization wasn’t meeting the requirements contained in the insurance binder. That’s a critical area of focus. Don’t get a false sense of security just from having cyberinsurance. You have to make sure you are doing whatever the binder requires. It has gone unfavorably for healthcare organizations that failed to do that.
Why do we keep seeing major information exposure from unsecured servers that are open to the Internet?
Networks have sprawled over time with health system acquisitions and consolidation. We see that every day. This cobbled-together infrastructure and process allows it to happen. We are all shocked when it happens and of course we want to avoid it.
It goes back to the fundamentals and looking at root cause. We need to have asset inventories, know where our EPHI is stored, and understand how it is performing on our network and within our environment. Spending time on the blocking and tackling fundamentals reduces the chance of finding yourself in that situation.
Quite a few breaches were caused by a health system’s third-party vendor. Has anything changed with regard to the role of business associate agreements in a security plan?
It is important to understand third-party risk, the types of data you are sharing, and how you are sharing it. The lines of responsibility have become blurred within the context of those types of relationships.
It’s important to have business associate agreements in place. I always chuckle when I say that because we still find people not doing that. Then it’s important to have risk stratification of those third-party partners to make sure that you understand what they’re doing from a security perspective to better isolate the data that we create and that we’re responsible for safeguarding.
How common is it for a health system to have a chief information security officer position that is staffed by someone whose credentials would qualify them to work outside of healthcare?
There’s a human capital problem in cybersecurity for all industries. Depending on what rags you read, millions of cybersecurity jobs are open worldwide at all levels. As you narrow that down to healthcare specifically, we see that a lot of the larger organizations have a CISO on staff full time. When you get to the mid-market, they probably have a person who is dedicated to security, but who has other functions as well. The organization may engage in some type of virtual information security offering to offset that, to bring in expertise and guidance without necessarily keeping somebody full time.
The big challenge is that the role turns over every couple of years. Folks do not tend to stay long in this job. That can cause challenges for the healthcare organization because they’re changing strategy every couple of years when the leader changes.
Do you have any final thoughts?
We are in an interesting time with cybersecurity and the threat landscape. I’m encouraged by the progress that most organizations are making in this space. I encourage everybody to continue to focus on the fundamentals. To those who have partnered with Fortified and our employees, thank you for driving our mission to increase the security posture of healthcare.