Wednesday, December 9, 2015

The State of Information Security 2015

When I wrote about the most important healthcare IT stories of 2015 (such as ICD-10 and Meaningful Use), I did not include a discussion of Information Security.   That’s because security deserves its own post. Increasingly complex threats and an array of new security technology, policy, and education projects consumed us all in 2015.

Last week, I met with the Department of Justice Attorney General for National Security.  His message was clear.  With state-sponsored cyberterrorism and organized cybercrime on the rise, every internet connected device will eventually be compromised.  The only question is when.  By the way,  he works in a safe room without an internet connection.

2015 has been filled with denial of service attacks, hard to detect malware, and a skyrocketing number of personal internet connected devices at the same time that HIPAA enforcement has expanded.   The traffic on my guest networks from visitors using mobile devices has exceeded the traffic on the business network.   Meaningful Use requires us to share more information with more people for more purposes, but the HIPAA Omnibus Rule requires us not to lose a byte.

How did we survive the security challenges of 2015?

First, it is important to understand the threats and mitigate those vulnerabilities with the highest likelihood of being exploited and doing the most damage.    What is the #1 risk?

People.

The cartoon below illustrates the problem.


We spend millions on new technology, countless hours on policy writing, and engage all stakeholders to enhance their awareness.    Yet, we’re as vulnerable as our most gullible employee.

The scenarios I’ve seen in 2015 include:

*a clinician downloads an infected copy of Angry Birds to an android phone then logs into email.   The username and password is captured by a keystroke logger embedded in the running game software.   Massive spam is sent and the email domain is blocked by commercial internet providers

*A carefully crafted email encourages clinicians to login to Oracle financials to claim their yearly bonus.  A hospital’s Oracle Financials site is mimicked at a reasonable sounding URL.     Usernames and passwords are stolen and are used to change direct deposit information in the real Oracle Financials application.

*Social networks are used to infiltrate home computers and steal credentials.

Not only have we significantly increased our education efforts, but we’ve also put various filters on incoming email to scan every embedded URL and every attachment before delivering messages.   We’ve implemented various filters to prevent outgoing mail and internet traffic from exfiltrating sensitive data.  We require attestation that every device used by every person is encrypted and physically secured.

Our tools and dashboards identify variance in device, software, and people behavior.

Our security staff has been significantly increased.

Boards and senior executives are very sensitive to the reputational risks around security.   Security is supported by committees that include working groups, senior management compliance groups, and Board groups.

I’ve signed several vendor contracts in 2015 that include new liability and indemnification language protecting BIDMC against third party claims around breach issues.

The bottomline for 2015 - the threats increased and the technology, policy, and education efforts were redoubled.    Although ICD10 and Meaningful Use work may be diminished in 2016, security work is likely to increase.   As I’ve told the Board, security is a process, not a project.   You’ll get better and better but will never be done.

No comments: