Hardening The Security Posture While Enabling Your Healthcare Organization
By Connie Barrera, CISO, Jackson Health System
When you peel away the layers and minimize the noise, the ultimate goal of the IT Division should be to enable the business. This requires business operations to optimize people, process and technology. Despite competent people and robust processes, far too often the integration (or infiltration) of technology causes havoc and an undesired increase in the organization’s risk posture.
Inherently, healthcare organizations face substantial hardship when it comes to technology because, historically, third-party vendors, both software and hardware manufacturers, have often lagged behind best practices and leading-edge solutions. Last month (February 18, 2020) marked the 11th anniversary of HIPAA HITECH becoming effective, and yet IT Security is still battling with vendors over password complexity, patching and fundamental requirements such as running a solution on a supported operating system. It’s time to stop the insanity and take back control of our digital environments!
Each organization should establish a business-appropriate strategy and require vendors to integrate into the established architecture, not the other way around. The practice, though, has been that enterprises spend a great deal of money purchasing many point solutions (along with all of the training, project planning, etc.), only to wind up punching holes into the very fabric that is meant to protect the organization’s digital environment and data. In 2020, we must resolve to squeeze every benefit from existing security controls by taking a stance on basic requirements. When it comes to technology and bringing in new solutions, the following best practices are recommended.
Stop the pipes from leaking:
Taking control over technology acquisition requires being part of the procurement cycle. In some organizations, departments and their vendor partners get quite creative with purchasing documents, obfuscating the language so that it is difficult to impossible to realize the IT environment is about to be impacted. This business problem requires senior leadership sponsorship and commitment to solve. Once this core requirement is established (executive support and a relevant governance structure), the following practices should be incorporated:
- Establish committee based oversight of all projects for approval and prioritization (IT needs a seat on this committee)
- Initiate an organization-wide/centralized procurement process. All purchases should be centrally authorized.
- Procurement officers and IT should collaborate on contract boilerplate language to cover key considerations such as patching, data ownership, data sanitization upon contract termination, etc.
- Engage IT (CIO and CISO) on all contracts with an IT component.
- Don’t be too quick to cave in to vendor demands. Organizations have done this all along, causing the environment’s security to fracture and ultimately putting systems and patient data at risk.
Identify requirements and stick to them:
Having robust security vetting is essential to the confidentiality, integrity and availability of every digital environment. If I had a dollar for every time someone told me I had nothing to worry about on a particular tech project, I’d be traveling the world right now. Ironically, most of those times yielded the most egregious security flaws and, fortunately or not, each day in IT Security brings a new opportunity to be shocked.
The first step in preventing the elevation of risk in an organization’s security posture (assuming the organization has fundamental security technology in place: firewalls, IDS/IPS, malware detection, email protection, etc.) is to identify and document requirements for new technologies. For instance, does your health system require an on-premises solution over a cloud-based one? Do you require Active Directory integration for authentication? Once those basic/core requirements have been codified, the following should be adopted:
- Develop a security questionnaire. This is the starting point for gathering technical information on every solution. Do not bypass this step, even on emergency requests!
- The questionnaire should cover everything from the type of data that will reside within the environment (for example, whether the software will house MRNs, SSNs or credit card information) to questions about the hosting platform/OS, interfaces, authentication, auditing, etc.
- The questionnaire should also request that vendors provide a data flow diagram. The data flow is not how the application works for end users but rather a network-style diagram that shows all relevant software/hardware components, protocols, ports, interfaces, etc.
- The third party should be the one filling out the questionnaire, as only they know their solution best.
- Existing vendor documentation is not a replacement for filling out your security form. I always encourage vendors to send any documents they may already have to complement my security review, but they still need to complete the form.
- Once the form is returned, closely analyze any areas of concern where the vendor’s solution may conflict with the organization’s security architecture and requirements. If any such items exist, collaboration among the project sponsor, the vendor and any other relevant IT resources should take place until a final determination is reached.
- Require appropriate evidence of security controls from vendors whenever contracting with a third party for any hosted solution. Third parties should be required to share SOC 2 reports and/or some meaningful security report/attestation on a yearly basis. The latter applies especially to vendors whose solutions are hosted by a cloud provider such as AWS, Azure, Google, etc.
- Test every aspect that can be tested. Many organizations have great reputations built on a track record of good solutions and performance. That being said, this does not replace due care and due diligence for IT, and especially for the IT Security team. Countless times we find weak ciphers when dealing with third-party websites, no matter the amazing reputation of said party. Testing should occur prior to go-live and at least bi-yearly.
- Identify and implement appropriate logical network placement for the new environment. Flat networks pose substantial risk. Ensuring the new environment is logically isolated from irrelevant assets, with traffic flows permitted only where needed, is essential to success.
- Perform vulnerability assessments on all in-scope assets (those supporting the new solution) prior to go-live, ensure all necessary items are remediated before granting security clearance, and incorporate these new assets into a quarterly vulnerability assessment exercise.
- IT Security should be a required approver within the organization’s change management process. This ensures technologies do not go live without having gone through the proper security review.
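The "test every aspect that can be tested" point above singles out weak ciphers on third-party websites. The following is an added example, not code from the article or from Jackson Health System, of how a security team can turn that check into a repeatable pre-go-live and recurring control: it parses the kind of output a TLS scanner such as `nmap --script ssl-enum-ciphers` prints (the scan text below is constructed, and the host and cipher list are made up), grades it against a hypothetical baseline that forbids SSLv2/SSLv3/TLS 1.0/1.1 and legacy cipher families, and separately flags suites without forward secrecy. A second function performs a live protocol probe with Python's standard `ssl` module; it is optional and makes a network connection, so it is not exercised offline.

```python
import re
import socket
import ssl

# Constructed sample: what an `nmap --script ssl-enum-ciphers` scan of a
# vendor-hosted portal might print. The host and suites are made up.
SAMPLE_SCAN = """\
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|_  least strength: C
"""

# Hypothetical baseline a health system might codify in its requirements.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
# Substrings that mark a legacy/broken cipher family ("DES" also catches 3DES).
WEAK_TOKENS = ("NULL", "EXPORT", "RC4", "RC2", "DES", "MD5", "ANON", "ADH", "AECDH")

PROTO_RE = re.compile(r"^\|\s+(SSLv\d|TLSv\d(?:\.\d)?):")
CIPHER_RE = re.compile(r"^\|\s+((?:TLS|SSL)_[A-Z0-9_]+)")


def parse_scan(text):
    """Return {protocol: [cipher_suite, ...]} from ssl-enum-ciphers style output."""
    offered = {}
    current = None
    for line in text.splitlines():
        m = PROTO_RE.match(line)
        if m:
            current = m.group(1)
            offered.setdefault(current, [])
            continue
        m = CIPHER_RE.match(line)
        if m and current is not None:
            offered[current].append(m.group(1))
    return offered


def is_weak_cipher(name):
    upper = name.upper()
    return any(tok in upper for tok in WEAK_TOKENS)


def lacks_forward_secrecy(name):
    # Static RSA / static DH key exchange: a leaked server key decrypts past captures.
    return name.upper().startswith(("TLS_RSA_", "SSL_RSA_", "TLS_DH_RSA", "TLS_DH_DSS"))


def assess(offered):
    """Grade a parsed scan against the baseline. Weak protocols or weak ciphers
    fail the review; missing forward secrecy is reported but does not fail."""
    findings = {"weak_protocols": [], "weak_ciphers": [], "no_pfs": []}
    for proto, ciphers in offered.items():
        if proto in WEAK_PROTOCOLS:
            findings["weak_protocols"].append(proto)
        for c in ciphers:
            if is_weak_cipher(c) and c not in findings["weak_ciphers"]:
                findings["weak_ciphers"].append(c)
            elif lacks_forward_secrecy(c) and c not in findings["no_pfs"]:
                findings["no_pfs"].append(c)
    findings["pass"] = not (findings["weak_protocols"] or findings["weak_ciphers"])
    return findings


def probe_legacy_protocols(host, port=443, timeout=5.0):
    """Live check (network): attempt a handshake pinned to each legacy TLS
    version. True means the server still accepts that version."""
    results = {}
    versions = {"TLSv1.0": ssl.TLSVersion.TLSv1, "TLSv1.1": ssl.TLSVersion.TLSv1_1}
    for label, ver in versions.items():
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # testing protocol support, not trust
        try:
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # let OpenSSL 3 offer TLS 1.0/1.1
        except ssl.SSLError:
            pass  # builds without security levels just use the default list
        try:
            ctx.minimum_version = ver
            ctx.maximum_version = ver
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host):
                    results[label] = True
        except (ssl.SSLError, OSError, ValueError):
            results[label] = False
    return results


if __name__ == "__main__":
    result = assess(parse_scan(SAMPLE_SCAN))
    print("PASS" if result["pass"] else "FAIL", result)
```

Run against the constructed scan, the review fails on TLS 1.0 plus the 3DES and RC4 suites and notes two static-RSA suites, which is exactly the kind of finding to send back to the vendor before go-live and to re-check on the recurring schedule the article recommends.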
Leveraging the recommendations above will help establish a framework that preserves sound security controls and enables the organization to minimize security risks and ward off evolving threats. Let 2020 be the year that health IT organizations take back control and make headlines, not because of another breach but because of their ability to ward off the next attack!