There’s no gentle way to put it: hackers are going after health systems. It’s happening at all types of organizations, all around the world, and the threats are getting harder to detect. And as sophisticated as the technology gets, we may never move faster than the bad actors. But what we can do is move the needle, says Anahi Santiago, CISO at Christiana Care.
What does it take to do that? First, education has to be a priority, and it needs to go far beyond annual training sessions. Second, cybersecurity must be part of the organization’s culture, and it must be driven by leadership. In this interview, we spoke with Santiago about these critical issues, as well as her team’s risk management strategy, why advocacy is so important to her, and how organizations without a CISO can improve security.
Chapter 1
- “My focus is on risk management”
- Vulnerability assessments for vendors
- “There’s a long list of things we expect them to comply with”
- Cloud concerns – “Some tools don’t provide the level of security we need”
- Working closely with other departments
- “No technology is agreed upon until my team has assessed it.”
- A culture of security – “It starts with leadership.”
Gamble: As CISO of a large healthcare system, what is your primary focus?
Santiago: Most of my focus is on risk management. I know that’s a far-reaching statement, but everything we do is centered around looking at the risks that we might be consuming as an organization, communicating those risks to executive management as well as the organization, and making sure we’re managing them to an acceptable level. And where we can’t manage them, for whatever reason, we’re looking at compensating controls to help to ensure we’re not incurring risks that could create a threat to the organization.
Gamble: Of course there’s a lot that goes into that strategy, starting with determining where the risks are. Can you talk about that process, as well as the team you have?
Santiago: We have a team of 13 people who are focused on different areas of information security. I have a risk management program manager, Vince Fitzpatrick, and he has an analyst who works very closely with him. Our primary goal is risk management. When there are new technologies that people want to onboard, before we even look at a contract, we have a process for assessing those technologies for any significant changes in the environment. It starts with a questionnaire, and then we reach out to the third parties to discuss their policies.
If it’s a hosted environment, we look at things like the SOC (Systems and Organizations Controls) 2 type 2 report, an independent third-party assessment that is used to determine a vendor’s information security controls. We look at how they’re doing vulnerability assessments, and we’ll communicate back to the organization on what we think their security posture is, and where we believe there might be potential concerns. We’ll do what we call a ‘go’ or ‘no-go’ — if we think it’s too risky, it’s a no-go.
In some cases it’s a ‘go,’ but there might be areas where we’ll work with the vendor to either add components to the contractual agreement, or add compensating controls in certain areas. For example, we might provide additional education and awareness, or we might want to apply technologies that we own, such as data loss prevention or encryption, to reduce the risk of threats.
In addition to that, we do ongoing assessments of high-risk areas. If we suspect there might be emergent threats — like EternalBlue or KRACK Wi-Fi attacks — we address those immediately. Last year when we learned that HP found keyloggers that had been installed on some of their hardware, we did a risk assessment to find out if we had them in our environment, and what updates we could quickly deploy.
Risk management touches almost everything. And our team leads the way in making sure we’re engaged with everyone else who is part of security, IT, or the business in keeping our environment safe.
Gamble: Being part of a health system that is heavily invested in IT, is a lot of your focus on cloud computing as well?
Santiago: Absolutely. As an organization, we see the cloud as a tool that will enable us to be more innovative in how we deliver care, more competitive, and more agile. It’s a core component of our strategy. For my team, that means making sure that as we look at cloud providers, we’re assessing the potential security risks.
We’re looking at the tools and technologies that can complement our cloud service providers, because oftentimes they don’t necessarily provide the level of security we need. And so we’re looking at partners — such as cloud access security brokers — that can help us as we think about moving our data loss prevention, web security, and email security tools into the cloud.
From a risk management perspective, when we have third parties that are looking to host services, we have a defined set of criteria we expect them to have, such as SOC 2 type 2 reports, vulnerability management tools, and other measures to help manage risks.
We have an addendum of data security hosting terms that we apply to any cloud service provider agreement which includes a long list of things we expect them to comply with.
Gamble: That must create an interesting dynamic when working with IT. You understand the potential that cloud offers, but your first priority is to keep data safe. Does that make it all the more critical to have strong relationships with other leaders?
Santiago: Most definitely. I report to the CIO, Randy Gaboriault, who is also senior VP of Innovation and Strategic Development. He not only leads IT; he sits on top of the organization that sets the overall strategy for Christiana Care. With the governance structure we have in place, I’m able to work very closely with the infrastructure team and the application analysts that are housed within IT to make sure that as they move projects forward, we have a seat at the table. We’re part of those project teams. As they’re looking to implement solutions, we’re looking at the security implications. No technology is agreed upon until my team has assessed it and given it the green light.
Gamble: So the idea is that by addressing security concerns right away, you can prevent problems down the road?
Santiago: Correct. The best way for security to be successful is for it to be baked into a solution set, rather than being bolted on after the fact. And so we really rely on our IT partners and our business partners to help us understand the problem we’re trying to solve. And so we can determine how security can become part of that solution, as opposed to creating controls after the fact that can create a barrier. That’s really important.
Gamble: And so those close relationships have to be established up front.
Santiago: Yes, and that can be difficult in some organizations. We’ve created a culture here — and it starts with leadership — that security is important, but at the same time, we want to deliver the best care possible. We want to innovate. We want to use technology to drive healthcare delivery forward, while at the same time emphasizing the need for security. And the way to do that is to build a culture where IT, security, and business are partners.
And it’s not just IT; our clinical engineering team is responsible for medical devices and some devices connected to the Internet of Things that don’t live within IT. But they partner closely with us so that as they’re looking at an MRI machine or a wearable that’s going to help patients manage their care, we’re having a dialogue before anything is purchased.
Gamble: One of the key components of any security strategy is education, which I can imagine is getting more challenging as new threats emerge. Can you talk about how you approach this?
Santiago: To start, there are different education sectors we need to take into account. There’s educating the entire organization around emergent threats and teaching the basics of protecting patient information, employee information, and company-sensitive information. We do standard employee orientation and annual training, but we recognize that’s not enough, and so we augment it with things like phishing exercises. These are done on a quarterly basis, but we’re looking to make it monthly, because we think it’s so important.
What happens with these exercises is that inevitably, a small proportion of people click on the links. We’re trying to get those percentages down, but even one click is too many. So when this happens, we provide education to those individuals. If it happens more than once, they get even more in-depth training. The goal is to continue to reinforce the dangers of phishing emails.
In addition to that, we’ll send dedicated email educational campaigns during times when threats are more prevalent. For example, during the month of December, we’ll see holiday scams, so we educate people on how to protect themselves and their families. We do the same thing around tax season.
In October, which is Cybersecurity Awareness Month, the security team sets up tables in our hospital cafeterias and speaks with individuals about data safety. We offer giveaways as incentives, which always helps. Basically, we use any opportunity we can find to get in front of end users and educate them.