There’s no gentle way to put it: hackers are going after health systems. It’s happening at all types of organizations, all around the world, and the threats are getting harder to detect. And as sophisticated as the technology gets, we may never move faster than the bad actors. But what we can do is move the needle, says Anahi Santiago, CISO at Christiana Care.
What does it take to do that? First, education has to be a priority, and it needs to go far beyond annual training sessions. Secondly, cybersecurity must be part of the organization’s culture and it must be driven by leadership. In this interview, we spoke with Santiago about these critical issues, as well as her team’s risk management strategy, why advocacy is so important to her, and how organizations without a CISO can improve security.
Chapter 2
- Security education through conferences, training & webinars
- Delaware breach notification act
- Value of devoting time “to help move the needle”
- Cybersecurity Task Force report findings
- Lack of CISOs – “It’s part of why healthcare is a big target”
- Resources for organizations with smaller budgets
- “To do nothing is not acceptable anymore”
Gamble: What type of training are you doing for the IT and security teams?
Santiago: We’re investing time and resources to send our teams to conferences and training sessions that add value, and allotting time for webinars focused on the latest trends and techniques around information security. We train our IT folks on security so that they’re mindful of it when they’re implementing technology. It’s a constant effort.
The reality is that hackers are going after people. And all the technology in the world isn’t going to really help drive information security if we don’t take education and awareness into account, and make it a priority.
Gamble: Another important area is the state and federal regulations when it comes to security. There’s always a need for input from those who are in the field. What type of work are you doing to provide feedback to governing bodies?
Santiago: We have a regulatory area within Christiana Care that’s responsible for communicating with state and federal regulators, and I work very closely with them on cybersecurity. For example, last summer, I was part of an effort to amend Delaware’s breach notification law, which was enacted in 2005. We drafted a letter giving our perspective on the risks it posed and how the law impacted the community. An amendment was passed that gave more specific direction on how and when breaches need to be reported. By speaking out, we were able to effect positive change.
I also sit on an advisory board for the eHealth Initiative, a nonprofit organization that helps to drive health IT at the federal level. We meet with members of several federal agencies, including the Office for Civil Rights, the Food & Drug Administration, Federal Trade Commission, the National Institute of Standards and Technology, and the Federal Bureau of Investigation to share dialogue about what we’re seeing from an information security perspective, and to provide guidance on what needs to happen. They give us their perspective and talk about the laws they’re looking to push forward. It’s a proactive dialogue to help to improve the overall posture of cybersecurity in healthcare.
Gamble: I’m sure it’s not easy to carve out the time for advocacy efforts, particularly when you have so many priorities on your plate. Do you view this as part of your duty?
Santiago: Absolutely. I think it’s really important for cybersecurity and privacy leaders, both in healthcare and across all industries, to devote time to helping move the needle, whether it’s speaking with federal regulators, or sharing threat intelligence with organizations like HITRUST or NH-ISAC. It’s so important to have those conversations.
We’ve done a lot of that at Christiana Care. Last summer, Louis Tomczak III, one of our information security analysts, was invited to the White House to talk about cybersecurity. He was part of a team that took first place in a competition that gives participants experience in protecting and responding to cybersecurity threats. That was exciting for our organization.
I also think it’s important to spend time talking to students, whether it’s at the middle school, high school, or collegiate level, to drive awareness about information security issues. This is a field in which there are a lot more open positions than there are qualified people. As leaders, it’s critical that we get out in front of this problem and talk about the roles that exist so that young people can get excited about it and consider entering the industry.
Gamble: I’m glad you touched on that. There’s a huge demand for cybersecurity talent, and it’s so beneficial to educate students about this field, and help them understand why it’s so critical.
Santiago: It is. You’d be surprised. When I go to middle schools and high schools and ask kids if they know what cybersecurity is, the majority of the time, I see a lot of headshakes. They don’t know what it is. They’re so used to putting their information out there. They have no concept of privacy and security, and so they don’t understand why this is so important. But when I talk about breaches and hackers and what my team does, they get excited. And so my hope is that at least a few of these students will get excited enough to consider a future in this space. If I can get one person interested, whether they come to my organization or not, I feel it’s time well spent.
Gamble: It’s interesting because a lot of young people are so savvy when it comes to how to use technology, but security and privacy are areas where they lack understanding.
Santiago: They really are savvy for the most part. They want to design games and do programming, and so I talk to them about how they can apply those skills in the security space.
Gamble: Very interesting. Now, looking at a national level, the Healthcare Industry Cybersecurity Task Force came out with some findings last year that highlighted the need for a NIST framework focused on the healthcare sector, and touched on some other key areas. What were your thoughts on what they found?
Santiago: First, I would say that the Task Force was something the industry really needed. And I thought the report was on point. It aligned pretty well with my perspective of where the healthcare industry is, and where we need to get to. I’m hopeful that organizations will apply those findings to their cybersecurity strategies.
What surprises me is the number of healthcare organizations that still don’t have a dedicated CISO, or even an information security team. I think that’s part of why healthcare continues to be a big target for hackers; it’s still very porous. The Task Force did a great job of illustrating the importance of risk management, threat intelligence, the need to implement technical controls that are aligned with emergent threats, and the fact that we need to invest more in information security.
Back in 2009, organizations were given large financial incentives as part of HITECH to digitize records. And so they rushed to invest all this capital in EHR systems, and information security was an afterthought. Now what we have is a ton of technology that never took security into account, and it’s become a gold mine for bad actors. We need to rethink our strategies and make information security an investment priority. It’s hard to predict whether we’ll ever move faster than the hackers, but I believe we can move the cybersecurity needle so that we have a better chance.
Gamble: For organizations that don’t have a CISO or even a dedicated information security leader, do you have any thoughts on how they can help limit threats?
Santiago: One thing they can do is leverage third parties. There are a lot of managed security services providers that can help to augment an information security program at a relatively manageable cost. There are also third parties that come into an organization and provide advisory services on a quarterly or monthly basis — almost like a CISO for hire. So there are steps you can take if you’re on a tight budget, but to do nothing is not acceptable anymore.
There are even free resources out there. The Office for Civil Rights has a risk assessment tool, which I highly recommend. In addition, they provide guidance on how to comply with the HIPAA Security Rule, on managing mobile devices, and on where to focus training and awareness.
I would also advise leaning on your peers. Reach out to a large organization and ask to speak with the CISO. I know CISOs from across the country, and I have yet to find one that isn’t willing to help another organization. I’m co-chair of the Delaware Healthcare Cyber Security Alliance, which meets every few weeks to discuss the issues we’re seeing and share solutions. We welcome any organization to join us.
Leverage your peers, leverage the vast amount of resources offered by the Office for Civil Rights and the National Institute of Standards and Technology, and leverage opportunities like Carnegie Mellon University’s CERT program. There are so many resources out there. I strongly urge everybody to make this a priority; don’t ignore it, because no one is getting a free pass. Even when physician practices are breached, they’re getting fined.
Gamble: Absolutely. That’s a perfect way to wrap things up. I want to thank you so much for taking the time to give your perspective. I think this will be very enlightening for our readers.
Santiago: Thank you for the opportunity.