Of the myriad challenges Erik Decker has faced in the two decades he has spent in IT (including 12 in information security), perhaps none was more daunting collaborating with some 150 colleagues to develop a set of best practices for managing cybersecurity threats. Beyond that, the goal was to provide an answer to the often asked question, “What do we need to be doing,” and tailor it based on the size of the organization. After a year and a half of discussions and “healthy debates,” the group has come to a consensus, which will be detailed in a report due out later this year.
In this interview, Decker, who serves as Chief Security and Privacy Officer at University of Chicago Medicine and is wrapping up a term as AEHIS Board Chair, talks about the “awe-inspiring” experience of being part of 405(d), how the relationship between providers and device manufacturers has evolved, and the key challenges facing CISOs.
- Providers and device manufacturers – “This is a shared responsibility.”
- Biting it off in ‘bits and pieces’
- Identifying top cyber threats & 10 recommended practices
- Device security – “There’s a litany of controls organizations should implement.”
- Getting organizations “on the right path”
- 405(d) guidance: “Coming to an agreement has been awe-inspiring.”
- Wrapping up term as AEHIS Board Chair
- Working with HHS – “We don’t have ulterior motives. We just want to help move the needle.”
The Hill has been very helpful at bringing people to the table to acknowledge that this is a shared responsibility; to get us over that hump of pointing fingers at each other, and really starting to think about, ‘how do we solve these problems?’
It answers the question which can be an incredibly daunting for under-resourced organizations: ‘What should we be doing?’ This gets them on the path. And beyond that, it tells them how to proceed along the path.
You have 150 very smart people with different perspectives who are all trying to do the right thing. Everyone is providing input to try to determine the best option forward. And so, as you can imagine, coming to an agreement about how and what we’re delivering, has been awe-inspiring.
Going through that level of scrutiny and vigor is what I believe is going to make this an amazing deliverable and an amazing tool for the industry. It has been vetted over and over again. It’s like peer-reviewed science on steroids.
Gamble: When it comes to medical device security, I can imagine it’s really important to have a solid relationship with your vendor, and be willing to push back when you have to.
Decker: Absolutely. You do have to have a strong relationship. That’s why I’m glad to see that the tone has changed. Five years ago, it was a very contentious relationship, but there’s been progress. Now, that’s not to say everyone is completely happy — we’re not there yet. As we go through these processes, both sides are negotiating for the best interests of their institution, and that’s to be expected.
The FDA has been very helpful and the Hill has been very helpful at bringing people to the table to acknowledge that this is a shared responsibility; to get us over that hump of pointing fingers at each other, and really starting to think about, ‘how do we solve these problems?’ And there are a lot of problems to solve. We’re going to have to bite this off in bits and pieces, and we don’t necessarily need regulation to do that. In fact, regulation might have the opposite effect. Although there does need to be checks and balances associated with this, and there needs to be consequences for the people that don’t play ball. So that’s the soup that’s going on right now.
Gamble: It’s encouraging to hear that there’s been progress. What about smaller organizations — any advice on how they can try to negotiate these relationships and discussions?
Decker: Sure. And actually, that was a key part of the 405(d) effort. We — and by that, I mean both HHS and the industry — have spent the last year and half building a set of best practices, methodologies, and processes to help healthcare organizations manage the five threats that we feel are most relevant to the industry at large. We’ve also identified 10 practices that will mitigate those five threats.
One of those threats, of course, is connected medical devices, and so we’ve pinpointed security practices that include a cross-section of things like network segmentation, asset inventory, proper access control, encryption, application whitelisting — there’s a litany of controls that organizations should implement.
The guidance is very clear. There are 10 practices, and sub-practices underneath each of those, and it’s been stratified to organizations that are small, medium and large in size. And so if you’re a small organization, you have a main document that will introduce you to this whole topic and then a technical volume written just for you about how to implement cyber practices and mitigate these threats. That’s the goal.
These practices don’t necessarily require a financial investment. For example, people who are already inside your organization can do configuration management. They can implement processes and policies, and they’ll be able to help move that needle across all three of those vectors: prevention, detection and response. And it answers the question which can be an incredibly daunting for under-resourced organizations: ‘What should we be doing?’ This gets them on the path. And beyond that, it tells them how to proceed along the path.
Now, it doesn’t get into things like, ‘how do you configure an exchange system to best do spam prevention?’ But it does say, ‘in your mail environment, you need to have these types of security elements in place.’ And ‘if you need more information about how to configure that, use this reference guide.”
It’s an index, and it’s a catalyst that will help them deal with the immensity of the problem. We’ve also provided a prioritization tool so that they can take these practices, look at the threats, and prioritize the threats they believe are most important to their institution. Based on the threats they’re most concerned with, we’ve weighted the various control that we think we’ll mitigate them most effectively, and provide a recommendation schedule. The important thing is not to try to do all 10 at once, because it’s too much.
We did the same thing for medium and large organizations, so it really does cover the provider spectrum. We’re very excited for this guidance to be released. It’s been a labor of love. About 150 individuals have been involved in developing the guidelines, and we’ve had more than 100 people help pretest them through focus groups across the country. They saw the work we did and gave us comments and feedback to make sure it really a consensus-based agreement on how to move the needle with cybersecurity across the industry.
Gamble: It seems like it’s addressing a need that’s been there for a while in terms of practical advice tailored for different organizations. And that’s coming out at the end of the year?
Decker: Yes, that’s the plan. It was a requirement under the Cybersecurity Act of 2015 for HHS to organize and deliver this. The reason we call it 405(d) is because Section 405(d) of that act specifically calls for an effort to move the needle and align best practices around cybersecurity. Under that, we have to provide a copy and report back up to Congress before it can be released to the public.
Gamble: I can imagine it’s been a really interesting experience from your standpoint.
Decker: It’s been an amazing experience. I thought it was difficult to get consensus inside of an academic medical center. But with this, you have 150 very smart people with different perspectives who are all trying to do the right thing. Everyone is providing input to try to determine the best option forward. And so, as you can imagine, coming to an agreement about how and what we’re delivering, has been awe-inspiring. It’s been a great process.
Gamble: Did it take some time just for people to get to know each other and get a feel for things?
Decker: Definitely. The good news is that is everyone who has been participating in this is there because they want to help — there’s a shared vision. Everybody’s trying to take the hill. There aren’t people at odds with one another saying, ‘we shouldn’t be doing this’ or ‘that’s not happening.’ The only place we had different opinions were in the approach and the content — how are we going to achieve it? There was a lot of good, healthy debate about how to create a product that’s going to be meaningful, practical and actionable. And frankly, even though it took a year and a half to do this, going through that level of scrutiny and vigor is what I believe is going to make this an amazing deliverable and an amazing tool for the industry. It has been vetted over and over again. It’s like peer-reviewed science on steroids.
Gamble: It wouldn’t be as complete if everyone would have agreed on everything up front.
Decker: Right. I mean, I could write 250 pages of what I think is the best thing to do, but that’s just one person’s opinion.
Gamble: Did you find you were able to leverage the experience you’ve gained from being in academic medicine?
Decker: I was. We are a consensus-type of institution, so that definitely helped.
Gamble: And in terms of your position as AEHIS Board Chair, you’re about to complete the term, correct?
Decker: Yes, I’ll be rolling off of chair at the end of the year. Sean Murphy, who is my vice chair, will be taking over. It’s been an incredible year. The focus for AEHIS has on education for CISOs and professional development. We want to make sure we’re getting good content out to our 900 members about issues that are meaningful to them, and providing them with resources.
We’re working on a CISO Certification, similar to what CHIME has created for CIOs. We put together a workgroup focused on identifying the elements that make a good CISO, and how we can create a rigorous program that’s meaningful. And that type of thing takes time, but we have some great minds focusing on it, and hopefully next year we’ll be able to develop that out.
Another important priority is advocacy. It’s been an incredibly strong year for AEHIS on that front. We have a lot of CISOs who are very engaged and will go and speak at events. We do a lot of responses to HHS on requests for comments, and we do a lot of proactive advocacy to let folks know what the issues are.
One great example is medical device security. Last year, we sat down with folks from Energy and Commerce explaining the situation to them and giving them the boots-on-the-ground reality so they could wrap their heads around these issues. It’s so important to be able to do that. Through these discussions, AEHIS has made incredible inlays with them and demonstrated that we don’t have ulterior motives — we just want to help move the needle. And this is all volunteer work; there’s no compensation. These are practitioners with day jobs who want to be thought leaders and help solve these problems. We have about 30 highly engaged members that really drive the work we’re doing.
Gamble: Sure. There’s certainly a thirst for information when it comes to all issues relating to cybersecurity, especially with devices. I want to thank you for your time — I’ve really enjoyed this. And I look forward to speaking with you when the guidance is released.
Decker: Definitely. I’d be happy to do a deep dive into that when it comes out. We want to educate as many people as possible.
Gamble: Sounds like a plan. Thanks again!
Decker: Thank you.