For cybersecurity and IT leaders, protecting patient data has become a daunting task. And while there are myriad contributing factors, two seem to stand out: the continued growth of health systems through mergers and acquisitions, which has resulted in increasingly diverse technology environments; and the permanency of remote and hybrid work models.
“There are a lot of advantages to remote work, but the reality is that it adds another layer of complexity, especially from an insider threat perspective,” said Nick Culbertson (Co-Founder & CEO, Protenus) during a recent discussion, which also included Nate Lesser (CISO, Children’s National Hospital) and Paul Curylo (CISO, Inova Health System). But it’s a risk that organizations have to accept, according to Lesser.
“We are constantly focused on rising threats both inside and outside of the hospital,” he said. And with the demand for cybersecurity talent strongly outweighing the supply, keeping up with those threats means being willing to hire any “high-quality worker,” regardless of their proximity to the Washington, D.C. area, where Children’s National is located.
The same holds true at Inova, where hybrid models have proven pivotal for recruiting and retaining top people. “We’re seeing some flow back to the office, but there’s still quite a mix,” said Curylo, who expects it to continue “for the foreseeable future.”
The tricky part, especially for CISOs, comes in managing access and identity among remote teams, he said. Whereas onsite employees go through traditional onboarding steps with human resources to validate identity and previous employment records, the same standards don’t always apply to those working offsite. One way to even the scales is by requiring “at least one onsite visit to confirm identities and have that engagement,” which his team has employed at Inova. “It’s something we need to challenge ourselves with.”
Of course, insider threats are by no means limited to those working offsite, said Lesser. In fact, he believes leaders can get “lulled into a false sense of security around the idea that if someone is working inside the four walls of our building, they’re more secure,” he noted. “Turns out in the digital world, that’s just not true. And so, we should be constantly looking for controls that help secure our staff and the systems they touch, regardless of where they work.”
A multifaceted approach
And while there’s no panacea for eliminating insider threats, there are critical steps leaders can take, according to the panelists, who described a multifaceted approach to managing threats that focused on three key areas: technology, education, and governance.
The first step, they agreed, is identifying a solution such as the one offered by Protenus. The platform, according to the company’s website, leverages artificial intelligence and analytics to detect inappropriate access and behavior patterns to stem damage and mitigate risks.
“Having those tools in place is vitally important” in detecting insider threat behaviors and responding accordingly, said Curylo. But it’s only the beginning. Oftentimes, “people will put in a tool and assume it will take care of the house,” he added. “That’s not true. We need to spend time understanding the information that the technology is producing in order to understand whether we have a situation.”
And, if there is a situation in which data has been inappropriately accessed, organizations need a solid plan for how it will be handled.
“There are a lot of elements to the Protenus platform that focus on end-user behavior,” said Culbertson. “I think the important part is to ask, what are you measuring? What are you going to do with the information?” Leaders need to determine the protocol for detecting and enforcing problematic behaviors, he added.
This is where having solid policies in place that are both easy to understand and enforceable can play a critical role. “If you’re asking someone not to do something, but you’re not monitoring it, and you don’t have a response on how to handle it, then it’s not really a policy,” Lesser said. Instead, leaders need to “map policies to procedures,” which involves a great deal of collaboration and communication across different departments. “What are the sanctions? How are we going to include folks like HR to make sure we’re equitable in our handling of breaches? All of this needs to be part of the conversation.”
It’s important to avoid punitive discipline and to communicate expectations in terms of engagement, according to Curylo. At Inova, the strategy is to “posture the policy in a positive tone to drive the behaviors we expect,” which is for employees to follow the rules “even when no one is watching,” and of course, find ways to reward those behaviors. “You have to completely flip the equation,” he said.
One of the quickest ways to foster engagement and build buy-in is by creating partnerships, according to Lesser. His team’s approach is less about preaching the dangers of insider threats, and more about asking, ‘how can we help protect you and your accounts?’ and ‘how can we help ensure the threats we’re facing aren’t successful?’ Doing so, he noted, can assuage ‘big brother-type’ fears while providing much-needed “visibility into digital activity in their environment.”
The greater the visibility, the more likely cybersecurity teams are to catch minor infractions and prevent them from becoming full-on threats, according to Culbertson. “We know that the worst incidents don’t just come out of nowhere. They build up over time.” Being proactive not only can prevent damage, it can also promote safe behaviors by helping to educate users on what they can and cannot do. “Being able to educate and say, ‘this is against our policy’ has had such an impact on reducing the overall risk landscape,” he said. When left unchecked, “those individuals could continue to build up that behavior and push the limits. And that’s where you get some of the more egregious incidents.”
On the other hand, when leaders are able to provide consistent training, individuals become more prepared to respond to challenges, noted Lesser, and that’s not the only benefit. “It breeds confidence and helps build the workforce you need.”
Finally, it’s critically important to start engaging with teams about how to protect data long before an incident occurs, noted Culbertson. “Don’t wait for something bad to happen to go out and talk with folks. If you do, what ends up happening is you then have to build those relationships in the middle of a disaster, and that’s very difficult to do.”
To view the archive of this webinar — Managing Insider Threats in an Era of Remote Workers & Increased Turnover — please click here.