Healthcare has always been complex. But as delivery models and patient expectations continue to evolve — and organizations become more reliant on third parties — that complexity is making it increasingly difficult to safeguard data.
Perhaps it’s time to simplify.
In fact, “the most innovative thing we can do is to eliminate waste within our environments,” Jon Kimerle (Global Healthcare Strategic Alliances, Pure Storage) said in a recent webinar. In addition to housing hundreds of applications, many health systems — especially large IDNs — are also dealing with legacy data, which only adds to the complexity. “There’s a significant opportunity to simplify and rationalize the portfolio,” Kimerle added, calling it a “very strong IT strategy.”
During the discussion, he and co-panelists Sanjeev Sah (System VP, IT Strategy & Cyber, CommonSpirit Health) and Adam Zoller (CISO, Providence) talked about the risks of running too many applications, particularly for business continuity, as well as the keys to a solid cyber-defense strategy and why ownership isn’t everything.
A great place to start, according to Sah, is tackling vendor sprawl. “When you simplify the architecture, you simplify business processes that can be supported by a common platform.” Going from 10 applications to one, for example, can help reduce the number of gaps and vulnerabilities, which in turn can improve resiliency.
Zoller agreed, adding that simplification should be “a core tenet of the IT strategy.” It’s been the case for a few years at Providence, where CIO BJ Moore has preached a philosophy of simplification, modernization, and innovation in the IT stack. “That trickles down into cybersecurity as well,” he noted, adding that this three-pronged approach can drive down costs while improving security.
Simplification, however, isn’t just about IT assets. “It also applies to how you manage your identities,” Zoller added. He believes a large number of cyber-incidents “could be mitigated or completely avoided by vaulting and rotating privileged credentials in your environment.”
And although reducing the number of applications is “absolutely important, it’s not going to be the silver bullet for the entire healthcare industry because we’re incredibly reliant on third parties to do the right thing.” Unfortunately, whether or not third parties are doing the “right thing,” breaches happen, as evidenced by the recent Change Healthcare outage, among other incidents. “In our vendor landscape, we’re seeing failures of the basics that lead to risks on their customer side which we then have to deal with as a business continuity problem.”
Back to basics
It may seem obvious, but by focusing on fundamentals such as multifactor authentication and attack surface management on everything web-facing, cyber teams can eliminate a lot of the opportunity for breaches. It’s a matter of constantly asking, “Am I modernizing my applications and systems to the point where they can utilize authentication and security protocols?” said Zoller. “There’s a direct theme of simplification throughout these concepts.”
Ensuring appropriate coverage of the network defense technology stack across the ecosystem, as well as adherence to security policies and practices to the letter of the law is essential, according to the panelists. Below, they shared more critical aspects of devising a solid cyber-defense strategy.
- Get resilient. Building resiliency begins with “having a good backup, having the ability to recover during an incident, and knowing who should be part of the conversation when you have an event — how do you communicate and what are the primary systems we need to bring back?” said Sah. “All of these components are articulated in good business continuity and disaster recovery plans.”
- Prioritize risks. As cybersecurity teams grapple with limited resources, leaders are forced to “risk-prioritize” by zeroing in on “the highest risk areas with the lowest effort” that can be addressed without having to collaborate outside of the IT team, said Zoller. In other words, identify the low-hanging fruit opportunities that can “very quickly move the needle on risk reduction” before tackling complex projects that require resource allocation and can be quite costly. Kimerle agreed, advising leaders to “prioritize the gaps and the level of effort needed to close them, and work on the ones that produce the most benefit.”
- Stay current. Another strategy that may seem rudimentary but can get lost in the shuffle, noted Sah, is “making sure that current safeguards and controls are at the most effective place they can be while we make other improvements to reduce the risk.”
Doing so, said Kimerle, has become increasingly important as healthcare organizations move to modernize disaster recovery. At Pure Storage, where his team focuses heavily on outcomes, speed, resiliency, and energy usage, he has found that “multi-day restores are not necessarily best practice,” he said, citing a growing interest in revamping processes. “We’ve had instances of 18-hour backups and three or four restores” — and that’s for the main operational database for the EHR, and not the entire ecosystem. That speed, he noted, isn’t “acceptable to a modern business.”
However, shrinking down to the less than four-hour window that customers want is going to be a significant lift. To that end, some organizations are looking at a tiered resiliency architecture that protects snapshots from being deleted or changed. Of course, “you need the right technology to recover from that,” said Kimerle, who spent several years on the provider side (with SSM Health) prior to joining Pure Storage.
Also required? Collaboration across the organization to ensure leaders from various departments “have a stake in understanding, participating in, and figuring out how to mitigate the impact.”
Champions, not owners
Sah concurred, adding that improving business continuity and disaster recovery can’t happen without collaboration. “None of these things can happen in silos.” Devising a solid strategy requires “extensive stakeholder involvement” among CIOs, CFOs, and unit leaders and department heads from HR, legal, and compliance, as well as external stakeholders like law enforcement.
Similarly, Zoller believes that while business continuity planning should incorporate elements of cybersecurity, “this is a conversation that needs to be led and owned by operations. It needs to be led in part by your finance organization, and even at the CEO level,” he said, pointing out that the emergency response plan encompasses more than just cyber incidents. “It also needs to include elements of how you respond to earthquakes, wildfires, and other natural disasters,” along with catastrophic financial events that can impact the business.
Said Kimerle, “we’re seeing an evolving need throughout organizations for people to participate appropriately as opposed to just letting cybersecurity folks deal with this. It’s the responsibility of all.”
However, although security leaders do not — and should not — necessarily own business continuity, they can certainly champion the cause, according to Sah.
“We’re interconnected with a lot of partners and suppliers in our modern-day business construct. And internally, we’re equally complex in terms of IT and business process that our organizations rely on,” he said. Having a solid understanding of those processes to enable patient care and sustained operations is vital, regardless of who owns them.
“What we’ve been able to do is champion the cause without owning it,” noted Sah. “It’s our job to identify gaps and work with partners within the organization toward resilience.”
Zoller agreed, noting that the collaboration angle can’t be overlooked. “We can’t do this alone. We’re very much reliant on third parties in healthcare. There’s only so much Sanjeev and I can do from a direct ownership perspective to secure those systems and architect them in a way that safeguards our environment.”
And it doesn’t just fall on the organization, but also the industry as a whole, to more effectively assess third-party risk and push for stringent contract requirements that provide “an opportunity to audit and monitor,” he said. “That’s where we need to get better if we’re going to have decent control over cyber exposure.”
An archive of this webinar, Designing Cyber Recovery Strategies for Today’s Data-Heavy Enterprise (sponsored by Pure Storage), is available online.