Guest Post: Three Points from the 2018 HIMSS Survey Your Organization Should Take to Heart


We’re pleased to feature Martin Littmann, the Chief Technology & Information Security Officer for Kelsey-Seybold Clinic, on the Proofpoint blog today. He is responsible for IT Architecture & Strategy, Infrastructure, and Information Security.

I regularly give internal presentations for our organization, Kelsey-Seybold Clinic, to discuss the state of our internal security and my perspectives on what we are seeing in the healthcare threat landscape as well as cross-industry threats. 

So when I gave my Q1 update to the clinical operation leadership team, I was not too surprised to find those perspectives echoed in the recently published 2018 HIMSS Cybersecurity Survey. The HIMSS survey—released annually for several years running—solicits responses from healthcare information security professionals at all levels, ranging from analysts to CISOs.

Following are three key points from the HIMSS findings that organizations in healthcare—and all other industries—should take to heart. But I’ll start with an opinion of my own:

1. Trust is the cornerstone of cybersecurity.

Cybersecurity incidents are issues of trust. Our patients and other constituents trust we will take appropriate steps to protect them and their data. Our executives trust that we, as security professionals, will take appropriate action to implement programs and processes worthy of that trust. And the malicious actors depend on our trust in the Internet and email to dupe us into falling for their tactics.

2. People-centered security is critical.

In my own presentations, I point out that staff are often the first line of defense in the war on cyber threats. Not only must we empower our people with the right information around internet hygiene and appropriate email handling, but we must also implement technology that focuses on protecting them rather than just our network technologies. 

The HIMSS survey bears this out: most security incidents are attributable to online scam artists, negligent insiders, or hackers. (And let’s not forget hackers typically leverage naïve insiders to execute their craft!)

3. Email is the number one threat vector for healthcare.

So what is the number one vehicle for malware to attack a healthcare institution?  Email. 61.9% of the survey respondents identified phishing emails as the most popular form of compromise. Combatting these threats effectively requires a multi-layered approach.

At Kelsey-Seybold Clinic, we leverage a lot of email-related tools. In addition to our basic spam and malware protection, we rewrite links in email, and our Proofpoint solution continually evaluates links in the background to block known bad links as well as others as they are identified. Our solution evaluates attachments in the same way. We have also implemented comprehensive defenses to combat email fraud and business email compromise. And in addition to these reactive solutions, we are executing ongoing phishing testing to hone our users' awareness and improve their ability to recognize phishing email.

Tools such as these, along with our zero-day and other sandbox technologies, enable us to quickly spot security incidents in our environment. 47.1% of HIMSS respondents indicate they identify incidents within 24 hours and most identify within a week. But I would also suspect this survey doesn’t cover the embedded hacker incidents that are often uncovered after other events come to light (think Target and others) months after a secretive infection.

Ongoing investment is essential.

As the HIMSS survey indicates, many organizations like ours are increasing their IT security spend and maintaining dedicated ongoing funding for an effective security program. This investment is essential, and as long as executive and physician leadership see the wisdom of maintaining and sustaining such programs, I believe entities can avoid becoming part of the same old story: a data breach because someone wasn’t minding the store.
