Does Your Cybersecurity Program Have What It Takes?

At a time when the risk of hacking into our health data has never been higher, we catch up with Dan Dodson, President of Fortified Health Security, to get his views on where the risk is and what you can do about it. This is what Dan says:

Hackers have clearly placed a bullseye on healthcare organizations. Cybersecurity breaches continue to occur among healthcare providers so pervasively that their numbers exceed those of health plans and business associates combined. Steps must be taken to protect patients, whether from ransomware or from attacks on connected medical devices; the stakes are simply too high.

Any significant cybersecurity breach results in a big drop in patient confidence. Pressure from patients, as well as from inside organizations, is forcing healthcare providers to guard their reputations, develop strategies for better patient engagement and provide increased amounts of sensitive data to multiple interconnected devices.

It’s important for a healthcare organization to recognize the potential impacts of a breach on their organization before one occurs, instead of only investing in cybersecurity after they have been negatively impacted by an incident. Yet, at that point, it may be too late for some patients. Reports suggest that nearly forty percent of consumers would abandon or hesitate to use a health organization if it is hacked. Fifty percent of consumers would avoid or be wary of using a medical device if a breach was reported, and thirty-eight percent would be wary of using a hospital associated with a previously hacked device.

The best prevention against any attack is understanding the fundamentals of a strong cybersecurity program. With proactive employee involvement, a clear process to identify and prevent cybersecurity threats, and understanding that technology is only part of the equation, healthcare providers can better serve and protect patients.

In my view, there are three simple steps that you can take.

Employee training is the first line of defense against hackers.

Your employees are your first line of defense to prevent successful attacks and/or breaches. Educating your employees/users on threats to your organization, on safe web browsing practices, on the hazards of clicking embedded links or opening attachments in unverified emails, and on scrutinizing emails before opening them are just some of the basics.

In order to take your employees’ education to the next level, you should conduct simulated social engineering exercises and campaigns. This will give employees “real world” experience in dealing with such attacks. Social engineering is still the easiest and most effective way that malicious individuals are able to access sensitive information.

Have a process to identify and prevent cybersecurity threats.

Cybersecurity starts with people, but must be strengthened by processes for backups, incident reports, breach notifications, and disaster recovery. It is critical that organizations develop a multi-phased vulnerability management process that includes vulnerability scanning, risk acceptance, and remediation for security risks.

This process is critical to recognizing the potential impacts of a breach on your organization before one occurs so it is clear what steps your team will take to protect patient data. Far too often, healthcare organizations only start investing in a cybersecurity process after they have been negatively impacted by an incident, and at that point, it may be too late for some patients.

Cybersecurity is more than just technology.

Technology by itself is not the answer to protect an organization from a cybersecurity attack, but combined with dedicated people and a defined process, it completes the cybersecurity prevention trifecta.

Technologies such as Security Information and Event Management (SIEM), Data Loss Prevention or Intrusion Prevention Systems (IPS) can be leveraged to identify and even react to a ransomware attack as it is happening. Custom policy and rulesets can be utilized to alert in real time that there is something awry within the operating environment. Additionally, Network Access Control (NAC) platforms could make the isolation of infected devices quicker and easier.

Stakes are too high to put patients at risk.

Cybersecurity threats at their core are patient safety risks. The stakes are high and if you wait until after a breach or attack to take action, it’s too late. The best prevention against any attack is a proactive security strategy built around people, process and technology. Now that you know the fundamentals, lead your healthcare organization through a HIPAA Risk Analysis to see if your organization has what it takes. Remember, protecting your organization from a cybersecurity threat is a journey that requires constant attention and never stops.

About the Author

Dan L. Dodson serves as President of Fortified Health Security, where he helps healthcare organizations effectively develop the best path forward for their security program based on their unique situation. Dan currently serves on the Southern Methodist University Cyber Security Advisory Board. Dan holds an M.B.A. in Health Organization Management and a B.S. in Accounting and Finance from Texas Tech University.
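Dan’s third step mentions SIEM rulesets that alert in real time when something is awry, and NAC platforms that isolate infected devices. What follows is an added example, not code from the article or from Fortified Health Security, of what such a correlation rule looks like in practice: a sliding-window count, per host, of renames or writes to ransomware-style file extensions, run over a handful of constructed file-server audit lines. The audit line format, hostnames, users, extension list and thresholds are all assumptions made for illustration.

```python
"""Added example: SIEM-style correlation rule for ransomware-like file activity.

Not code from the article or from Fortified Health Security. The audit-line
format, hosts, users, extension list and thresholds are assumptions for
illustration only.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed key=value audit line format (constructed for this example).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"op=(?P<op>\S+) path=(?P<path>\S+)(?: new=(?P<new>\S+))?$"
)

# Illustrative extensions seen on ransomware output; tune per environment.
SUSPECT_EXTS = {".locked", ".encrypted", ".crypt", ".wncry"}


def parse(line):
    """Parse one audit line into a dict, or return None if it does not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def _ext(name):
    i = name.rfind(".")
    return name[i:].lower() if i >= 0 else ""


def detect(lines, window=timedelta(seconds=60), threshold=5):
    """Return (host, user, first_ts, count) alerts.

    Rule: one host renaming or writing >= `threshold` files to a suspect
    extension inside a sliding `window` is flagged once. Lines are assumed
    to arrive in time order, as a SIEM delivers them.
    """
    recent = defaultdict(deque)   # host -> timestamps of recent suspect events
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        target = ev["new"] or ev["path"]
        if ev["op"] not in ("RENAME", "WRITE") or _ext(target) not in SUSPECT_EXTS:
            continue
        q = recent[ev["host"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # drop events outside the window
            q.popleft()
        if len(q) >= threshold and ev["host"] not in alerted:
            alerted.add(ev["host"])
            alerts.append((ev["host"], ev["user"], q[0], len(q)))
    return alerts


# Constructed sample audit lines: one normal workstation, one host encrypting
# files in quick succession, one host whose slow drip stays under threshold.
SAMPLE_LOG = [
    "2018-03-05T10:00:00Z host=WS-02 user=nurse1 op=READ path=/share/patients/rec001.docx",
    "2018-03-05T10:00:05Z host=WS-02 user=nurse1 op=WRITE path=/share/patients/rec001.docx",
    "2018-03-05T10:01:00Z host=WS-17 user=jdoe op=RENAME path=/share/patients/rec001.docx new=rec001.docx.locked",
    "2018-03-05T10:01:03Z host=WS-17 user=jdoe op=RENAME path=/share/patients/rec002.docx new=rec002.docx.locked",
    "2018-03-05T10:01:07Z host=WS-17 user=jdoe op=RENAME path=/share/patients/rec003.docx new=rec003.docx.locked",
    "2018-03-05T10:01:12Z host=WS-17 user=jdoe op=RENAME path=/share/patients/rec004.docx new=rec004.docx.locked",
    "2018-03-05T10:01:15Z host=WS-17 user=jdoe op=RENAME path=/share/patients/rec005.docx new=rec005.docx.locked",
    "2018-03-05T10:01:18Z host=WS-17 user=jdoe op=RENAME path=/share/patients/rec006.docx new=rec006.docx.locked",
    "this line is malformed and is skipped",
    "2018-03-05T10:10:00Z host=WS-09 user=admin op=WRITE path=/share/tmp/a.crypt",
    "2018-03-05T10:13:00Z host=WS-09 user=admin op=WRITE path=/share/tmp/b.crypt",
    "2018-03-05T10:16:00Z host=WS-09 user=admin op=WRITE path=/share/tmp/c.crypt",
    "2018-03-05T10:19:00Z host=WS-09 user=admin op=WRITE path=/share/tmp/d.crypt",
]


def run_sample():
    return detect(SAMPLE_LOG)


if __name__ == "__main__":
    for host, user, first, count in run_sample():
        print(f"ALERT host={host} user={user} since={first:%H:%M:%S} suspect_events={count}")
```

Only WS-17 is flagged: WS-02 never touches a suspect extension, and WS-09’s four writes are spread three minutes apart, so no sixty-second window ever holds more than one of them. A real SIEM would express the same logic as a rule over its own event schema and hand the alert to the NAC or endpoint layer for isolation; the threshold needs tuning against normal activity on each share, and an extension list should be one signal among several rather than the sole indicator.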

Cyber Security in Healthcare.

It is commonly understood that the recent hacking of the UK’s NHS came in via its connected machinery rather than directly into the hospital servers. With that in mind, we look at what is coming up at the forthcoming conference in San Francisco, starting with a timely announcement from Tel Aviv-based company Cynerio, which today announced its mission to protect the future of healthcare by focusing on its weakest link: the connected medical device ecosystem.

What they say is that, by building a tailor-made solution for healthcare providers, they deliver complete visibility into a healthcare organization’s medical device ecosystem, protecting it from cyber threats and helping the organization meet HIPAA regulatory requirements.

The company was founded by cybersecurity experts Leon Lerman, CEO, and Daniel Brodie, CTO, to deliver a cybersecurity solution specially designed for healthcare providers, based on the industry’s first technology that combines device behavior modeling with medical workflow analysis to provide full visibility into medical device behavior and activity on the network, accurately detect anomalies with deep understanding of the medical context and stop the threat to ensure patient safety and data protection.

“Connected medical devices are delivering a new level of patient care, but present new challenges of managing and securing the growing clinical ecosystem. For attackers, medical devices are easy targets, as the devices aren’t built with security in mind and healthcare security teams have limited ability to protect these devices with traditional IT security solutions that are more focused on standard platforms. Our technology offers a comprehensive solution, purposely built to protect the medical device ecosystem and their sensitive data,” explained Lerman.

Cybersecurity again in the News…

We look briefly at two companies that have got in touch…

Fortified Health Security have recently partnered with Beacon Health System to strengthen the health system’s overarching cybersecurity program. Their Kristin Deuber writes to us to say:

“The program kicked off in April 2017, during the formation of Beacon, which required the health system to consolidate policies and to implement a more unified and centralized cybersecurity program. Fortified discovered through its baseline research that the health system had moderate cybersecurity system development with data loss prevention, and had deployed a SIEM solution on limited systems. In addition, like most healthcare organizations today, there was zero SIEM visibility into their medical device inventory, as well as the risks associated with those connected devices.” She attached some deeper info, which is available on demand from us here at ProfoMedia. And we have invited their President, Dan Dodson, to write a guest article, so watch this space.

Also out of the blue is the Proficio company, whose Tamara Yaravoy says that they have won some eleven Cybersecurity Excellence Awards. This is clearly better than my 200 metres swimming certificate from when I was a kid. She goes on to explain in more detail:

“In the Cybersecurity Excellence Awards, Proficio won gold in the Best Managed Security Services and Cybersecurity Team of the Year – North America categories. The company was also recognized with a bronze award in the Best Cybersecurity Company category, where they had competed against forty other cybersecurity companies.

Proficio secured top honors in the Info Security PG’s Global Excellence Awards, placing in four different categories. The company won gold in the Cyber Security Vendor Achievement of the Year category for significantly expanding its operations in North America, EMEA, and APAC, silver for Best Security Company of the Year (Services), bronze in the Best Overall Security Company of the Year category, silver in the Managed Security Services category for its SOC-as-a-Service offering, and bronze in the Managed Security Services category for its Splunk Enterprise and Splunk Enterprise Security services. Proficio was the only cybersecurity company to be recognized with two awards in the Managed Security Services category.

In the Cloud Computing Excellence Awards, Proficio was recognized for excellence and innovation in their SOC-as-a-Service offering. Proficio was one of only nine companies selected for this award which honors vendors that have most effectively leveraged cloud computing in their efforts to bring new, differentiated offerings to market.

Proficio was once again awarded a placement on the Security 100 of CRN’s 2018 MSP 500 list as well as San Diego Business Journal’s Top Cybersecurity Organization List. The CRN Security 100 list is designed to help partners wade through the ever-expanding security market, from the long-standing legacy vendors to the niche players, and navigate the fast-growing security vendor market.”

Cyber security in healthcare is expected to be the target of choice for those malevolent actors trying to destabilise how our services work. Last year’s attacks on UK hospitals exposed the problem of reliance on Windows XP, and that was only the starting point.

You can look back at our earlier pages on other cyber vendors. Do contact these and the above vendors as this topic will become more visible as the year goes on.

…They Put Up a Parking Lot

We interview Shaz Ahmad, Nextgate’s VP of Cloud Operations to find out why people don’t miss something until it’s gone.

It is 02.00am Pacific Time and this is the preferred hour of the day for Shaz Ahmad, in his T-shirt, to handle an interview. He is a self-confessed night owl, but I would have thought there are limits. For me, it is 10am GMT and there could be no worse time to make a constructive assessment of why Nextgate’s time has come. I have told my office to hold my calls.

But Shaz is as eloquent as I am even in mid-morning, and he needs to be. Nextgate identity management technology is the secret sauce that makes your hospital data work, seamlessly; the thing you do not realise you ever needed, until something goes wrong. It is the one line of code you never appreciated, but which makes your data work. As they say in the song, isn’t it the way it goes, you never realise what you’ve got until it’s gone.

Except that with Nextgate, the thing that you don’t “get” is the problem that you’ve got. As we move more and more into a connected, multiple-data-source environment, where patients rather than techies are driving the data, hospitals (to paraphrase) increasingly cannot map or match the data that they have. In short, the HL7 data is neither clean from one source to another, nor do existing systems talk to each other. And whilst this is a technical issue, the problem is commercial. Putting it right takes man-hours and costs money.

Except that it needn’t. The remedy comes through the decision to start again and put your data in the cloud. What that means is a cloud-based solution for identity management that allows hospitals and organisations to rapidly and accurately deliver a patient record at the point of care, with the flexibility and scalability you need in today’s evolving digital environment.
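To make the matching problem Shaz describes concrete, here is an added example in Python (not Nextgate’s code, and not from the interview). It parses the PID segment of four constructed HL7 v2 messages from hypothetical source systems, shows that a naive field comparison fails to recognise the same patient in two of them, and applies a simple deterministic match on either a shared identifier from the same assigning authority or on normalised name plus date of birth. The message contents, system names and the matching rule are assumptions made for illustration; the PID field positions and the structure of PID-3 (identifier value first, assigning authority in the fourth component) follow the HL7 v2 standard.

```python
"""Added example: matching one patient across HL7 v2 feeds from different systems.

Not Nextgate's code and not from the interview. Messages, system names and
the matching rule are assumptions for illustration; the PID field layout and
the PID-3 identifier structure follow the HL7 v2 standard.
"""
import re


def parse_pid(message):
    """Extract identifiers, name and DOB from the PID segment of an HL7 v2 message."""
    for seg in re.split(r"[\r\n]+", message.strip()):
        f = seg.split("|")
        if f[0] != "PID":
            continue
        ids = []
        for rep in f[3].split("~"):            # PID-3 repeats, one entry per issuing system
            comp = rep.split("^")
            if comp[0]:
                # CX components: 1 = ID value, 4 = assigning authority
                ids.append((comp[0], comp[3] if len(comp) > 3 else ""))
        name = f[5].split("^")                 # PID-5: family^given^middle...
        return {"ids": ids,
                "family": name[0],
                "given": name[1] if len(name) > 1 else "",
                "dob": f[7]}                   # PID-7: YYYYMMDD, optionally with a time part
    raise ValueError("message has no PID segment")


def naive_equal(a, b):
    """What a raw field-by-field comparison sees."""
    key = lambda r: (r["ids"], r["family"], r["given"], r["dob"])
    return key(a) == key(b)


def normalise(rec):
    alpha = lambda s: re.sub(r"[^A-Z]", "", s.upper())   # drop case, spaces, punctuation
    return {"ids": {(v.strip().upper(), auth.strip().upper()) for v, auth in rec["ids"]},
            "family": alpha(rec["family"]),
            "given": alpha(rec["given"]),
            "dob": rec["dob"][:8]}


def same_patient(a, b):
    """Deterministic match: same ID from the SAME assigning authority, or exact
    family name + given name + DOB after normalisation. Bare ID values are never
    compared across authorities, because two hospitals can reuse the same MRN."""
    na, nb = normalise(a), normalise(b)
    if na["ids"] & nb["ids"]:
        return True
    key = lambda r: (r["family"], r["given"], r["dob"])
    return all(key(na)) and key(na) == key(nb)


# Constructed messages from hypothetical systems (HOSPA, LABSYS, HOSPB).
ADT_HOSPA = ("MSH|^~\\&|ADT|HOSPA|EMPI|HOSPA|20180305100000||ADT^A01|MSG0001|P|2.3\r"
             "PID|1||12345^^^HOSPA^MR||Smith^John^A||19750412|M")
ORU_LAB = ("MSH|^~\\&|LIS|LABSYS|EMPI|HOSPA|20180305101500||ORU^R01|MSG0002|P|2.3\r"
           "PID|1||L9981^^^LABSYS^PI||SMITH ^JOHN ||197504121230|M")
ADT_HOSPB = ("MSH|^~\\&|ADT|HOSPB|EMPI|HOSPB|20180305102000||ADT^A01|MSG0003|P|2.3\r"
             "PID|1||12345^^^HOSPB^MR||Jones^Mary||19820101|F")
ADT_HOSPA_TYPO = ("MSH|^~\\&|ADT|HOSPA|EMPI|HOSPA|20180305103000||ADT^A04|MSG0004|P|2.3\r"
                  "PID|1||12345^^^HOSPA^MR||Smyth^Jon||19750412|M")


def demo():
    a, b, c, d = (parse_pid(m) for m in (ADT_HOSPA, ORU_LAB, ADT_HOSPB, ADT_HOSPA_TYPO))
    return {
        "naive_a_b": naive_equal(a, b),   # False: spacing, case and DOB time part differ
        "match_a_b": same_patient(a, b),  # True: name + DOB agree once normalised
        "match_a_c": same_patient(a, c),  # False: MRN 12345 collides, but authority differs
        "match_a_d": same_patient(a, d),  # True: same MRN from HOSPA despite the name typo
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The assigning-authority check is the security-relevant detail: merging on a bare MRN value that two hospitals happen to share would fold one patient’s record into another’s, which is both a patient-safety failure and a data exposure. Production master patient indexes go further, with probabilistic scoring over more attributes and a review queue for near-misses, but the normalisation and authority-scoping steps shown here are where most cross-source mismatches start.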

Shaz does not talk about technology. He talks about Service Level Agreements. He talks about peace of mind: the idea that you as a hospital (say) can access all of your data, 24/7, safely in the cloud, without the need for local expert support. Amongst all of the solutions that a hospital might have, Nextgate is the single line that makes not just a difference; it is THE difference.

It is the reason why Shaz left his job at Orion, where he was a user of Nextgate technology, to take up an offer with the company that created it.

Nextgate competes with IBM and the big corporate players in data integration, but it is addressing a real market need. The Obama-driven “spine” of data accessibility mirrors the attempts in the UK to formalise data accessibility. Nextgate has reference sites and projects on both sides of the Atlantic.

Yet it is a hard sell. What Nextgate are saying is: don’t wait until you have an issue before talking to us about our cloud benefits. As they say in the song, don’t lose sight of Paradise.

FORGET ACCREDITATION. LET’S TALK ABOUT RISK MANAGEMENT

We talk with the EHNAC Executive Director, Lee Barrett, and ask – why now their time has come.

You could say it’s not what you say – it’s how you say it. You could argue that everything about EHNAC is a contradiction, a misnomer.

The image of silver-haired Lee Barrett as he sits back in his university-like Office, gently guiding me into his world – where he has been active for more years than I have fingers and toes – belies the relevance of EHNAC in the current medical world stage.

And that’s the problem. Or to put it another way in marketing-speak – maybe it is the “opportunity”.

EHNAC is a nationwide accreditation process for healthcare players. Up to now, and since its origins in 1993, its focus has been to give you and me a framework, if you will, a set of guidance that says you have passed the test, whatever that may mean. You would be forgiven for thinking that this is akin to taking your driving test; you get the magic certificate, the nod from the examiner and off you go.

And this approach misses the point. Because EHNAC have moved on. To understand its importance, is to recognise that in getting accredited for your internal and external processes – you are protecting your entire business against the risk of the unforeseen. By complying with industry standards, you are mitigating your exposure to malevolence or just pure chance of things going wrong. A tick in the box from EHNAC means that your processes are reasonable and acceptable.

It’s not like the Assessors at EHNAC don’t have the know how to guide you. The academic atmosphere of Lee’s office gives rise to years of practical experience, across some of the key issues of modern healthcare, which EHNAC imparts to its accredited organisations as part of the deal.

EHNAC is currently active across all of the USA, and mandated in New Jersey, Maryland and Texas. Compliance with individual State legislation is not a quick process at a government level, but it can be an immediate step at the individual vendor level.

In the litigious world we live in, never has risk management been so important. Lee’s parting words to me were:

“We are agnostic; our years of experience have taught us how to deliver standards that give a meaningful structure for each of our varied accredited organisations. What they actually do is not important. It is how they do it.”

Lee can be contacted at HIMSS in his meetings onsite.

More from HIMSS 2018

We are pleased to give airtime to several more of the vendors and their PR people, who have kindly contacted us. Please do use our Search bar above, to seek out anything specific that you need to know…

Jennifer Ringler writes to us to say: “I want to offer you an opportunity to speak with Lonny Reisman, MD, Founder & Chief Executive Officer, HealthReveal, on the following topics:
· Why Accountable Care Organizations aren’t resulting in as much savings as expected, and how real-time health data technology can help
· How health monitoring technology and guideline directed medical therapy together can help deliver equal access to care for all populations, regardless of geography
· How patients with chronic diseases can achieve better outcomes and lower mortality rates through the use of real-time health monitoring technology and data
· How acute incidents in patients with chronic diseases can be both predicted and avoided through the use of health technology”

We have also been contacted elsewhere to see if we would be interested in meeting with the VMware or Mercy companies, to discuss today’s top healthcare trends and the future of the industry.

Probably more interestingly, Upland Software have got in touch; they specialize in cloud software solutions for IT project and cost management. What they say is –

“The companies that we work with use our systems to manage the resources, costs and delivery of their projects. Over the past few years, we have come to work with a number of health organizations and what we find is that despite sometimes mature project processes, there seems to be a lack of standardized tools to help them be efficient at their work. Particularly in an environment where their extended team is made of Doctors and Clinicians, not project experts. “… They continue…

“Our solution, Eclipse, is unique in that it provides a way to centralize all project information, including inter-dependencies, status, costs, who is working on which project, and more. Over the past few years, we have helped almost 300 health organizations, giving them more control and visibility over their projects, so they can better manage project teams, allocate expenses, more accurately update key stakeholders, and keep project delivery on track.

At HIMSS we will be talking about the trends that we are seeing in project delivery, as well as showcasing our most recent release, with an expanded featureset for managing resources, time tracking and capabilities for greater project visibility. ”

Two Speakers have asked their PR people to write to us, and this is what they say; (we include their Links below)…

“Sevenikar will be opening the summit by speaking about how healthcare must evolve from caring for people to caring about people, and the importance of transitioning to a patient-centric revenue cycle in order to make this a possibility.

Vancleave will be speaking shortly after Sevenikar on the transformation that Mosaic Life Care has undergone to transition from a healthcare provider to a lifestyle company. As a result, Mosaic Life Care’s revenue cycle team has undertaken an ambitious overhaul of its financial structure, with more than 15 revenue projects scheduled to take place over five years.

The links below will take you to abstracts about Sevenikar and Vancleave, respectively, and the sessions they’ll lead. I’d be happy to provide you with more information on these two women and the hospitals/health systems they represent.

http://www.revenuecyclesolutionssummit.com/las-vegas/2018/speaker/gerilynn-sevenikar

http://www.revenuecyclesolutionssummit.com/las-vegas/2018/speaker/deborah-vancleave

And almost finally – do feel free to talk to G Medical Innovations, a next generation mHealth company.

Listed on the Australian Stock Exchange in May 2017, G Medical Innovations have developed an integrated product suite that includes consumer medical grade and hospital grade monitoring devices set to launch into North America over the course of 2018.

What they say is; “With FDA approval and a strong pipeline of innovation, we hope this is a company you would be interested in learning more about.”

They continue… “Our goal and passion is to increase efficiencies in the healthcare system that both empower physicians and caregivers and improve personal quality of life. We do this by providing innovative medical monitoring solutions that provide accurate medical-grade diagnostics in real-time to save time and offer a heightened level of care.

We will be demonstrating both our consumer and commercial healthcare applications for the very first time at HIMSS, including:

The Prizma Medical Smartphone Case – due to set a new standard in personal healthcare, the Prizma enables you to easily transform your smartphone into a highly-reliable mobile medical device. With this unique device, you can independently manage your own health by continuously measuring, monitoring and sharing your vital signs with caregivers and loved ones. In addition to providing immediate access and updates to your personal health indicators and therefore peace of mind, medical data can be both stored and sent in your personal & highly-secured Data Portal Service where you can easily view, monitor and share it with those involved in your medical care. Prizma is an electrocardiogram, and also measures heart rate, stress levels, body temperature and oxygen saturation.

The Vital Sign Monitoring System with G Medical Patch – a modular, easy-to-use, clinical grade solution for monitoring patients. It utilizes patented wireless technologies, proprietary information technology and service platforms to empower a new generation of medical providers to increase efficiency and the level of healthcare provided to patients. Available for both in-patients and out-patients, the G Medical patch can be used to monitor patients in assisted living residences, hospitals, nursing homes and other in-patient facilities. By enabling patients to be mobile and still carefully and automatically monitored, the G Medical Patch takes the pressure off healthcare providers and personnel while enhancing patient care. Information from this continuous monitoring is transmitted, stored and sent to clinicians for at-a-glance summaries, giving both clinicians and patients peace of mind.

HIMSS will be the first time that both the ‘full flow’ of Prizma and the Vital Signs Monitoring System with G Medical Patch will be demonstrated”.

And finally for the time being…why not meet the Infinite Peripherals company at booth #3271? “They will be showcasing new products that will mobilize the healthcare industry, as well as a big piece of upcoming news.”

And just in case you didn’t know…

Infinite Peripherals, a leading innovator of iOS business solutions, empowers businesses to operate more efficiently. The company offers barcode scanner data and insights that impact the bottom line in real time, as well as secure payment processing solutions for various industries, including healthcare.

There you go…

 

WHAT IS THE PROBLEM WITH MAKING DECISIONS?

We look at the increasing lack of leadership in our UK public services and its negative impact, and we say: it’s time to do something.

The question really is: why is it necessary to do something? Public services are not going to disappear overnight. Whether you take a week to do nothing at all, or a year, will not necessarily impact on your own job. It might, however, impact on someone else’s life, but as a Clinical Director told me recently: “I have a nice house, and nice holidays; why am I putting myself on the line?”

Lack of decision-making means that the people whom we entrust to look after us, to provide our essential services, and who we had hoped would go the extra mile, have no need to do so. This results either in a lack of engagement (a colleague of mine who recently moved from the private sector into local government tells me that her colleagues already had their coats on by 16.58 each day) or in an increasing level of stress-related absence, brought on by the paralysis of trying to move things forward in times of increasing pressure and demand for the very services they feel unable to deliver.

It’s not our job here to tell others how to do their job. But it is our job to explain that simply putting things off, keeping things the same, and hoping that maybe tomorrow things will work out doesn’t fly. Particularly as we are moving, and have moved, into an arena of “personalised service”, where our individual use of personal data, our smartphones, our iPads and our fitness trackers means that the technology exists to deliver great improvements in the quality of public service.

As Bogi Eliasen of the CIFS in Copenhagen said at the HIMSS Conference almost one year ago – by harnessing the data that is flowing, in realtime, across our desks every minute – we can better employ our people, enable them to make decisions related to the data that they themselves have access to, reduce the stress in our places of work – and actually do what the public are asking us, and expect us – to do.

Because the fact is that we no longer have the option of simply throwing more people and more cash at continuing to do things the way we always have, because it just doesn’t work any longer. There are too many people living longer, with too many orthopaedic ailments and exponential rises in the number of diabetes sufferers, for a few more nurses, a few more clinics or some more phone lines ever to keep pace with the needs of a society whose problems are getting worse.

It is for this reason that the recent PR from NHS England about its new Diabetes Partnerships is like adding an Elastoplast to cover my broken leg. It misses the fundamental point. Hospitals that prefer to use in-house resources rather than engage with specialist IT help are simply putting off the moment of truth: that we have reached a tipping point.

What we have seen is that, due to the new personal focus of our provision of services, we need to move out of the “silo” mentality of me doing my job, and you can do yours. We need to start looking at how we treat society as a whole, in particular the mix of Community based solutions linked to (say) hospital services.

In the same way that “if you always do what you always did, you will always get what you always got”, so it is obvious that our current ways of doing things, in just about every area of management that we have looked at for this article, simply do not deliver the results that society is increasingly asking for.

This means investment in new technologies that are proven and that can link performance to results and to costs. The technology exists and has done for some time. The question, though, is whether our social and public service leaders can take the lead and deliver what the rest of us are asking. After all, they have nice houses and nice holidays to go to. We wouldn’t want them to risk all that, now would we?