At the recent HIMSS healthcare conference, Enterprise Times caught up with Nick Coleman, Global Head of Cyber Security Intelligence, IBM Security. We wanted to know how enterprise security could be mapped to healthcare. While both have a need to protect data, healthcare is often spread over multiple sites and providers with an expectation of shared data. This creates a challenge in building a security model that protects the data and patient privacy without limiting clinical access.
ET: People are finally starting to think about cybersecurity inside hospitals. Given how different healthcare data use is from the enterprise, how do we set the right level of expectation for healthcare?
Nick Coleman: Some of it’s the same and some of it’s different. In a hospital, I have health records and data. I have lots more data than I would have in a bank or in a retailer. There is a lot of access to data which is distributed across lots of places in the organisation. On one level, it looks and feels like any other organisation. At another level, it’s very different.
It’s the Internet of Things, the whole connected devices and instrumented medical equipment which pervades hospitals. So, are we trying to apply common thinking? Yes. Things like the NIST framework where you use a recognised cybersecurity framework, which goes identify, protect, detect, respond and recover. A framework like that can be equally applied into a hospital or to a financial services organisation.
We then have to contextualise it. What are the specific threats and vectors that are going to be facing a hospital? You’re not necessarily going to have the same corporate footprint as the enterprise model of architecture. You’ll have a healthcare one with links to insurers and other people. Similar to an enterprise but applied in that context: they’re the same, but different.
Then we start to talk about the threat and how we understand that in the context of the hospital. What kind of threat intelligence can I get and how can I apply it to make sure my defence is appropriate to the threat I face? I’m really trying to understand who has the capability to come and attack those systems. What kind of vectors will they use? Can I spot it? This is the same kind of thinking as for an enterprise but you are applying it to a very specific set of contexts.
ET: In the enterprise we have user IDs and group controls over data access. It’s arguably not very effective in a lot of places, but it is a well-proven process. As a hospital starts to expand clinical systems, the number of people needing access to records increases rapidly. It includes everybody on the clinical side, both inside and outside the hospital, so that means dentists and GPs. Administrative teams also want access to some patient data. It doesn’t map to the same model as users inside an enterprise. How do we take that line of business, for want of a better phrase, and produce that contextualised security for data management?
Nick Coleman: We’re talking about big data lakes and it’s the same in lots of industries. There are so many connected chains of information which come together for a particular activity. We have to think about big data, where it comes from, how we secure both the access point and the data. What can we do with it and how is it getting used? Again it’s the same but different in the hospital context because you’re applying it in those scenarios and the data, sometimes, is different.
If we look at the big data challenge, we have to think about structured and unstructured data. In percentage terms roughly 80% of the data is going to be unstructured and 20% structured. Let’s think about how to manage and deal with that data. How do I understand whether that medical record has been changed in the unstructured way, rather than whether that instrument is reading the heart rate monitor at the right level or the kidney dialysis machine?
It’s a big data problem. Is the data managed? What are the inputs and outputs? Are the systems trusted? Then I want to think about that in terms of my security intelligence and the ability to react to it and deal with the cyber threat. It has to deal with both the structured and unstructured data. I need to prioritise resources, prioritise defence, and think about that in the context of that ecosystem.
ET: That’s already a challenge for healthcare with back office and clinical systems. Those clinical systems have to have priority over other data. Some have already created multi-tiered networks in order to move data around. The challenge is that they soon hit bottlenecks, especially a lack of bandwidth. How poorly skilled is healthcare compared to enterprises when it comes to understanding the complexity of the architecture?
Nick Coleman: It’s a challenge in lots of industries and sectors especially where we’re moving to the Internet of Things. We are having to rely on legacy equipment sometimes going back decades. They also have new stuff that they may not know anything about. It may have been purchased by procurement or a different department and security may know nothing about it. That’s what we find in organisations in real-time. Smart hospitals have a lot of new components and at the same time there is legacy equipment that has been there for years. How do you maintain that?
You need to be able to understand the systems. For legacy systems, that might be looking on the Internet for information about a particular device or an operating manual. That will be a starting point to understand if the device is configured properly or not. If not, is that causing a problem which is an issue right now? We talk about data for patient care so maybe we should talk security care as well. Bring that data together to see what is a priority. If the configuration means it is exposed and it looks like somebody’s coming after it then it’s a priority case that we should prioritise and deal with. We have to use threat intelligence across all the systems and data.
ET: Hospitals fear hackers coming in and changing data. They are already struggling to digitise much of the paper data, but it is inaccurate and this leaves them with a major data cleaning problem. We’ve seen the same problem inside enterprises. How does healthcare get itself to the point where it has an acceptable level of data cleanliness?
Nick Coleman: Data will never be 100% accurate and we have to accept that there is always risk in systems. To think that there isn’t is not realistic. But, context is king. Perhaps I have a piece of data which I’m not sure is 100% accurate. It might be a urine test, for example. I can retest that so this is really a clinical decision. This is where clinical logic and decisions integrate with the systems of defence, integrity and data checking. The security system should be driven by the priorities of what the clinicians think is an appropriate risk, whether this would cause a loss of life. Those rules can be taken, automated and instrumented so that they can have systems which enable them to make informed decisions.
So what is the right level of threshold? A clinician can probably tell you that there is a higher risk of something bad happening in these scenarios; therefore, if this is seen in a security event then this is the priority for us. If this data is not trustworthy, we should look to contextualise it with other data to know whether that actually looks about right. That one piece of data on its own depends on the context but needs to be seen in a much wider pattern. This reduces the risk because rather than rely on one indicator, you’re actually digesting and analysing. The challenge, though, with all this data is we have to make humans quicker.
Our challenge is where we can apply artificial intelligence and machine learning it actually enables a computer to digest information much quicker. If you can apply those rules and logics then give informed information to a clinician they can say: “That data doesn’t look like it’s going to be reliable enough, or does cause me a concern in the security way. I need to take a set of actions to deal with that.” It’s about prioritising resources so there won’t be zero risk to that system, but there is an ability for them to put that into a picture.
ET: When you’re engaging with hospitals and other healthcare institutions, how often is the clinical side of the business brought in as part of that engagement?
Nick Coleman: It varies. Sometimes you’re just talking to teams who are responsible for predominantly the IT infrastructure and sometimes you’re really having an informed discussion as a hospital. Where it works well is when you’re looking at an organisation which really understands it wants to be proactive in these things. A proactive hospital might say: “Look, we don’t necessarily have a problem right now, but we understand they exist and we want to be at if not over the norm, and able to manage our risk and our resilience in line with the threat, which is growing.” Then you have a discussion with the clinician about: “What does that really mean?”
The discussion might include them saying: “Well, in certain environments that are not temperature controlled, for drugs and things like that, it becomes a real problem.” This is where the clinician can go much quicker than some of the infrastructure people. They know the things they really care about, the outcomes and these are the systems they really depend on.
ET: If I lose the data in my enterprise it might inconvenience some customers or cost me some business. In a hospital it could cost somebody their life. As we become more and more dependent upon electronic systems, the question is, “where does that resilience lie?” It is not just about data; it includes systems all designed to keep patients alive, such as in an ICU. We know that IT leads people to deskill organisations, to reduce the number of bodies physically on the ground. Can healthcare follow that model? Or does healthcare actually have to say: “Our resilience here is the knowledge in people, not necessarily the reliance on IT.”
Nick Coleman: The resilience of a system is to have contingency around the things that you care about. In the event of data not being there or devices not loading properly, the real question is: “If that’s a critical process, what is your backup contingency plan to deal with that event?” It might be retesting patients or doing a whole set of things that you as a clinician will be able to do. If you can’t do some of those things, clearly you might put more contingency into that plan so that those events are much more resilient in terms of their application.
I mentioned the NIST framework earlier. One of the reasons I really like this framework is it talks about Identify as the first step. Think about what that is, not what matters technically, but what matters to your business or your hospital context.
After the session I spoke at this morning, someone came up and said: “Do you know what this session has allowed me to do? It’s allowed me to go and think about it. We’ve been doing privacy impact assessments, but we haven’t really been thinking about what’s critical for us and what could be monetized by hackers. What is the value that we have? What is the critical function that could be exploited by people.”
Identify is where it all begins. From there you develop a protection and resilience plan, which is protecting, monitoring and doing all those things. Then you need to be able to recover from incidents. Do we live with a world where we will have disruptive events? Absolutely. How disruptive will they be? It really depends on how prepared we are in terms of that “intelligence on steroids” approach where we really understand what’s happening in our systems and how we can respond. If we’re not ready to respond, then in most cases the impact is magnified.
ET: That leads us to incident response. If we were to talk about a train crash, every hospital has an incident response plan. A major plan that they roll out and it deals with everything they need to do. Cybersecurity is a whole new world to them. How surprised are you at how unprepared people at this conference appear when the question of incident response comes up?
Nick Coleman: I was quite surprised. We did a straw sample, so not scientific, but a straw sample of the number of people in the audience who had engaged in a cyber exercise. I think it was under five percent, just a very small handful. That did surprise me, especially because we’ve seen hospitals having to cancel operations as a result of attacks. Maybe we should take some comfort in the fact that some of them have probably been through incidents and learned in real time. I want to understand how we can measure their capability. Are we measuring it against something like the NIST framework and saying: “Have you adopted a common framework in addition to a legislative requirement that you sit within? Can you talk about what you identify as critical? What you’ve chosen to protect? What your detection system is?” There are many other questions we could ask.
I’m concerned that very few have done an exercise, which I think is industry best practice these days. I’d like to go further and really look at whether they’ve got the intelligence, and if they understand what they are spending the money on. Are they spending enough? That comes down to having a discussion with the clinicians and the senior people, similar to the conversations I have with board directors. What they want to know often is: “Have I done enough? What does good look like? What should I be spending? Is my team capable of delivering?” Those are the kind of questions I get.
In a hospital I expect to be saying to them: “Have you gone through a framework? Can we evidence it? Can we understand that you’ve made clinically driven decisions and you’ve decided a budget which is appropriate for your risk appetite?”
ET: HIMSS and Chime are the two major healthcare digitisation solutions and have announced they are planning to align their frameworks. Given that they are so dominant, do you think it’s reasonable that people like HIMSS and Chime should start offering up best practices and integration opportunities for commercial companies?
Nick Coleman: I don’t know the particulars of this. We’ve already seen regulators on to the NIST framework across different sectors, from energy to financial services. We need to have globally understood frameworks which all the supply chain can buy into. I want things which can travel, be easily understood, and if they’re buying equipment from Israel, the US, wherever it comes from, then I want those supply chains to also be able to talk in a common language.
Common frameworks help. The next question is: “contextually, how do you think about that and how do you get the community engaged?” That’s where healthcare conferences and groups which operate within that can help to galvanise the community. I think it’s more about galvanising the community than creating the framework. The establishment of best practice. There’s the EU security agencies and other people who can also help in that galvanising. Ultimately, it’s about raising capability, which to me is: “Are you spending money on the right stuff and are you able to respond if things go wrong?”
ET: IBM recently launched its cyber range with a focus on incident response. Do you have a healthcare scenario yet? How hard are you going to market it to healthcare when, quite frankly, there are a lot of businesses out there with deeper pockets who are much more likely to want access first?
Nick Coleman: We have a number of healthcare clients around the world. The cyber range is showing you the opportunity to effectively demonstrate your readiness. I would look at the cyber range, as you say, as part of incident response. Getting a team together and seeing how they work together when things go wrong. How do you take actions? This comes back to what I said earlier, which is, how ready are people for this challenge? The answer is, there’s still a way to go. Do I think a lot of people have actionable threat intelligence to really understand and focus where they should prioritise their stuff? There’s still a gap there and, based on what I’ve seen at this conference, people need help in planning and doing scenarios.
ET: Thank you, Nick.