Denise Anderson, President of the Health Information Sharing and Analysis Center (H-ISAC), spoke to HealthManagement.org about this growing global organisation’s aim to fight cyber threats through cooperation among healthcare stakeholders.
H-ISAC aims to foster trust and cooperation amongst members with the objective of achieving a more secure digital health environment. How does H-ISAC achieve this and where are the greatest challenges?
I actually think, in general, that the sharing is fairly good within healthcare and the ISAC, especially amongst the larger organisations. It’s harder for smaller organisations which either don’t have a security operation or resources, don’t understand the importance of sharing information or being part of a trust community, or don’t prioritise security. I think that education and sharing experiences among members is the best way to make the smaller organisations aware of the opportunities the ISAC offers.
When it comes to medical device security, the issue is very complex. Manufacturers and healthcare delivery organisations (HDOs) can have contentious relationships. Within HDOs there are a number of stakeholders that often operate in silos. The regulators are also different for manufacturers and HDOs so the entire ecosystem is fragmented. It is very important that all stakeholders work together to solve security problems. In H-ISAC, we have a Medical Device Security Information Sharing Council which is co-chaired by a manufacturer and an HDO. We purposely did this and the goal is to ensure that both parties understand each other’s issues and perspectives so that everyone can work on challenges together.
Is healthcare management sufficiently concerned with cyber security?
In some organisations, there is focus. But really what we should be doing across industry is to change the conversation from one of cyber security to one of enterprise risk management (ERM). Cyber is just one component of the risk to the enterprise. If an organisation deploys ERM correctly, it will understand the ‘crown jewels’ and build its risk management strategy out from there. Of course it also means knowing what the threats are, who the threat actors are and what their motivations are - which is part of information sharing - as part of the equation. I don’t think healthcare, in general, is able to tackle that yet.
When it comes to physical security, are the issues of developing trust similar to those of cyber security?
I actually think the sharing in cyber is better for a variety of reasons. One is that there is machine-to-machine sharing so those indicators get shared automatically. Second, most of the infrastructure is within the private sector and industry understands one person’s defence becomes everyone else’s offence. Traditionally, the physical security teams have been mostly former law enforcement and the community has tended to be very close fisted. Also, government had access to intelligence that wasn’t available to the private sector so, unless one had a clearance or need to know, information wasn’t freely shared. Trust exists but it isn’t as broad.
What do you anticipate for both cyber and physical threats in healthcare in the next five to ten years and how can they be addressed?
We see incidents stemming from old malware and vulnerabilities that will most likely still be around five years from now. The Nigerian prince and romance schemes still exist because they work! That being said, attackers will always find ways to take new technologies that come into play and that are connected to the Internet to achieve their goals. We just need to be aware and always mindful of the potential risks that can come from a lack of availability of resources and integrity of data. We also need to be very cognisant of cascading impacts from incidents that target other organisations, such as an attack like Petya/NotPetya that targeted a country but ended up affecting numerous large and small organisations to the tune of billions of dollars. Hurricane Maria in Puerto Rico was another example of cascading impacts from other sectors on the pharmaceutical and medical supply chain.
You have experience in a number of sectors, including finance. As far as security is concerned, do you think there are any lessons healthcare could learn from other industries?
I think any sector can certainly always learn from other sectors. Obviously the financial sector has been dealing with cyber attacks and incidents for decades because of the electronic nature of global finance and the fact that they are a target. So yes, healthcare can learn from finance and can see the benefits of their lessons learned, especially when it comes to information sharing. But it is more than just technology; it is also people and process and until there is awareness and acceptance from the leadership of an organisation/sector, lessons learned only go so far.
What are some of the key objectives you have for your continued tenure as President of H-ISAC?
Primarily I want to make sure that we are delivering value to our members. There are a number of things that we are doing to help assess what members want and what we can deliver. One area in particular is in building our Security Operations Center (SOC) to do more analytics on what members are seeing, create threat trending and other reports and build a ‘visit programme’ at the SOC among other things. We are hiring a Chief Security Officer this year to help accomplish this vision.
Another area is global expansion. As part of the expansion we have established an H-ISAC EU Council and are creating an H-ISAC Japan Council to establish regional forums for sharing and collaborating. We will look to hold summits in each region within the next year. I consider myself an evangelist for global information sharing and collaboration and the more we can get the world to share the better off everyone will be.
Finally, we will continue to grow the membership so that more organisations can benefit from being a part of the great community we have in place.