Seattle Children's Cris Ewell: Data security requires flexibility

The elimination of cybersecurity threats is an impossible goal, and should not be the focus for any healthcare organization's privacy efforts, according to Seattle Children's Hospital Chief Information Security Officer Cris Ewell. Instead, he believes flexibility and an assumption of risk are two of the most important aspects of maintaining a stable environment.

"Everybody certainly should have [information systems] hacking and malware instances," Ewell said Thursday at the "Safeguarding Health Information: Building Assurance through HIPAA Security" conference hosted by the Health and Human Services Department's Office for Civil Rights and the National Institute of Standards and Technology in the District of Columbia. "If you aren't detecting those, then you have a monitoring problem; you essentially are blind to what's going on in your institution."

Because the cybersecurity landscape is evolving daily, Ewell said organizations must constantly implement controls based on their specific functions and needs. Additionally, he said, security professionals and executives need to be open to the possibility that a system or a process put into place one year ago might be obsolete today.

Asset profiling and inventory management must be top of mind, according to Ewell, who said he has a risk dashboard in place that brings information from all corners of Seattle Children's to his attention. From electronic health records and social media use to the HVAC system, every online system must be accounted for.

"This is all about minimizing your electronic attack surface," Ewell said. "Reconnaissance is one of the first things our adversaries do. You'd be amazed at the amount of information I could gather on all of you, as well as your institutions, down to the actual systems that you use."

What's more, Ewell said, offline preparation is equally important. At Seattle Children's, he noted, senior leaders from throughout the organization meet every morning, in person, seven days a week, a mechanism he said could take over in the event of an emergency.

For organizations that have been breached, the middle of an attack is not the time to figure out protocol, he said.

"Imagine you have a YouTube posting [from an attacker] that says 'Hey, by the way, we're in your system,'" Ewell said. "OK, now what? Do you know what to do next? … Can you turn off the Internet? … Do you have a process to make that decision? Can you actually communicate some of those decisions within your institution without using electronic communication?"
