Vikrant Arora, chief information security officer at Hospital for Special Surgery in New York City, discusses how to promote strong cyber hygiene and what new forms of cybersecurity threats hospitals should look out for.
Responses are lightly edited for clarity and length.
Question: What tasks require the majority of your time as CISO?
Vikrant Arora: As a CISO, the majority of my time is spent on three things. The first is hiring and retaining security talent. Digital innovations, not just tools but architectures, are changing at a fast pace. As such, finding individuals with a security mindset, willingness to learn and capability to adapt has become a time-consuming process. I also spend a great deal of time keeping existing talent engaged and providing a rewarding career path.
Nurturing relationships across service lines, building credibility for security investments and justifying the business value of security investments on a day-to-day basis takes up a lot of my time as well.
And lastly, constantly maturing the incident response process, so that we can detect and respond to incidents as early as possible, is a tedious activity as well. As an organization, we analyze more than 10 billion logs every month, and it is a daily pressure to keep up. As log sources increase — thanks to the adoption of [Internet of Things], cloud and mobility — selecting the right logs, correlating them with structured and unstructured threat intelligence and finally combing through them for the right indicators is making an already hard problem harder.
Q: How do you train clinicians and front-line staff to protect patient data and avoid cyberattacks?
VA: Educating clinical users on cybersecurity is quite a challenging and interesting task. One of the approaches we have taken at HSS is to make cybersecurity a personal priority. We routinely educate users on items such as the Equifax breach, the Facebook privacy incident and the compromise of personal routers. This helps to build security-conscious muscle memory and fosters desired behavior when deciding whether to click on a suspicious link in personal or corporate email.
The other key tenet of our security education, and security program, is to make risk-based decisions. We use security data analytics to identify threats to healthcare as a sector and HSS-specific threats. We also use behavioral analytics to determine our 'most risky users,' 'most attacked users' and 'users with access to mission-critical services.' Using these insights, we provide not just role-based but also risk-based education instead of the 'one-size-fits-all' approach.
Lastly, it helps to be part of a high-performing organization, such as HSS, where everyone is operating at the top of their license and aligned to the corporate mission. My team routinely engages our world-class marketing department to help with organizing security events and delivering messages that resonate with our culture and community.
Q: What do you see as the next big cybersecurity threat hospitals should look out for and why?
VA: We are living in a hyper-connected world where everything is connected to the internet. Cloud, mobility and the consumerization of IT have shrunk the perimeter all the way to individual users. It is also a well-known fact that biomedical devices have a lot of intrinsic security weaknesses. As we layer services such as patient engagement, predictive diagnosis and population health on top of insecure biomedical devices using public cloud infrastructure, it will be a recipe for a perfect cyber storm if security is not top of mind.
Another threat we are watching closely is cryptomining-based malware, where the focus is not data theft or business disruption but stealing computing power and electricity. Such malware may not be easily detected by typical anti-malware programs and can be especially dangerous for organizations with cloud-based infrastructure, which can end up with a big fat invoice from their service providers.
In addition to these new forms of threats, I constantly worry about the lack of emphasis on basic cyber hygiene. A security solution based on emerging technologies such as machine learning, artificial intelligence and blockchain can certainly provide benefit but is not a substitute for foundational security practices such as minimizing human error through education, authentication, asset management, patching and segmentation.
Q: What are a few IT trends you want to learn more about?
VA: The three trends I am closely watching are quantum computing, blockchain, and serverless and microservices architectures. Encryption is finally becoming mainstream and delivering much-needed security and privacy. The advent of quantum computing may render current encryption ineffective, exposing intellectual property and personal information across the internet.
Regarding blockchain, it has numerous applications, and from a cybersecurity standpoint I am particularly interested in blockchain solving the problem of attribution on the internet. Anonymity on the internet is fostering cyber-crime and leading to geopolitical tensions such as ongoing disinformation campaigns against U.S. democracy or the fake news hack that nearly started a war between Qatar and its neighbors.
Lastly, serverless and microservices-based architectures are being implemented, where the focus is on services and transactions instead of servers. The security perimeter has already shrunk inwards from firewalls to users, and these newer architectures will move it to a new frontier, namely application programming interfaces (APIs). This is a fundamental shift from traditional architectures and will require a reboot of current security principles.
To learn more about hospital and health system cybersecurity, as well as the key trends for CISOs, register for the Becker's Hospital Review 2nd Annual Health IT + Clinical Leadership Conference, May 2-4, 2019 in Chicago.
To participate in future Becker's Q&As, contact Jackie Drees at jdrees@beckershealthcare.com