Dan Costantino, chief information security officer at Philadelphia-based University of Pennsylvania Health System, discusses the idea of implementing data protection as a team effort instead of an individual role.
Question: What would you say is the No. 1 threat to hospital cybersecurity today and why?
Dan Costantino: It continues to be both people and time. The human element has always been a significant challenge impacting information security, often due to unintended actions taken by employees that result in cybercriminals taking advantage of vulnerabilities. It is because of this human element that phishing continues to be the top attack vector for cybercriminals. I mention time as well because these issues cannot be fixed immediately, as influencing the corporate culture to practice good security hygiene and implementing a resilient security program is truly a marathon. Trying to do too much in a short period of time is a frequent mistake made by health systems and security programs.
Q: What advice would you give to other hospital CISOs or CIOs to get hospital staff on the same page in the aftermath of a cyberattack?
DC: Organizations can easily fall into the trap of spending so much time recovering from a cyberattack that the lessons learned are never documented and discussed. Most health systems have experienced a cyberattack by now, whether it be small or large. Hopefully disaster recovery planning and regular tabletop simulation exercises are set in place to provide significant clarity in responsibilities and actions when incidents occur. Still, there are critical points in every recovery scenario that have room for improvement and should be discussed to ensure the same mistakes aren't made twice. These cyberattacks are one of the rare times that CISOs, CIOs and IT leaders have the entire business's attention, and that opportunity must not be wasted.
Q: What do you see as the next big cybersecurity threat hospitals should look out for?
DC: Many threats that hospitals have experienced for years will need to continue to be managed moving forward, such as phishing and unpatched systems. With that said, hospitals are facing new threats to medical devices and general IoT [internet of things] as interconnection continues to expand. Getting in front of this threat as quickly as possible should be on every health system's roadmap. There is a potentially significant risk to clinical operations in the event of an adverse event taking place. Avoiding this pitfall is of utmost priority.
Q: What do you consider to be the most important aspect in hospital data protection?
DC: Getting everyone in the organization involved. There continues to be a common misconception that IT and Information Security own all of the data and are completely responsible for the protection of it. This mentality is dangerous and often leads to misuse or mishandling of sensitive data. Boiling the ocean and applying the same level of security controls to all data is not a practical model and is bound to experience setbacks and incidents.
Health systems should be working toward a mission and culture that promotes data protection as a part of everyone’s job, whether that be data ownership or basic stewardship. At the same time, IT and security have the responsibility for making secure solutions available that avoid slowing down critical workflows and business operations.
To learn more about hospital and health system cybersecurity, as well as the key trends for CISOs, register for the Becker's Hospital Review 4th Annual Health IT + Revenue Cycle Conference, Sept. 19-22, 2018, in Chicago.