Cybersecurity: How HSS Gets it Done
By Elizabeth Hofheinz, MPH, MEd., October 11, 2019
Is your hospital “naked,” i.e., is it vulnerable to cyberattacks? Here to help cloak your facility is Hospital for Special Surgery (HSS) cyber guru Vikrant Arora, chief information security officer at that institution.
There’s ‘security’ and there is ‘SECURITY’…and Hospital for Special Surgery in New York has the latter. When they brought in Vikrant Arora in 2017, they were arming themselves with his decade of experience protecting the largest healthcare system in the country…that of New York City. Arora told OSN, “I was in charge of cybersecurity for 20+ hospitals, 70+ clinics, where we were faced with the enormous challenge of ensuring that individual facilities could securely connect and collaborate to provide care to more than 1 million patients annually. It was also during that time that I led security for the largest implementation of EHRs (Electronic Health Records) in the U.S.”
Arora also ensured security for vendors, biomedical devices, apps, and patients, all the while complying with HIPAA regulations and New York state laws.
“In addition to my prior duties,” says Arora, “at HSS I manage the security of the hospital’s brand, intellectual property and enable secure digital innovation. There are many choices when it comes to hospitals, but many people seek out HSS due to its reputation…and that must be protected. Then there is the substantial ‘bank’ of innovation that is born here at HSS. The implants and techniques developed in-house increasingly depend on technology and pose unique cyber issues and we are forced to adapt culturally and technically to contend with threats to this information.”
Asked how he commenced this new role, Arora noted, “On day one my primary goal was to learn what the core business model is, and what are the facility’s most valuable assets. I sat down with key stakeholders, direct reports, the CEO, COO, CME, CFO, etc., and had a non-cyber discussion about their core security objectives. Then, I did a mapping exercise to assess all of the facility’s applications and assets that support these key objectives. Following that we did a threat modeling process to see which assets were exposed to attacks; we then assessed the potential impact to the organization as well as the likelihood of attack and formulated a business risk based cyber security strategy.”
OK, let’s have it…what were the most important threats?
“I look at threats as being in three ‘buckets.’ The first is regulatory. While there is not as much of a threat on that landscape, there are significant changes happening in Washington, DC and Congress that can have an impact. Currently, it is a fragmented model with various state, federal and international regulations, with the government on the verge of adopting the California Consumer Privacy Act (CCPA) or European General Data Protection Regulation (GDPR)-like regulations as the federal standard.”
“When it comes to HIPAA, as it is now data is loosely shared with partners, who often bring on consultants or subcontractors so that information ends up being widely distributed. And there is no way a hospital can produce a map that shows everyone who has access to patient X’s data. Also, it is almost impossible to delete all of the records from a patient if he/she requests to do so, a right built into GDPR and the CCPA (duty to delete). Healthcare is a complex ecosystem of providers, payers and patients and has a long way to go in terms of cyber hygiene and due diligence.”
But Vikrant Arora fights the good fight.
“In trying to ensure there are no cybersecurity blind spots it is vital to conduct an enterprise-wide analysis where you look at all of the stakeholders and determine the risks to them—and you can’t just find that out by sending them a questionnaire. If the IT landscape that is analyzed is not holistic or within a business context, then it is not meaningful. There is no new technology that will come along and help us with new stringent regulations but it is due diligence that will win the day…or hopefully, most days.”
The second thing that keeps Arora up at night is the ghoulish-sounding Dark Web and advanced cyber criminals. “As is obvious from many of today’s political headlines, cybercriminals have evolved significantly. Geopolitical tensions are part of this mix. Take North Korea and Iran, where the US government has imposed sanctions, and those countries have attempted to recoup some money by hacking the banking system and stealing credit cards and hacking hospitals in order to hold medical records hostage. There is an uptick in ransomware, as is evidenced by 140 local governments, police stations and hospitals that have been held hostage by ransomware attacks.”
But, Vik, I have antivirus software!
“We are a long way from antivirus software. If you do the basics right, then the hackers move on to the next target. If your defenses are multi-layered enough that it doesn’t make economic sense for them to infiltrate all layers, then that protects you in the short run. If someone is determined to get in, they will…so it’s a matter of when, not if. And this means organizations not only focus on defending but also on responding to and recovering from an incident.”
Knowing that people are typically behind any technology problems, Arora goes all out to bring the entire HSS crew up to speed with the best ways of avoiding cyber issues. And it goes way beyond a PowerPoint presentation at the new employee orientation. “By using analytics, we can rather accurately pinpoint which users and roles are susceptible to email attacks (phishing), which is the leading compromise method in most breaches. Throughout the year the security team does phishing campaigns where we send phishing emails to gauge how users react and provide ‘just in time’ training. Anyone who has clicked on three in six months is flagged as ‘high risk’ and we have them attend a formal training.”
“We take a similar approach when it comes to people visiting questionable websites. The training is completely customized, so they walk away with a meaningful message. All our security education is imparted based on risk and role. That way the intervention is not burdensome for the entire hospital. Finally, the focus for all education is protecting personally-sensitive data and not just corporate-sensitive data and staying safe online at home and at work. We are also taking steps to protect our patients from being phished to increase trust in HSS as not just a provider of care but also as a custodian of their medical information.”
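The “three clicks in six months” rule Arora describes above can be applied as a rolling-window check over phishing-simulation results. The code below is an added illustration, not HSS’s tooling; the click records are constructed, and “six months” is assumed to mean 182 days.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample of phishing-simulation results: (user, date clicked).
# Only clicks on simulated phishing emails are recorded; users who reported
# or ignored the email produce no entry.
SAMPLE_CLICKS = [
    ("asmith", date(2019, 1, 14)),
    ("asmith", date(2019, 3, 2)),
    ("asmith", date(2019, 5, 20)),   # third click within six months -> high risk
    ("bjones", date(2018, 9, 5)),
    ("bjones", date(2019, 4, 1)),
    ("bjones", date(2019, 8, 30)),   # three clicks, but spread over about a year
    ("clee",   date(2019, 6, 11)),
]

WINDOW = timedelta(days=182)   # "six months", assumed here as 182 days
THRESHOLD = 3                  # clicks within one window that trigger formal training


def high_risk_users(clicks, window=WINDOW, threshold=THRESHOLD):
    """Return the set of users with >= threshold clicks inside any rolling window.

    Uses a two-pointer sweep over each user's sorted click dates, so a user is
    flagged only if some span of `window` length contains `threshold` clicks,
    not merely if they clicked `threshold` times overall.
    """
    by_user = defaultdict(list)
    for user, day in clicks:
        by_user[user].append(day)

    flagged = set()
    for user, days in by_user.items():
        days.sort()
        start = 0
        for end in range(len(days)):
            # Advance the left edge until the span [start, end] fits the window.
            while days[end] - days[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(user)
                break
    return flagged


if __name__ == "__main__":
    for user in sorted(high_risk_users(SAMPLE_CLICKS)):
        print(f"{user}: high risk, schedule formal training")
```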
And the third bucket is filled with what cyber worries? “Consumerization, i.e., this raging demand of Uber-like convenience is happening in most, if not all, industries, including healthcare. But making things super easy for customers while keeping data safe is no small feat. There is the Internet of Things (Telemedicine, refrigerators with Wifi, electronic prescriptions, Alexas, BP machines, insulin machines with Wifi, etc.). The point of all of this connectivity is data…vendors, patients, hospitals, and the government are all collecting data.”
“In addition, the Cloud is moving us away from physical things. In the coming years, for example, there will be no physical data centers and most organizations will receive ‘data centers as a service’ without being responsible for managing any underlying hardware. With the flip of a button you will be able to get your own servers. And while this will afford people value and velocity, it will require a new way of thinking from a security standpoint.”
Vik, am I secure?
“Every day someone asks me if his or her data are safe,” says Vik Arora. “I tell them that it’s like being healthy. If I ask you if you are healthy, you’ll probably say, ‘I am doing the right things such as exercising, going to my annual checkups, so I hope I am healthy.’
“It’s the same with cybersecurity…you need to always be doing the right thing. This won’t prevent an incident but make your recovery easier and quicker. Stay healthy and stay safe.”
So pay attention…think like a hacker…and then think like Vik.