Modernizing and staying secure in the changing field of health IT

May 21, 2019 |  Security, Interoperability, Meaningful Use

Modernizing-staying secure-changing-field- health-IT

“The only constant is change” has never been more true than it is today. Technology has advanced rapidly in recent years; adoption of technology has increased dramatically; and meanwhile, regulatory bodies struggle to catch up.

Hacking has also changed. In the early days, it was mainly students fooling around.

Over time, criminal organizations and nation-states have adopted hacking as an effective tool. Plus, the dark web allows for anonymity and the creation of hacking marketplaces. The barrier for entry has lowered as criminals sell hacking as a service (or “crime as a service”).

How can an organization continue to modernize and move ahead while securing itself against the increasing threats?

New technology brings new concerns, and with legacy systems being kept around, they can become highly vulnerable and exploitable. It can certainly be overwhelming.


The more things change, the more they stay the same

When I read Cliff Stoll’s book The Cuckoo’s Egg (1989) — most likely the first documented case of a computer hacking incident that happened in 1986 — I was struck by the fact that the same techniques continue to be successful today. The hacker used default passwords to get into many of the systems, exploited an unpatched vulnerability in a commonly-used software package, and guessed commonly-used passwords.

The truth is that little has changed in 30-plus years; these continue to be the weak points in cybersecurity.

While technology has improved to some degree, the human factor continues to contribute the most to hacking incidents. The 2014 Cyber Security Intelligence Index (IBM Security Services) stated that “over 95 percent of all incidents investigated recognize ‘human error’ as a contributing factor.”

Human error does not include just poor security practices, misconfiguration, and other such mistakes, but also social engineering and phishing.

Kevin Mandia, founder of Security firm Mandiant, stated, “You will never bring phishing down to zero; someone will always click.”

Noted security expert Bruce Schneier put it nicely: “Amateurs hack systems; professionals hack people.”

What can health organizations do?

Rather than buying the next “silver bullet” technology that promises to solve all of our problems, it’s important to focus on the areas that actually contribute to most of the hacks. We must expect that systems will fail, people will be tricked, and mistakes will be made.

With that in mind, our goal is to achieve organizational resilience.

Systems should not fail spectacularly when people make a mistake. Additionally, we cannot expect that every system can be perfectly secured all of the time.

There must be layers of defense, a defense-in-depth strategy. Some technology purchases may still be required, but a risk-based approach and a focus on resilient systems can lead us to invest wisely.

Gareth Griffiths, Chief Technology Officer of BridgeHead Software, will be joining me for a presentation on this very important topic of securing legacy systems and maintaining a strong backup regimen (Session #1071) at this year’s MUSE Inspire conference, May 28 to 31 in Nashville, Tenn.

More to explore at MUSE

In addition, I’ll be hosting a discussion on Mitigating Cybersecurity Threats Across Your Environment (Session #1088), which will address questions like how to secure your organization while reaching Center for Medicare and Medicaid Services (CMS) interoperability goals.

Security should not be an obstacle to progress; instead, think of security like the brakes on your car — good brakes allow you to drive more confidently and safely, knowing that you’ll be able to stop.

In this session, we’ll take a look at interoperability, REST APIs, architecture diagrams, best practices, and third-party risk management,a s well as the security and business continuity requirements of HIMSS EMRAM Stage 7.

We will dedicate ample time to your questions so that the topics you care about most are covered. We’ll also cover frequently asked questions, and some practical resources you can leverage so that your organization can meet stage 7 requirements.

I hope you'll join us at MUSE to discuss these and other issues facing health IT professionals today.

A version of this blog originally appeared on the BridgeHead Software website.

Read how MEDITECH customers are improving clinical efficiency and patient care.

View The Innovators Booklet Online

Written by Justin Armstrong, Security Architect, MEDITECH

Justin Armstrong is responsible for the security of MEDITECH applications and platforms, including coordinating critical updates to MEDITECH software and communicating with customers when questions arise about MEDITECH’s security stance. Justin stays up to date on evolving security standards and regulations, best practices, threats, and software vulnerabilities by remaining active in the security community inside and outside of MEDITECH. He is a Certified Information Systems Security Professional (CISSP) and a proud member of the FBI’s InfraGard program as well as (ISC)2, ISSA, the Cyber Health Working Group (CHWG), OWASP, EHRA Privacy and Security Workgroup, and the NH-ISAC. Justin earned a Bachelor of Science in Physics and a Bachelor of Arts in Mathematics from the University of Massachusetts at Amherst. He obtained his Masters in Information Security Leadership at Brandeis University.
Find me on: