Chad Wilson, director of information technology security, Children's Medical Center and Don Kleoppel, chief security officer, Cerner, will be part of a power session panel at Cerner’s annual health care conference where corporate professionals will discuss proper credentials for a strong cybersecurity program. Cerner Health Conference will be held Nov. 14-17 in Kansas City, Missouri.
Importance of data security:
Don: It goes without saying that security is one of our key initiatives. It’s one of our missions to continue to strengthen our framework of data that our clients entrust to us. It’s top of mind for Cerner and will always be supported at the highest levels of the organization.
Chad: Most of our system decisions are made through processed information and that comes from an IT system: making sure that data maintains its integrity, its confidentiality is protected and that it is highly available to everyone when they need it.
Forefront on the front lines:
Don: We’re seeing a shift. A lot of the things you’ve seen in the past up to three years ago, the focus was on financial services. When you look at it present day, hackers have shifted their focus to health care as a primary target. Most of the time health care systems have the gamut of information on an individual. The value of those records are much greater on the black market than a set of Social Security numbers or a set of credit card numbers. The hacker community is more targeted toward heath care than what it has been in the past.
Chad: Health information is equally important as financial information. Unauthorized access or disclosure to health information can adversely affect the patient and organization. That information could also be used for some type of financial gain by selling off the data or using it for fraud reimbursement.
Don: When you look at breaches that have occurred over the past three to four years, it comes down to a failure of process and procedures. Cerner uses a back-to-basics approach: making sure we have basic blocking and tackling in place. Our focus to mitigate mistakes centers on four distinct areas: patch management, vulnerability management, configuration management, and access management.
Chad: A common mistake that I see is a lack of understanding in what it takes to have strong cybersecurity protocols. Cybersecurity is multifaceted, almost like a diamond. When looking at a diamond from 5 feet away: it sparkles and shines. When you get closer, you can see that every facet of it is polished and shined, and that contributes to the overall brilliance of that gem. Not having a strategic, holistic approach and getting mired down into a single facet or control have also been common mistakes.
Greatest threat to cybersecurity:
Don: It’s people. No matter how much you train people, no matter how much information you give them, at the end of the day, people in manual processes are the weakest link. Being able to remove the human factor as much as possible, to automate as much as possible, and validate as much as possible are the critical components to close the gap and lower the risk.
Chad: I would agree with Don. You are only as strong as your weakest link and your weakest link is people. People are brilliant, the brains we have can easily outperform the computers we put in place but we’re fallible, we make mistakes. It’s those mistakes that allow others to get through.
Best practices for maintaining a high-level of continuous cybersecurity:
Don: It’s different between large organizations and small- to medium-sized organizations but the concept is the same: making sure you’ve got the right logging level and you’re gathering the right data about your environment and you have eyes on that data. People are doing analysis and are able to react to what they see going on in that environment. A managed services solution where you turn that data over to a third party and they do the analysis and respond back to the company for things that they need to look at works well for a small- to medium-sized company. For larger companies with a large technology footprint building those skill sets in-house is critical to being able to respond to an event in a timely fashion.
Chad: First, would be visibility. If you can’t see it, you can’t protect it. You need to know what you have, its impact on the business and functionality within the business. Second, understand your adversary. You need to be able to understand what the threats are and manage those. What are the risks when those threats are realized? You need to understand the tactics and capabilities that are being used against you before you put mitigating controls in place. This is especially important to understand how potentially effective they are or can be. Third, but not last, think strategically. Think about winning the war, not every individual battle. An ounce of prevention goes a long way. It helps you define the amount of incident response that you need to be prepared with.
Panelists from the power session are:
Don Kleoppel, Cerner, Chief Security Officer
Kevin Hutchison, Cerner, Director, Enterprise Security
Mike Nill, Cerner, Executive VP & Chief Operating Officer
Chad Wilson, Children's Medical Center, Director of Information Technology Security
Bruce Robinson, CoxHealth, Chief Information Officer
Brandon Dunlap, Black & Veatch, Global Chief Information Security Officer