Reflections on HIMSS Discussions

By Brian Wells, Chief Technology Officer, Merlin International

In the month since this year’s HIMSS conference no fewer than three data breaches involving the exposure of patient information have made the news. Though the methods by which the hackers gained access to this critical data varied – in one instance a malware attack, while a data storage error and employee email were allegedly implicated in the others – the fact remains that healthcare organizations (HCOs) are facing an increasingly uphill battle in securing the right technology and talent to avoid becoming tomorrow’s next headline.

While each HCO has a unique set of considerations and priorities, when it comes to data security nearly all are facing some version of the same challenge: finding the talent and technologies to meet both needs and budgets. Smaller organizations whose resources are often more limited seem to be struggling in particular. At HIMSS, a security analyst from a more modestly sized hospital shared with me that though he would like help there wasn’t the money to make hires, and even if budget did exist he’d face the further difficulty of finding the right talent to fill positions.

In multiple conversations with HIMSS attendees, insufficient staffing was consistently noted as the biggest challenge to improving cybersecurity posture. This mirrors results detailed in our study ‘The State of Cybersecurity in Healthcare Organizations in 2018’, conducted in partnership with the Ponemon Institute and released immediately following the conference. According to 74 percent of respondents, the lack of in-house expertise and security leadership makes it more difficult to reduce risks, vulnerabilities and attacks. As a result, organizations are looking to help augment the staff they do have with technological solutions. 

Among solutions gaining prominence with HCOs looking to improve security without breaking the bank are identity and access management tools. Affordable and unobtrusive, multi-factor authentication is proving popular for preventing password fraud, specifically among remote and privileged access users. Organizations have also had success implementing security information and event management (SIEM) solutions that aggregate data produced across networks, servers, databases, applications and devices. But monitoring and managing SIEM data can be complex and time consuming, often requiring one or more dedicated staff depending on an HCO’s size. And finding the necessary expertise to quickly identify weaknesses and threats to IT infrastructure could prove problematic, with nearly 80 percent of Merlin study participants finding it difficult to recruit IT security personnel.

According to the HIMSS participants with whom I spoke, the perfect technological solution would provide a 360 degree view of their cybersecurity with analytics and AI layered on top, something we at Merlin are working to deliver. In the meantime, our research shows there are plenty of lessons to be learned from high-performing healthcare organizations in significantly reducing cyber attacks. High performing organizations are more likely to have an incident response plan and a strategy for the security of medical devices (a looming and largely unaddressed threat, according to HIMSS presenters). These organizations are also proactively investing in employee awareness about cybersecurity risks – conducting audits and assessments, providing regular training and incentives, and conducting phishing tests, for example – and ensuring third-parties safeguard patient information. Implementing any one of these practices would improve cybersecurity posture critical to patient safety.

You don’t need to be a healthcare information and technology professional to recognize that HCOs are facing constant, increasingly destructive and costly cyber attacks. Doctors will tell you that even small changes can deliver positive results to overall health. That advice could just as easily apply to cybersecurity. Only through the incremental implementation of both new technology and best practices can we protect patient data and access to essential care, and improve our overall IT health.


A Healthy Plan: The Three Critical Components of a Successful Identity and Access Management Strategy

By Brian Wells, Director of Healthcare Strategy, Merlin International

Most homeowners come up with well-established “rules” for their houses: They don’t allow anyone and everyone to come inside. And, for those who are part of the household, there are certain places which are off-limits. A child does not, for example, bring the Nintendo Switch to the study when mom is writing an annual corporate report. The dog can roam freely in the basement and kitchen – but definitely not in the master bedroom.

So if we’ve set up such rules for our homes, why don’t we – as members of the healthcare industry – do the same for our cyber networks and systems? Fortunately, we can. Through practices collectively known as Identity and Access Management (IAM), IT departments centralize, standardize and automate users’ allowable entry to networks, systems, files, data, apps and other resources.

To date, we’re just scratching the surface of IAM’s potential: The global IAM market is expected to grow from $7.94 billion in 2016 to $20.87 billion by 2022, according to projections from Stratistics MRC. Yet, despite the anticipated adoption, current research findings convey a state of IAM capabilities that’s divided between the “haves” and the “have nots” among healthcare organizations and companies in general:

  • Only one in ten healthcare organizations indicates that it is leveraging IAM as a highly impactful component of its cybersecurity strategy, according to the “Cybersecurity 2017: Healthcare Provider Security Assessment” report from the College of Healthcare Information Management Executives (CHIME) and KLAS Research. One-quarter have either purchased an IAM solution but have not yet implemented it, or aren’t implementing anything.
  • Nearly three-quarters of healthcare professionals use colleagues’ passwords to access electronic health records (EHRs), according to survey research published by Healthcare Informatics Research, and 57 percent say they’ve done this 4.75 times on average. Literally 100 percent of medical residents admit to the practice, along with 83 percent of interns and 77 percent of students.
  • Companies considered at the highest level of IAM maturity, however, are seeing significant benefits, according to research from Forrester Consulting. They experience one-half the number of breaches (5.7 on average over a two-year period) than the least mature organizations do (12.5), with 43 percent of high-maturity businesses indicating that they’ve never had a network breach. As a result, the estimated value of their losses due to attacks is much smaller – $4.3 million over the two-year period, as opposed to $9.5 million for the least mature organizations.
  • What’s more, nine of ten of those at the highest level of maturity are deploying integrated IAM platforms, according to the Forrester research. When asked to rank the benefits of IAM, top performers cited improved privileged activity transparency (51 percent), reduced findings from compliance audits (51 percent), greater individual accountability (49 percent) and the elimination of redundant IAM tech (46 percent).

Urgency Grows for Greater IAM Adoption

Healthcare organizations will need to strongly consider more investment into IAM practices and solutions, according to a U.S. Department of Health and Human Services (HHS) Cybersecurity Task Force report published in June. The “Report on Improving Cybersecurity in the Health Care Industry” recommends stronger authentication to “improve identity and access management for (healthcare) workers, patients, and medical devices/EHRs.” Too often, clinicians, support staff, patients and additional users simply enter passwords to call up systems, according to the report, when biometrics, tokens, multifactor authentication, wearable tech and mobile technologies could provide better protection while building a “trust relationship” with patients.

It doesn’t help that developing an effective IAM program is more complicated than ever, especially as healthcare organizations maintain tech apps and functions both on-premise and in the cloud. With all of the options out there, there is a myriad of platforms that we depend upon, each with its own security procedures. Still, whether your organization runs its tech solutions on-premise, in the cloud or a mix of both, you can implement a strong IAM program which greatly protects your network and systems across-the-board – as long as you include the following three critical components:

A thorough inventory. Whether you run a small, rural clinic or a multi-location healthcare corporation with 40,000 employees, you must conduct a top-to-bottom inventory of all users and their roles. You then match roles to appropriate access areas – a nurse has to call up patient data, for certain. But sensitive company fiscal files? Not so much. As part of this effort, in addition to documenting what people can call up, you need to determine what they can do with it, i.e., “read only” or make changes to a particular file.

Because this amounts to a tall order for large enterprises, you probably want to consider applying risk-based principles to inventory prioritization. In other words, focus on those who deal with the most – and most sensitive – data first. This would include financial executives and data analytics team members, the latter because they pretty much have access to everything.

Enterprise-wide usage identification. This is where you find out what users are actually accessing, as opposed to what they’re supposed to access. Having established segregation of duties in step one, you now deploy automated analytics tools to examine activity logs and identify whether employees (not to mention contractors and additional third parties) are entering into areas which do not appear to serve a legitimate, work-intended purpose. The facilities supervisor, for instance, may check room temperature levels for patients. But he has no business pulling files which contain the health insurance information of those patients.

Continuous monitoring. Once you’ve inventoried roles and identified the degree of appropriate and inappropriate activity via automated analytics tools, you cannot “set it and forget it.” You have to constantly monitor what’s going on to ensure individual roles align to allowable actions. The tools must be capable of adjusting to changes in responsibilities – when a surgeon is promoted to chief of staff, her duties will expand and, accordingly, so should her access to various parts of the organization. When the surgeon leaves for another hospital system, however, the cybersecurity team has to eliminate any access to internal assets.

To make such oversight possible, the automated analytics product needs to deliver a “single pane of glass” view of activity. Your cybersecurity team should not have to click from one screen to another to track individual tech systems, file-sharing interactions and email exchanges. With a cohesive and unified monitoring experience, the team will be best positioned to view – and respond to – everything in real-time.
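The three components above (role inventory, usage identification against activity logs, and monitoring that follows promotions and departures) as an added Python example; this is illustrative code, not Merlin’s product, and every role, user, resource and log line in it is constructed.

```python
"""Added example (not Merlin's code): the three IAM components from the
article as a small model. A role inventory maps roles to resources and
permitted actions, constructed activity-log lines are checked against it,
and a promotion and a departure are applied before re-checking.
All roles, users, resources and log lines are constructed."""
from dataclasses import dataclass, field

# Step 1: inventory. Role -> {resource: set of permitted actions}.
ROLE_INVENTORY = {
    "nurse": {"patient_chart": {"read", "write"}, "medication_orders": {"read"}},
    "surgeon": {"patient_chart": {"read", "write"}, "medication_orders": {"read", "write"}},
    "chief_of_staff": {"patient_chart": {"read", "write"}, "medication_orders": {"read", "write"},
                       "staff_schedule": {"read", "write"}, "finance_reports": {"read"}},
    "facilities": {"hvac_controls": {"read", "write"}},
    "finance": {"finance_reports": {"read", "write"}},
}


@dataclass
class Directory:
    """User -> role assignments; a departure removes the user entirely."""
    users: dict = field(default_factory=dict)

    def assign(self, user, role):
        if role not in ROLE_INVENTORY:
            raise ValueError(f"unknown role {role!r}")
        self.users[user] = role          # promotion: same call with the new role

    def offboard(self, user):
        # Step 3: leaving the organization eliminates all access.
        self.users.pop(user, None)

    def permitted(self, user, resource, action):
        role = self.users.get(user)
        if role is None:
            return False                 # unknown or departed user: nothing is permitted
        return action in ROLE_INVENTORY[role].get(resource, set())


def parse_log_line(line):
    """Constructed log format: '<timestamp> user=<u> resource=<r> action=<a>'."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return ts, kv["user"], kv["resource"], kv["action"]


def find_out_of_role_access(directory, log_lines):
    """Step 2: return the log entries not covered by the user's current role."""
    findings = []
    for line in log_lines:
        ts, user, resource, action = parse_log_line(line)
        if not directory.permitted(user, resource, action):
            findings.append((ts, user, directory.users.get(user), resource, action))
    return findings


SAMPLE_LOG = [  # constructed activity log
    "2018-04-02T08:01 user=jones resource=patient_chart action=read",
    "2018-04-02T08:05 user=ortiz resource=hvac_controls action=write",
    "2018-04-02T08:07 user=ortiz resource=patient_chart action=read",    # facilities reading a chart
    "2018-04-02T08:10 user=lee resource=staff_schedule action=write",    # surgeon, before promotion
    "2018-04-02T08:12 user=patel resource=medication_orders action=read",
]


def run_example():
    """Findings before and after a promotion and a departure are applied."""
    d = Directory()
    d.assign("jones", "nurse")
    d.assign("ortiz", "facilities")
    d.assign("lee", "surgeon")
    d.assign("patel", "nurse")
    before = find_out_of_role_access(d, SAMPLE_LOG)
    d.assign("lee", "chief_of_staff")   # duties expand, so does access
    d.offboard("patel")                 # left for another hospital system
    after = find_out_of_role_access(d, SAMPLE_LOG)
    return before, after


if __name__ == "__main__":
    for label, findings in zip(("before", "after"), run_example()):
        print(label, *findings, sep="\n  ")
```

The same log reviewed after the directory changes flags a different set of users, which is the point of re-running the check continuously rather than once.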

At our homes, we don’t “set rules” to dictate a “Department of No” environment. Instead, we seek to establish a sense of order, so that a closed door at the very least tells a child to “Knock Before Entering.”

Similarly, IAM enables healthcare organizations to incorporate the same manner of guidelines and enforcement, so a lab worker is granted authority to review medical records, as opposed to such authority being assumed and allowed with little to no restrictions. Through effective inventory, identification and monitoring, an IAM program doesn’t inhibit business at hand. It supports it – building widespread confidence among managers, employees and patients that everyone is accessing what they’re supposed to, and nothing more.


Rise of Patient-Connected Devices Requires Commitment to Proven Cybersecurity Practices

By Brian Wells, Director of Healthcare Strategy, Merlin International

Healthcare is increasingly moving to the household: Driven primarily by testing, screening and monitoring products, the global home healthcare market is expected to surpass $364 billion by 2022, up from just over $239 billion today, according to a forecast from MarketsandMarkets.

Network connected devices – particularly those considered part of the Internet of Things (IoT) – account for a great deal of this demand. By 2019, 87 percent of healthcare organizations will have adopted IoT technologies, as three-quarters of executives believe IoT will transform the industry, according to research from Hewlett Packard Enterprise’s Aruba Networks. Patient monitors have emerged as the most common use of IoT (currently deployed by 64 percent of organizations). As indicated, this adoption surge has extended into the home, with medical practitioners remotely monitoring just over 7 million patients worldwide – a figure that is projected to increase to 50.2 million by 2021, according to research from Berg Insight.

Unfortunately, there’s a “good news/bad news” reality in play here: While IoT significantly advances the capabilities of these devices, it also creates new vulnerabilities. Nine of ten of the healthcare executives surveyed by Aruba Networks, in fact, said their organization has already suffered from an IoT-related security breach. And, by 2020, more than one-quarter of identified attacks targeting the healthcare delivery industry will involve the IoT, according to additional research from Gartner.

If the bad guys start hacking patient-connected or embedded devices, there could be life-threatening outcomes. An adversary may, for example, manipulate a machine to inject a lethal dose of drugs. Or exact a ransom from a patient or their family. What’s more, it would be extremely difficult to identify the source of such a horrible attack. Patient-connected and/or implanted devices are rather rudimentary in terms of technology sophistication. They will not contain detailed log files of everyone and everything that has somehow connected to them, and they certainly won’t store enough information about IP addresses to lead investigators from an incident to a likely culprit.

Relatively recent recalls speak to the potentially dangerous risks which inadequately secured devices bring, including those used at home: In September last year, Abbott announced a voluntary recall impacting 465,000 pacemakers due to a possible hacking threat. In October 2016, Johnson & Johnson sent an official notification to 114,000 diabetic patients that a cyber attacker could exploit one of its insulin pumps, the J&J Animas OneTouch Ping, disabling the device or altering the dosage, according to the company.

While the scary scenarios call to mind something out of a sci-fi movie, our responses to the threats require a commitment to old-school remedies: network separation and patching.

Through separation, vendors, hospitals, home healthcare providers, etc. work with patients to ensure the devices run within their own network, with their own routers and connective components. They will not, for instance, interact with other wireless networks in the home, such as a virtual personal assistant. The medical device is sealed off by firewalls and segmented setup/implementation so it only maintains connections between the patient and the healthcare provider who is monitoring the device.

Then, vigilant patching of the standalone network assures that the device remains current and well-defended. Because we cannot entrust patients with this role – most would not be capable of the patching, and, besides, a number of regrettable things could happen if they tried – the vendor and healthcare provider must proactively pursue this.

At Merlin International, we stay on top of the latest trends in healthcare technology and cybersecurity to offer the most timely and effective solutions and services to our customers. We understand and appreciate all of the good that medical devices can do – as well as the risks they introduce – and we plan and design our products to directly address this. If you’d like to learn more about what we do, then please contact us.


How Healthcare Organizations Can Reduce the Cybersecurity Risks of IoT

By Brian Wells, Director of Healthcare Strategy, Merlin International

Real-life “Attack of Connected Things” scenarios are playing out. Find out how to protect the enterprise while still reaping the rewards of IoT.

If you walk through the corridors of a hospital today, you will inevitably be surrounded by the Internet of Things (IoT). From X-ray machines to heart monitors to even HVAC units and refrigerators, healthcare organizations are turning to connected devices and machines to provide not only better care, but an improved “patient experience.”

Because of this, the IoT’s presence within the industry is expected to increase rapidly for the immediate future: The IoT healthcare market is growing 30.8 percent every year, and is projected to reach just over $158 billion by 2022, up from $41.22 billion this year, according to research from MarketsandMarkets.

By 2018, 87 percent of healthcare organizations will have adopted IoT technologies, as three-quarters of executives believe IoT will transform the industry, according to research from Hewlett Packard Enterprise’s Aruba Networks. Patient monitors have emerged as the most common use of IoT (currently present within 64 percent of organizations) followed by energy meters (56 percent) and X-ray/imaging devices (33 percent). Four of five executives expect IoT to encourage more innovation, while about three-quarters anticipate that it will expand organization-wide visibility and boost cost-savings.

Yet, there are concerns about the technology, as 89 percent of healthcare organizations have suffered from an IoT-related breach, according to the Aruba research. Hackers are well aware, of course, that IoT brings new vulnerabilities, and they are eager to exploit them. In April, testimony from a top Merck & Company cybersecurity executive before the House Committee on Energy and Commerce’s Oversight and Investigations Subcommittee validated the concerns.

“In just the last few years … we’ve seen more than a hundred million health records of American citizens (compromised or threatened) in a couple of well-publicized incidents,” said Terry Rice, vice president of IT risk management and chief information security officer (CISO) at Merck. “We have seen how software vulnerabilities in insulin pumps and pacemakers can be exploited to cause potentially lethal attacks. And we have witnessed entire hospitals in the United States and the U.K. shutting down for multiple days to combat ransomware infections in critical systems. Unfortunately, I believe these incidents underrepresent the risk we are facing.”

Given the developments, healthcare CISOs and their teams should consider the following proactive steps to prevent horror movie-like “Attack of the Connected, Wild Things” scenarios – steps that respond to both the technological and human-focused elements of this emerging technology:

  • Segment everything. You should create a dedicated, separate network for IoT. With a segmented architecture entirely fortified by its own firewalls, you ensure that IoT devices will never interact with the rest of your enterprise network environment – including patients’ personal information, fiscal reports, HR records, etc. Connected devices and machines will strictly communicate with the servers which support them, and the ports and destinations they serve. Thus, if attackers compromise them, there’s only so much damage they can do, because their activity and malware is sealed off from everything else.
  • Establish controls over implementation. Frankly, organizations are taking an “anything goes” approach with IoT – one that undermines their ability to properly oversee and control it. A facilities manager, for example, could decide to install a connected alarm system in the elevators. An anesthesiologist may plug in a new product to see how it works. Hospitals win research grants all the time, and these grants often arrive with IoT-enabled technologies to assess.

In too many cases, however, all of this takes place without bringing in the CISO. Non-IT executives approve of an acquisition, and their staffers simply “plug in” without thinking of whether they’re introducing new vulnerabilities. So, clearly, CISOs must work with C-suite leaders to come up with policies which will require the involvement of security teams with any IoT initiative, large or small, with threat vigilance always incorporated into the process.

  • Expand visibility. The CISO’s mantra, “You can’t protect what you can’t see,” is more relevant than ever. It’s difficult to protect the enterprise, after all, if you don’t know who is plugging in what, and where. Through the effective, organization-wide visibility of all systems activity, you will receive notifications every time new IP addresses show up. When they do, you can verify whether they are properly sealed off within your segmented, IoT network. If they aren’t, you can shut them down until IT can locate them and redirect them to the segmented network.
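The “segment everything” and “expand visibility” steps above as an added Python example (not from the article): constructed DHCP lease lines are compared with a device inventory and the IoT segment’s address range, so an unknown device, or a known IoT device that shows up outside the IoT segment, is reported for follow-up. Subnets, MAC addresses and log lines are all constructed.

```python
"""Added example (not Merlin's code): new-device visibility for a segmented
IoT network. Each constructed DHCP lease line is checked against a device
inventory and the IoT segment CIDR. Everything here is constructed."""
import ipaddress
import re

IOT_SEGMENT = ipaddress.ip_network("10.50.0.0/16")        # constructed IoT network
CLINICAL_SEGMENT = ipaddress.ip_network("10.10.0.0/16")   # constructed enterprise network

# Inventory: MAC -> (label, segment the device is supposed to live in)
KNOWN_DEVICES = {
    "aa:bb:cc:00:00:01": ("patient-monitor-icu-3", IOT_SEGMENT),
    "aa:bb:cc:00:00:02": ("xray-room-2", IOT_SEGMENT),
    "00:11:22:33:44:55": ("nurse-station-pc-7", CLINICAL_SEGMENT),
}

LEASE_RE = re.compile(r"lease (?P<ip>\S+) mac (?P<mac>\S+) host (?P<host>\S+)")

SAMPLE_LEASES = [  # constructed DHCP lease log
    "2018-05-01T09:00 lease 10.50.3.21 mac aa:bb:cc:00:00:01 host monitor-icu-3",
    "2018-05-01T09:02 lease 10.10.7.88 mac 00:11:22:33:44:55 host ns-pc-7",
    "2018-05-01T09:05 lease 10.10.9.14 mac aa:bb:cc:00:00:02 host xray-2",         # IoT device on clinical net
    "2018-05-01T09:07 lease 10.10.9.40 mac de:ad:be:ef:00:01 host elevator-alarm",  # unknown, outside IoT
    "2018-05-01T09:09 lease 10.50.8.2 mac de:ad:be:ef:00:02 host research-pump",    # unknown, inside IoT
    "2018-05-01T09:10 not a lease line",
]


def classify_lease(line):
    """Return a finding dict for one lease line, or None if it is not a lease."""
    m = LEASE_RE.search(line)
    if not m:
        return None
    ip = ipaddress.ip_address(m["ip"])
    mac = m["mac"].lower()
    known = KNOWN_DEVICES.get(mac)
    if known is None:
        # Not in the inventory: inside the IoT segment it still needs registering;
        # outside it, it must be shut down until IT moves it to the segmented network.
        status = "unknown_in_iot_segment" if ip in IOT_SEGMENT else "unknown_outside_iot_segment"
        return {"ip": str(ip), "mac": mac, "host": m["host"], "status": status}
    label, expected_segment = known
    status = "ok" if ip in expected_segment else "wrong_segment"
    return {"ip": str(ip), "mac": mac, "host": label, "status": status}


def review_leases(lines):
    """Return only the leases that need action: unknown devices and misplaced known ones."""
    results = [r for r in map(classify_lease, lines) if r is not None]
    return [r for r in results if r["status"] != "ok"]


if __name__ == "__main__":
    for finding in review_leases(SAMPLE_LEASES):
        print(finding)
```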

As always, hospital executives, doctors, nurses and additional staffers are dedicated to delivering the best care available for their patients. More than ever, they’re discovering that IoT is making this possible. But to maximize the benefits of these innovations without placing the network, systems and data at risk, IT must collaborate closely with operations/business units so IoT is sufficiently segmented, and nothing is introduced which can harm anything outside of its own, contained ecosystem. In other words, you can take advantage of many “good things” through these devices without unleashing an army of “wild things.”


What Healthcare Organizations Should Consider Before Migrating to the Cloud

By Brian Wells, Director of Healthcare Strategy, Merlin International

On the surface, findings from Healthcare Information and Management Systems Society (HIMSS) research convey a sense that healthcare organizations are universally embracing the cloud. According to the study, an estimated 84 percent currently use cloud services.

But dig a little deeper and you discover that adoption is limited, especially for critical functions related to electronic medical records (EMRs) and enterprise resource planning (ERP). Only 34 percent of healthcare organizations have migrated clinical applications and data to the cloud, and just 32 percent use the cloud for archived data and Health Information Exchange needs. In addition, less than one-quarter are turning to the cloud for back office apps and data.

In my interactions with industry executives, many say they’re testing the waters, with email, file storage and the like. Even so, they’re reluctant to wholly replace in-house datacenters with public cloud versions. Use of EMR, ERP and analytics vendor hosting is popular, however. But this should generally be considered as private cloud hosting in a geographically separate data center.

Yet, given the vast and often-reported benefits of the cloud – including the improvement of workflows through greater flexibility, collaboration, efficiency, rapid scalability and productivity – many of these same executives are seeing advantages in an increased presence. In determining whether the cloud is right for an organization, I stress four key considerations:

Security remains the greatest concern. Indeed, security ranked #1 among adoption barriers in the HIMSS study, as cited by 54 percent of study participants. While the sentiment is understandable, I believe the issue is somewhat overblown. Cloud vendors have more security measures in place, with more infrastructure and power. If breaches do occur, they’re usually the result of employees not adopting proper guidelines and security best practices. In my experience, following a reputable cloud vendor’s rules will keep you as or even more protected than would keeping everything on-premise.

Network reliability can be uncertain. If you use a private host for your network, you likely have strong datacenter redundancy for maximum uptime. But if you’re running your network on a public cloud, you’re entirely dependent upon the internet. If your connection to the Internet goes down, you will lose access to business-critical resources until connectivity is restored. That’s a big gamble. You could reduce risk by paying for two or three regional internet services – but this may prove too costly for some organizations. And for those in rural areas, it’s not even feasible.

Speaking of costs … If you’re planning to store massive volumes of data in the cloud, you’re looking at a hefty monthly bill – one that will typically exceed what you’d pay with an on-premise datacenter. That said, if you have a large amount of infrastructure which has to be replaced, it could make sense. You eliminate the “short-term pain” of a huge capital investment by rolling it into a monthly, operational expense. For some organizations, this approach may be more fiscally realistic.

“So what if we simply ‘dip our toes’ into the waters with a hybrid model?” This comes up in my conversations all the time. Healthcare executives want to put “safe” data assets in the public cloud, and keep more sensitive/mission-critical ones closer at hand. However, hybrid models elevate the complexities of ID management. If you extend the network over a combination of on-premise, private hosted, private cloud and/or public cloud options, you create ID management issues which could result in operations disruptions and potential employee backlash over the inability to access the data, files and apps that they need to do their jobs. HIPAA data access logging and auditing becomes a larger and more diverse challenge. Currently, there are few tools available which would help IT teams resolve these problems. We have experience at Merlin with a very powerful tool that provides a single “pane of glass” to manage identities across all environments and many key applications regardless of where they are hosted.

As you can see, deciding whether to migrate significant IT functions to the cloud isn’t a “one size fits all” proposition. You must measure the pros and cons based upon your organization’s size, location, industry niche and other relevant factors, while also assessing the various comfort levels with any changes the cloud may bring. Finally, calculate expected ROI comparing it against the financial impact of not making the switch.

In other words, cloud migration is as much a business proposition as it is a “tech thing.” Proceed accordingly.


Electronic Health Records: It’s the Data. Not the App.

By Mark Zalubas, Chief Technology Officer, Merlin International

In seeking ways to gather and analyze – and hopefully act upon – electronic health records (EHRs), organizations are following a familiar path: They assess their needs, and then hire a vendor to support them. At this point, they’re locked into the selected vendor’s app, in terms of how they input, review and analyze data.

However, we now exist in an age in which data is delivering endless possibilities; when we pursue information discovery and seek to make good decisions from the resulting, newly acquired knowledge, we’re really only limited by our imaginations. Which is why traditional, vendor-centric approaches are no longer relevant.

In other words, it’s about the data. Not the app. Given that the EHR market is expected to grow to $33.41 billion in value by 2025, according to a forecast from Grand View Research, the stakes are too high to cling to antiquated models.

Let’s illustrate with a realistic scenario: A patient encounters blood pressure issues, even though he’s already taking medication for his condition, so a hospital doctor writes up a new prescription. Because it’s new, the doctor wants the patient to take daily blood pressure readings with an at home monitor and report back. Steady information over a stretch of time, after all, provides more value than that observed during occasional office visits.

The data isn’t difficult to collect. The patient can do it on his own, and call it into the doctor’s office. But what if the existing vendor tool doesn’t allow for the inputting of daily blood pressure readings? What if it caps this inputting to, for instance, four readings a year? In this case, both the doctor and patient are stuck with what the vendor has to offer. Sure, the doctor can work through higher-ups at the hospital to see if the vendor would upgrade the app so it’s configured for daily blood pressure readings. But the vendor may have other upgrades they need to address first, putting new requests on the back burner for months or longer.

You can apply the same sort of scenario to a patient’s weight, heart rate, blood-sugar level, cigarette/alcohol usage or any one of a number of other components which lend insights into someone’s state of health. The information is ready and available. But if the solution isn’t configured to incorporate it into a data capture/analysis program, the information will end up in limbo.

So what’s the solution?

Again, it’s about the data. Or, more precisely, thinking “data first” and then app.

Organizations should initially consider what exactly they want to capture, whether it’s blood pressure readings, cancer screenings, cholesterol checks, smoking cessation success rates, etc. Then they can figure out what kind of app will work best. Tech innovation is driving swifter and greater adoption of agile practices. IT departments are now positioned to more readily and easily develop (or pay to have developed) mini-apps to perform specialized functions – further rendering obsolete the monolithic, rigid, “our way or no way” mega-vendor tools.

All that’s required is a secured, indexable database. With this, organizations and users input whatever they wish into the database, and then build mini-apps accordingly so teams create chart visualizations, analytics tools, treatment plans, etc.

To cite another scenario, let’s say that same hospital doctor from before would like to know if her patients were picking up their prescriptions in a timely manner. Obviously, her local drug stores would have to compile and report this information to her. They could even work together to set up an alert notification system should patients fail to pick up their prescriptions within two weeks. Sounds simple, right?

Not if we’re still talking about the traditional model: The doctor might tell the vendor what she plans to do, and the vendor could respond that their product isn’t configured for data related to prescription pickups. Further complicating things, the app may need to work with multiple reporting systems used by the various drug store companies, with no way to determine compatibility in advance. Setting up a workable solution might take a year – or longer.

But through a modern, agile approach, the doctor simply comes up with a data collection/notification alert plan with the drug stores, has IT construct a secure, indexable database, and then design (or, again, hire someone to design) a mini-app to monitor prescription transactions, send alerts for late pickups and otherwise enable the doctor and her team to analyze various patterns within.

Or take another example: two or more unrelated entities (like a pharmacy and a diagnostics lab and a hospital) are all trying to get data into the same EHR, but if they don’t share the same EHR for the same patient (and they don’t) then they can’t do it directly. With a standard data-based health model they could throw transactions into the same pot to be discovered by relevant applications later.
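The “data first” model from the three scenarios above (uncapped daily blood pressure readings, late prescription pickup alerts, and several entities writing into one pot) as an added Python example using SQLite. This is illustrative code, not Merlin’s or any vendor’s; the table layout, patient ids, dates and values are constructed.

```python
"""Added example (not Merlin's code): a 'data first' store in SQLite. One
generic observations table accepts any measurement from any source without
a per-app schema; two small 'mini-app' queries read it back: average daily
blood pressure per patient, and prescriptions not picked up within 14 days.
Table layout, patient ids, dates and values are constructed."""
import sqlite3
from datetime import date, timedelta

SCHEMA = """
CREATE TABLE observations (
    id        INTEGER PRIMARY KEY,
    patient   TEXT NOT NULL,
    source    TEXT NOT NULL,   -- hospital, pharmacy, lab, home-monitor ...
    kind      TEXT NOT NULL,   -- bp_systolic, bp_diastolic, rx_written, rx_pickup ...
    value     TEXT,
    observed  TEXT NOT NULL    -- ISO date
);
CREATE INDEX ix_obs_patient_kind ON observations(patient, kind, observed);
"""


def open_store():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def record(conn, patient, source, kind, value, observed):
    """Any entity throws its transaction into the same pot."""
    conn.execute(
        "INSERT INTO observations(patient, source, kind, value, observed) VALUES (?,?,?,?,?)",
        (patient, source, kind, str(value), observed.isoformat()))


def average_bp(conn, patient, since):
    """Mini-app 1: mean systolic/diastolic since a date; no cap on readings."""
    return conn.execute("""
        SELECT AVG(CASE WHEN kind='bp_systolic' THEN CAST(value AS REAL) END),
               AVG(CASE WHEN kind='bp_diastolic' THEN CAST(value AS REAL) END)
        FROM observations WHERE patient=? AND observed>=?""",
        (patient, since.isoformat())).fetchone()


def overdue_pickups(conn, today, days=14):
    """Mini-app 2: prescriptions written more than `days` ago with no matching pickup."""
    cutoff = (today - timedelta(days=days)).isoformat()
    return conn.execute("""
        SELECT w.patient, w.value, w.observed
        FROM observations w
        LEFT JOIN observations p
          ON p.patient=w.patient AND p.kind='rx_pickup'
         AND p.value=w.value AND p.observed>=w.observed
        WHERE w.kind='rx_written' AND p.id IS NULL AND w.observed<=?
        ORDER BY w.observed""", (cutoff,)).fetchall()


def run_example():
    conn = open_store()
    today = date(2018, 6, 30)
    # 30 daily home readings for P1, far more than a 'four per year' app would accept
    for i in range(30):
        day = today - timedelta(days=29 - i)
        record(conn, "P1", "home-monitor", "bp_systolic", 140 - i // 3, day)
        record(conn, "P1", "home-monitor", "bp_diastolic", 90 - i // 6, day)
    # prescriptions written by the hospital, pickups reported by the pharmacy
    record(conn, "P1", "hospital", "rx_written", "drug-a", today - timedelta(days=20))
    record(conn, "P1", "pharmacy", "rx_pickup", "drug-a", today - timedelta(days=18))
    record(conn, "P2", "hospital", "rx_written", "drug-b", today - timedelta(days=21))
    record(conn, "P3", "hospital", "rx_written", "drug-c", today - timedelta(days=5))
    return average_bp(conn, "P1", today - timedelta(days=29)), overdue_pickups(conn, today)


if __name__ == "__main__":
    bp, late = run_example()
    print("P1 average BP:", bp)
    print("overdue pickups:", late)
```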

The upshot: For too many years, organizations dependent upon EHRs have resigned themselves to an “If we build it, you will come” arrangement with their vendors, i.e., the vendor builds the tool, and organizations buy in and adjust to its quirks and limitations. And given that other hands-on health care priorities often take precedence, who could blame them?

But today, those same organizations can advocate for a “Let the data come first, and then we’ll build it …” strategy. By determining the intent of their discovery initiatives and data models, they compel COTS vendors and Open Source developers to build functionality around them. Subsequently, the market ultimately provides a better solution and HCOs end up with information that is more comprehensive, immediate, insightful and actionable – empowering them as more effective healthcare practitioners and better “custodians” of EHRs.