To make cybersecurity more effective in Federal healthcare, security professionals need to bring a broad swath of folks to the table to build security into technology from the beginning while still enabling the mission, said a panel of Federal chief information security officers and cybersecurity leaders at ACT-IAC’s Health Security, Privacy, and Practice Forum on April 23.
The growth of technology in the healthcare field has ushered in a much larger attack surface, and with it a need for a cultural change. But while cybersecurity leaders think about how to push security forward, they also need to keep the primary mission in mind.
“We need to enlist healthcare professionals in order to make the messaging effective and meaningful,” said Servio Medina, chief of the Defense Health Agency Cyber Security Division Policy Branch. “You’ve heard the term, ‘you should bake in cybersecurity’ – you’ve probably heard a cybersecurity person say that while [wagging their finger] … The contrapositive is equally true. If we don’t bake in healthcare professionals in cybersecurity, how do we expect cybersecurity to be effective for the healthcare professionals?”
The Department of Veterans Affairs (VA) is taking a related but distinct approach to balancing security and mission.
“While it would be great to have the clinicians, physicians, and nurses inside the room, I think what you have to do is get the understanding that patient-first, or we like to say veterans-first, perspective includes cybersecurity and privacy,” said Paul Cunningham, CISO at VA. “If they’re not thinking about it, who is?”
While cybersecurity folks might be looking to partnerships across the agency, they also need to look across the office at the rest of the IT department in a collaborative effort.
“[IT] is in charge of designing the architecture of the enterprise, they’re in charge of rolling out the applications that we all use, they’re in charge of making decisions about how these applications are provisioned. Are we doing an adequate job of involving them?” asked Samuel Visner, director of the National Cybersecurity Federally Funded Research and Development Center at MITRE. “My sense is, I don’t think we always do.”
“I think partnering with our IT people is really important, and taking the broker role is something we’ve adopted at [the Center for Medicare and Medicaid Services (CMS)], and it’s paid off significantly,” said Thomas Schankweiler, information security officer at CMS. He noted that his office has recently worked with IT to explain the cybersecurity benefits of cloud services and how many controls are already baked into the business and mission side. That has shifted the conversation from compliance to enablement, he said.
The theme of bringing folks to the table and gaining a deeper understanding permeated the panel’s thinking.
“What we really need to do is understand that most people are really trying to do the right thing from their perspective – it may be patient care, it may be delivering services, and … we start talking past each other,” said Bruce McCulley, CISO at Department of Health and Human Services Office of the Inspector General. “[We need to] try to promote good practices, try to help enable the mission goals and get everybody into a shared mindset rather than talking past each other.”
At the end of the day, the need for strong cybersecurity is still imperative – but relating it to the mission is key, the panelists agreed.
“The right conversation is one where they say, ‘How do we build this?’ from the earliest thinking of a concept or design of a system,” said Schankweiler. “I had a friend who talked about it in terms of making a blueberry muffin. You don’t cook your muffin and put the blueberries on top – the best way to make a blueberry muffin is to mix all your blueberries in while you’re making your muffin, and you have something real scrumptious at the end.”