Intermountain Healthcare is an insurance program, but it's also a chain of clinics, hospitals, doctors, and clinicians in Salt Lake City and the rural areas of Utah and Idaho.
Due to its widely distributed patient base, it is a pioneer in telehealth -- long-distance diagnosis and treatment supported by mobile device transmission. That makes it reliant on a variety of Internet-connected devices.
"I have to make sure that path is safe and secure," Chief Information Security Officer Karl J. West told attendees of the InformationWeek Elite 100 Conference May 3 in a session on what constitutes world-class security. The event was held at the Four Seasons Hotel in Las Vegas.
That's easier said than done when a hospital is frequently the target of ransomware attacks capable of freezing up data systems, like the one that struck Hollywood Presbyterian Medical Center in Los Angeles for 10 days in mid-February. The institution ended up paying the hackers $17,000 to release their systems.
"We followed that event closely... They were at the point where they were diverting patients to other hospitals," said West, a move that disrupts patient admissions -- the lifeblood of any solvent hospital.
Security to protect against such attacks needs to be consistently applied throughout the organization and supported by staff with a high degree of awareness of the stakes. That often means a re-education process. "Five to ten years ago, people knew more about the air conditioning system than the security system."
To promote that awareness, he doesn't preach security consciousness only to the IT staff and upper management, but also to the entire Intermountain staff of 30,000.
"I meet regularly with a number of people, the chief nursing officer, the chief medical officer..."
Security properly applied doesn't come cheap. "Everything (connected to security) has a cost associated with it. You need to have an organizational shift to understand how this model works."
West ran through a 14-point checklist with attendees, citing things that any organization serious about security must attend to. While the list contained standard cautions about the need for hard-to-guess passwords and the need to make sure security patches are applied to an organization's servers, it also recognized the dawn of the Internet of Things in the medical profession.
"We are doing all we can to innovate and help patients," which includes putting sensing and monitoring devices on patients who are being discharged. By giving doctors data in real-time after the patient has gone home, the medical staff has a much more realistic idea about whether the patient is on the path to recovery or not.
Such monitoring allows the doctors to discharge patients a day or two earlier than they might be inclined to otherwise, and it reduces the risk that the patient will need to be readmitted, a process that drives up the cost of treatment. "Return to care cases are reduced 70%" by the move, he said.
The implementation of new data collection and transmission paths, however, must be matched by an assessment of risks to patient safety and the hospital's reputation should that data be compromised. Protections must be implemented equal to the risks, even when there's a cost involved.
One protection is to segment the network so that the most sensitive information is kept inside the most secure network segment. The participation of third parties, a common factor in hospital operations, demands periodic reviews of partners with a risk assessment and, if necessary, a change in the terms of the contract with the partner.
CISOs must know where the data is, how it's generated, who analyzes it, and the path that it follows into the hospital's data store. A data dictionary can capture and maintain much of that information as a permanent record.
West said, "If another device is introduced, then the protections must be the same. That's a key security priority for us."
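The three practices above (network segmentation, periodic third-party review, and a data dictionary recording where data originates, who analyzes it, and the path it follows into the data store) can be combined into a single inventory check that is re-run whenever a device is introduced. The following is an added example in Python, not code from Intermountain or from the talk; the segment names, control names, review interval, host-to-segment mapping, and the two sample devices are all constructed for illustration.

```python
"""Added example: a small data-dictionary style register for Internet-connected
medical devices. It flags a device that lacks its segment's baseline controls,
a vendor whose periodic review is overdue, and a data path that crosses into a
less-trusted segment. All names and values below are constructed."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

# Controls every device on a segment must carry (constructed baseline).
SEGMENT_BASELINE: dict[str, set[str]] = {
    "clinical-core": {"encrypted-transport", "device-auth", "patched", "logging"},
    "patient-monitoring": {"encrypted-transport", "device-auth", "patched"},
    "guest": set(),
}
# Higher rank = more trusted; a data path should never drop to a lower rank.
SEGMENT_RANK = {"guest": 0, "patient-monitoring": 1, "clinical-core": 2}
# Which segment each intermediate host lives on (constructed).
HOST_SEGMENT = {
    "edge-gateway": "patient-monitoring",
    "ehr-ingest": "clinical-core",
    "vendor-cloud-relay": "guest",
}
REVIEW_INTERVAL = timedelta(days=365)  # assumed annual third-party review


@dataclass
class DataFlow:
    name: str           # what data is produced, e.g. "vitals telemetry"
    generated_by: str   # where it originates
    analyzed_by: str    # who consumes it
    path: list[str]     # hops from the device to the data store


@dataclass
class DeviceRecord:
    device_id: str
    vendor: str
    segment: str
    controls: set[str]
    last_vendor_review: date
    flows: list[DataFlow] = field(default_factory=list)


def missing_controls(rec: DeviceRecord) -> set[str]:
    """Baseline controls of the device's segment that the device lacks."""
    return SEGMENT_BASELINE[rec.segment] - rec.controls


def can_onboard(rec: DeviceRecord) -> bool:
    """A new device is admitted only with the same protections as its peers."""
    return not missing_controls(rec)


def vendor_review_overdue(rec: DeviceRecord, today: date) -> bool:
    return today - rec.last_vendor_review > REVIEW_INTERVAL


def untrusted_hops(rec: DeviceRecord, flow: DataFlow) -> list[str]:
    """Hops on the flow's path that sit on a less-trusted segment than the device."""
    own_rank = SEGMENT_RANK[rec.segment]
    return [hop for hop in flow.path
            if SEGMENT_RANK[HOST_SEGMENT.get(hop, rec.segment)] < own_rank]


def assess(register: list[DeviceRecord], today: date) -> dict[str, list[str]]:
    """Run all three checks over the register; returns findings per device."""
    findings: dict[str, list[str]] = {}
    for rec in register:
        issues: list[str] = []
        missing = missing_controls(rec)
        if missing:
            issues.append("missing controls: " + ", ".join(sorted(missing)))
        if vendor_review_overdue(rec, today):
            issues.append(f"vendor review overdue ({rec.vendor}, last {rec.last_vendor_review})")
        for flow in rec.flows:
            bad = untrusted_hops(rec, flow)
            if bad:
                issues.append(f"flow '{flow.name}' crosses less-trusted hops: " + ", ".join(bad))
        findings[rec.device_id] = issues
    return findings


# Constructed sample register: one compliant monitor, one problematic pump.
SAMPLE_REGISTER = [
    DeviceRecord("monitor-0001", "VendorA", "patient-monitoring",
                 {"encrypted-transport", "device-auth", "patched"}, date(2016, 1, 10),
                 [DataFlow("vitals telemetry", "monitor-0001", "cardiology",
                           ["monitor-0001", "edge-gateway", "ehr-ingest"])]),
    DeviceRecord("pump-0007", "VendorB", "clinical-core",
                 {"encrypted-transport", "device-auth"}, date(2014, 3, 1),
                 [DataFlow("infusion log", "pump-0007", "pharmacy",
                           ["pump-0007", "vendor-cloud-relay", "ehr-ingest"])]),
]

if __name__ == "__main__":
    for device_id, issues in assess(SAMPLE_REGISTER, date(2016, 5, 3)).items():
        print(device_id, "OK" if not issues else "; ".join(issues))
```

Each finding maps back to one of the practices in the talk: a missing control means the new device does not carry the same protections as its peers, an overdue review means the partner contract has not been reassessed, and a path through a lower-ranked host means the flow has left the segment that was supposed to contain it.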