Challenges of Healthcare Security – Enterprise Security Weekly #142



This week I'm joined by Lee Neely and hopefully April Wright to interview Bryan Warren. He's the president and chief consultant at WarSec Security, to talk about the challenges of healthcare security. In our second segment we'll talk about the challenges of inheriting someone else's code. In the enterprise news: Docker Desktop for Windows 10 is going to switch to the Windows Subsystem for Linux, Netskope introduces zero trust secure access to private enterprise applications, ten notable security acquisitions of 2019 (so far, perhaps), can your patching strategy keep up with the demands of open source, all that and more on this episode of Enterprise Security Weekly.

This is Security Weekly, for security professionals, by security professionals, broadcasting live from G-Unit Studios in Rhode Island. It's the show where we talk security vendors and aren't afraid to name names. It's Enterprise Security Weekly.

The VIAVI Solutions Observer platform provides SecOps teams a powerful combination of comprehensive data for threat hunting and incident response that includes wire data analytics and enriched flow records. Using pure, unaltered packet and NetFlow, Observer presents views across the entire IT infrastructure with threat alert features including scope, impact and advanced traffic profiling. Teams can use automated workflows to dive into high-fidelity network evidence and more quickly resolve issues, minimizing impact on customers, users and business operations. Learn more about the VIAVI network security solution and download free resources at securityweekly.com/viavi. That's V-I-A-V-I.

Is the fear of a cyber attack keeping you up at night? Are you worried that your business isn't properly protected? Keep your network up to date and secure from vulnerabilities with VSA by Kaseya. Kaseya's VSA patch management module installs, deploys and updates all of your software from a single console. Kaseya's network antivirus provides real-time updates and ensures maximum security. Start sleeping peacefully all night long. To watch VSA in action, request a demo today by visiting securityweekly.com/kaseya. That's K-A-S-E-Y-A.

The greatest threat to businesses today isn't the outsider trying to get in, it's the people you trust, the ones who already have the keys: your employees, contractors and privileged users. Sixty percent of online attacks are carried out by insiders. To stop these insider threats you need to see what users are doing before an incident occurs. ObserveIT enables security teams to detect risky user activity, investigate incidents in minutes and effectively respond. Get your free trial at observeit.com/securityweekly.

Welcome everyone to episode 142 of Enterprise Security Weekly for June 19th, 2019. I'm of course your host Paul Asadoorian, joined remotely right now by Mr. Lee Neely. Lee, welcome.

Good to be here. Greetings from Idaho, and looking forward to a great set of conversations today.

Absolutely. A couple of quick announcements: make sure you register for our upcoming webcasts with SaltStack, LogRhythm, (ISC)² and VIAVI Solutions. Go to securityweekly.com/webcasts. If you missed any of the previous webcasts you can check them out at securityweekly.com/ondemand. I'd like to now welcome Bryan Warren. He's the president and chief consultant for WarSec Security, specializing in healthcare security and safety assessments and education. Welcome, Bryan.

Hey, thanks Paul. I appreciate you inviting me and it's great to join you guys today.

Yes, nice to have you, and we're going to be talking about healthcare security, something we haven't talked about in a little while here on the show. I know many folks listening to this show hold various positions in security in healthcare organizations, and it's a pretty challenging role to be in security for a healthcare organization. I'd put it right up there with universities, who may also have, you know, healthcare kind of facilities, either on campus for the students or medical colleges in schools within them. So, very challenging environment. What, in your mind, Bryan, are some of the top challenges that make it different from defending an enterprise that's not in healthcare?

Sure. So I think one of the things, when you're looking at healthcare security versus industry or retail, and you're correct, probably the closest correlation would be that of higher education or schools, is that you're dealing with people that don't want to be there. Nobody goes to the hospital because they want to. Think about that: you're at the mall because you want to buy something, you're at the amusement park because you want to have a good time, you're at school because you want to learn something, but most people at the hospital are already having a pretty bad day. Unless you're having a baby, you're probably having a pretty stressful, unexpected day, and that's because you're injured, or a friend or family member is. Something unexpected happened that's going to stretch your coping mechanisms to the max. So that, in combination with some of the unique aspects of particularly a hospital: they're open 24/7, 365. You can never just lock the door. You can't permanently ban anyone. If you act up at the mall I can trespass you and ban you from the mall, I can say you can never come back to the Galleria, or you can't come back for a number of years, but federal law prohibits you from doing that, because we still have to provide emergency care regardless of your behavior, regardless of your history. And then also think about the type of clients and patient populations that come to healthcare: you're looking at behavioral health patients, you're looking at people that have suffered criminal activity, gunshot wounds, stab wounds, overdoses, and that's in addition to all the day-to-day things. So it's very challenging, as you had said, for a variety of reasons, but the biggest part is the people that you're there to serve don't want to be there in the first place, most of the time.

Well, also, I don't think the hospital really wants, like, no one wants someone to be sick or hurt, right? The hospital doesn't want more patients, because that affects patient care. Also they want to get patients in and out as quickly as possible, right? No one wants to be in the hospital for longer than they have to be. There's also the issue of hospital-transmitted diseases, which oftentimes I've noticed in maternity wards, right? They're like, you want to go home? Yeah, you're out, you're healthy, everything's good, baby's good, you're going home. You're not hanging out in the hospital for a whole host of reasons.

Exactly right, yeah. Nosocomial, or hospital-acquired, infections are certainly something you have to worry about. That's usually not something that you see a lot of unless you're like a cruise ship or an enclosed environment, like a norovirus, but yeah, that is certainly one reason that, as you said, you want to get in and get out as quickly as you can. And the other issue is, let's face it, it's reimbursement. Hospitals are a business, and let's face it, they need to have people coming and going. They don't have an infinite amount of beds to have people in for extended periods of stay.

Right, yeah. And also, if we focus a little on physical security, which is kind of roughly what we've been talking about so far, it's not just physical security, but when we talk about things like two-factor authentication specifically in a healthcare setting it's very different, right, because of the activities that are going on. You can't have a physical token that's, you know, transmitting germs or whatever, or people need to be using their hands doing their jobs. They can't necessarily take a time out from surgery or a procedure to authenticate to a computer that requires usage of their hands, for example. Are there solutions that you have seen in healthcare that work really well in terms of authentication that are kind of a little more bleeding-edge, in terms of not requiring a physical second-factor token, for example?

Sure. So if you go back a few years, to your point, especially in healthcare, proximity readers: that's one of the big reasons that they're so popular in healthcare. It's not just because of cost or setup, it's because it doesn't require that physical contact like a mag stripe used to. In fact, even some of what used to be higher-tech biometric solutions like palm scanners, they're tending to get rid of those because you have to clean them constantly, and they look at things like iris scans or even maybe voice recognition. As far as bleeding edge, you're looking at facial recognition and some other things, infrared as far as reading some heat, like from a person's face, but you're not seeing a lot of hospitals adopt those. Now, in certain high-security areas, for example let's say you have a hospital that does a lot of oncology or cancer research, and this is true of universities as well, if you have a significant amount of radioactive source material on site that you're using for legitimate purposes, you're probably going to want to have at least dual authentication if not triple authentication, because there's bad guys that would love to get their hands on it, and unfortunately radioactive material is one of those things that you can do a lot of bad stuff with very little. So you don't need a whole lot to cause a big panic, and that's where you're going to start seeing some of the investment in some of the more bleeding-edge things. But it's more because it's required. Let's face it, physical security is still behind in many areas in healthcare, simply because of the cost.

Right, yeah. Radioactive material is more common in a hospital setting than most people might think, right?

Yeah. My wife works in healthcare, and it's not just the x-ray machines, right, or whatever, not x-ray, but in medical imaging they use radioactive materials for diagnostic images.

That's right, and they also use it to irradiate blood samples. It's used for a variety of things. You've also got specialized cancer treatment areas such as a Gamma Knife that uses a very particular isotope that can be very bad if you get it out of its confines and use it in some illegitimate way. And again, you've got people that understand, if you want to go take some radioactive material, you're not going to attempt to go to the nuclear plant. Let's face it, they've got weapons, they've got all this security, but a hospital has to remain open. I always joked you can't spell hospitality without hospital, right? You've got to look at it as more of a layered defense, so it may look open, but you really need to safeguard and harden that target when you get to the actual storage area. But again, it does draw attention, to your point: a lot of people want to get their hands on those radioactive materials and understand that it's probably easier at a university or a hospital than other sources.

Yeah. One of the kind of exposures, if you will, in hospital settings that's common is the older operating systems that are running on computers that are attached to any type of medical device or medical equipment, right? It could be as large as an MRI machine or it could be an embedded operating system in an IV pump or something. What struck me recently, and I'm not sure why I never thought of this before, is I'm not sure who holds the responsibility, right? Is it the software company that makes the operating system, is it the vendor that is developing the technology on an operating system, or is it the client that has chosen that particular solution? Which, let's face it, it runs Windows mostly, but yet they've chosen this operating system or designed this operating system, and it's being used in this environment where it has to be up all the time and it has to be secure, and those are two things that are tough to get in Windows. You have to reboot it for patches, for example, right, and your software ends up tied to these patches, I think, more easily than in other environments. Bryan, why is it, do you think, that we've made this technology choice, and it's pretty common in a healthcare setting, why haven't we been shifting or moving, or maybe we are, to different platforms and different types of software that are just more resilient, easier to patch and more reliable?

I would say that a big reason for that, again, is because of cost. And let's face it, three big questions that most security people, and this is true in any industry but particularly healthcare, are going to be faced with, and it doesn't matter what you're looking at, physical security, IT security, operational security, your administration is going to ask: what's everyone else doing, why are they doing it, and what happens if we don't do it?

There's someone at your door, I recognize the ring.

Back to what I was saying, a lot of places, when they start looking at investing in some type of infrastructure or some kind of specialized security, particularly on the IT side, one of the questions that is going to be brought up is, well, what's everyone else doing? And to your point, it's almost that catch-22. Well, if everyone is using this type of software, that means that it's easily available, that it's probably less expensive, it's not a one-off that we have to have specialized talent for. Again, it all boils down to, let's try to make it as homogeneous as possible, and unfortunately that's the case not just in IT but in physical security as well. You see a lot of what people consider security solutions for no other reason than they were either the lowest bidder, or, well, that's what everyone else is doing and we don't want to be the first to try something out. Now, you have a few healthcare organizations that are proactive. They want to get out there, they really want to be innovative and try things, but you don't see a lot of trailblazing when it comes to security, because again it's a very costly endeavor, and we just don't have the same political clout as some others in healthcare. For example, when you're looking at nursing shortages, when you're looking at specialized equipment, particularly diagnostic equipment, that is going to produce revenue for the organization, and you have a finite bucket of finance, security is usually at the bottom of that list. Unless something has happened, then they're going to reconsider and you can probably get some funding.

Well, yeah, and Bryan, it's a great point. When we choose any technology, in almost any scenario, we typically don't go with the technology that has the least adoption, for a lot of reasons, right? Like, it hasn't been fully tested. If they've got 75% less of a user base than other software that's more popular, that software has largely not been tested in the real world as much. There's not as much support, there are not as many other people that you can call on, there's not as many consultants, for example, that you can bring in to work on that software. And I think those are some really good reasons why we end up with a commodity Windows operating system with more commodity Windows software: because it's well documented, a lot of people are developing on that platform, and that's probably why the vendor chose it, right? And that just trickles down to the consumers of that technology.

Well, you also have to look at interoperability, because of the HITECH Act and some other things that were signed into law a few years ago about electronic medical records, how they should be used, how they have to be used, things of that nature. You don't want to get something that is going to cause you problems where you have to constantly create new ways so it will talk to your neighbor. If I'm a patient at hospital A and I choose, for whatever reason, to go to hospital B, my electronic medical information has to be able to seamlessly move from A to B, and if hospital B is using some unique system, then that could cause problems. Again, that's going to be an increased cost, and there's also the opportunity there that not all the information gets through, something may get corrupted. So again, unfortunately, it's falling down to, let's go to the lowest common denominator, and you see that in a lot of different systems.

I had a question. Go ahead, sorry. Last week there was a story about a medical gateway, I'm forgetting the particular one but I've still got enough, that was essentially running Windows CE that had an RDP vulnerability in it. And my question is, why are we using that? A lot of the recommendation from security practitioners was not only patch, but, you know, segment the network to better protect these things. And I'm wondering, how does that look from the other side, when you say to the hospital, we need to segment or update these devices that really need to be clicking along 24/7? What's the pushback from the other side, or is that okay and accepted?

You're getting into an area that's a little beyond me. I don't do a lot of cyber and IT security, and that's probably best left to somebody that does that. I'm much more of an operational and physical security person. I would like to answer that, but unfortunately it is not in my wheelhouse enough to really speak to why someone would do that.

No, I may be off your wheelhouse. I was thinking of what's the impact when an outsider comes in with a "let's fix your cyber or physical" without consideration of what the hospital would be thinking about for how they've constructed their network. So maybe in a different vein: one thing that I've been wondering about, we've been talking about the hospital level and what you've got going on there. What happens when you move out of the hospital, out to the clinics or the medical offices? Does the bar go down, up, left, right? How does that translate to the individual doctors trying to get their job done, or is there really no mapping?

No, you actually see a dramatic drop. In fact, there's a pretty wide spectrum there. So look at your hospital, and we'll talk about an acute care hospital, and by that I mean it's a bedded facility, people are going to be there overnight. Typically you have an emergency department, you may or may not have labor and delivery, behavioral health, all the specialty units, so your typical full hospital, full services. Now let's go down a notch, so to speak, and you're going to move out to maybe an urgent care or an ambulatory care center in the community. You may have some similarities when it comes to security. They'll certainly probably run the same type of IT and cybersecurity as the parent organization or the parent hospital, and you may have some physical security: limited CCTV or surveillance, limited physical access controls. But you're probably not going to have a physical security presence, in other words any type of guard force there. You're probably going to have little to no training of the people at those isolated areas, and again, that's where it really comes in: they're going to rely on local law enforcement or police more than internal. And then you can go a step further. Think about home healthcare workers, and that's something that a lot of people don't think about in healthcare. These are people that are practicing healthcare in another person's home, so you can imagine that the only thing they've got with them is their device, their phone, their tablet, and then the knowledge that they have from proper education. They literally have none of the protections offered by the home organization when they're in a person's residence, and you can imagine some of the things that they see on a day-to-day basis. So it's a pretty broad spectrum of security, not just based on the organization or the type of organization, but where you are in that organization.

Bryan, I wanted to ask about physical security. As you know, my wife works in a healthcare environment, and she very vividly describes what it's like to work in healthcare, and it's a very busy place. A lot of us have probably been to the hospital at some point, right, and there's people running around all over the place. They're not necessarily paying attention to any kind of physical security, and that's really hard because their jobs are consuming them, yet it has to be an open environment. What is your top advice for those listening that are responsible for protecting a hospital, for example, in terms of physical security, to improve their physical security?

Sure. I think step one, and again you can look at high cost, low cost, no cost, right, step one is a proper orientation for staff, and make sure that they understand why security has to be everyone's responsibility. And let me elaborate: I don't think that nurses and physicians and other direct care providers need to be chasing people down the hall and tackling them if they do something wrong, but they do need to know what the organization or the hospital considers as suspicious or unusual behavior. They need to know where their panic buttons are, if they have them. They need to know the phone number to call to reach security if they need them. These are really basic things that people take for granted, but believe it or not, when you're looking at orientation for new people coming into healthcare, they're constantly looking for ways to make it more efficient, and, well, we need to carve a few minutes out here and a few minutes there because we want to get these people through as fast as we can, so we're not going to talk about security, they'll learn that on the job. Well, then people get on the job, and as you said, who's got time to learn anything, because you're hitting the ground running. So somebody may have told you, here's the code to the break room, and here's the way the ID badge works, and there's a panic button under the desk if you need it, but that's really not good enough. So I would say, on the low end, education and orientation is one of the biggest things. We also need to look at, and I hate to use the word standards because that's a really tough word, but regulation is not very prescriptive. In other words, OSHA or any of the big accreditation agencies are not going to spell out, you have to have this type of lock set on this type of door in this type of unit. They're going to use words like "reasonable precautions" and "sensitive areas should have heightened security in the physical environment", things of that nature. That's why it's important to get someone that knows what they're doing to do an assessment and to take a look at that physical environment. Don't leave that up to the caregivers, because it is a specialized field. You really need to get somebody in. And let's face it, nobody likes security for one reason: it's not convenient. I don't want to have to badge in a door every time. But again, things change when a bad event occurs. So we really need to work together, get a lot of different groups together, especially your clinical folks, and explain to them why things like tailgating at the door are important. That may seem small, but that's actually huge. If you let someone in behind you, you badge in and then you let the person in behind you, if I don't have a camera then I'm going to assume that you allowed them in purposefully, you see what I mean? It's very important that I can prove what happened. That seems basic, but it's surprising how many places have eliminated that from the orientation of their clinical staff.

Well, it is surprising to me, because I find the hospitals are very good at implementing policies and procedures, right? I've watched the progression over the past ten years. Because of wrong-side surgeries, because of mistaken identities, the procedures that are in place today are very stringent. It took time, I think, for people to implement them correctly, but for example, where my wife works, she told me all about how they validate the patient, right? They ask for your name, and you've probably been in a hospital, right, how many times they ask for your name and validate your date of birth. They're making sure you are who you say you are before you have any kind of tests or anything, right? Give you Tylenol, it doesn't matter, they're validating who you are. When they do a procedure, there are multiple points now where they've built into their procedures that they have to check with the patient to make sure, you know, is it your right upper quadrant, is it your left leg, and then they'll take timeouts, and this is all built into their procedures. In speaking with Ira Winkler a couple of weeks ago about layer eight, it was his strategy for preventing social engineering attacks and physical security attacks to make what I think is a similar type of procedure: make it very easy, make it clear-cut. Tailgating is a great example, Bryan, right? You'd only have to tell them about tailgating: one person through the door who's authorized at a time, that's the rule, that's it. Just like in a procedure, at least three times you will verify with the patient that they're having a procedure on the right leg, if that's the leg they're having surgery on. So I think it's totally possible. I think it's just some education that has to be done.

I would agree, and I think part of it too, Paul, that you're looking at, is when you're talking about all of the safety, especially when it comes to identifying the patient properly, a lot of that grew organically out of the need because of malpractice and litigation. And unfortunately, I hate to put it this way, but with a lot of security issues, hospitals are willing to roll the dice until something happens. And that is changing now, especially with some of the new legislation that's being thought about as far as OSHA. One thing that a lot of people don't realize is OSHA, regardless of industry, we're not just talking about healthcare, we're talking about in general, OSHA does not have a specific regulation regarding workplace violence. They never have. And in healthcare that is particularly troublesome, because healthcare has the highest workplace violence rates of any industry in the United States, and nobody's even a close second.

Is that due to patients? Because my wife has stories about patients that just go nuts and start attacking the healthcare professionals, right? It's very, very scary, the concern for her safety.

Oftentimes you've got behavioral health patients that are simply wanting to get away, you've got victims of violent crime, but you've got average, everyday people that are placed in extraordinary circumstances, and the coping mechanism just can't quite deal with what's going on. So all these things combined in one place, it's the perfect storm for workplace violence, if you think about it. So in healthcare, I would say because of some of this, OSHA is now seriously looking. I know that a bill was submitted in November last year to actually create some workplace violence legislation so that there's a requirement, because as it is now there's just a patchwork of some different regulatory language that hospitals have to comply with, but none of it really speaks to what has to be done when you're talking about security training for your staff. Maybe the doctors understand the law, but...

Oh, hey April, thanks for joining us. It seems your audio is breaking up a little bit.

Yeah, that's kind of choppy, I couldn't understand your question.

I apologize, technical difficulties, and I got cut off a little bit.

Gosh, yeah, I think the connection... Say that again, sorry. I think April's asking if the education is happening at the board level rather than at the doctor or physician level.

Oh, absolutely. Again, I think that it's important that everyone... some states have already taken this into effect. California, for example, and Massachusetts are now requiring that anyone that works in the healthcare environment, regardless of your role, has to have at least some type of minimal training on security and safety, things like workplace violence. Administrators, and it's important to boards, who are the real decision makers, that's really the biggest challenge. I have said for years, and April's trying to call in on an unsafe connection, security and safety really need to do what risk management did 20, 25 years ago. The practice of risk management in healthcare was just another hat that someone wore in workman's comp or insurance or human resources, and now it is one of your most powerful departments and divisions in healthcare, because it can show an ROI for the preventative measures that it undertakes, and I think security needs to be viewed the same way.

Absolutely. So it sounds like, after risk management, the next big opportunity that needs to become a must and no longer an "and also" is security.

Regulatory and accreditation, it's going to be a must-have, but it's going to be where you're going to have a workforce, and we've already seen that: you've got a generation of people that are coming out of school that don't accept workplace violence and security risk in healthcare as part of the job. 20, 25 years ago, nurses that worked in the ED, and I'm not saying this was right, but they understood that, you know what, I'm going to get bit, I'm going to get punched, I'm going to get sworn at and spit upon, that's part of the job working in the ED. But it never should have been that way, and you've got a generation of people now that are saying no, that's not what I signed up for, and if they don't feel safe working somewhere they're going to leave. And that is a huge cost to replace, especially some of these experienced specialty clinical folks. That's going to be a big driver for administrators.

Agreed. So Bryan, tell us a little bit about your company. Are you an independent consultant, or do you have a team of people?

Yeah, we do physical and operational security assessments, mostly in the healthcare environment. I've done some other industries, but I've really got 30-plus years in healthcare. So I do everything from looking at your policies and procedures, your educational methods, your training programs. I then compare that to your local, state and federal regulations and accreditation, and I really try to help people understand what's the best way to do something without spending a lot of money. I understand that you don't have millions of dollars to throw at a security solution, but there are some best practices out there that can really be adopted, and that's really what we specialize in: trying to make as safe an environment as we can for patients, but also for the staff that are providing that healthcare.

Fantastic. Well, Bryan, thank you very much for appearing on Enterprise Security Weekly, and with that we'll take a short break and come back with the enterprise security news, or a topic, whichever one's next. It's going to be good though, so stay tuned.
