Wednesday, Nov 10, 2021 | 12:00 AM ET
Build security into everything you do
Unmanaged cyber risks can compromise your organization’s ability to perform its mission by putting critical assets, data, and services at risk.
Guidehouse Partner and cybersecurity expert Michael Ebert discusses the critical privacy and security issues healthcare organizations face, as well as the primary misconceptions around cybersecurity. Guidehouse is a leader in delivering cybersecurity and privacy solutions, having worked with commercial and federal agencies including the Centers for Medicare & Medicaid Services, National Institutes of Health, and Centers for Disease Control and Prevention. Our cyber experts help providers, life sciences, and payer organizations establish and optimize their information security and privacy operations to be better prepared to address current — and future — IT risks.
Jody Tropeano: I'm Jody Tropeano, HLTH's Head of Content, here with Guidehouse's Partner of Cybersecurity, Michael Ebert, who has some news to share with us today.
Michael Ebert: Thanks, Jody, for having me.
Jody: And what are the critical issues healthcare organizations face today securing their systems and preventing cyber attacks?
Michael: That's a great question. I mean, you look at, and it's very valuable across life science, payers, and providers. Providers, they have more assets per employee than any other industry in the world. Most industries are four to five devices per employee. Health care is anywhere from 10 to 20, so they have so many more assets to configure and manage, and they're FDA certified, so they can't always, you know, enable cyber security protections the way a normal device could be enabled, like an endpoint, like a computer or phone. So that really changes them. And then the other thing impacting the industry and payer, providers and life science side is the convergence, digital transformation, moving things in the cloud, software service, platform service, you know, greater enablement of digital use and consumer engagement. The consumer engagement by life science companies, payers, providers putting abstract on the phone, letting people manage for healthcare more directly, has really changed the nature of the industry and the way we have to look at securing it. Before, everything was in-house; now it's everywhere, right? And the consumer engagement and protecting that is paramount to the industry.
Jody: And in your experience what's something that organizations wish they had in place before they were attacked?
Michael: Well, privileged access management is one of them. Most attacks elevate privileges one way or another, and they don't have aggregate privilege management across everything they have, right, and that's the asset management piece. They may have over critical systems, but it's a non-critical structure that gains access to, that elevates privileges, which is and now you're into protected systems because you already have that permission. Privileged access management, asset management being a key component, and knowing where all your data's at. Not everybody knows where all their data's at or third parties that have that data. Data proliferation creates significant exposure across these enterprises and is significant to every part of the healthcare life science industry.
Jody: And what do you think some of the main misconceptions out there around cyber security are?
Michael: The main misconception is my assets, you know, I've got this hard shell, I got firewalls, you know, I've got all this, you know, structure in place, but I can't really detect and know when somebody's inside my system. You look at what happened with SolarWinds, that's basic secure DevOps, right? Any implementation, whether custom code or package code, we should follow secure DevOps requirements, which means we're in creating security into implementation. Everything we do, we look at how access is granted. That default admin password could easily be changed, and that's true along a lot of systems. Now, I've done work in life sciences, payers and providers where we've looked at package solutions, and the first thing we do is we log in with default configuration password and, sure enough, we're in. You know, so it's that basic secure DevOps integration, and then privileged access management extending across all your assets, or at least doing what we call security architecture, not just network architecture, where we actually put assets in segments and then send and manage those segments very directly based on the way we can secure those assets and treat those assets. Those are two big things that we need to do differently and everybody wishes they had done.
Jody: And looking at the future so where do you see the biggest threats and the biggest opportunities around cyber security in the next year, and then let's say three to five years from now?
Michael: I think the biggest threats come in different ways. One is again our digital transformation. I think we're bringing new threats to the table because we bring new vectors for those attacks and that and we haven't matured how we secure those attacks. We've been trying to use traditional cyber security tools in a digital transformation age that just don't fit. We need to look at new ways in which to manage and secure those capabilities. I think the other issue is we're seeing more and more attacks that attack one very specific platform but really aren't designed for that platform. They're really multi-modal. They will exist in one environment but they're really attacking a different environment. So an example is I might put something on a mobile phone waiting for it to connect to a corporate network or plug into a PC and that truly is my target. So I'm using one platform to target another platform and you don't realize it because it's an accepted device already in your enterprise. And then cloud, I mean I don't think cloud vendors you know have been rapid to market our conversions to digital transformation and cloud have created a lot of vulnerabilities and exposure. There's an integrated platform capability you need to put in place to manage what you have, how you monitor it, how you measure it and that includes the cloud interfacing back to your backend system. So that's really the transformational issues that we're facing over the next year, in the next three to five years.
Jody: And any final thoughts for our audience today?
Michael: Oh, that's a great question. Yeah, so, you know, I think we need to always be looking at integrating security in everything we do. It's got to be paramount. There are industries that have done that, that, you know, going back, financial institutions, right, they think about security because these bank robbers back in the 1800s. We don't think about that always in health care, life science industry. You know, it's got to be built into every single thing we do. I was with a very senior payer executive. They're rolling out brand new digital engagement to extend, you know, dealing with part of their patient care, the Medicare side, and they're rolling out these tablets. I'm like, so are the tablets encrypted? What is your authorization tool? And he was showing me, you know, the very cool new way that they were engaged with their consumers, and they hadn't thought about all those things when they rolled it back they had, right, so you got to build security in everything you do. Engage it in an active way. It will save you time and money on the back end, you're not faulting it on, you're building it in, and I think that's a key element. It's engagement, and that's why I say secure DevOps is key today. That's how we build it going forward.
Jody: Excellent. Great place to leave you but thanks so much for joining us today, Michael.
Michael: Oh, thank you.
Michael Ebert, Partner, Cybersecurity, Guidehouse