Leading up to Black Hat USA, hear from Black Hat Review Board Members, Speakers, Trainers and Partners about their contributions to information security and the upcoming Black Hat event.
This week, we chat with Mitchell Parker, CISO at Indiana University Health, presenting Black Hat USA 2020 Briefings The Dark Side of the Cloud - How a Lack of EMR Security Controls Helped Amplify the Opioid Crisis and Stopping Snake Oil with Smaller Healthcare Providers: Addressing Security with Actionable Plans and Maximum Value. Listen or read the transcript below:
Mitch, Welcome to Black Hat! This year you're presenting two Briefings, but I heard you submitted at least three proposals?
Yes, that's correct I submitted three. I had the two that were accepted, and I had a third on supplier and vendor risk management that was based on some additional work that we had done.
Wow, that's amazing! What motivated you to submit and to submit so many Talks?
Well the first one which was the Dark Side of the Cloud was one that rang true to life with us. One of our concerns is with the opioid crisis and making sure organizations have the proper privacy security and diversion controls in place to address using the technical controls and additional processes to not prescribe as many of these opioids and make sure electronic medical record systems are not able to be subverted or you can check to see if they've been subverted.
There was an actual real-life case that happened where a pharmaceutical marketing arm paid electronic medical records company a million dollars to alter the clinical decision support alerts to recommend the prescription of opioids. Now this is not something that is theoretical, this happened 230 million times. And the US Justice Department was able to statistically prove that physicians who have seen those alerts prescribed more opioids.
So, we have to take a look at the systems we have and make sure that they're not able to be subverted in such a way or if they are subverted, you're able to catch it because quite frankly if we don't, people become addicts and people die.
In reading both of your abstracts, I noticed a lot of your research has implications for smaller healthcare facilities and practitioners — Is that just a particular passion of yours?
I've been doing research on this topic for several years. It initially started as part of my master's thesis when I was at LaSalle University. It was more about the use of cloud computing in small and medium sized healthcare practices and taking a look to see if this is something that can be made secure and cost-efficient for them.
The reason why it's a particular interest is because we put these requirements out there (very specifically HIPAA and the HITECH Act) and we expect our smaller practices to comply in the same way that a larger Health System or Hospital is able to, but with the amount of resources that a smaller practice has it becomes prohibitively very, very difficult.
The reason that concerns me is the majority of hospitals and healthcare practices in the United States are not large systems, they're smaller ones. The majority of health care takes place in these smaller systems and these 1-2 doctor practices and we want to make sure that the patients that are getting medical care, are having the appropriate protection for their medical records and their data as they would at the larger system.
Ransomware has exacerbated this because a number of smaller practices have been hit and patients have not been able to get access to their medical records which they need to get treated and that's a concern of mine. We want to make sure that these practices have what they need to protect themselves because ultimately the majority of Americans receive care at one of these practices and if they're not able to effectively get medical care then we have a major hole in society we have to address.
In "Stopping Snake Oil with Smaller Healthcare Providers: Addressing Security with Actionable Plans and Maximum Value," you talk about how people are offered nonactionable, lengthy frameworks or just a list of potential exploits without real actionable or practical solutions — Can you give a bit of a preview or some details on things that you think are actionable that you'll share in your presentation this August?
So realistically, what we found (and again this is going back over a few years of research) is that there's a difference between talking about information security and actually implementing in an actionable way. What we had discovered is that there's a major gap when it comes to health care.
A lot of organizations will pay to have a security firm come in and do their HIPAA assessment; What ends up happening is they buy some policies, they buy some training and they buy a risk assessment and they think they're done. Realistically, it comes down to being able to continually manage what they're supposed to do — Now what I did is laid out what the organization actually has to do.
I was more concerned about that because again, there's a lot of people that think HIPAA compliance means I bought some consulting from a company, I blew my entire security budget on this security company and I spent some money on training (that quite frankly my team is not going to listen to) and there's policies that people are going to ignore and they didn't talk about the how or how it gets done.
There's a big knowledge gap between the people that really know HIPAA and how to implement it well, and a lot of these smaller practices. My goal is to make sure that we address the gap, because at the end of the day we have to protect the patients. Statistically the majority of physician practices in the United States are smaller practices with ten or fewer physicians. We go into detail about why this is important, why it's important to have something in place and more importantly how to get there.
I assume working in a medical institution, the pandemic has significantly impacted your work. I am curious on a personal level how that's been affecting your day-to-day, or any insight you're willing to share.
I'll tell you what I've told a number of other people. The COVID-19 has advanced healthcare in its move from inpatient to outpatient by 5 years.
If I were to go back in time and tell you in January/February that the majority of appointments were going to be done via telemedicine or that the cost curve of basically the intersection of inpatient, outpatient revenues that outpatient revenues are going to exceed inpatient revenues 5 years ahead of schedule you probably wouldn't believe it. Or that the number of telemedicine visits was going to go up so much that the Department of Health and Human Services authorized the use of platforms that were not certified for telemedicine, you probably would not believe me and that's actually what happened.
That was part of the waiver that they did, so we had to move very quickly as an organization to pivot to address security concerns and to make sure we could rapidly onboard new equipment. Not only for patient care, but also for laboratory testing and then for telemedicine turn around on a dime to build out new systems, new structures and new processes. To be able to do this, we've advanced 5 years in 3 months and I am not exaggerating when I say this.
I will also tell you that the impacts from COVID are going to permanently impact healthcare and accelerate further development of what we call "hospital at-home" technologies: A stronger push for telemedicine and a stronger push for remote monitoring which is correspondingly going to completely change how we do medical device security as well.
How we look at security is going to move from "hey, we have a firewall" or "hey, we have defense-in-depth" to guess what, we're going to be sending patients home, we need to monitor them, this is how we are monitoring them, make sure the entire distributed process is secure.
So we're moving from islands to distributed very, very quickly and it's going to be a wild ride! Especially given that the 21st Century Cures Act Final Rule just got passed in March. Ironically, right before COVID happened and they started canceling all the big conferences like HIMSS.
What is going to happen is we are gonna have to very quickly act to get good security standards up and running much quicker than we thought we were and we're gonna have to act as a community to do so in the absence of effective legislation.
Do you have any hobbies outside of InfoSec?
Whatever portion of my day is not taken up with my children, my wife and my cats — and I have five-year-old twins! Sounds great, but when you have co-workers of yours with four kids and look at you and go "Whoa! you got twins," you know your life is crazy.
I try and do a lot of writing to keep myself focused and I really have tried to do a lot more spending time with my family outside of work, just to keep away from all of this.
One of the lessons I've learned in the past year (again, accelerated by COVID) has been the importance of just disconnecting. The importance of putting down a laptop, putting down the iPhone, putting down Twitter and just spending time with your family.
I think to me that's most important of all. I really try and do that and get involved with activities, even if its mundane family life, just to be able to focus and I think that's something really all have to do.
But again, my escape from work is my family and my kids and my wife and that's most important to me.
Mitchell Parker, MBA, CISSP, is the CISO, at IU Health. Mitch has eleven years' experience in this role, having established effective organization-wide programs at multiple organizations. He is responsible for providing policy and governance oversight and research, third-party vendor guidance, proactive vulnerability research and threat modeling services, payment card and financial systems security, and security research to IU Health and IU School of Medicine. In this role, Mitch collaborates across the organization and with multiple third parties to improve the people, processes, and technologies used to facilitate security and privacy for the benefit of IU Health's patients and team members. Mitch also actively researches and publishes in the academic community. He is an adjunct lecturer in Health Informatics at Indiana University – Purdue University Indianapolis, and also guest lectures at multiple universities, including IUPUI, Purdue, and IU Kelley School of Business. He has also published peer-reviewed papers with collaborators across the world. Previous to his move to Indiana, Mitch was an Adjunct Professor in the Information Technology and Cyber Security (ITACS) program at the Fox School of Business at Temple University, where he taught MIS5903, the Cyber Security capstone course. He also publishes in multiple publications, including CSO Magazine, Healthcare IT News, HealthsystemCIO.com, Security Current, Healthcare Scene, and HIMSS' blog. He also has contributed a chapter for an upcoming Cybersecurity in Healthcare textbook, an essay to Voices of Innovation, which was published in March 2019 by HIMSS, and has a chapter in an upcoming book on Healthcare Cybersecurity for the American Bar Association's Health Law section. Mitch has also been quoted in numerous publications, including the Wall Street Journal, ISMG, HealthITSecurity, and Becker's Hospital Review. Mitch also is a prolific presenter, having presented at NIST, IEEE TechIgnite, the national HIMSS conference multiple times, the HIMSS Security Forum, multiple ISMG Healthcare conferences, multiple regional HIMSS conferences, Becker's IT+Revenue Cycle conference, and numerous other regional and national conferences.