How Safe is Safe? Cybersecurity Professionals Face Their Fears at Pasadena Event

The Internet of Things brings new concerns

Published : Thursday, February 11, 2016 | 5:43 AM

Kyle Gililland, Director of Information Security at Huntington Hospital (left) and the other panel speakers (right) at healthcare cybersecurity meeting Pasadena at Guidance Software headquarters on February 10, 2016.

Perhaps only heath care cybersecurity professionals even think about this, but how safe from hackers is that device the doctors just implanted under your skin? As the Internet of people and places becomes the Internet of Things, how safe is the monitoring equipment you’re hooked up to in the hospital? It sends out data over the internet, so can it be hacked?

Can you hack into that device that monitors your medicine intake to allow you to take more than you should? (Yes, that’s happened already.)

Such was the level of discussion at this year’s Innovate Pasadena Cybersecurity Meetup Wednesday evening at the Colorado Boulevard offices of cybersecurity firm Guidance Software.

Guidance Software and co-sponsor DatumSec welcomed Steve Abdelmalek, Director of Technology Risk Office of Kaiser Permanente; Kyle Gililland, Director of Information Security at Huntington Hospital, and Brenda Rose, EIS IT Security Manager at Cedars-Sinai Health System, to discuss the implications of data breaches, cyber attacks, security threats, and third-party risk.

These days nearly everything can be coded and wireless, and if it can be coded, it can be hacked. Tech companies of all sizes, particularly those dealing with the public on any level, find themselves constantly losing sleep over the threat of security breaches, from the outside as well as the inside.

Gilliland reported that there has been a 900 percent increase in health care security attacks in the last year, and 20 percent of those have been from business associates.

The panelists first explored the idea of compliance versus actual security — to wit, if a medical device or software or app is compliant with government security standards, is that the same as actually being secure?

“Those two things overlap,” said Rose, “but compliant does not always mean secure. But if you’re running a strong, robust security system, it will be compliant.”

But, added Gilliland, “Make sure there is actual security, not just compliance. Remember that security is the driver, and that is what leads to compliance.”

But security against what? asked moderator Michael Harris, chief Marketing officer at Guidance Software. Hacking systems can, for example, steal all a company’s data, and then seal it away, essentially holding it for ransom. Harris queried the panelists about their biggest perceived threats and ostensible solutions.

Said Abdelmalek, “Medical records are a big target. Once those are hacked, hackers can steal everything. You can’t unring that bell.”

Gililland agreed, saying, “We need critical security controls. We need to protect users who can be phished. The key is locating and closing every gap in every system.”

And Rose added “Hospitals need to emphasize the security of the vendors that they deal with. We make sure that they come up to the same security bar that we set.”

Using a recent Dodger trade as an example, Harris told the group about how a security breach almost scuttled the deal. A hacker breached medical records that informed one interested party that the player involved had had more surgeries than either team was aware of. The trade went through, but it was an eye-opening lesson.

That discussion led to one about medical devices themselves. How secure are they? Who can be trusted?

As Gilliland noted, medical breaches of data can be hugely costly, and ultimately life-threatening. Being to able trust your vendors is key, he said.

“We do a complete risk assessment with every vendor,” said Rose, “and we require a certain level of protection for our hospital and our patients. We talk to vendors and collaborate with them to ensure security.”

Vendors themselves need to put themselves in the position of medical professionals when determining if a device or product or protocol is safe, added Gililland, who emphasized, “Know your vendor.”

With every device or app used, encryption is key, Gililland continued.

“The security of the device is as important as the device itself,” he said. “Users should never have to be worrying about security.”