Broader set of tech tools tracks vendors' business agreements, use of PHI.
As healthcare organizations strive to innovate, their Achilles' heel has been the growing attack surface that such innovation exposes to criminals. One healthcare organization is responding by incorporating more agile risk management technology into its IT infrastructure.
"Managing cybersecurity is a little more complicated in an organization that prides itself on innovation, when risk is part of the equation," says George Carion, chief technology officer and chief information security officer at Cedars-Sinai, a Los Angeles nonprofit academic healthcare system.
"It's not just about measuring security or risk," Carion says. "It's about managing that risk over time."
To help, Cedars-Sinai has turned to Censinet, which recently announced additional software to help health systems manage enterprise risk in a complex, multi-vendor world.
That service is made available to providers on a subscription basis. The expanded offering helps providers with the many complexities of risk management of the technology they use. "The mission of cybersecurity is largely about the reduction and management of risk," Carion says. "The need here is to move fast, but do it carefully."
For example, the new software, known as Censinet RiskOps, provides an enterprise risk dashboard and can highlight risk hotspots, such as identifying technology suppliers who hold protected health information (PHI), as well as those who may not have signed a business associate agreement (BAA) with the provider. RiskOps also gathers information on other high-risk areas, such as whether a vendor's technology uses virtual private networks and how well the vendor supports other security standards such as PCI and ISO 27001, and it even reports on the kinds of information from various vendors that has found its way onto the dark web.
In this way, providers can both manage and quantify their risk with suppliers, Carion says. "Every Censinet customer will want to measure risk in a slightly different way, so it’ll be interesting to see how customizable the platform is on day one," he says. It should save Cedars-Sinai considerable time, versus previous labor-intensive processes, all driven through manually completed spreadsheets, he adds.
System Helps Providers Understand Their IT Risks
Providers have the burden of understanding the risks they are bringing into their IT environment when they establish a relationship with a vendor or service provider, Carion says.
"It's important that this assessment work happens quickly. What used to take weeks really needs to happen in days," he says.
In the wake of sophisticated supply chain cyber-attacks, such as the infiltration of the SolarWinds technology platform by criminal hackers, Censinet is incorporating methods that standardize a software bill of materials (SBOM) into risk assessments, says Paul Russell, chief product officer at Censinet.
For example, Censinet is already capturing data conforming to the Manufacturer Disclosure Statement for Medical Device Security, known as MDS2, which describes the security properties of medical devices.
"We're doing this work with the National Telecommunications and Information Administration (NTIA) to start to drive standardization around how we talk about the software in other devices, and in other software, so that we can even get more granular than just what vendors you're working with, but [also] what software is in those vendors' products," Russell says.
Censinet assessments also take into consideration the fact that a growing number of technology providers base their products on cloud platforms rather than standalone data centers.
"It requires openness and sharing from a full set of vendors—any industry where software is involved to deliver goods or services to a customer," Carion says.
"Rather than just answering a long list of risk and company background questions, it's a cooperative team working through the details of how to best implement a solution," Carion says. "The combination of a digital platform to manage risk, connected to the right people to think through best case end states, can really save time."
SolarWinds Attacks Highlight Need to Inventory Software Bill of Materials
In the SolarWinds instance, customers were updating their installations of SolarWinds software, not realizing that bad actors had inserted malware into that software upgrade, unbeknownst to SolarWinds.
"It's super-difficult for customers to detect those things," Carion says. "But it's also pretty important for customers to be aware of when they could be vulnerable to that type of an attack."
Censinet's support of SBOM documentation should help a security team see where a software supply chain creates extra risk, whether it’s software your IT department controls or critical software upstream in a hospital materials supply chain, Carion says. "We need to worry and plan for problems that can occur upstream, which can create service issues that affect Cedars-Sinai operations," he says.
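The two kinds of hotspot the article describes, vendors holding PHI without a signed BAA, and vendors whose products contain a component named in an upstream advisory, can be computed from a plain vendor inventory once each vendor's SBOM is captured in a standard shape. The following is an added illustration, not Censinet's or Cedars-Sinai's code: it uses the NTIA minimum SBOM elements (supplier, component name, version) and a simple additive risk score whose weights are this example's own assumption. All vendor names, components and versions are constructed sample data.

```python
"""Third-party risk hotspot checks over a vendor inventory with per-vendor SBOMs.

Added example, not code from Censinet or Cedars-Sinai. Vendors, components
and versions below are constructed sample data; the scoring weights are an
assumption chosen for illustration, not a published standard.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class Component:
    """One SBOM entry using the NTIA minimum elements we need here."""
    supplier: str
    name: str
    version: str


@dataclass
class Vendor:
    """A technology supplier and the risk-relevant facts the article lists."""
    name: str
    holds_phi: bool           # vendor stores or processes protected health information
    baa_signed: bool          # a business associate agreement is on file
    uses_vpn: bool            # vendor connects into the environment over a VPN
    standards: Set[str]       # security standards the vendor attests to
    sbom: List[Component] = field(default_factory=list)


# Constructed sample inventory (no real vendors or products).
VENDORS = [
    Vendor("Example Imaging Co", holds_phi=True, baa_signed=True, uses_vpn=True,
           standards={"ISO 27001"},
           sbom=[Component("Example Imaging Co", "example-viewer", "4.2.0"),
                 Component("OpenSample Project", "sample-net-lib", "1.3.1")]),
    Vendor("Example Billing Inc", holds_phi=True, baa_signed=False, uses_vpn=False,
           standards={"PCI", "ISO 27001"},
           sbom=[Component("OpenSample Project", "sample-net-lib", "1.4.0")]),
    Vendor("Example Scheduling LLC", holds_phi=False, baa_signed=False, uses_vpn=False,
           standards=set(),
           sbom=[Component("OpenSample Project", "sample-net-lib", "1.3.1")]),
]

EXPECTED_STANDARDS = ("PCI", "ISO 27001")


def phi_without_baa(vendors: List[Vendor]) -> List[str]:
    """Vendors that hold PHI but have no signed BAA: the clearest contractual gap."""
    return sorted(v.name for v in vendors if v.holds_phi and not v.baa_signed)


def risk_score(vendor: Vendor) -> int:
    """Additive score; weights are an illustrative assumption, not a standard."""
    score = 0
    if vendor.holds_phi:
        score += 3                      # PHI exposure raises the stakes of any incident
        if not vendor.baa_signed:
            score += 5                  # PHI with no BAA is the top hotspot
    if vendor.uses_vpn:
        score += 2                      # direct network path into the environment
    score += sum(1 for std in EXPECTED_STANDARDS if std not in vendor.standards)
    return score


def hotspot_report(vendors: List[Vendor]) -> List[Tuple[str, int]]:
    """Vendors ranked by score, highest risk first (ties broken by name)."""
    return sorted(((v.name, risk_score(v)) for v in vendors),
                  key=lambda item: (-item[1], item[0]))


def vendors_using_component(vendors: List[Vendor], name: str,
                            version: Optional[str] = None) -> List[str]:
    """Vendors whose SBOM lists a component, optionally at one specific version.

    This is the SolarWinds-style question: an upstream component is reported
    compromised, and the team needs to know which suppliers ship it.
    """
    hits = []
    for v in vendors:
        for comp in v.sbom:
            if comp.name == name and (version is None or comp.version == version):
                hits.append(v.name)
                break
    return sorted(hits)


def advisory_exposure(vendors: List[Vendor], name: str,
                      version: Optional[str] = None) -> List[Tuple[str, bool, int]]:
    """Affected vendors with their PHI flag and score, worst first, to drive triage."""
    affected = set(vendors_using_component(vendors, name, version))
    rows = [(v.name, v.holds_phi, risk_score(v)) for v in vendors if v.name in affected]
    return sorted(rows, key=lambda row: (-row[2], row[0]))


if __name__ == "__main__":
    print("PHI without BAA:", phi_without_baa(VENDORS))
    print("Hotspots:", hotspot_report(VENDORS))
    print("Exposure to sample-net-lib 1.3.1:",
          advisory_exposure(VENDORS, "sample-net-lib", "1.3.1"))
```

Run with no arguments to see the three reports for the sample inventory. The point of `advisory_exposure` is the ordering: when an upstream component is reported compromised, the vendor that both ships it and holds PHI is the one whose remediation status matters first, which is the spreadsheet-driven question a dashboard is meant to answer in days rather than weeks.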
"Risk assessments are becoming a standard practice in healthcare, and whether you’re an established company or a startup, you’ll need to learn how to work with your customer," Carion says. Working through a risk assessment for the first time will help startups. "When they knock on another hospital’s door," he says, "they’ll be better prepared."
Scott Mace is a contributing writer for HealthLeaders.
System meets need to streamline gathering of information on how software supports cybersecurity standards.
CISO says it helps govern compliance and risk management across third-party suppliers and vendors.
Software bill-of-materials approach addresses rise of supply-chain cyber-attacks.