Q&A: Jennings Aske Details How Visualization Can Step Up Healthcare's Security Game
When it comes to tapping technology to improve operations, there’s no doubt that NewYork-Presbyterian Hospital is an industry leader. Just last year, the hospital was named one of the top 10 World’s Most Innovative Companies in artificial intelligence by Fast Company for its use of AI and telemedicine.
.jpg "“Dan")
Jennings Aske, senior vice president and chief information security officer for NewYork-Presbyterian Hospital. Photo courtesy of NewYork-Presbyterian Hospital.
Another place where the hospital leads is in its cybersecurity initiatives. In an effort to tighten security, the organization recently tapped Splunk’s IT Service Intelligence platform, which allows the security team and other staff members to better visualize data and spot threats.
Tools are a major element of strengthening the organization’s defenses, in conjunction with a strong cybersecurity culture, says Jennings Aske, senior vice president and chief information security officer for NewYork-Presbyterian Hospital. Aske recently spoke with HealthTech about the organization’s ongoing efforts to keep cyberthreats at bay.
MORE FROM HEALTHTECH: These organizations saw performance and scalability boosts from hyperconvergence.
HEALTHTECH: How would you assess current security threats for healthcare organizations?
ASKE: Part of the reason that security has lagged in healthcare and made it now one of the most targeted industries is that people in the industry thought security in this vertical was different than in other sectors. That is simply not true. Many leaders in the sector thought they only had to comply with HIPAA and not look at cyber risks. They thought they were immune from some of the threats attacking other industries. That made healthcare susceptible to the types of attacks that have been striking other organizations.
For example, the WannaCry ransomware attacks impacted healthcare along with every industry vertical. But every vertical, whether through neglect or shortcomings in processes, has not implemented protection against what’s known as EternalBlue, the security vulnerability derived from technology stolen from the U.S. National Security Agency and which provided underpinnings for WannaCry. Microsoft released a patch for that in early 2017, and in May, the WannaCry outbreak impacted every industry vertical.
People in healthcare need to understand they will see zero-day attacks, advanced persistent threats and all the other threats seen by the bank, defense and retail industries. We need to implement the same controls and technologies seen in verticals that have been dealing with this more proactively for some time.
HEALTHTECH: Do you find that peers in healthcare are beginning to get the message about security?
ASKE: Absolutely. At NewYork-Presbyterian, I meet with the CEO, the chief operating officer, general counsel and CIO every two to three weeks to brief them on the security program. Additionally, I present to the board of trustees and their subcommittees quarterly. In fact, because of my role in the organization and the importance of cybersecurity, I’m now responsible for enterprise risk management.
Meanwhile, I’ve noticed that many of my peer institutions are ratcheting up their spending for security and elevating the profiles of security leaders in their organizations. Many of us now view information security as a patient-safety risk.
But we’re not where we need to be. It takes years to build mature programs. And it’s still a cat-and-mouse game with attackers; often, they’re able to target specific vulnerabilities and exploit them, such as those present in medical devices.
HEALTHTECH: Why did you decide to implement Splunk’s IT Service Intelligence platform for cybersecurity?
ASKE: My director of operations and I needed a solution to help us handle the Big Data problem in security. There are many technology systems that contribute to our security posture — firewalls, intrusion prevention systems, endpoint security, directory services — and they all generate alerts or logs that need to be analyzed or correlated with other data points in order to understand where potential risks exist. Human beings cannot do that alone; there is too much data.
Already, we are ingesting about 1.5 terabytes of log data daily, and that number is just growing and growing. With an application like Splunk, we were able to find the needle in the haystack by correlating diverse log sources to identify anomalous behavior.
HEALTHTECH: How are you applying data visualization to do that?
ASKE: We’re now building out a security operations center. We have a dedicated team responsible for ensuring the security of our organization, five analysts and a manager continually looking at correlated data. The team doesn’t work 24/7, but the service does. At any point, they might receive an alert derived from the correlated data that identifies a potential problem — perhaps someone clicked a link they shouldn’t have clicked. Splunk provides the pane of glass that helps them sift through all the data.
HEALTHTECH: How else will you be using the platform?
ASKE: We’re extending this platform to identify opioid diversions. Instead of teaching our pharmacy leaders how to write structured queries that comb through logs of data, we’re using the solution to provide a simple set of dashboards that help them better visualize and manage important info on controlled substances.
For example, a pharmacy leader will receive an alert via the dashboard if an employee’s account is being used to prescribe Oxycontin while the employee is on vacation. Or, we can establish profiles of how often a pharmacy tech interacts with a pharmacy cabinet and investigate if a threshold is exceeded. We’re close to finalizing a set of about 15 use cases.
HEALTHTECH: You’re also developing use cases for ensuring patient privacy. Where does that effort stand at this point?
ASKE: NewYork-Presbyterian is partners with Columbia University Irving Medical Center, ColumbiaDoctors, and Weill Cornell Medicine. While we’re jointly deploying a hosted Epic electronic health records system, we all had different approaches to privacy auditing capabilities. We needed a common approach.
After a market review, we felt it might be best to build what we wanted with Splunk in order to gain the scalability and rich visualization we were seeking.
At the moment, we’re building a data model, a graphical user interface and dashboards with data visualization and alerting for the purpose of improving patient privacy — something our privacy officers embraced during demonstrations. Next, Splunk will begin sharing this work with some of their other healthcare customers for additional feedback, and we’ll seek to integrate it with our Epic EHR.
We’re tackling real-life privacy use cases with the tech. One powerful use case arose when I was at a previous hospital and we received victims of a bombing attack. Unfortunately, we had curious employees who looked at medical records even though they weren’t part of the care team. We wanted to create tools so that, when situations like that arise, we’ll know the medical record number of the affected individuals and we can proactively look for employees who are accessing records they’re not authorized to see.
These types of powerful use cases will be game-changers in terms of enforcing patient privacy.
HEALTHTECH: What advice would you offer peers seeking to make use of data visualization effectively?
ASKE: First, understand your data sources so you can ensure they’re capable of providing information in the formats required to perform visualizations. We require our vendors to produce logging in a format such as syslog so we can consume it in Splunk and use it for our various purposes.
Second, set realistic expectations. Organizations can’t implement a data-visualization tool overnight. It takes time. We’ve been ingesting logs for a while, but building out the dashboards and the playbooks takes time and expertise.
Third, if you don’t have internal experts in this area, hire a third party to help. IT consultants have helped us set up a server to route logs to a forwarder, for example. This area is complex, and many healthcare institutions don’t have experience in it or haven’t done it at the scale that we’re trying to achieve.
The reality is that, if you need assistance, you shouldn’t be afraid to ask. Security takes a collaborative effort, so getting feedback from others is always a good thing.
