Training and awareness are key to blocking cyber threats
Chief Information Security Officer Anahi Santiago talks about cyber security in today's health care industry.
As chief information security officer (CISO), Anahi Santiago, MBA, CISM, is the senior-level executive responsible for making sure that millions of Christiana Care Health System medical records are secure.
Since May 2015, she has worked collaboratively with the hospital’s leaders so they understand the risks associated with strategic business decisions. She also leads a team of cyber-security professionals who implement controls and apply risk-management tools to prevent unwanted incidents, such as hackers violating data confidentiality and network security.
While staying ahead of the bad guys is an ever-changing challenge, it’s high-pressure work that Santiago is passionate about doing well. “We must always adapt and learn, and these are things that I love,” she said. “At the same time, all the technology in the world isn’t going to stop hackers if we’re not training our people to know how to protect the organization from cyber threats.
“It only takes one click, one user, from one computer to click on the wrong thing and invite the vampire into your house.”
Santiago has had a diverse career in information technology and recently served as director of information security and support services at the Philadelphia-based Einstein Healthcare Network. She is a nationally recognized speaker on information security and a board member of several high-profile organizations, where she networks with other security professionals to stay abreast of industry trends.
Santiago serves on the Advisory Board for Privacy and Security of the eHealth Initiative, an influential nonprofit that researches, educates and advocates for solutions to improve the quality and safety of health care through information technology. “I am one of the first to know what will be impacting our regulatory landscape and can inform our leadership about what’s coming on the national scene,” she said.
Cybersecurity has been a hot topic, both within the government and the private sector. For hospitals in general, how secure are records?
We apply a lot of protection controls to our medical records, and I think we do a better job than most American institutions. Unfortunately, the hacker community is very collaborative and they do a good job of banding together to mount an attack. Attacks by nation-states are also worrisome because of their resources.
Are there different motivations behind cyber attacks?
Yes, there is the typical identity theft, where someone wants to use a Social Security or credit card number for financial gain. And there is medical identity theft, where someone wants to commit fraud by falsely billing insurance. This has happened a lot. The federal government has recovered $29.4 billion in false billings since 1997. Sadly, people who are desperate and can’t afford insurance are more than willing to pay $500 to get a medical identity so they can be treated for a disease such as cancer. And nation-states often come after information for business analytics. They are trying to mine information to exploit in the marketplace.
Are these cyber threats constant for Christiana Care?
Yes, I can tell you right now there are bad guys trying to get to our data networks. But we have tools that prevent breaches, and we are alerted if hackers are attacking our firewalls. So far, all of their attempts have been thwarted.
How is the CISO connected to the delivery of quality patient care?
Right now if your credit card gets stolen, you get a phone call or fraud alert from your bank. Unfortunately, there is no automatic alert for a health care breach. On average it takes 256 days for an organization to learn it has been hacked. If an identity is stolen and used for medical theft, the patient might not know right away, as patients don’t typically check their health records monthly to see that the information is correct. A theft may be life-threatening if a medical record is altered and a clinician later makes a decision based on that record. That’s why I say our role is closely aligned with the quality of care and patient safety. This is also why we work so hard at security.
Christiana Care’s providers use many different kinds of electronic devices. How are these at risk?
The devices are an entry point. They are not necessarily under attack like our network is — but our people are under attack. The most effective way for hackers to get into an organization is through its people. You’ll get an e-mail that looks very real, as if it’s come from Christiana Care, your bank or your spouse. But it’s hiding malware viruses or asking for personal information that a hacker can use to infiltrate the network or steal your data.
How can we best protect information assets and manage cyber risks?
We protect ourselves best through education and awareness so our clinicians and staff are on the alert for attacks. And we will be training on this at Christiana Care. Also, as we grow our business, we need to constantly examine the risk of cyber intrusions and make the appropriate decisions about applying technical controls. Maybe some risks are so great that we will decide not to go down a particular path.
What best practices do you recommend for Christiana Care employees?
If you get e-mail that looks suspicious, don’t click on the link, and don’t open the attachment. This could introduce malware into the network. If someone is asking for an ID and password or credit card number or account information, don’t give it. Christiana Care will never ask for such confidential information over e-mail. Nor will your bank or mortgage company. Please be cautious at home as well. If you do click on a link by mistake, report it immediately, because we want to know as quickly as possible, and we will not be punitive. The sooner we learn that something has occurred, the sooner we can respond.