Adjusting Security Controls for Evolving Threats
Security Expert Lisa Gallagher on the Daily Battle to Keep Controls Current
While most healthcare organizations have a set of security controls that they map to the National Institute of Standards and Technology's cybersecurity framework or another standard, they must continually measure the effectiveness of those controls as new cyber threats emerge and evolve, says security and privacy expert Lisa Gallagher.
"It's a question of managing those controls so they are never going to stay static; there always needs to be analysis of what kinds of threats we're seeing, what kinds of things have been successful - making changes almost on a daily basis," says Gallagher, managing director at PricewaterhouseCoopers' healthcare industries advisory cybersecurity and privacy practice. "So it's almost a new battle every day - but then adjustments need to be made."
In an interview with Information Security Media Group, Gallagher, who recently joined the consultancy after a long stint at the Healthcare Information and Management Systems Society, says healthcare organizations need to use cyber threat data and metrics to measure the effectiveness of security functions while mitigating and managing security risk as part of overall business risk.
She also stresses the need for more staff training "so that phishing attacks can be even better mitigated and everyone understands their responsibility in being part of the solution - doing things according to policy and procedure."
Gallagher, a member of a federal Precision Medicine task force, says that government initiative must address key privacy and security issues.
The Obama administration launched its Precision Medicine Initiative in January 2015 to enable "a new era of medicine" - where doctors and clinicians are empowered to tailor their treatments to their patients' needs and patients can get individualized care. Precision medicine, which is also sometimes referred to as "personalized medicine," aims to take advantage of advances in medical research, taking into account an individual's health history, genetics, environment and lifestyle, to better hone treatment.
"We need at a national level a security architecture designed into that system," she says, pointing out that the project will involve gathering massive amounts of data. "Then on the privacy side, we need to work on our [patient] consent model for the initiative."
In the interview, Gallagher also discusses:
- How the healthcare sector has responded to the rise in ransomware attacks;
- Other emerging cyber threats in the healthcare sector;
- Her work as co-chair of the federal Health IT Standards Committee, which advises the Department of Health and Human Services' Office of the National Coordinator for Health IT; and
- The challenges involved in sharing cyber threat information.
Gallagher has more than 30 years of professional experience in systems engineering, hardware design and software development, as well as healthcare privacy, security and public policy. Before joining PricewaterhouseCoopers earlier this year, she served as vice president of technology solutions for HIMSS, where she formerly served as senior director of privacy and security.