Chris Joerg, chief information security officer at Cedars-Sinai Medical Center in Los Angeles, shares advice for how to best prevent email phishing attempts targeted at employees as well as some of the IT trends he would like to learn more about.
Responses have been lightly edited for clarity and length.
Question: What is the No. 1, first step a hospital should take when developing a cybersecurity incident response plan? What departments and team members should be involved?
Chris Joerg: Develop an incident response plan that includes an annual tabletop exercise with key internal stakeholders. The key is to avoid a steep and precarious learning curve after a breach, so involve individuals in your organization who have a role to play during a significant cyber incident. You could divide your stakeholder group into three groups. Group No. 1 would be your hands-on technical responders. Group No. 2 should be a combination of technical responders, select management decision makers and third-party incident response experts, preferably on retainer. Then, Group No. 3 should be your executive-level, emergency response team.
Q: What can hospitals and health systems do to try to prevent email phishing attempts targeted at employees?
CJ: Phishing is a constant morphing problem for health systems. I'd recommend healthcare IT staff follow a layered approach. First, deploy an email anti-virus/anti-malware gateway solution with modern capabilities, such as anti-spoofing, proactive identification and sandboxing of suspicious email traffic. Pair your email security technology with a healthy dose of user awareness training. This should include tips for identifying phishing email, warnings on the dangers of clicking links from unverified and unknown senders, and where to report and ask questions about phishing. Finally, help your employees exercise a greater degree of vigilance by adding a simple visual cue to all email that did not originate from within their organization. I'd recommend automatically prep-ending the word 'EXTERNAL' to the email subject line or add bold, bright warning text to the body of every external email.
Q: As a CISO, what are a few IT trends you want to learn more about?
CJ: The improvement of health systemwide identity management continues to be a focus item. Also, the zero-trust model is very intriguing. A zero-trust model changes the saying 'trust but verify,' to 'never trust, always verify.' It requires verification of identity regardless of the user's location or the inherited trust of a particular device.
Q: Heading into 2019, what is one of your main goals for your team?
CJ: We'll continue to look for opportunities that combine improved security controls and risk reduction with the sometimes-conflicting goals of new operational efficiencies and improved customer satisfaction. This path can often result in perplexing problems for IT managers and cybersecurity practitioners alike, but there is hope. Single sign-on technologies are often a great win-win solution. Centralization of authentication controls generally improves an organization's security posture, and your customers will be happier if they're challenged to authenticate less frequently.
To learn more about clinical informatics and health IT, register for the Becker's Hospital Review 2nd Annual Health IT + Clinical Leadership Conference May 2-4, 2019 in Chicago. Click here to learn more and register.
To participate in future Becker's Q&As, contact Jackie Drees at jdrees@beckershealthcare.com.