Losing sleep over the cyber security nightmare? Find reassurance in the Clinisys approach
When a healthcare organization looks for a new laboratory information system, the IT department is going to take an interest. And one of the issues that chief information officers and their colleagues will be interested in is cybersecurity.
Chief technology officer Shay Hassidim and CIO/CISO Jacques Le Roux sat down to discuss Clinisys’ cybersecurity posture and the strategy it is developing for the near future of cloud-hosted, SaaS-based systems. We asked them to start by setting out the challenge.
The threat landscape
What concerns do you hear about cyber security?
Jacques Le Roux: The healthcare sector has become such a tempting target for cyber-criminals that cyber-risk is now the number one or number two enterprise risk for most healthcare
Shay Hassidim: That is certainly the case in the US and anywhere else, and one reason is that a medical record in some cases on the dark web is just a lot more valuable than a financial record. At the same time, the security skills and technical resources that you need to beat the hackers are very expensive. They tend to go to Silicon Valley and Wall Street.
Jacques: Also, in many healthcare
This issue is further exacerbated by the global push to make healthcare information more integrated, open, shareable, and accessible. That’s why several governments around the world have been implementing legal and regulatory measures to protect healthcare data and services from cyber-threats.
Regulatory compliance
When CIOs are assessing health tech companies, what are they looking for?
Shay: The first thing they tend to look for is a well-known certification.
Jacques: In Europe and the UK, the Data Security and Protection Toolkit (DSPT), Cyber Essentials Plus, and ISO 27001 certifications are used to evaluate suppliers. The importance of securing the supply chain and ensuring suppliers meet cyber security standards was highlighted in NHS England’s published Cyber Security Strategy.
Shay: In the US, there is still a lot of focus on meeting the requirements of HIPAA & HITECH, although I would argue that it is becoming outdated. Suppliers are increasingly looking to new frameworks like HITRUST, which is much more cloud focused and comprehensive.
Jacques: That neatly demonstrates another important point, which is that the regulatory environment changes constantly. In the EU, the Network and Information Security Directive (NIS2) will come into force later this year. At Clinisys, we change with these changes, so we constantly comply with the highest level of security required by the jurisdictions in which we operate.
Technical compliance
What else?
Shay: It’s not just regulatory compliance. CIOs and their technical and security colleagues should be looking for suppliers that have really good security operations. The Clinisys cyber security operation is built around the FAN model developed by Northrop Grumman and the NIST CSF.
This envisages cyber security as layers of controls fanning out from mission-critical assets, to data, applications, endpoints, the network and Public or Private Cloud perimeters, all of which are controlled by good policies, operations and monitoring. We have also adopted some really important principles, such as the zero-trust approach.
This operates on the principle that
We also use real-time observability to continuously monitor our security posture; this gives us great insight into what is happening, and that greatly reduces the time it takes us to respond.
“Shift left” and third-party risk management
Is it possible to build in cyber security, right from the start?
Jacques: It is, and Clinisys is embracing the ‘shift left’ principle in its DevOps. The ‘shift left’ principle advocates integrating security measures into the development process as early as possible for optimal results. If security is a priority from the outset, and part of the design, it allows issues to be rectified earlier in the process and results in a more secure application.
Shay: It’s also important to think about third-party, open-source libraries. You need to make sure that whoever you are working with is not a one-man band, but a well-controlled company, with well-established software repositories. The Clinisys third-party risk management operation identifies, assesses, and mitigates the risks associated with third-party software libraries, and makes sure they’re not introducing vulnerabilities and exposing
The Clinisys cyber security strategy
What is Clinisys looking to achieve, as a company?
Shay: One of the things to
So suppliers can build, monitor and protect their systems in a way that is a world away from NHS, APHP or VHA trust trying to do it all on-prem, with just a couple of people to patch and fill holes. In that environment, our aspiration is to run what I call a continuous compliance operation.
That means we are not waiting to be audited or running tests once or twice a month. We are using tools to implement and correct our infrastructure in real time, on a daily basis. We have an alerting system to let us know when we are out of compliance. From our conversations, Jacques and I know this is what CIOs, CTOs and CISOs are looking for these days, and it should give them a lot of reassurance when it comes to those late-night worries about facing down cyber-security threats.
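The “continuous compliance” loop Shay describes (scan the live estate against policy, detect drift since the last scan, alert only on what is newly out of compliance) can be sketched as a small policy-as-code check. The code below is an added illustration written for this page, not Clinisys tooling; the inventory records, rule names and thresholds are constructed assumptions standing in for what a cloud API or infrastructure-state file would report.

```python
"""Illustrative continuous-compliance check (not Clinisys code).

Evaluates a resource inventory against a small rule set, then diffs the
findings against the previous scan so an alert fires only on new drift.
"""
from dataclasses import dataclass

# Constructed sample inventory (assumption): what a cloud API or IaC state
# export might return for a few resources in a SaaS laboratory platform.
SAMPLE_INVENTORY = [
    {"id": "db-lab-results", "type": "database", "encrypted_at_rest": True,
     "public": False, "tls_min": "1.2", "backup_days": 35},
    {"id": "db-audit-log", "type": "database", "encrypted_at_rest": False,
     "public": False, "tls_min": "1.2", "backup_days": 7},
    {"id": "bucket-reports", "type": "storage", "encrypted_at_rest": True,
     "public": True, "tls_min": "1.2", "backup_days": 30},
    {"id": "api-gateway", "type": "endpoint", "encrypted_at_rest": True,
     "public": True, "tls_min": "1.0", "backup_days": 0},
]


@dataclass(frozen=True)  # frozen -> hashable, so findings can be set-diffed
class Finding:
    resource_id: str
    rule: str
    severity: str
    detail: str


def _tls_at_least_1_2(version: str) -> bool:
    """Parse 'major.minor' and require >= 1.2; anything unparsable fails closed."""
    try:
        major, minor = version.split(".")
        return (int(major), int(minor)) >= (1, 2)
    except ValueError:
        return False


# Rule table (hypothetical policy): name, severity, resource types it applies
# to (None = all), predicate that is True when compliant, finding message.
RULES = [
    ("encrypted_at_rest", "high", {"database", "storage"},
     lambda r: r.get("encrypted_at_rest") is True,
     "data store is not encrypted at rest"),
    ("no_public_data_store", "critical", {"database", "storage"},
     lambda r: r.get("public") is False,
     "data store is reachable from the public internet"),
    ("tls_min_1_2", "high", None,
     lambda r: _tls_at_least_1_2(str(r.get("tls_min", ""))),
     "minimum TLS version below 1.2"),
    ("backup_retention_30d", "medium", {"database"},
     lambda r: int(r.get("backup_days", 0)) >= 30,
     "backup retention shorter than 30 days"),
]

SEVERITY_ORDER = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def evaluate(inventory):
    """Run every applicable rule over every resource; return non-compliances."""
    findings = []
    for resource in inventory:
        for name, severity, types, compliant, detail in RULES:
            if types is not None and resource.get("type") not in types:
                continue
            if not compliant(resource):
                findings.append(Finding(resource["id"], name, severity, detail))
    return findings


def drift(previous, current):
    """Compare two scans: (newly failing, newly fixed), each sorted for stable output."""
    key = lambda f: (f.resource_id, f.rule)
    prev, cur = set(previous), set(current)
    return sorted(cur - prev, key=key), sorted(prev - cur, key=key)


def should_alert(new_findings, min_severity="high"):
    """Page someone only when a new finding meets the severity threshold."""
    threshold = SEVERITY_ORDER[min_severity]
    return any(SEVERITY_ORDER[f.severity] >= threshold for f in new_findings)


if __name__ == "__main__":
    # First scan: establish a baseline of known findings.
    baseline = evaluate(SAMPLE_INVENTORY)
    # Second scan: audit-log DB now encrypted, but the API gateway was opened up.
    changed = [dict(r, encrypted_at_rest=True) if r["id"] == "db-audit-log" else r
               for r in SAMPLE_INVENTORY]
    new, fixed = drift(baseline, evaluate(changed))
    print("fixed:", [(f.resource_id, f.rule) for f in fixed])
    print("new:", [(f.resource_id, f.rule) for f in new])
    print("alert:", should_alert(new))
```

The diff step is what turns a periodic audit into a continuous one: the full finding list is kept as state, and only the delta since the last run is routed to the on-call channel, so a long-standing accepted risk does not page the team every few minutes while a newly exposed data store does.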
What is NIS2 about?
The NIS 2 directive represents a unique opportunity: its implementation will enable thousands of entities to better protect themselves. It also encourages member states to strengthen their cooperation in cyber crisis management, notably by providing a formal framework for the CyCLONe network, which brings together ANSSI and its European counterparts. NIS2 will set the best practices in cyber security.