Losing sleep over the cyber security nightmare? Find reassurance in the Clinisys approach

When an NHS trust, pathology network or US healthcare organisation, such as Veterans Health Administration (VHA), looks for a new laboratory information system, the IT department is going to take an interest. And one of the issues that chief information officers and their colleagues will be interested in is cybersecurity.

Chief technology officer, Shay Hassidim, and CIO/CISO, Jacques Le Roux, sat down to discuss Clinisys’ cybersecurity posture and the strategy it is developing for the near-future of cloud-hosted, SaaS based systems. We asked them to start by setting out the challenge.

The threat landscape

What concerns do you hear about cyber security?

Jacques Le Roux: The healthcare sector has become such a tempting target for cyber-criminals that cyber-risk is now the number one or number two enterprise risk for most healthcare organizations. It’s one of the main issues that keeps NHS CIOs and their colleagues up at night, and their concern is justified – a recent article indicated that a staggering 60% of cyber-attacks are directed at the healthcare sector

Shay Hassidim: That is certainly the case in the US, and one reason is that a medical record in some cases on the dark web is just a lot more valuable than a financial record. At the same time, the security skills and technical resources that you need to beat the hackers are very expensive. They tend to go to Silicon Valley and Wall Street.

Jacques: Also, in many healthcare organizations, legacy systems can account for a large percentage of IT infrastructure. This, combined with the massive amounts of patient data and an extensive network of connected medical devices, makes it hard to stay on top of security.

This issue is further exacerbated by the global push to make healthcare information more integrated, open, shareable, and accessible. That’s why several governments around the world have been implementing legal and regulatory measures to protect healthcare data and services from cyber-threats.

Regulatory compliance

When CIOs are assessing health tech companies, what are they looking for?

Jacques: In the UK, the Data Security and Protection Toolkit (DSPT), Cyber Essentials Plus, and ISO27001 certifications are used to evaluate suppliers. The importance of securing the supply chain and ensuring suppliers meet cyber security standards were highlighted in NHS England’s published Cyber Security Strategy.

Shay: In the US, there is still a lot of focus on meeting the requirements of HIPAA & HITECH, although I would argue that it is becoming outdated. Suppliers are increasingly looking to new frameworks like HITRUST, which is much more cloud focused and comprehensive.

Jacques: That neatly demonstrates another important point, which is that the regulatory environment changes constantly. In the EU, the Network and Information Security Directive (NIS2) will come into force later this year, and the UK government already announced its intention to update the Network and Information Systems Regulations 2018 (NIS Regulations). At Clinisys, we change with these changes, so we constantly comply with the highest level of security required by the jurisdictions in which we operate.

Technical compliance

What else?

Shay: It’s not just regulatory compliance. CIOs and their technical and security colleagues should be looking for suppliers that have really good security operations. The Clinisys cyber security operation is built around the FAN model developed by Northrup Grumman and NIST CSF.

This envisages cyber security as layers of controls fanning out from mission-critical assets, to data, applications, endpoints, the network and Public or Private Cloud perimeters, all of which are controlled by good policies, operations and monitoring. We have also adopted some really important principles, such as the zero-trust approach.

This operates on the principle that organizations shouldn’t automatically trust any user, device or network, and insists on strict authentication, authorisation and monitoring. Our customers will see the principle in action when their professionals use role-based access, find they can only access the data they require to perform their work, and find they can’t move from one segment of the network to another – all of which would limit the damage a hacker could do if they did access the system.

We also use real-time observability to continuously monitor our security posture, this provides us great insight into what is happening – and that greatly reduces the time it takes us to respond.

“Shift left” and third-party risk management

Is it possible to build in cyber security, right from the start?

Jacques: It is, and Clinisys is embracing the ‘shift left’ principle in its dev ops. The ‘shift left’ principal advocates for integrating security measures into the development process as early as possible for optimal results. If security is a priority from the outset, and part of the design, it allows issues to be rectified earlier in the process and results in a more secure application.

Shay: It’s also important to think about third-party, open source libraries. You need to make sure that whoever you are working with is not a one-man band, but a well controlled company, with well established software repositories. The Clinisys third-party risk management operation identifies, assesses, and mitigates the risks associated with third party software libraries, and makes sure they’re not introducing vulnerabilities and exposing organizations to potential risks.

The Clinisys cyber security strategy

What is Clinisys looking to achieve, as a company?

Shay: One of the things to recognise is that, with the shift to the cloud, there is a shift towards shared responsibility for cyber security. One of the beauties of moving to the cloud is that public cloud providers can command the skills and resources we were talking about earlier.

So suppliers can build, monitor and protect their systems in a way that is a world away from NHS or VHA trust trying to do it all on-prem, with just a couple of people to patch and fill holes. In that environment, our aspiration is to run what I call a continuous compliance operation.

That means we are not waiting to be audited, or running tests once or twice a month. We are using tools to implement and correct our infrastructure in real time, on a daily basis. We have an alerting system to let us know when we are out of compliance. From our conversations, Jacques and I know this is what CIOs, CTOs and CISOs are looking for these days, and it should give them a lot of reassurance when it comes to those late-night worries about facing down cyber-security threats.