Cybersecurity in health care entails managing huge risks that are ever more apparent in a post-WannaCry world, such as the exposure of sensitive patient data and the continued functioning of increasingly connected medical equipment. Emery Csulak, the chief information security officer of the Centers for Medicare and Medicaid Services (CMS), says that people from across the industry have improved at engaging with one another to coordinate on these challenges.
Csulak is responsible for protecting patient information at CMS, but has also stepped up to provide guidance on solving challenges facing the broader health care community and CISOs in general. He co-chaired a task force that brought together public and private sector leaders to lay out ways to improve health care security. He was also involved in publishing the CISO Handbook, a resource for professionals dealing with cybersecurity and risk management.
CyberScoop: CMS in particular is an agency that’s responsible for safeguarding many patients’ health records. What are some of the big risks and challenges associated with that?
Emery Csulak: When you look at where the industry is right now, particularly for us, a lot of the challenges come down to user challenges. Where have a lot of the big events occurred? The big events have occurred because people have been phished. People have been compromised through a lot of mistakes. They’re in a rush, they’re checking their email, they click on something and they compromise themselves.
Email is a common attack vector, but it’s also common when people get lazy or make a mistake or just are kind of in a rush — when they’re doing an upgrade or a change or something and they’re not following their best practices, and they deviate from their standard operating procedures. One of the biggest challenges is human error and the question of how you compensate for that and reinforce the importance of taking your time and doing it right. So when you look at that from our side it seems to be more of a user challenge versus dealing with medical devices and items like that.
CS: What is something that you think the overall health care security community has improved upon in the last couple of years?
EC: I think the Health Care Industry Cybersecurity Task Force report that we put out last year was clearly at a point where the health care sector was really starting a much stronger engagement. I think that’s the biggest improvement: the engagement level. Because if you see what the Health Care and Public Health Sector Coordinating Council was two years ago and what it is recently in terms of engagement, the number of people participating, the volume of conversations going on — I think that’s the biggest thing right now. Everybody can focus on patches and vulnerabilities, but in order to solve some of the longer term problems, what you see is the sector coordinating council and the associations really ramping up their visibility and their conversations around cybersecurity so they can tackle the challenging problems. And you see that in medical devices. You see that in feedback to the Stark regulations in the last month. You see that in a lot of different ways and in how it’s percolating into more mainstream cybersecurity conferences and even sector-specific conferences. That engagement is really exciting to see.
CS: You were involved in putting out the CISO Handbook recently. What response has that gotten in terms of keeping security professionals on the same page?
EC: I got a lot of positive feedback on it. When we were working on the project, we talked about all the things that we could put into it and we understood that we couldn’t be everything to everybody, and what we really wanted to focus on is: with the workforce challenges that are facing the industry, how do we enable new federal employees to get a better appreciation? And although it’s called a “CISO Handbook,” we hear from feedback that really anybody entering the cybersecurity workforce across the spectrum can really benefit from that conversation of understanding: Where does our authority fall from? What are the relationships of the federal oversight? Who has authority for managing, responding, for giving direction for funding? How do all those things relate? When you’re doing your job, you’re not trying to figure out: Why am I following something? But rather: What does it mean? How do I ask questions about it?
And I think what you see in the CISO Handbook is something that I used to do every year with all my staff, because you have turnover of staff and turnover of contractors. It’s really to get a better appreciation of the organizational relationships, the oversight and how that builds upon one another. That’s the kind of stuff we wanted to talk about in the CISO Handbook. I think we did a good job.
I think the minute you publish something like that, it’s out of date and it has to be sustained. But it kind of levels the playing field and lets people enter the federal workforce and really get a quick appreciation of the complexities of it and help establish that they’re not going to be missing something major. It helps level that common understanding, I think.