Intermountain CISO: Healthcare security says goodbye to perimeters, hello to identities

Karl West says the shift is being mandated by related trends toward consumerization and the cloud.
By Jonah Comstock

Intermountain CISO Karl West speaks on a panel at the HIMSS Healthcare Security Forum. (Photo by Donis Perkins).

As healthcare shifts towards consumerization, a related shift is happening in healthcare information security. The change is from a perimeter model to an identity model and from an emphasis on compliance to one on maturity, Karl West, chief information security officer at Intermountain Healthcare, said in a talk last week at the HIMSS Privacy and Security Forum.

“At Intermountain, 80 percent of our critical data is already in the cloud,” West said. “By volume, the rest of it will move in the next one to two years to cloud-based environments. We’ve spent all those years trying to protect and secure that data in a perimeter, but now in a cloud-based environment, the perimeter really goes away.”

The new model of security will be based on roles and identity, West said. And it will be powered by AI.

“As we go forward, shifting to a consumer-based model and to cloud-based, which enables consumer, it means shifting from perimeters to identity-based access, location tracking, and understanding how a role works and what data they’re accessing,” West said. “And in the process of doing that, what we’re doing at Intermountain and realizing all the technology we’ve been sold by vendors doesn’t work as well in this environment. What works is artificial intelligence. Using large data lakes of information about the data that you have, about the roles of your users, and then tracking that information in real time using artificial intelligence.”

Another way that security is evolving is a growing awareness that checkbox-based strategies that emphasize compliance with a set of guidelines are insufficient to protect an organization, because the nature of cybersecurity threats changes so often.

“Just because you can check a box and say you did something, doesn’t mean you have good security,” West said. “So maturity became a consideration and maturity means, not only do I have a checkbox, but I have ways to detect what’s occurring and ways of monitoring.”

Again, AI plays a role here, allowing security professionals to monitor access more reliably and efficiently.

Finally, consumerization means that the patient is tapped into their healthcare data — and therefore is an entry point into the system for attackers. Intermountain is working on a system that limits how often both members and physicians have to remember their passwords by having a single sign-in on their mobile device, which then allows them to sign in everywhere else in the hospital with that device — without having to re-enter passwords.

The imperative is to create what West calls a “frictionless environment”, combining security with convenience.
