Information Security

Defending the digital infrastructure

Putting cybersecurity for healthcare on solid footing

CISO Kevin Charest talks security threats he sees in the healthcare field and the means his company is using to thwart them, including HCSC's Cyber Fusion Center.

Kevin Charest, Ph.D., works across multiple industries and platforms, focusing on improving cyberdefense through information sharing. He is divisional senior vice president and CISO at Health Care Service Corporation (HCSC), which operates the Blue Cross Blue Shield plans across the states of Illinois, Montana, New Mexico, Oklahoma and Texas. Charest is a leading figure in cybersecurity for healthcare, responsible for all aspects of IT security operations across HCSC's five health plan states, including actively monitoring and mitigating current cyberthreats and overseeing the governance, risk and compliance program. He was CISO for the U.S. Department of Health and Human Services and directly responsible for the HHS cybersecurity technology portfolio. He now serves as a board chair for (ISC)2, the largest international information security certifying body in the world.

What is the nature and scale of the infrastructure you are responsible for protecting?

Kevin Charest: We have a primary data center in Illinois where we centralize most of our applications and data. We also have a DR [disaster recovery] environment, a colocation facility, in Texas. Like many healthcare companies, we have been evaluating the cloud. There are lots of heavily regulated industries in the world -- finance, for example. But I would argue that we are the most regulated. All the regulations apply to us. Privacy, healthcare and insurance. We have had to take a very considered approach to the concept of moving to the cloud, and spent the better part of last year working with the major players. We have finally reached an agreement with one of them and [are] close with another, because we don't want to be single-threaded.

A set of controls in place around data and key management … has allowed us to begin the process this year. We haven't moved anything yet, but that is imminent. We also want to look at the future state of our BC/DR [business continuity and disaster recovery] activities, and will do some experimenting on that. We have our colo facility, but, ultimately, a cloud-based DR would afford us new and interesting options. So we will be exploring that.

What is your approach to cyberdefense at HCSC?

Charest: We have taken a big data approach and have moved away from some of the more traditional approaches used in small and mid-tier companies that might have several monitoring tools cobbled together into a cyberdefense system. We do use some commercial tools, but we have mostly moved to a more transactional design that is as close to real time as I can get. Traditional methods force you into a bit of a box. You have to have the data you will need in the future, and you need to identify the logs and make sure you have the right elements within those logs. Then, you have to have to have them available in your tools to identify an attack in the future that you can't anticipate today. I don't see that as a good risk management approach. The ability to consume large volumes of data relatively inexpensively is an opportunity. I want all the data, and that way we have the ability to do some interesting analysis and heuristics and behavioral analytics.

What are the special challenges of cybersecurity for healthcare?

Charest: There is something like 480,000 different entities covered by HIPAA. It is important to the company that we recognize that. Our primary purpose is to take care of members, so we want to be connected to all those entities, which are on a spectrum from a single-doctor practice in rural Oklahoma to the most innovative surgical hospital in downtown Chicago. It is a wide spectrum, with varying levels of cyber maturity. You can no longer take the approach that you will simply build your system with a hardened perimeter. Those days are long gone. Data is everywhere, and we want to connect and collaborate with the whole healthcare ecosystem. To do that, I have instilled the phrase assume compromise in my team. If you do that, recognizing that every entity you connect with could be compromised, you will build with a different mindset.

To do that, we also have a watch phrase within our team: 'We watch everything everywhere, all the time, forever.' It instills the idea that we will pay attention to everything we interact with in delivering services.

What's your involvement with (ISC2), and what's the benefit for you?

Charest: I'm on the board, and I have been a member of the organization since about 2007. It is the largest international consortium focused on cyber professionals, certifications and validations of skill sets. We have a significant shortage of cyber professionals worldwide. By having an organization of 5,000 members worldwide, you can influence that and help generate talent. Many of us believe we are all in this together. For me, it allows me to give back.

Is your role on the board of Prevalent, a cybersecurity vendor, a similar kind of investment?

If you look at risk factors, email is the single biggest risk vector carrying phishing and fraud. When you look at risk factors, you have to look at third parties.
Kevin CharestCISO, Health Care Service Corporation

Charest: They're tackling what I think is one of the biggest challenges we face, namely third-party risk. If you look at risk factors, email is the single biggest risk vector carrying phishing and fraud. When you look at risk factors, you have to look at third parties. One of the ways in which our company innovates is by working with startups that are trying to drive down healthcare costs. We want to make sure we are participating with that and innovating and helping our members get the highest possible quality of service. But that comes with a risk when you are connecting with third parties, and third parties also have third parties. The concept of cascading controls across your own ecosystem is extremely important. Prevalent is focusing on how to assess the quality of the cyber program and compliance that a third party has in place.

When you consider cybersecurity for healthcare, what do you see as the motivation for cyberattacks on a healthcare organization -- and which ones worry you the most?

Charest: The vast majority of what we see is an organized crime type of approach. It used to be if they could get credit cards and PII [personally identifiable information] and steal identity, that was the thing. That still happens, but what we're also seeing is a rise in the last few years of ransomware attacks. It is now about extortion. A few years ago, there still hadn't even been a ransomware attack in the healthcare sector, but more recently, it has been hundreds of millions of attacks. In addition, I will tell you that the Chinese are very interested in how our healthcare system works. It may not really be about research or intellectual property but more of a focus by them on the ins and outs of how we do what we do -- how we control costs and how we provide care.

With so many critical things to worry about in your field, do you find that top management 'gets' cybersecurity for healthcare -- and supports your efforts?

Kevin Charest, CISO, Health Care Service CorporationKevin Charest

Charest: Yes. I've had supportive CIOs for many years. Here at HCSC, I work for the CIO who works with the CEO. I have incredible support here from senior leadership, at the board level and in the C-suite.

What is your Cyber Fusion Center?

Charest: In many ways, it has the earmark of a security operations center, but we also ensure it doesn't exist in isolation; it is part of our overall incident management process. An application may have a hiccup. We are connected to the network operation center and the command center for application monitoring. All of the things are connected in real time. When things happen, there are alerts and we can quickly triage. Something might look like a network problem but it is actually a cyberattack, or something might look like a cyberattack but it is actually a bad card in a switch somewhere. We bring these items together, and the teams are connected in real time by video and audio. This is a strong integration and innovation play that I am very proud of.

Article 3 of 3

Dig Deeper on Compliance

Get More Information Security

Access to all of our back issues View All
Enterprise Desktop
Cloud Computing