
Cybercriminals Are Not Welcome At Northwell Health

New York’s largest private employer protects its patients and data

David Braue

Melbourne, Australia – Feb. 18, 2021

When the COVID-19 pandemic broke out last year, past efforts to align information security and development practice rapidly paid off for Northwell Health — which, like healthcare organizations worldwide, was thrust into a high-pressure operating environment where staff was constantly in crisis mode and cybercriminals were pounding on the proverbial door.

For chief information security officer Kathy Hughes, however, the additional pressures of the pandemic — maintaining continuity of service despite a wholesale shift to remote working, for example — meant it was time to tap the fruits of a long-term partnership with the development organisation, which had long ago embraced the need for security that is, as she puts it, “baked in and not sprayed on afterward.”

An ongoing collaboration with David Luft, assistant vice president for software engineering and development with Allscripts at Northwell Health, had already driven the collaborative creation of security guidelines, policy requirements, and awareness and training programs for New York-based Northwell’s 74,000 employees.

Both teams were also active participants in a security governance committee for software development, which includes representatives from organisational units across its 23 hospitals and 800 outpatient facilities.

This well-established relationship meant Luft’s development team, he told Cybercrime Magazine in a joint interview with Hughes, kept security front of mind as they worked to support and enhance applications enabling back-end business processes, supporting doctors and nurses working on the COVID-19 front line, and delivering an enhanced “digital patient experience.”

That experience, Luft said, “is really looking at all the different ways that we want to enable patients to have access to their information, and to be able to interact with the health system digitally in ways that really enhance the in-person experiences that they have.”

It doesn’t take a development expert to know that patient-related systems demand security — and that, Hughes said, has consistently remained a core tenet of the partnership.

“We do realise that at the core of our most valuable asset — which is our information and patient data — the way people access and use it is through applications,” she explained.

“For those applications that are developed internally, we have to make sure they are designed with security in mind at the forefront so that we protect our most precious asset from unauthorised or malicious access.”

Maintaining alignment of purpose

Working towards a “common goal” and maintaining a “very transparent relationship,” Luft said, have helped ensure that Northwell’s development efforts remain closely aligned with its changing business goals and security requirements — providing a robust DevSecOps culture.

Ensuring this alignment has influenced the development team’s hiring strategy, which involves hiring a mix of “very experienced” developers and many with just a few years’ experience.

“You can learn in school how to deal with cross-scripting issues or other programming techniques to make sure you’re delivering a secure application,” Luft said, “but the uniqueness of doing so in a healthcare system really requires a set of training and background that a lot of people don’t come to us with — so we’ve partnered with IT security to make sure we’ve developed specific materials about that.”

Close working relationships with risk and compliance teams inform specific training materials around personal healthcare information (PHI) and personally identifiable information (PII), while a slew of CI/CD tools — such as source code scanners and build management supported with data encryption where necessary — help ensure that security “is not just an ad hoc activity or something you do occasionally or at certain gates,” Luft explained.

“You can’t be reactionary,” he said. “You have to lay out a plan, build it together with all the appropriate parties, and then be very deliberate about delivering against it. It has to be embedded in every step of what you do.”

From the CISO to the user

With resources “incredibly stretched thin,” maintaining security during the pandemic has been a common challenge for healthcare systems, Fortalice Solutions’ chief strategy officer Melissa O’Leary told Cybercrime Magazine after hearing Northwell’s experiences.

In healthcare, she said, “you have a general culture of wanting to help people wanting access to that data — and as leaders in the healthcare space grapple with how to protect that data, it really comes down to that user awareness, and making sure that users are not the weakest link.”

Theresa Payton, former White House CIO who is currently Fortalice CEO, drew out the importance of the user story in normalizing security.

“Cybercriminals see [security] as a padlock, and all they have to do is cut through the padlock and they’re in,” she said.

“But as you start to write out those user stories about how users are going to interact and engage with the technology, it is vitally important that — instead of being a painful, complex add-on — security becomes an invisible safety net, and a warm hug around the user.”

To deliver this, Hughes recommends “a really good layered defence-in-depth strategy” and maintaining relationships with development teams to ensure her organisation is “involved continually throughout that process.”

By combining “rigorous project management” and change management, she said, it becomes possible “to make sure that we have checkpoints throughout the entire lifecycle, to make sure that [security] standards and requirements are being met.”

During the COVID-19 remote working transition, the teams co-developed some specific messaging and training around remote-access security, producing training videos on issues like privacy, security and compliance as well as infographics and numerous phishing test campaigns.

“We made sure we got the message out, because it’s a little more challenging when you’re in this remote environment,” Hughes said, adding that the team had to “tighten up some controls and review some settings,” and to “double-check and double-check that we have the appropriate controls in place.”

“But because we had all the tools and technologies in place, it wasn’t a really significant shift for us to have the remote workforce supported for an extended period of time.”

– David Braue is an award-winning technology writer based in Melbourne, Australia.


Sponsored by Fortalice

Fortalice was founded to be the security company that was lacking when we were in senior levels of government and industry.

Fortalice brings together the brightest minds and approaches for cybersecurity as a one-stop-shop for busy executives and practitioners who want to spend less time with trial and error and more time working with a true partner, the right people, and pragmatic solutions.