November 6, 2015
What do Target, Albertsons, JP Morgan Chase, Anthem, Blue Cross, Sony Pictures, and the U.S. government have in common? All have been victims of serious data breaches that have enabled hackers to obtain confidential information from computer systems that were inadequately protected.
In February of this year, Varian convened a summit meeting of IT leaders from more than a dozen customer sites to talk about cybersecurity in the radiation oncology department. “It had become clear to us that data security is practically an oxymoron in the current environment,” says Ken Khouri, director of software support and managed services at Varian. “The world has changed and so has the magnitude of the threats. ‘Bad actors’ have access to malware tools that make it easier to cause harm; insiders are solicited to sell information about their companies’ software vulnerabilities. There is nearly one reported breach of healthcare data every day somewhere in the world—with hacking the largest and fastest growing source of breaches.”
Varian software products have historically been developed with a focus on quality and patient safety. The assumption was that these products functioned inside a secure IT perimeter set up at the institutional level, and that people accessing the software would be authorized users.
“Today, that’s an assumption we can no longer make, given recent findings that institutional perimeters are not as secure as once imagined. We can’t rule out the possibility of bad actors gaining access from the outside, or of users on the inside either intentionally facilitating access for personal gain or more likely being the victim of a spear-phishing attack,” says Khouri. “As we talked with IT stakeholders from customer sites who are working diligently to protect data security in their operations, it became clear that software vendors need to do more to help make those efforts successful.”
To address the issue, Varian has launched an initiative to develop a long-term cybersecurity plan. “We have established an office of information security that is staffed by people from our product engineering and corporate information technology departments,” says Khouri. “They are collaborating with cybersecurity experts and with IT stakeholders from customer sites to identify risks and chart a course for making security enhancements. The plan is to roll out security enhancements that may range from minor software code changes to product design changes on a schedule reflecting this collaborative, risk-based approach.”
According to Khouri, the cybersecurity summit meeting resulted in actionable input from IT experts at a diverse set of customer sites. “Our plan is to hold the cybersecurity meeting annually to share our progress and continue the dialogue.” Varian has also created a cybersecurity interest group within the OncoPeer™ community—a new cloud-based resource for knowledge sharing among oncology professionals.
“Cybersecurity—like patient safety—is going to come down to an effective collaboration between vendors and healthcare providers,” explains Khouri. “Varian is committed to taking this issue very seriously—and we look forward to working with others to minimize the danger of data security breaches.”