For cybersecurity professionals, it can often feel like it’s more difficult than ever before to safeguard patient data.
That’s probably because it is, according to Samantha Jacques, PhD, VP of Clinical Engineering at McLaren Health Care. “If you think back seven or eight years ago, a lot of this didn’t happen. We didn’t have the cybersecurity challenges in the form that we have today. We didn’t have the networks or infrastructure that we have today.”
What we do have is an increasingly precarious environment, she said during a recent discussion with Drex DeFord, President of the 229 Cyber and Risk Community. “We need to figure this out.”
Doing so, however, isn’t going to be easy given the ever-changing risk landscape. But it is possible, thanks to the efforts put forth by leaders like Jacques, Errol Weiss (CSO at Health-ISAC) and Lisa Bisterfeldt (Cyber Resiliency Program Manager, St. Luke’s Health System), all of whom are working to improve cybersecurity through their involvement with the Health Sector Coordinating Council (HSCC), as well as other organizations.
The key objective, according to Lisa, is to provide – and increase awareness around – solutions that are “easy to use, out of the box” and can be leveraged across the board. “A lot of times we hear about the large health systems, but in reality, all of healthcare is so vulnerable,” she said, noting that it’s just as important to protect critical access hospitals and small practices. “Healthcare is moving quickly. We need to create tools that are not only educational, but can be operationalized to help them be more resilient in the time of a cybersecurity incident.”
Through a series of Unhack the Podcast interviews, the three leaders shared perspectives on their experiences with the HSCC Cybersecurity Working Group (CWG) and why it’s so important for leaders to get involved.
“A huge financial, logistical & operational burden”
Samantha Jacques
For Jacques, who serves as a Board member for AAMI in addition to sitting on the HSCC Executive Committee, one of the most significant challenges is the abundance of devices that sit on the network.
“Hospitals and health systems have a lot of technology, and that technology is not necessarily supported,” she said. Further complicating the situation is the fact that while computers and servers tend to have long life cycles, medical devices tend to stick around even longer – and that “causes issues when we’re talking about things like operating systems and IT security items that we need to secure.”
The need for alternative ways of securing technology was the impetus for the development of the Managing Legacy Technology Security (HIC-MaLTS) document, which touches on risk management, governance, and future-proofing medical devices. “We know that organizations need to replace some of this technology, but it’s also a huge financial, logistical, and operational burden, and they can't necessarily do it at the pace that manufacturers need them to do it,” Jacques stated. “This guidance helps both sides of the aisle understand exactly what we can do to ensure that our healthcare organizations – and our entire ecosystem – stay secure.”
What they quickly learned is that the focus shouldn’t just be on devices. “When you implement complex technologies in a health system, it’s not just the physical thing you’re implementing. It’s the rest of the ecosystem that goes along with it.”
For example, an infusion pump is an endpoint device that needs to be managed. “But I also have to care about the network it sits on,” she said. “I have to care about the application that sits on the server. I have to care about how that talks back to the manufacturer, and the ecosystem becomes incredibly complex.” It’s not just an infusion pump; it’s “the entire chain of technology” that must be kept secure and used in the way it’s intended from an FDA perspective.
And of course, there’s the patching aspect, which becomes extremely tricky when devices are still being utilized but are no longer supported by the manufacturer. The HIC-MaLTS document, according to Jacques, covers this and other issues, from risk transfer to patch testing to future proofing, providing practical steps on how to approach difficult conversations.
“There’s no easy solution for the legacy problem, but if we continue to try and mitigate the issues that we have going forward, we can try and resolve these issues,” she said, clarifying that ‘we’ isn’t inclusive to large IDNs.
“This document helps all organizations based on whatever resource capabilities they have,” Jacques noted, adding that technology life-cycle and risk management should be mandated discussions. “It doesn't matter what size organization you are, here are the foundational things you guys should be working on. It helps small and mid-sized organizations prioritize those things that they need to be focused on.”
A “safe and secure way to share information”
Another critical aspect of CWG is information sharing, according to Weiss, who discussed the “natural synergy” between ISAC and HSCC.
Errol Weiss
“I look at the ISAC as the tactical arm of the sector,” focused on “what vulnerabilities and what threats we’re dealing with right now, this minute, that we need to make sure our members are aware of,” he said.
HSCC, on the other hand, is the strategic arm, zeroing in on the long-term objectives through the resources provided by its 400-plus members across industry and government organizations. “It’s really neat to tackle this from a workgroup standpoint,” noted Weiss. “We had so many different perspectives and ideas come to the table.”
The one thing everyone seems to agree on is the need to share information; the how, on the other hand, is far less clear. “When we talk about the benefits, everyone agrees and says, ‘let’s do it.’ But so often, folks don’t know how to get started,” he said. “They don’t know what to share. They don’t know who to share it with.”
This is where Health-ISAC can play a role by offering “a safe and secure way to share information in a trusted environment – even anonymously,” Weiss pointed out. Perhaps the biggest advantage is for those experiencing a cyber incident, who can connect to others in the community who have been in their shoes.
By communicating with leaders from those organizations, “you might be able to restore faster and learn how they were able to mitigate the circumstance and get back up and running more quickly,” he said. And for those on the other end, it’s an opportunity to share critical knowledge and help others avoid costly mistakes by walking them through a cyber event. “In the heat of the moment when there's a major incident going on and you're witnessing the behaviors of people under incredible pressure and dealing with these kinds of incidents, it’s being able to look at behavior like that and say, ‘wow, that’s how I want to be able to lead when I’m in a similar situation,” Weiss noted.
In addition to helping to educate the community, participating in these exercises also has another side benefit. “It makes the whole information sharing thing a lot less scary,” he said. “It puts it into very concrete black and white terms,” and has proven in many cases to be “a great way to get buy-in and background from others.”
“A great template & a great opportunity”
Lisa Bisterfeldt
The other critical piece is the establishment of the Operational Continuity Cyber Incident (OCCI) checklist to provide “a flexible template for operational staff and executive management to respond to and recover from an extended enterprise outage due to a serious cyber-attack.”
What that does is get “everyone at the same table so that we’re working toward the same objectives and have the same understanding,” said Bisterfeldt, who has been able to leverage her prior experiences in both emergency management and public health to develop a product that mirrors the hospital incident command system.
The document, she added, is “built in a way that can be easily operationalized” due to processes that were created during the pandemic. “We took those same fundamentals and applied them in a checklist format that could be initiated in the first four hours of a cybersecurity event.”
The goal is to get everyone on the same page in terms of “what are the things we need to think about and what do we need to have in place,” said Bisterfeldt. Having a checklist helps to “vocalize within IT and cybersecurity teams prior to [an event] and be able to start doing some of that work. It’s a great template and a great opportunity, even for a mental checklist. It’s an amazing foundation to start building a solid cybersecurity incident response and recovery plan.”
And for Bisterfeldt, it’s further validation that taking on the role of Cyber Resiliency Program Manager four years ago was the right move – both for her and the organization. “It’s been so rewarding to take my background in public health and my passion for the health of our community, and apply that skillset into this exciting, fast-paced cybersecurity environment,” she said. “It’s been such a treasure to be part of this amazing workgroup with not only great stakeholders but also great resources that we’ve been able to develop.”
And the development continues, with the next item on CWG’s list being an Executive Checklist designed specifically to help CIOs and others understand their role in incident response and prioritize threats. “It goes all the way from thinking about blood donations that could be destroyed due to an incident, to surgeries that might need to be postponed – the things you need to think about to continue operations” and make the best possible decisions, Bisterfeldt noted.
For her, participating in CWG has been invaluable – not just from a security standpoint, but also in helping to build “a solid network of peers.” And while not all leaders are able to commit as much time as Bisterfeldt, Weiss, and Jacques, there are “all different levels of participation and engagement” that can make an impact, and move closer to the ultimate goal of keeping data (and patients) safe.
And it starts with collaboration. “It’s not just the tools you can get from the Cyber Working Group; it’s this amazing opportunity to learn from others.”
© Copyright 2024 Health Lyrics All rights reserved
