Over the past year, leaders have been repeatedly reminded of the severe threat of healthcare cyberattacks. The Department of Health and Human Services’ (HHS) Office for Civil Rights is informed of nearly two new data breaches (affecting at least 500 patient records) per day.
Some larger health systems detect a potential cyberattack as frequently as every 10 seconds. Instead of experiencing relief during the COVID-19 pandemic, bad actors continued to step up their assault on healthcare. With increasing cyber attacks both on healthcare and other industries, cybersecurity has continued to demand increasingly more attention. But in an industry with so many internal and external stakeholders, whose job is it to take charge in healthcare?
While securing your health system requires buy-in at all levels, leadership remains responsible for a strategic approach to securing a health system from a cyberattack. The risk is great. Worse than compromised data or fines levied by HHS after a data breach, any attack that undermines endpoint systems can diminish patient outcomes. When caregivers no longer have access to the EHR and other tools, hospitals have to cut services, revert to pen-and-paper record-keeping, or even divert patients to other providers.
Even with technical training and preventative software, organizations are not safe from a potential cyberattack. However, executives can enact many strategies and resources to face the problem. This Week In Health IT guests and experts have recommended:
With several large successes of cyber attack this past fall, the security of many health systems have been brought to the focus of the conversation. Organizations have more at risk than financials and reputation: patient care and safety remain in the crossfire.
"“I'm starting to see people talk about cyber security and patient safety in the same conversation. They're realizing they have to go hand in glove,” explained Julie Hubbard, VP, Enterprise IT & Information Security at AMN Healthcare,
Email is the easiest way for bad actors to gain access to your health system, according to Ryan Witt, Managing Director and Resident CISO at Proofpoint. With a higher volume of attacks, some staff members are bound to click into a phishing scam, he explained. Therefore, health systems must have an action plan in place for when there is a successful cyberattack.
Witt noted HIMSS cybersecurity survey last November, where 11% of health systems failed to have a firewall in place.
"This just highlights the challenge from a basic technology investment that is lacking in healthcare. In terms of "why is this industry so under attack? Why do we have so many problems with regards to protecting patient data? Protecting our health systems? And really protecting patients?' Because there is now a linkage between cybersecurity and an institution's ability to actually protect patients," he explained.
The HIMSS survey also reported that phishing attacks were 57% of significant cybersecurity in the last year. Hubbard explained that the healthcare supply chain is ripe for infiltration by bad actors.
"The supplier risk management is probably one of the areas that is most neglected. Probably has the maybe baseline controls if you were, if you were lucky even over the last four or five years, I've seen the types of questionnaires that we're getting from companies that we're doing business with it," she said. "They are maturing, but in many cases, I'm very surprised right at the low level of information that they're asking for about how we're protecting our systems. So I think that's an area that needs a lot of investment."
There are ways to train staff that will help them identify clear phishing attacks, but bad actors have become more sophisticated, Witt explained. By partnering with a technology solution, health systems can help their staff avoid an interaction with a phishing email.
"You need to have the sophisticated gateway that blocks up to 95% of the email that comes your way. You're keeping almost all of the bad email away from your user immediately," he said. "So you're not forcing them to make a judgment call at all."
Necessary business functions can put team members at risk. The nature of some work simply opens doors to bad actors through external communications and applications, Witt explained. Therefore, it is critical to have an action plan in place to catch and isolate nefarious activity quickly and efficiently.
“If somebody is in your network undetected for six months, it’s essentially the equivalency of them living in the closet of your spare bedroom for six months and observing your family. How they operate, what they do, et cetera. I know that's really creepy, but from a cyber standpoint that’s essentially what is happening,” Witt said.
Protecting her team from the onslaught of bad activity was overwhelming at first, Hubbard explained. However, partnering with the correct cybersecurity solution made a difference to alleviate pressure from her team. In health systems that have little to no security team, or a reduced IT staff, she recommends finding outside help or technology that will help ease the burden.
“If companies aren't sure what to do, the one thing that I would say is work with a cyber security vendor that can help. Because the reality is if you don't have the right resources, or you have an outsourced IT team, let alone a security team, it could feel pretty overwhelming," Hubbard explained.
For him, cybersecurity has primarily been a personnel problem.
In most technological aspects, West admitted that healthcare lags behind other industries. However, health systems must focus on education and planning to maximize effectiveness against cyberattacks.
“Because we're behind, we have a tendency just to go buy some product and throw technology at it,” he said. “People are your key resource...If we can get people engaged, they're going to catch a high majority of these phishing attacks,” he said.
Personnel awareness has become increasingly important as phishing emails improve in appearance and sophistication. According to West, early warnings of an attack could be like suspicious emails or unexpectedly poor computer performance. Staff must be trained to identify and report all digital abnormalities.
Once companies have educated their workforce on basic cyber hygiene and created a primary framework for incident response, they will be in a better position to identify the right technology and put it to use, West explained.
One simple starting point that can make a big difference is a simple email “sandboxing” system.
“Today, 70-80% of what comes into the inbox is either spam or it is a phishing attack. Get a sandbox technology, then have a tested backup strategy and some monitoring. You need the ability to identify these [potential threats] in minutes, instead of days or months,” he said. “We’ve got to help our caregivers, our doctors and nurses, because they can't detect every threat.”
The successful Sky Lakes Medical cyberattack last fall can provide great insight for health systems. Systems should not be reinstated until they are officially secured, no matter how eager leadership is to return to normal, West warned. According to West, expediting the process can actually lead to a perpetuated breach. Therefore, systems must be intentional throughout the process, however tempting to get "back to normal."
“You must know the difference when you get hit: detection, response and recovery. They are not the same. They're not even close to the same. What causes this rapid re-infection? We think we've got a handle on it. And then it comes back at a resurgence," he said. "The problem that occurs is people go from detection before they've completely detected it, and they start their response and then they recover systems.”
Founder and director of cybersecurity firm Secure Anchor, Eric Cole, explained that most organizations need to recognize the inevitability of a breach. Under the best circumstances, good preparedness training proved essential; however, the human element of a breach has remained a tricky challenge to manage.
“Nowadays, it's almost too easy,” Cole said. “If I send an email that says, ‘Five of your co-workers have recently tested positive for COVID, click on the link to see if you've been in contact,’ it's a guarantee. I could have just given you 30 minutes of security awareness training and you're still clicking on it.”
Like West, Cole has considered personnel to be a company’s greatest defense against cyber threats. A team of sharp cybersecurity analysts will thwart most of the incidents that slip through the front lines, but properly staffing a robust cybersecurity department is difficult. Good cybersecurity analysts are expensive assets to your team, and many health systems cannot offer the competitive salaries.
To counter this, Cole suggested that hospitals think more creatively about their hires: not every prospect has to be a computer science major. What matters most in an analyst, according to Cole, is critical thinking ability. A skilled team member must be able to detect patterns and spot intentional malicious actions amid all the noise.
“I can teach anybody the computer science, but I can't teach the analytical [skills]. Either you have it or you don't,” he said. “During the interview process, you want to ask a lot more questions about how they solve problems.”
Psychologists can be trained to become cybersecurity analysts, Cole noted. A successful analyst must understand human nature, as they can predict and counter bad actors.
While outside-the-field hires may require more technical training, Cole said investing in quality homegrown analysts will prove invaluable in the long run.
As for technology, Cole thinks less is often more. He questioned how useful it would be to employ systems that give you 15,000 alerts a day if your team can only follow up on 300. Instead, Cole said to work with your team to identify only the most critical alerts. If an alert system creates all false alarms and no material benefit, consider turning it off, he suggested.
Cyber hygiene, staff, and technology are essential, but organizations still need the tools to respond to incidents as they happen, according to cybersecurity expert Patrick Potter, Cybersecurity success also is hinged on a holistic understanding of your own vulnerabilities, which must be shared by the security department and the executive team so that crisis mitigation decisions can be made in a timely and rational manner.
Potter is a veteran systems auditor currently working with RSA Security. To begin this process, he said, healthcare companies must audit every possible vulnerability in their systems.
“In the whole ‘internet of medical things,’ there are quite a number of insecure endpoints and end users. Plus now, there are a lot of people working from home,” he said, noting how this adds further complexity to an already sprawling cybersecurity landscape.
Health systems must take a long look at potential exposure from the many vendors whose technology they have woven into their internal hardware, according to Potter.
Healthcare companies must also know which systems have proved the most critical so they can add extra layers of security before attacks happen. Therefore, executives and their cybersecurity teams to must communicate to ensure they’re always speaking the same language.
“A lot of times, security teams don't translate the security risk well in business terms, and executives need to know that. You've got to turn cyber risk into business value terms so
you can get the resources to do something about it,” he said.
Many smaller institutions simply don’t have the resources required to build a robust cyber defense. According to Drex DeFord, an executive healthcare strategist at CrowdStrike, that creates concerning conditions across the industry.
“Leaving small hospitals, independent practices, and alternate sites of care to fend for themselves when it comes to cybersecurity just isn't good for the ecosystem,” he said.
Isolated, weak links cannot exist in such an interconnected industry. Bad defenses at one health center can cause major headaches for their partners, he explained.
DeFord mentioned that recent policy changes could provide some relief there; in late 2020, the Centers for Medicare & Medicaid Services (CMS) announced overdue changes to the Stark Law. That rule, meant to prevent health system self-dealing, also curbed their ability to share IT tools. Recent tweaks make it easier for large health systems to “donate” some of their cybersecurity resources and capacity to smaller entities.
These changes should open avenues that smaller providers can explore. If done right, the federal government could ease the cybersecurity burden on health systems, DeFord explained. However, any hypothetical federal program that creates too many administrative compliance hoops could repeat the to physician frustration with Meaningful Use, he warned.
“Declaring that you're using a framework in a compliant way is very different from having a really solid cybersecurity program,” he said. “It's better than no cybersecurity program, but if it's just a check-the-box drill...that's always a problem in cybersecurity.”
Mari Savickis, the Vice President of Public Policy at CHIME, also highlighted the relaxation of the Stark Law among other policy changes that health executives should put to use. However, she argued these policy changes are not enough given the severity of the problem.
“We need more help, absolutely we do,” she said. “The first thing is acknowledging we have a problem. Several years ago, major policymakers would not even acknowledge that cybersecurity incidents against healthcare systems were a patient safety incident. So finally we admit that we have a problem--yay! Now we need some more funding for it.”
It isn’t that the federal government won’t spend money on cybersecurity. The American Rescue Plan Act of 2021 allotted $650 million to the Cybersecurity and Infrastructure Security Agency (CISA). Biden’s proposed budget calls for an additional $2.1 billion for the agency in the fiscal year.
“That's a lot of money that’s been appropriated, but we need to figure out how that's actually going to be spent in terms of each sector,” she said.
Savickis acknowledged the administration’s enhanced push towards better national cybersecurity, pointing to a proposed “cyber sprint” around electrical infrastructure and the president’s recent Executive Order on Improving the Nation’s Cybersecurity. But she wants to see the phrase “healthcare” appearing in more of these orders and proposed budgets.
“I think from the healthcare perspective, it's a matter of how much attention our sector can grab,” she said.
When considering cybersecurity initiatives coming from Capitol Hill, Savickis agreed that federal forces may need to address the the increasing number of international cyberattacks as a foreign threat.
Even if every health system built a crack team, bought and optimized the best technology, and took advantage of every free or federal resource, it would not be enough. Health systems would still face cyberattacks sophisticated enough to overwhelm those defenses.
To veteran CIO and This Week in Health IT founder and host Bill Russell, the federal government must take the threat more seriously. Foreign hacker gangs and even nation-states targeting American healthcare infrastructure, Russell explained. Cybersecurity and national security are becoming one and the same.
“If there were carriers off our coast, it would be the federal government's responsibility to do something about that,” he said. “Cyberattacks are sophisticated and violent. The federal government needs to step up with almost a military-level of preparedness, funding, and sophistication in order to protect our health systems.”