October may be National Cybersecurity Awareness Month, but the 2021 cybersecurity landscape means health IT leaders need to be wary of cyber threats every minute of every day.
This Week in Health IT founder and host Bill Russell first likened the healthcare cybersecurity landscape to a war in 2018. If a foreign warship were anchored off the American coast, the US government would take action; health IT leaders, he argued, must treat cyber threats with the same seriousness. At the time, the industry was still processing the back-to-back blows delivered the previous year by the notorious “WannaCry” and “NotPetya” cyberattacks. Both were sophisticated cyber-weapons that wreaked havoc on health systems.
Even before the uncertainties brought about by the novel coronavirus, health systems were struggling to fill out their cybersecurity teams, and those challenges have persisted. Meanwhile, COVID-19 has brought higher vulnerability as online threats grow in volume and complexity every year. According to Forbes, the number of hacking incidents levied against health systems jumped by 42% from 2019 to 2020, marking the fifth straight year of increased healthcare data breaches.
Health systems continue to fight to keep safe in the fraught health IT cybersecurity landscape. Leaders must collaborate to bolster their understanding of the threats, vulnerabilities, and possibilities, argued Censinet's Chris Logan during a Newsday interview.
"We're all in the same fight. So at the end of the day, we all need to start working together to solve these problems. It's not about the haves and the have-nots. It's how can we share that best practice? How can we share those controls? I think that's going to be critical moving forward to solve the problem," he said.
As bad actors have increased their attacks, the cybersecurity conversation has continued to garner attention and urgency. As Cybersecurity Awareness Month comes to a close, This Week in Health IT gathered perspectives from some of the leading minds in health IT. Experts have weighed in on the cybersecurity landscape and actionable insights about how to navigate healthcare cybersecurity in 2022 and beyond.
While much has changed in the wider world since Russell made his first “war” comparison, health IT continues to grapple with the same obstacles. If healthcare cybersecurity is a war, the good guys need more recruits—and Russell’s guest on that 2018 episode, David Muntz, knows where to look.
Lack of personnel may be a big issue, but Muntz, a principal at Starbridge Advisors, explained that it’s easy to find IT professionals with the technical skills for cybersecurity. It’s harder to find prospective staff who understand the nuances of the healthcare cybersecurity landscape—and are passionate about it.
Muntz emphasized the value of homegrown health IT talent. He explained how it’s sometimes better to leverage existing clinical knowledge to develop valuable cybersecurity team members.
“I’ve got plenty of people with technical skills,” Muntz said. “We populate our projects with the best of the people in the clinical areas. Once they go into healthcare IT, they aren’t touching one person at a time—they are touching hundreds or thousands at a time, and it’s easy to draw them over. You don’t need as much technical skill as you need human skills.”
To tackle the ever-growing threats that health systems face, it isn’t enough to have a fully staffed IT department. Experts like Muntz, Russell, and Sirius Healthcare's Cybersecurity First Responder Matt Sickles all agree that homegrown IT staff are an advantage, provided they are committed to their work.
Dedicated IT teams will foster success by truly caring about the health of the organization, Sickles explained. These team members have “skin in the game.” They stand opposite to contractors who “get parachuted in to tell the CEO they’ve done a bad job” on security.
The most important factor in success is constructive communication, Sickles explained. Staff must be willing to express the severity of the threats staring down their health system, and they must be heard when suggesting preventative measures.
“Say it out loud, say it often, repeat it. And make it part of the beginning of every discussion related to information,” Sickles said. “If it is information technology or information security, cybersecurity just has to be omnipresent in the conversation.”
Russell explained that during his own tenure as a CIO, the chief security officer's role was designed to be a thorn in his side. Russell encouraged his CISO to consistently pipe up and alert the organization to deficiencies in its security.
“His role is to get in my face and say, ‘We’re not making enough progress in these areas. How are we going to move the needle?’”
Mitch Parker, CISO for Indiana University Health, was quick to answer what he perceived to be the largest gap in health cybersecurity.
“Due diligence,” he said.
Health leaders should pay attention to the third parties they use to provide IT services, he added. The risks are manifold. On one hand, a cybersecurity breach can bring down clinical applications from third-party providers if those providers' services are compromised.
A more recent example illustrates the other risk: direct infection passed through a third party. During the SolarWinds breach in 2020, Russian hackers exploited vulnerabilities in the third-party software to gain access to victims ranging from US government agencies to the California Department of State Hospitals.
Parker believes true diligence means incorporating security teams into the procurement process. It can prevent uninformed decisions or panic-buying, especially in the wake of a newsworthy breach.
“I think the unintended consequence of SolarWinds has been that a significant number of third-party vendors took their marketing materials, added the word ‘SolarWinds’ to them. And they are now making a lot of money off of CIOs that don’t know any better,” Parker said.
Cybersecurity staff should be involved in vetting potential IT partners, Parker posited.
Attacks that have compromised trusted third-party enterprise vendors, as the NotPetya attacks did, can have catastrophic consequences that are out of the health system’s control. However, most attacks are less sophisticated. Ryan Witt, Managing Director and Resident CISO at Proofpoint, insisted that health systems address the easy routes first.
“I would argue the starting point would be your email gateway. People are essentially being attacked on email or other messaging channels,” Witt said. “You need to have a sophisticated gateway that blocks about 95% of the email that comes your way, so you’re keeping almost all of the bad email away from your users immediately. You’re not forcing them to make a judgment call.”
In addition to filtering outside emails, Witt suggested the use of Domain-based Message Authentication, Reporting and Conformance (DMARC) capabilities to relieve the pressure on employees. These tools let health systems verify that messages claiming to come from their domain actually originate there, minimizing the risk of coworker impersonation that can result in serious data breaches.
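To make the DMARC check concrete, here is an added example (not code from the article or from any vendor mentioned in it) that parses a published DMARC record and decides what a receiving mail gateway would do with a message, given the SPF and DKIM results it already computed. The domain names, the record and the per-message results are constructed for illustration, and the organizational-domain shortcut is an assumption of the example; a real receiver queries DNS and uses the Public Suffix List.

```python
"""Minimal DMARC policy evaluator (added example; constructed inputs, no DNS)."""
from dataclasses import dataclass

# Constructed sample record, as it would be published in the TXT record
# at _dmarc.example-health.org (hypothetical domain).
SAMPLE_DMARC_RECORD = (
    "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
    "rua=mailto:dmarc-reports@example-health.org; pct=100"
)


def parse_dmarc_record(txt: str) -> dict:
    """Parse a DMARC TXT record into a tag dictionary with defaults applied.

    Defaults follow RFC 7489: adkim/aspf default to relaxed ("r"), pct to 100,
    and sp (subdomain policy) falls back to p when absent.
    """
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("missing or invalid p= tag")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("sp", tags["p"])
    tags.setdefault("pct", "100")
    return tags


def organizational_domain(domain: str) -> str:
    """Approximate the organizational domain as the last two labels.

    Assumption of this example: real implementations consult the Public
    Suffix List; this shortcut is wrong for suffixes such as co.uk.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(header_from: str, auth_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: strict ("s") needs an exact match,
    relaxed ("r") only needs the same organizational domain."""
    hf, ad = header_from.lower(), auth_domain.lower()
    if mode == "s":
        return hf == ad
    return organizational_domain(hf) == organizational_domain(ad)


@dataclass
class AuthResults:
    header_from: str   # domain shown in the RFC 5322 From: header
    spf_pass: bool
    spf_domain: str    # domain SPF was evaluated against (MAIL FROM)
    dkim_pass: bool
    dkim_domain: str   # d= of the verified DKIM signature


def evaluate_dmarc(record: dict, results: AuthResults) -> str:
    """Return "pass", or the disposition to apply: "none", "quarantine" or "reject"."""
    dkim_ok = results.dkim_pass and aligned(
        results.header_from, results.dkim_domain, record["adkim"])
    spf_ok = results.spf_pass and aligned(
        results.header_from, results.spf_domain, record["aspf"])
    if dkim_ok or spf_ok:
        return "pass"
    # Authentication failed or did not align with the visible From: domain.
    # p= applies to the organizational domain itself, sp= to its subdomains.
    is_subdomain = results.header_from.lower() != organizational_domain(results.header_from)
    return record["sp"] if is_subdomain else record["p"]


if __name__ == "__main__":
    record = parse_dmarc_record(SAMPLE_DMARC_RECORD)
    # Constructed scenarios: a legitimate message and a CFO-impersonation attempt
    # sent through an attacker's own infrastructure (their SPF/DKIM pass, but
    # for the wrong domain).
    legit = AuthResults("example-health.org", True, "mail.example-health.org", True, "example-health.org")
    spoof = AuthResults("example-health.org", True, "attacker-bulk.example", True, "attacker-bulk.example")
    print("legitimate:", evaluate_dmarc(record, legit))   # pass
    print("impersonation:", evaluate_dmarc(record, spoof))  # reject
```

The impersonation scenario is the interesting one: both SPF and DKIM "pass" for the attacker's own domain, which is why plain SPF and DKIM checks are not enough. DMARC's alignment rule ties those results to the domain the employee actually sees in the From: header, so the gateway can reject the message before a user has to judge it.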
Julie Hubbard, VP of Enterprise IT and Information Security at AMN Healthcare, agreed with Witt’s suggestions, but also endorsed reactive human intervention.
Her organization experienced a near-miss when hackers attempted to impersonate her company’s CFO. In response, her organization created new rules. Team members may now execute certain actions only after verbal confirmation.
“We put a new control in place that basically said that no wire transfer would ever be approved via email,” she said. “We always work to validate that the information we’ve received is legitimate—so take it out of the digital communications and literally pick up the phone.”
Karl West, the Chief Information Security Officer for Sirius Healthcare, said that one of the simplest prevention techniques is staying up to date with the latest healthcare IT patches. Health systems must treat these as preventative measures, and health leaders must treat them as the equivalent of a vaccination effort.
“What makes a system susceptible is if they forget to get their vaccines. This is not political and it’s not moral. Just get the vaccine and vaccinate your systems,” he said. “It’s called patch management. You need to be doing that.”
Even with strong preventive measures, incidents will continue to happen. West stressed that it’s vital for leaders to take a measured approach to response and recovery.
“When you get hit, you must know the difference between detection, response, and recovery,” he said. “They are not the same. They’re not even close to the same.”
West has often seen a failure to understand the full cybersecurity landscape. Organizations detect a breach and immediately fly into their response, not realizing that what they have detected may be just the tip of the iceberg.
It may seem counterintuitive, but he explained that it is better to pause for analysis than to launch into a hasty response and recovery effort. An organization that rushes into response and recovery without fully understanding and eradicating the threat may find itself facing a resurgent hack or malware operation.
“Don’t move until you’ve completely identified [the threat] in a good shop,” West said. “You should be measuring how long it took to detect and know that you have the threat vector completely understood. Measure how long it takes to respond, how long to recover.”
Health systems can also "sandbox" their systems to help contain a threat, West explained. Health organizations often run “flat networks” that are easy for bad actors to traverse. By segmenting technologies within the health system into sets with strong firewalls between them, providers can quickly shut down infected systems to prevent the spread of a breach—and potentially avert a full-scale system outage.
Other experts agree that long-term vision is vital to full recovery and future prevention.
“Everybody is prepared for the first 24 hours or less. Once you start getting past that threshold, things get a lot more complicated,” added Brian Sterud, who serves as both CIO and CISO at Faith Regional Health.
Sterud has tasked his team with planning contingencies based on key questions.
“How would we operate? How do we get bills out the door? Make sure that patient care is first and foremost, and then make sure that we can get bills out the door.”
Failure to implement simple preventive measures can spell disaster for patients and health systems. Attacks that compromise clinical care are a clear affront to healthcare’s mission. Dr. Eric Quiñones, Chief Healthcare Advisor at World Wide Technology, noted that providers are also responsible for being good stewards of their patients’ private data.
In the spring of 2021, mid-size provider Scripps Health in San Diego faced down a ransomware attack that forced many of their systems offline for three weeks. The incident cost Scripps a reported $113 million in lost revenue and left the health system legally vulnerable.
“It's very bad that any organization should be held to ransom and breached, but it’s another thing when information is actually stolen,” Quiñones said. About 147,000 patients had their health and financial information compromised in the attack. “It hurts [hospitals] from a credibility standpoint. There's that indirect cost as well. Do patients trust them now?”
Patients have now filed class-action lawsuits against Scripps, alleging that the health system should have done more to thwart the attack and protect patient data.
Unfortunately, the story of Scripps is not a unique one. Its larger neighbor, UC San Diego Health, suffered a breach that lasted from the winter 2020 into spring 2021. That event compromised about a half-million patient records and also produced a pending class-action suit.
“This breach was preventable—had UC San Diego Health had the right data protection protocols in place,” the plaintiffs’ lawyers argue.
Kristin Myers is the CIO of Mount Sinai Health System. She knows many bleak statistics about the 2021 cybersecurity landscape, but lists them without losing hope for the future of healthcare cybersecurity.
“Twelve percent of all ransomware attacks are in healthcare, and downtime on average can be around 23 days,” she said. “Just think about being down for 23 days—you’ve got to be able to reduce the attack surface, but you also need to be ready in terms of an incident response. Looking at the backups, doing tabletop exercises with our executives, I think that is extremely important.”
Today, Myers said there is widespread executive support for the cybersecurity operations at Mount Sinai. She’s also hopeful about a new CISO hire brought in from outside the industry. Once past the learning curve of healthcare, she believes outside cybersecurity experts can bring new perspectives and skills to fill the gaps in health IT.
Still, she acknowledges that the road to a healthier cyber future won’t be seamless. Improvement depends on simple best practices, systemwide buy-in, and realistic expectations.
“It’s a journey,” she said. “There’s not going to be perfection with cybersecurity, it’s a maturity journey that everyone is on.”