This Week Health
October 26, 2021

The Fight Against Cyber Criminals: Health IT Experts Explore the 2021 Cybersecurity Landscape

Experts Explain How to Navigate the Healthcare Cybersecurity Landscape for a Safer Future

October may be National Cybersecurity Awareness Month, but the 2021 cybersecurity landscape has health IT leaders need to be wary of cyber threats every minute of every day. 

This Week in Health IT founder and host Bill Russell first likened the healthcare cybersecurity landscape to a war, in 2018. If a foreign warship were anchored off the American coast, the US government would take action. Likewise, they must consider cyber threats. This was as the industry was still processing the back-to-back blows delivered the previous year by notorious cyberattacks “WannaCry” and “NotPetya.” Both attacks were sophisticated cyber-weapons that wreaked havoc on health systems.

Increased Urgency in the 2021 Cybersecurity Landscape Elevates Conversation in Healthcare IT

Even before the uncertainties brought about by the novel coronavirus, health systems were still struggling to fill out their cybersecurity teams. Now, these challenges have continued. Meanwhile, COVID-19 has brought about higher vulnerability as online threats grow in volume and complexity every year. According to Forbes, the number of hacking incidents levied against health systems jumped by 42% from 2019 to 2020. These statistics marked the fifth year straits of increased healthcare data breaches.

Health systems continue to fight to keep safe in the fraught health IT cybersecurity landscape. Leaders must collaborate to bolster their understanding of the threats, vulnerabilities, and possibilities, postured Censinet's Chris Logan during a Newsday interview.

"We're all in the same fight. So at the end of the day, we all need to start working together to solve these problems. It's not about the haves and the haves nots. It's how can we share that best practice? How can we share those controls? I think that's going to be critical moving forward to solve the problem," he said.

As bad actors have increased their attacks, the cybersecurity conversation has continued to garner attention and urgency. As Cybersecurity Awareness Month comes to a close, This Week in Health IT gathered perspectives from some of the leading minds in health IT. Experts have weighed in on the cybersecurity landscape and actionable insights about how to navigate healthcare cybersecurity in 2022 and beyond.

Facing the Staffing Challenges for Cybersecurity Understanding

David Muntz This Week in Health IT

David Muntz, Principal at StarBridge Advisors

While much has changed in the wider world since Russell made his first “war” comparison, health IT continues to grapple with the same obstacles. If healthcare cybersecurity is a war, the good guys need more recruits—and Russell’s guest on that 2018 episode, David Muntz, knows where to look.

Lack of personnel may be a big issue, but Muntz, a principal at Starbridge Advisors, explained that it’s easy to find IT professionals with the technical skills for cybersecurity. It’s harder to find prospective staff who understand the nuance of healthcare cybersecurity landscape—and are passionate about it. 

Muntz emphasized the value of homegrown health IT talent. He explained how it’s sometimes better to leverage existing clinical knowledge to develop valuable cybersecurity team members. 

“I’ve got plenty of people with technical skills,” Muntz said. “We populate our projects with the best of the people in the clinical areas. Once they go into healthcare IT, they aren’t touching one person at a time—they are touching hundreds or thousands at a time, and it’s easy to draw them over. You don’t need as much technical skill as you need human skills.”

Awareness and Communication Are Top Cybersecurity Priorities

To tackle the ever-growing threats that health systems face, it isn’t enough to have a fully-staffed IT department. Experts like Muntz, Russell, and Sirius Healthcare's Cybersecurity First Responder Matt Sickles all agree that homegrown IT staff are an advantage, provided they are committed to their work.

Matt Sickles This Week in Health IT

Matt Sickles, Cybersecurity First Responder at Sirius Healthcare 

Dedicated IT teams will foster success by truly caring about the health of the organization, Sickles explained. These team members have “skin in the game.” They stand opposite to contractors who “get parachuted in to tell the CEO they’ve done a bad job” on security. 

The optimal factor of success is constructive communication, Sickles explained. Staff must be willing to express the severity of the threats staring down their health system and receive attention when suggesting preventative measures.

“Say it out loud, say it often, repeat it. And make it part of the beginning of every discussion related to information,” Sickles said. “If it is information technology or information security, cybersecurity just has to be omnipresent in the conversation.”

During his tenure as a CIO, Russell explained how the chief security officer was designed to be a thorn in his side. Russell encouraged his CISO to consistently pipe up to alert the organization of deficiencies in their security.

“His role is to get in my face and say, ‘We’re not making enough progress in these areas. How are we going to move the needle?’“

Diligence Decreases Cybersecurity Vulnerabilities

Mitch Parker, CISO for Indiana University Health, was quick to answer  what he perceived to be the largest gap in health cybersecurity.

Mitch Parker, Indiana University Health This Week in Health IT

Mitch Parker, CISO Indiana University Health This Week in Health IT

“Due diligence,” he said.

Health leaders should pay attention to the third parties that they use to provide IT services, he added. The risks are manifold. On one hand, a a cybersecurity breach can bring down clinical applications from third party providers if their services are compromised.

A more recent example illustrates the other risk: direct infection passed through a third party. During the SolarWinds breach in 2020, Russian hackers exploited vulnerabilities in the third-party software to gain access to victims ranging from US government agencies to the California Department of State Hospitals.

Parker believes true diligence means incorporating security teams into the procurement process. It can prevent uninformed decisions or panic-buying, especially in the wake of a newsworthy breach. 

“I think the unintended consequence of SolarWinds has been that a significant number of third-party vendors took their marketing materials, added the word ‘SolarWinds’ to them. And they are now making a lot of money off of CIOs that don’t know any better,” Parker said.

Cybersecurity staff should be involved in vetting potential IT partners, Parker posited.

The Simplest Cybersecurity Fixes Go a Long Way

Ryan Witt This Week in Health IT

Ryan Witt, Managing Director and Resident CISO at Proofpoint

Attacks that have compromised trusted third-party enterprise vendors, as the NotPetya attacks did, can have catastrophic consequences that are out of the health system’s control. However, most attacks are less sophisticated. Ryan Witt, Managing Director and Resident CISO at Proofpoint, insisted that health systems address the easy routes first.

“I would argue the starting point would be your email gateway. People are essentially being attacked on email or other messaging channels,” Witt said. “You need to have a sophisticated gateway that blocks about 95% of the email that comes your way, so you’re keeping almost all of the bad email away from your users immediately. You’re not forcing them to make a judgment call.”

How to Fight Cybercriminals Before They Reach Your Inbox

In addition to filtering outside emails, Witt suggested the use of domain-based message authentication, reporting & conformance (DMARC) capabilities to relieve the pressure on employees. These tools would allow health systems to verify the domain that users are sending their emails from, minimizing the risk of coworker impersonation that can result in serious data breaches.

Equipping Staff to Understand Cybersecurity Prevention

Julie Hubbard This Week in Health IT

Julie Hubbard, VP of Enterprise IT and Information Security at AMN Healthcare

Julie Hubbard, VP of Enterprise IT and Information Security at AMN Healthcare, agreed with Witt’s suggestions, but also endorsed reactive human intervention.

Her organization experiences a near-miss by hackers after they attempted to impersonate her company’s CFO. As a response, her organization created new rules. Team members must now only execute certain actions through verbal confirmation.

“We put a new control in place that basically said that no wire transfer would ever be approved via email,” she said. “We always work to validate that the information we’ve received is legitimate—so take it out of the digital communications and literally pick up the phone.”

Understanding the IT Security Landscape to Inform Prevention

Karl West, the Chief Information Security Officer for Sirius Healthcare, said that one of the simplest prevention techniques is staying up to date with the latest healthcare IT patches. Health systems must treat cybersecurity measures as preventative measures. Cybersecurity teams must enlist preventative tactics. Health leaders must treat these measures as the equivalent of a vaccination effort.

“What makes a system susceptible as if they forget to get their vaccines. This is not political and it’s not moral. Just get the vaccine and vaccinate your systems,” he said. “It’s called patch management. You need to be doing that.” 

Understanding the Entire Timeline and Potential of a Cybersecurity Attack

Even with strong preventive measures, incidents will continue to happen. West has understood that it’s vital that leaders take a measured approach to response and recovery.

“When you get hit, you must know the difference between detection, response, and recovery,” he said. “They are not the same. They’re not even close to the same.”

West has often seen a failure in understanding the full cybersecurity landscape. Organizations detect a breach and immediately fly into their response, not realizing that the strand they have detected may just be the tip of the iceberg. 

Health Systems Must Secure the Network Before Moving into Recovery

Karl West Intermountain This Week in Health IT

Karl West, CISO at Sirius Healthcare

It may seem counterintuitive. However, he explained that it is better to pause for an analysis rather than launching into a hasty response and recovery effort. If an organization were to rush into response and recovery without fully understanding and eradicating the threat, they may find themselves facing a resurgent hack or malware operation. 

“Don’t move until you’ve completely identified [the threat] in a good shop,” West said. “You should be measuring how long it took to detect and know that you have the threat vector completely understood. Measure how long it takes to respond, how long to recover.”

Health systems can also "sandbox" their systems to help contain a threat, West explained. Health organizations often run “flat networks” that are easy for bad actors to traverse. By segmenting technologies within the health system into sets with strong firewalls between, providers quickly shut down infected systems to prevent the spread of a breach—and potentially avert a full-scale system outage.

Creating a 30-Day Cyber Breach Response Plan for Your Health System

Headshot of Brian Sterud, VP of IT, CISO, and CIO on This Week in Health IT, talking about his roles at a smaller health system

Brian Sterud, VP of IT, CISO, and CIO of Faith Regional Health

Other experts agree that long-term vision is vital to full recovery and future prevention.

“Everybody is prepared for the first 24 hours or less. Once you start getting past that threshold, things get a lot more complicated,” added Brian Sterud, who serves as both CIO and CISO at Faith Regional Health

Sterud has tasked his team with planning contingencies based on key questions.

“How would we operate? How do we get bills out the door? Make sure that patient care is first and foremost, and then make sure that we can get bills out the door.”

Health Systems Cannot Run the Risk of a Compromised Network

Failure to implement simple preventive measures can spell disaster for patients and health systems. Attacks that compromise clinical care are a clear affront to healthcare’s mission. Dr. Eric Quiñones, Chief Healthcare Advisor at World Wide Technology, noted that providers are also responsible for being good stewards of their patients’ private data.

Dr. Eric Quiñones,  Chief Healthcare Advisor at World Wide Technology

In the spring of 2021, mid-size provider Scripps Health in San Diego faced down a ransomware attack that forced many of their systems offline for three weeks. The incident cost Scripps a reported $113 million in lost revenue and left the health system legally vulnerable.

“It's very bad that any organization should be held to ransom and breached, but it’s another thing when information is actually stolen,” Quiñones said. About 147,000 patients had their health and financial information compromised in the attack. “It hurts [hospitals] from a credibility standpoint. There's that indirect cost as well. Do patients trust them now?”

The Potential of Legal Ramifications Against Health Systems

Patients have now filed class-action lawsuits against Scripps, alleging that the health system should have done more to thwart the attack and protect patient data.

Unfortunately, the story of Scripps is not a unique one. Its larger neighbor, UC San Diego Health, suffered a breach that lasted from the winter 2020 into spring 2021. That event compromised about a half-million patient records and also produced a pending class-action suit.

“This breach was preventable—had UC San Diego Health had the right data protection protocols in place,” the plaintiffs’ lawyers argue.

Building a Better Future for Healthcare Cybersecurity

Kristin Myers is the CIO of Mount Sinai Health System. She knows many bleak statistics about the 2021 cybersecurity landscape, but lists them without losing hope for the future of healthcare cybersecurity.

Kristin Myers This Week in Health IT

Kristin Myers, CIO at Mount Sinai Health System

“Twelve percent of all ransomware attacks are in healthcare, and downtime on average can be around 23 days,” she said. “Just think about being down for 23 days—you’ve got to be able to reduce the attack surface, but you also need to be ready in terms of an incident response. Looking at the backups, doing tabletop exercises with our executives, I think that is extremely important.” 

Today, Myers said there is widespread executive support for the cybersecurity operations at Mount Sinai. She’s also hopeful about a new CISO hire brought in from outside the industry. Once past the learning curve of healthcare, she believes outside cybersecurity experts can bring new perspectives and skills to fill the gaps in health IT.

Still, she has understood the road to a healthier cyber future won’t be seamless. Improvement depends on simple best-practices, systemwide buy-in, and realistic expectations.

“It’s a journey,” she said. “There’s not going to be perfection with cybersecurity, it’s a maturity journey that everyone is on.”

Special Thanks to our Premier Sponsors for making this content possible

Transform Healthcare - One Connection at a Time

© Copyright 2023 Health Lyrics All rights reserved