The country has been experiencing cyberattacks for the last 20 years, but the rise of cryptocurrencies making ransoms and extortion a more lucrative practice. With the increasing pay-off potential, the cybersecurity risk in healthcare has escalated, with bad actors looking to make a profit.
Mitch Parker, CISO of IU Health, spoke with host Bill Russell about the foundational aspects of cybersecurity programs. Located outside of Indianapolis, Indiana, IU Health is a 17-hospital system with various outpatient facilities; their lifeline ambulance service also covers the entire state. The health system is affiliated with the IU School of Medicine and its campuses, where they work towards advancing their communities’ health and well-being.
Because many networks have not been updated since the XP service pack in 2004, bad actors can more easily hide their origins and actions, Parker explained.
"We need to look at what we're doing, how we're doing it, look at security better, and, honestly, get rid of a bunch of legacy applications that we have that open up our networks to make it so easy for a lot of these people to succeed," he said.
The Biden Administration has put in place an Executive Order to fight against cybersecurity risks, including in healthcare. There is increasing pressure to adhere to certain guidelines for software vendors selling to government agencies. According to Russell, these criteria would require suppliers to keep their software operating at specific security levels.
Parker is concerned about that the follow-through on the order will take a significant amount of time and effort.
"To make that executive order succeed, we have to put people in place in CISA, Homeland Security, and HHS to really ramp up what we're doing very quickly. And that's going to be a significant challenge," he explained.
For healthcare to efficiently address cybersecurity risks, systems need to rethink their applications. According to Parker, it is not an EMR vendor like Epic or Cerner that pose an issue. Instead, small bespoke apps, which complete tasks that EMRs cannot, can be unsecured. Additionally, things like the 21st Century Cures Act with FHIR APIs are opening the door to cyberattacks.
According to Parker, the first step of the process following a breach is to start at ground zero by assessing the risk within the organization. This is done by interviewing employees, understanding the environment, and performing a quantitative risk assessment.
"One of the big challenges you find in security is that the issues aren't where you think they are. You have to do deep analysis and deep research," he said.
This detailed analysis goes to senior leadership teams to determine what issues need to be first addressed.
"You are basically telling your leadership that this is the path we need to take forward. I'm going to need cooperation from your entire organization. These are the goals we have to meet as defined by the assessment. And these are the changes we're going to have to make," he said.
Parker explained that this process is collaborative. However, health systems utilizing contracting outside help may struggle as consultants are not intimately aware of the business.
"You have to do that first as part of your risk assessment before you do anything else. Because if you try putting anything in with security that doesn't meet the customer's needs or doesn't meet the business's needs, it will get thrown away," he said.
A common risk in most healthcare systems' cybersecurity is lack of due diligence, according to Parker. He explained how this leads to detriments of systems and a lack of security overall.
"Security has to be more pervasive than it ever was, and it needs a different type of professional than it did 15-to-20 years ago to make this work. And in nowhere is this more relevant than healthcare," he said.
Some health systems have set their CISOs as a peers to the CIO. Parker explained the need for this model varies depending on the structure of individual organization. However, also according to Parker, security needs to be in a quasi-independent function within any organization.
Quantitative risk assessment should inform cyber program funding, Parker explained. The funding is the function of a long-range, strategic IT plan, according to Parker, and security should be part of every project and internal process.
"The amount of funding security gets needs to be commensurate with the ability to protect the assets, people, processes, and technologies that you're utilizing to facilitate the long-range plan for you," he explained.
An IT budget should have five to ten percent of its budget focused on security and its measures, Parker explained. He gave this helpful guideline: the security budget should be built into the ROI of every major project.
However, when ROIs get cut on long-term projects to look better and have a higher investment is the most pressing concern for Parker. Cutting out cybersecurity measures in your health system's projects ROI is one of the biggest risks.
"We need to have leadership that says you're going to have the security as part of your project costs. You're going to have the proper operational staff as part of project costs... The second you have a data breach, your ROI is going negative," he said.
It is possible for small, rural health systems to keep pace with the sophistication of cyberattacks, according to Parker. He explained how managed security providers can help support a small-to-medium provider. However, there needs to be a shift in order to create access to more extensive features, which larger providers utilize.
Third-party risk is critical roles for security team to consider no matter the size of you health system. According to Parker, there is a need to have a team dedicated to risk assessments like HIPAA and PCI.
"I don't care if you're a small community hospital in the middle of Nebraska or one of the larger health systems; you’re going to take credit cards. You have to make sure you maintain some degree of PCI compliance or, if not, outsource it to someone that will," he explained.
Furthermore, security needs a strong operational team to keep services dispatched and check-up on vendors. Additionally, a security operations team would maintain equipment.
Looking towards the future, Parker desires to see advancement in medical device security. When not working at IU Health, Parker partners with the IEEE Underwriter Laboratory Group, trying to create the standard for the internet of medical things.
By looking at trust, integrity, privacy protection, safety, and security of IoT, devices, data interchanges, and architecture can be more secure. According to Parker, an architecture-level and engineering-level solution would provide significant traction.
An important aspect of this process is talking about security as it works with the rest of the delivery organization and how to integrate it more with privacy.
"Ultimately, security is an incredibly good function. We align with the mission and values. We love doing what we do. However, we need to have that 'force multiplier' to be able to be more effective. And that is working with our customers and more of a cross-disciplinary matter," Parker said.