This is part 1 of a two-part series on the August 10 presentation by Mac McMillan of the CynergisTek consulting firm at the CHIME/AEHIS LEAD Forum event in Nashville. This article covers a portion of McMillan’s presentation; part 2 will cover the concluding portion of his address, as well as his exclusive interview with Healthcare Informatics, which immediately followed his speech on Wednesday.
Mac McMillan, CEO of the Austin, Tex.-based CynergisTek consulting firm and one of the healthcare industry’s IT security luminaries, offered a bracing view of the current IT security landscape to those attending the CHIME/AEHIS LEAD Forum Event, held Monday, August 10 at the Sheraton Downtown Nashville in Nashville, Tennessee. The event was co-sponsored by the Ann Arbor, Mich.-based College of Healthcare Information Management Executives (CHIME) and its subsidiary association, the Association for Executives in Health Information Security (AEHIS), and by the Institute for Health Technology Transformation (iHT2—a sister organization to Healthcare Informatics under the Vendome Group, LLC umbrella).
McMillan shared his perspectives on what he sees as a very challenging health IT security environment going forward, in a speech entitled “Developing and Managing an Ongoing Risk Management Program.” The risk management perspective on the current health IT security landscape is important, he emphasized. “One of the things I’ve learned is that the teams that win, study the enemy, have a good plan, and can execute,” McMillan told his audience, beginning his speech by sharing a personal story. “Everybody in my family has always been involved in athletics,” he noted, “and most have been in the Marines or the Army. And my oldest daughter actually took it to the highest level. She graduated as an All-American in volleyball. She’s a ‘libero.’ The libero is the most aggressive person on the court; they’re always digging out the spikes that the other team is throwing at you, so you can help someone send it across the net. And the thing that made her so good is that she would study the behaviors of the next team that her team was about to play. And she would have every player on the other team pegged, as to what they were like, so she knew where she would have to go. She had set the NCAA record for ‘digs’ by the time she graduated. She studied her enemy, she studied the other side. And she and her team would work together to plan their moves against each upcoming competitor. Women’s volleyball is so exciting, because they get aggressive, and they work as a team.”
So, McMillan said, “My daughter’s volleyball team worked hard, practiced, and executed. And that’s the same thing that our military does as well, and that other organizations do that win. And all of this applies to where we are today with regard to cybersecurity. The reality is that we’re in a fight,” he said. “The fact is that your organization has something valuable that someone wants to take away. And if you don’t want them to take it away, you need to understand who they are and what they’re after. And you need to prepare and work as a team. And executing on cybersecurity is similar to how teams in volleyball and in the military work. This is a team sport. And it’s one that requires good strategy. In the case of healthcare, it’s the CIOs and CISOs in this industry who will develop that strategy and defend their organizations against the bad guys.”
Darker threats emerging every day
Meanwhile, referring to an infamous case that came into public view in June, in which a hacker claimed to hold 655,000 patient records, allegedly obtained by hacking into three different healthcare databases, and claimed to be offering them for sale on the dark web, McMillan said, “The next time that an adversary comes to you and offers you an opportunity to cover this up and make it go away for a small fee to prevent the leak, don’t take the offer. This guy is a classic criminal, and is offering you the chance to buy your data back and to cover it up for you. But what will happen? Blackmail. Fortunately, nobody’s bought into this guy’s scenario,” he said of that situation. Yet such situations, in which hackers acquire protected patient data and in some cases attempt to sell it, are indicative of the broader landscape of bad actors constantly attempting to sabotage the clinical information systems of U.S. patient care organizations.
“But that’s who we’re up against,” McMillan told his audience. “When you look at the threat environment we’re up against today, we absolutely have got to get a handle on this and realize that it is real, it is growing, and it is not going away. The minute we decided to digitize all our information and automate all our processes, we became as susceptible as any other industry to cybercrime.” As a result, he said, healthcare IT leaders must be realistic about the fact that cyber-extortion, cyber-espionage, hacktivism, and targeted attacks are going to be a part of the IT security landscape for the foreseeable future. Given that, he said, “We need to adopt an offensive posture. And it’s an asymmetrical dynamic: we have to win 100 percent of the time, whereas the hackers only have to win a part of the time in order to learn more with each successful attack or hack. Symantec says there are 340 million variations on malware now,” he noted.