Mac McMillan, CEO of the Austin, Tex.-based CynergisTek consulting firm, is a very well-known figure in healthcare IT, and a widely respected healthcare IT security expert. Recently, he spoke with HCI Editor-in-Chief Mark Hagland regarding some of the most important—and pressing—developments in data security right now in U.S. healthcare. Below are excerpts from that interview.
It was great to speak with you when we were both in Las Vegas earlier this month, participating in HIMSS16. Did you find anything surprising at the HIMSS Conference this year? Did anything you saw or heard at the conference change your mind about anything? We spoke at HIMSS just two weeks after the now-infamous Hollywood Presbyterian Medical Center ransomware incident.
I don’t think there was anything that changed my mind. But one thing that struck me was that there certainly was a higher sense of urgency around these advanced threats in healthcare. And a lot of people had either been hit by an advanced threat—either ransomware or a virus—or they knew someone who had been. And everybody wanted to know what to do to avoid it, because it was becoming a big issue. And that hasn’t stopped. It was non-stop from just before HIMSS, through HIMSS, and after HIMSS.
Every week now—I don’t visit a hospital now that doesn’t say to me, we’ve had two or three ransomware attacks or incidents. And in most cases, they also know of the experiences of folks in their local area. And the number of incidents that actually get reported versus the number of incidents that are occurring is tiny—it’s like an iceberg phenomenon.
The good news is that most of these ransomware incidents are not turning out to be debilitating for hospitals, but they’re certainly causing a loss of time and a lot of costs, and anxiety, and are causing a tremendous amount of anxiety in our IT people. No one wants to be the hospital that goes down and isn’t capable of delivering services.
The appropriate resources have to be devoted to this. I was talking to a COO yesterday, and that COO’s hospital had just had two incidents. And there were several things we had recommended to them over a year ago, and they hadn’t done them. And his CIO readily admitted that they needed to do something about it. And do we really have to hurt, do we really have to have the pain, before we do something?
What is at the core of the poor handling of these incidents by some leaders of some patient care organizations? Is it a lack of vision, strategy, tactics, resources?
At the end of the day, a hospital is a business. And there are things that they’re trying to do with their resources that enhance the business and grow the revenue. And certainly, security does not do those things. It enables those things, but it’s a cost center.
And people are being reactive, essentially, rather than proactive, about this threat?
Yes, and to me, that’s a very short-sighted way to manage. I get it that there needs to be a balance and that you only have X dollars to spend, but I don’t think you should allow this to be put off and become a problem. Now it’s affecting our ability to move forward. So at some point, you need a better barometer.
Is a successful ransomware attack inevitable, or can it be prevented?
The research we’ve seen indicates that if you’re doing the right things, the majority of ransomware attacks can be avoided. But even the brand-new attacks can be avoided or controlled more effectively if you’re doing the right things. If you’re doing all the right things, and it’s a variant of one of these known types of attacks, you can avoid it. If it’s a brand-new attack and we don’t have the signature for it, we can still be more effective at identifying those things, because we now have advanced malware capabilities that look for anomalous behavior as well as known signatures. Most organizations not getting into trouble are doing those things. So maybe the virus or malware gets past their initial defenses, and for a few minutes it’s in the environment and is encrypting file-shares or systems, or locking up systems, or whatever, but with good defenses, it will eventually be detected and stopped. For organizations doing the right things, a small percentage of attacks get through, but they’re able to stop those and be successful. So yes, the majority of attacks can be avoided, and the others we can identify more quickly and respond to accordingly.
What are the fundamentals for health system leaders to prepare for future, unknown, as-of-yet-unexperienced situations? Because it seems that it is very important to consider all the new, as-of-yet-unexperienced threats that could emerge.
You’re absolutely correct. Once we figure out how to deal with this [ransomware] effectively, the threat will move somewhere else. That’s the never-ending nature of criminal activity, right? You build a better bank, and the criminals figure out some other way to rob you. So healthcare leaders need to understand that this is something that is not going away. It should be elevated to a serious business process that gets leadership attention. If you’re going to use electronic systems to support your business, and are going to rely on data, then you need to understand that this is an ongoing situation that is not going away, and that will evolve over time.