In his opening keynote address at the CHIME Lead Forum at iHT2-Denver, sponsored by the Ann Arbor, Mich.-based College of Healthcare Information Management Executives (CHIME) and by the Institute for Health Technology Transformation (iHT2—a sister organization of Healthcare Informatics through our parent company, the Vendome Group LLC), being held at the Sheraton Downtown Denver, Mac McMillan laid out in the clearest possible terms for his audience of IT executives the growing cybersecurity dangers threatening patient care organizations these days.
Under the heading, “What Is Cyber Security and Why Is It Crucial to Your Organization?” McMillan, the CEO of the Austin, Tex.-based CynergisTek consulting firm, used his opening keynote address to challenge his audience to think strategically and proactively about the growing cyber-threats hitting patient care organizations across the U.S.
McMillan elaborated on what he sees as 11 key areas of concern going forward right now for healthcare IT leaders: “increased reliance”; “insider abuse”; “questionable supply chains”; “device-facilitated threats”; “malware”; “mobility”: “identity theft and fraud”; “theft and losses”; “hacking and cyber-criminality”; “challenges emerging out of intensified compliance demands”; and a shortage of chief information security officers, or CISOs.
In fact, McMillan said, cybersecurity threats are accelerating and intensifying, and are coming through such a broad range of threat vehicles—hacking by criminal organizations and foreign governments, penetration of information networks via the deliberate infiltration via medical devices, and a crazed proliferation of all types of malware across the cyber universe, that the leaders of patient care organizations must take action, and take it now, he urged.
As for “increased reliance,” the reality, McMillan noted, is that “We live in a world today that is hyper-connected. When I left the government and came back into healthcare in 2000,” he noted, “probably the total number of people who looked at any patient record, was about 50, and all were hospital employees. Today, that average is more like 150, and half of those individuals are not hospital employees. And our systems are interconnected. Digitizing the patient record, under meaningful use, coincided with the rise in breaches. Not that any of that is bad,” he emphasized. “But it did become easier for bad people to do bad things; it also increased the number of mistakes that could be made. If I wanted to carry out paper medical records” in the paper-based world, he noted, “I was limited to the number I could put into a basket. Now, I can download thousands at a time onto a flash drive.”
With regard to “insider abuse,” McMillan made a big pitch for the use of behavior pattern recognition strategies and tools. “We have to actively monitor what’ going on,” he urged. “It doesn’t mean running random audits. You have to actively monitor activity, and you can’t do that manually, and we have to recognize that. Also, a lot of activity, particularly identity theft, is not captured by monitoring compliance rules, but rather, by capturing activity patterns. The fact that someone looks at information four times the frequency that their neighbor does—the fact that an individual is looking at four times as many records, is absolutely a flag. They’re either working four times as hard/fast, or are snooping, or are engaged in nefarious activities. But fewer than 10 percent of hospitals are actively monitoring behavior patterns.”
McMillan was totally blunt when it came to discussing “questionable supply chains.” “I’ll just come out and say it: vendors are a threat,” he told his audience. “We’ve had cases where vendors have been hacked or have had incidents, and the vendor didn’t have a good procedure for restoration or what have you. We need to do a better job of vetting our vendors, of holding them to a higher standard for performance. And this industry needs to create a better baseline—basic requirements—if you connect my network, this is how you have to connect, this is the basic level of encryption required, that kind of thing. This is about creating and adhering to minimal requirements, not creating a new framework,” he said. “We’re already got a million frameworks out there.”
What about medical devices? The threats there are absolutely exploding, McMillan said. He noted that successful hacks have now been documented via such devices as insulin pumps and blood pumps, all of which are relatively recent, as most medical devices weren’t networkable until at least 2006.
Meanwhile, the malware explosion dwarfs just about all other issues, at least in terms of volume. At the beginning of last year, McMillan reported, there were 100 million instances of malware floating around; by the end of the year, there were 370 million. Importantly, he noted, “Malware is no longer produced by smart people in dark rooms writing code. It’s now being produced by bots morphing old malware. And this is putting more pressure on people in terms of the integrity of the environment.” He warned his audience that “The anti-virus products we have today are antiquated products. Less than half of the malware out there is recognized by anti-virus anymore; if you’re relying on antivirus, you’ve already lost the battle. In the next decade,” he predicted, “we’ll move from a speed of computing of 10 to the 8th power, to one of 10 to the 26th power—that’s how fast we’ll be computing. That’s phenomenal. So decisions will be made by computers so fast that any technology relying on signatures to be looked up, will be blown by. It will never keep up. So our security vendors have got to get ahead of this curve, have got to recognize that this whole paradigm we’re dealing with is changing, and we’ve got to change the way we act around this.”
With regard to the rest of the 11 key areas he cited, McMillan made a number of important comments. Among them, with regard to mobility and data, he said, “We’ve got to quit chasing the device. I’ve said this for the better part of five years now. If we chase the device, we’ll never catch up. We’ve got to focus on how the devices connect the environment and how we register and protect those devices.” Meanwhile, he emphasized that while hacking and cyber-criminality represented only 10 percent of data breaches only two years ago, breaches created by hacking and cyber-criminality are now surging.
A lot of these challenges really require a level of IT security management and governance that remains lacking in U.S. healthcare, McMillan said. “I absolutely believe that we need more CISOs in healthcare. I think we need to improve the education of our CISOs and need to help professionalize them. We need to find ways for CIOs to collaborate. That’s the way we help everyone benefit and get ahead.”