Healthcare IT security was a major focus of discussion on Dec. 14 at the Health IT Summit in Atlanta, sponsored by Healthcare Informatics, and held at the Ritz-Carlton Atlanta. After a session Wednesday morning in which panelists discussed the broad policy, strategic, operational, and technological issues around IT security in the current moment, a panel Wednesday afternoon plunged into the topic of “A Deeper Dive: Understanding the Emerging Hacker Threats.”
The afternoon panel was moderated by Dee Cantrell, R.N., president of the Georgia chapter of HIMSS (the Chicago-based Healthcare Information and Management Systems Society), and president of the HIT Consultancy, LLC. Cantrell, who is best known in the industry as the former CIO at Emory Healthcare, where she served from 2000-2016, was joined by William (Bill) Fleming, director of ITS operations at Gwinnett Medical Center (based in the Atlanta suburb of Lawrenceville); Claude “Chip” Council, Ph.D., senior manager, cyber-security & end-user services, at the Shriners Hospitals for Children (Tampa, Fla.); and Ricardo (Ric) Grave de Peralta, Assistant Special Agent in Charge, Cyber/Counterintelligence, in the Atlanta Field Division of the Federal Bureau of Investigation (FBI).
As an illustration of how widespread malicious and criminal hacking has become, Grave de Peralta noted that “I just learned this year that one of the orthopedic clinics at which I had been a patient was hacked. This was not a ransomware attack, it was a malware attack, but the hacker exfiltrated the files and then demanded ransom from the clinic to release the patient records to the clinic rather than to the dark web. Mostly,” he continued, “people will get in criminally [into the information systems of patient care organizations in order] to exfiltrate files. There are a lot of vulnerabilities, including because of third-party partners and vendors. And if you haven’t secured your connections to third-party vendors, you’ve got the biggest open front door there is,” he added.
“In fact, what’s happening now is being referred to in some cases as ‘ransomware as a service’—it’s cybercriminals running ransomware as a service, as a business,” Cantrell noted, “and extortion attempts are definitely a key area” within that phenomenon.
“That’s right,” Grave de Peralta said. “We know of cases in which, oftentimes, these ransomware attacks are perpetrated by hackers from outside the United States. And they’ll send you the message to let you know that they’ve encrypted your files and want money from you. But they actually have a full service desk to respond to your complaints over ‘customer service.’ So it’s a whole new paradigm.”
Panelists (l. to r.) Council, Fleming, Grave de Peralta, and Cantrell discuss IT security Wednesday
What strategies and tactics are being pursued?
Cantrell asked her panelists what strategies and tactics they’ve been pursuing around data security, and how those are working out. Gwinnett Medical Center’s Fleming reported that “We’ve been working on a lot of phishing [education and training] campaigns. And we’ve been fairly happy with the results. This past month, we did a bigger one to the whole organization, and the results were kind of scary,” he said. It turned out that 10 percent of those across the hospital who had been sent an e-mail mimicking a phishing attempt had opened it. “And 10 percent, across a whole organization, suddenly sounds like a huge number,” he said. “And so our whole theme with this campaign was, ‘protecting your data at home.’ And people seemed to embrace that idea more,” he said, because he and his colleagues were able to convey clearly to their coworkers at the hospital how the same phishing e-mails that could harm the hospital could also harm them in their home lives. “So I think it was successful. We’re going into the next phase where there will be a bit more of a punishment if you repeatedly click on things,” he added. “Our administrative staff wants to start locking down accounts on people who click and open multiple times on phishing e-mails. And the thing is, people are so busy, but we need to make it a little bit more real.”
In addition, Fleming said, “Meanwhile, we’re working on network segmentation; we’ve already created a firewall between our main network and biomed. But we’re also working on backups. We had our normal audit last spring; it was scary reading the report on it. So we’ve bought new storage that’s encrypted, and that’s going well. But we need to work on a whole new security plan.”
Turning to Council, Cantrell asked, “What scares you, Chip?” “I think the other members of the panel would agree, what scares me the most is the things we don’t even know,” Council said. “It used to be, the focus was on securing the perimeter of the network. But more and more, we have to assume, they’re already in the network. And we know that healthcare is behind other industries. We also know that our user base is far more complex than your typical user base in an organization. We have a more transient user base; there is the Internet of Things; and there is a demand for access to a lot of databases. So we need to come up with a plan for assessing risk, mitigating the highest risks, putting together a good disaster recovery plan, and educating, educating, educating.”
Educating the C-suite and the board