This is part 1 of a two-part series on the August 10 presentation by Mac McMillan of the CynergisTek consulting firm at the CHIME/AEHIS LEAD Forum event in Nashville. This article covers a portion of McMillan’s presentation; part 2 will cover the concluding portion of his address, as well as his exclusive interview with Healthcare Informatics, which immediately followed his speech on Wednesday.
Mac McMillan, CEO of the Austin, Tex.-based CynergisTek consulting firm and one of the healthcare industry’s IT security luminaries, offered a bracing view of the current IT security landscape to those attending the CHIME/AEHIS LEAD Forum Event, held Wednesday, August 10 at the Sheraton Downtown Nashville in Nashville, Tennessee. The event was co-sponsored by the Ann Arbor, Mich.-based College of Healthcare Information Management Executives (CHIME) and its subsidiary association, the Association for Executives in Health Information Security (AEHIS), and by the Institute for Health Technology Transformation (iHT2, a sister organization to Healthcare Informatics under the Vendome Group, LLC umbrella).
McMillan shared his perspectives on what he sees as a very challenging health IT security environment going forward, in a speech entitled “Developing and Managing an Ongoing Risk Management Program.” The risk management perspective on the current health IT security landscape is important, he emphasized. “One of the things I’ve learned is that the teams that win study the enemy, have a good plan, and can execute,” McMillan told his audience, beginning his speech by sharing a personal story. “Everybody in my family has always been involved in athletics,” he noted, “and most have been in the Marines or the Army. And my oldest daughter actually took it to the highest level. She graduated as an All-American in volleyball. She’s a ‘libero.’ The libero is the most aggressive person on the court; they’re always digging out the spikes that the other team is throwing you, so you can help someone send it across the net. And the thing that made her so good is that she would study behaviors of the next team that her team was about to play. And she would have every player on the other team pegged, as to what they were like, so she knew where she would have to go. She had set the record for ‘digs’ by the time she had graduated, in the NCAA. She studied her enemy, she studied the other side. And she and her team would work together to plan their moves against each upcoming competitor. Women’s volleyball is so exciting, because they get aggressive, and they work as a team.”
So, McMillan said, “My daughter’s volleyball team worked hard, practiced, and executed. And that’s the same thing that our military does as well, and that other organizations do that win. And all of this applies to where we are today with regard to cybersecurity. The reality is that we’re in a fight,” he said. “The fact is that your organization has something valuable that someone wants to take away. And if you don’t want them to take it away, you need to understand who they are and what they’re after. And you need to prepare and work as a team. And executing on cybersecurity is similar to how teams in volleyball and in the military work. This is a team sport. And it’s one that requires good strategy. In the case of healthcare, it’s the CIOs and CISOs in this industry who will develop that strategy and defend their organizations against the bad guys.”
Darker threats emerging every day
Meanwhile, referring to a widely reported case that came into public view in June, in which a hacker claimed to hold 655,000 patient records, allegedly obtained by breaking into three different healthcare databases, and offered them for sale on the dark web, McMillan said, “The next time that an adversary comes to you and offers you an opportunity to cover this up and make it go away for a small fee to prevent the leak, don’t take the offer. This guy is a classic criminal, and is offering you the chance to buy your data back and to cover it up for you. But what will happen? Blackmail. Fortunately, nobody’s bought into this guy’s scenario,” he said of that situation. Yet such situations, in which hackers acquire protected patient data and in some cases attempt to sell it, are indicative of the broader landscape of bad actors constantly attempting to compromise the clinical information systems of U.S. patient care organizations.
“But that’s who we’re up against,” McMillan told his audience. “When you look at the threat environment we’re up against today, we absolutely have got to get a handle on this and realize that it is real, it is growing, and it is not going away. The minute we decided to digitize all our information and automate all our processes, we became as susceptible as any other industry, to cybercrime.” As a result, he said, healthcare IT leaders must be realistic about the fact that cyber-extortion, cyber-espionage, hacktivism, and targeted attacks are going to be a part of the IT security landscape for the foreseeable future. Consequently, he said, “We need to adopt an offensive posture. And it’s an asymmetrical dynamic: we have to win 100 percent of the time, whereas the hackers only have to win a part of the time in order to learn more with each successful attack or hack. Symantec says there are 340 million variations on malware now,” he noted.
What’s more, the landscape is constantly mutating, McMillan said. “We had 54 zero-day attacks last year, meaning that no system would have recognized that malware. Except that every version of malware has a behavioral signature that is unique. And every signature can be good, bad, or unknown. The problem is that when we focus on the old known viruses, the new ones get by our protections and cause us problems. We’re going to have to go to those advanced solutions that give us the ability to move forward.”
Inevitably, then, McMillan said, “We’ll have to focus on anomalies. So we need to do a better job of managing our environments, of keeping our environments up to date. Obsolete systems, end-of-life systems that can’t be patched, do nothing for us, from a security perspective. And we need to make sure we’re hardening our systems and configuring them against all known risks, and keep them patched.” Fascinatingly, he said, “Ninety-eight percent of attacks last year took advantage of a known vulnerability that was either a year or more old, meaning, there was a patch available for it, a configuration somebody could have made, a service someone could have used, but we didn’t. They’re counting on our being too tired and too busy to keep up normal maintenance.”
A metaphor of battleships
McMillan shared with his audience a metaphor he said he wanted them to consider.
“It’s important to think about the metaphor of compartmentalization, and the way that battleships are built. They’re built in tight compartments, so that when one compartment is hit, the ship can go on,” he said. “We’ve seen many breaches this year that have turned into many bad situations, and in most cases, it was because they couldn’t stop things fast enough” once an information system had been infected or invaded. “I talked with one hospital that had a zero-day virus that had emanated from their core, and literally, within two hours, three-quarters of their systems were infected, because of a lack of segmentation.”
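To make the compartmentalization point concrete, here is an added example (not McMillan’s or CynergisTek’s code) that models a small hospital network and counts how many hosts a worm spreading over SMB and RDP could reach from a compromised core server under a flat policy, under a zone-segmented policy, and under the same segmented policy with one forgotten cross-zone exception. The host names, zones, ports and policy rules are all hypothetical and constructed for illustration.

```python
"""Blast-radius model for the battleship/compartment metaphor.

Added example, not code from the talk or from CynergisTek. All host names,
zones, ports and policy rules below are hypothetical and constructed.
"""
from collections import deque

# Constructed inventory: host -> network zone (hypothetical names).
HOSTS = {
    "core-dc01": "core",
    "core-file01": "core",
    "core-ehr-db": "core",
    "ward-ws01": "clinical",
    "ward-ws02": "clinical",
    "ward-ws03": "clinical",
    "radiology-pacs": "imaging",
    "radiology-mod01": "imaging",
    "admin-ws01": "business",
    "admin-hr01": "business",
    "biomed-pump01": "medical-devices",
    "biomed-mon01": "medical-devices",
}

# Ports a hypothetical worm uses to spread laterally (SMB and RDP).
WORM_PORTS = {445, 3389}


def flat_policy(src, dst, port):
    """Unsegmented network: every host can reach every other host on any port."""
    return True


def make_segmented_policy(cross_zone_allow):
    """Build a zone policy: traffic inside a zone is permitted; traffic between
    zones only if the (src_zone, dst_zone) allow-list contains that port."""
    def policy(src, dst, port):
        src_zone, dst_zone = HOSTS[src], HOSTS[dst]
        if src_zone == dst_zone:
            return True
        return port in cross_zone_allow.get((src_zone, dst_zone), set())
    return policy


# Segmented design: clinical workstations reach the EHR database (1433) and
# the domain controller (88, 389); other zones reach only the DC; nothing
# crosses a zone boundary on SMB or RDP.
SEGMENTED = make_segmented_policy({
    ("clinical", "core"): {88, 389, 1433},
    ("imaging", "core"): {88, 389},
    ("business", "core"): {88, 389},
})

# The same design after a "temporary" SMB exception from the business zone
# to the core file server was never removed.
LEGACY_EXCEPTION = make_segmented_policy({
    ("clinical", "core"): {88, 389, 1433},
    ("imaging", "core"): {88, 389},
    ("business", "core"): {88, 389, 445},
})


def blast_radius(start, policy, ports=WORM_PORTS):
    """Breadth-first search over permitted flows: the set of hosts a worm that
    starts on `start` can reach when it spreads over any port in `ports`."""
    reached = {start}
    queue = deque([start])
    while queue:
        src = queue.popleft()
        for dst in HOSTS:
            if dst in reached:
                continue
            if any(policy(src, dst, port) for port in ports):
                reached.add(dst)
                queue.append(dst)
    return reached


if __name__ == "__main__":
    for label, policy, start in (
        ("flat network, infection in core", flat_policy, "core-file01"),
        ("segmented, infection in core", SEGMENTED, "core-file01"),
        ("segmented + SMB exception, infection in business", LEGACY_EXCEPTION, "admin-ws01"),
    ):
        hit = blast_radius(start, policy)
        print(f"{label}: {len(hit)}/{len(HOSTS)} hosts reachable -> {sorted(hit)}")
```

The model deliberately ignores credentials and patch state; it only answers what the network itself permits, which is the upper bound on how far a worm can travel before any host-level control matters. In the flat case every host is reachable from the core; with zones, an infection in the core stays in the core; the leftover SMB exception is the kind of detail that turns a contained incident in one zone into the “three-quarters of their systems” outcome McMillan describes.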
What might some of the solutions be? Among them, McMillan said, is to execute on a strategy of holding cyber-drills. “Some hospitals are beginning to do cyber-drills,” he noted, “and that’s a good thing. If people know each other, know their roles, they’ll be able to execute well. It’s like the baseball team that just comes together for a game and has never practiced. It’s no different here: what we execute and practice, is what we do. We need to make sure we have the right practices.”
A second key, McMillan said, is that “We can’t do this alone anymore, we really can’t.” The time has come to bring in expert outside consultants, he said, to do “monitoring, auditing, and analysis.” “You always need outside help. Whenever I try to monitor myself, what do I learn? Nothing new. But when I go outside, I can get help that will help me see what I’m missing. We need to think about outsourcing things like log management, IDS [intrusion detection system] management, network monitoring. Those organizations looking at thousands of organizations across the globe have the ability to synthesize logs. Almost every hospital produces tens of thousands of logs a month. And it’s difficult to synthesize, in-house.”
What’s more, McMillan said, one factor that is transforming the landscape is the massive advances in computing capability that are taking place now and that are bound to accelerate within the next decade. “By 2025, we are going to have calculating ability to where laptops will process information at the 10 to the 9th power, or 10 trillion calculations a minute,” he noted. “What that means is that our industry will be turned on its head because of innovation; but security will be turned on its head, too. Ten years from now,” he predicted, “any system based on rules is going to be totally obsolete. Because when we have processing speeds that fast, and broader connections, any system that has to stop a packet and interrogate it to figure out if it’s good or bad is not going to be able to do it—unless vendors can figure out some new kind of artificial intelligence to do that. And I’m hearing that they’re nowhere near that. So we have to move away from rules-based technologies to behaviorally based technologies that detect anomalies in real time.”
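The contrast McMillan draws between rule-based and behavior-based detection, as an added example that is not from his talk or from CynergisTek: a signature check that knows one malware hash is run beside a per-host baseline of process-spawn rates over a constructed endpoint log. The known sample trips the signature; a repacked variant with a new hash and file name does not; the behavioral baseline flags both hosts, because the burst of child processes is anomalous for those hosts regardless of what the binary is called or hashes to. Host names, process names, hashes and counts are all made up.

```python
"""Rule-based vs. behavior-based detection over constructed endpoint logs.

Added example, not code from the talk or from CynergisTek. Hosts, process
names, hashes and counts are constructed for illustration.
"""
import hashlib
import statistics
from collections import Counter


def sha(label):
    """Stand-in for the SHA-256 of a binary; `label` is a made-up identifier."""
    return hashlib.sha256(label.encode()).hexdigest()


# The "old known virus" list: the one hash of the dropper as it was first seen.
SIGNATURES = {sha("dropper-v1")}

HOSTS = ("ward-ws01", "ward-ws02", "ward-ws03")
BASELINE_MINUTES = 10   # minutes 0..9 are quiet history
ATTACK_MINUTE = 10      # minute 10 is the window under examination


def build_events():
    """Constructed process-creation log: (minute, host, process, sha256).
    Each host spawns 3-5 benign processes per minute. In the attack minute
    ward-ws02 runs the known dropper and ward-ws03 a repacked variant with a
    different hash and name; each then launches 30 child processes."""
    events = []
    for minute in range(BASELINE_MINUTES + 1):
        for host in HOSTS:
            for _ in range(3 + (minute + len(host)) % 3):
                events.append((minute, host, "explorer.exe", sha("explorer")))
    events.append((ATTACK_MINUTE, "ward-ws02", "update.exe", sha("dropper-v1")))
    events.append((ATTACK_MINUTE, "ward-ws03", "svchost_.exe", sha("dropper-v2")))
    for host in ("ward-ws02", "ward-ws03"):
        for _ in range(30):
            events.append((ATTACK_MINUTE, host, "cmd.exe", sha("cmd")))
    return events


def detect_by_signature(events, signatures=SIGNATURES):
    """Rule-based: flag a host only if a binary hash is on the known-bad list."""
    return {host for _, host, _, digest in events if digest in signatures}


def detect_by_behavior(events, current_minute=ATTACK_MINUTE, k=3.0, floor=3):
    """Behavior-based: compare each host's process-spawn count in the current
    minute against that host's own history (mean + k standard deviations,
    with an absolute floor so a perfectly flat history cannot yield a zero
    threshold)."""
    per_minute = Counter((minute, host) for minute, host, _, _ in events)
    flagged = set()
    for host in {host for _, host, _, _ in events}:
        history = [per_minute[(m, host)] for m in range(current_minute)]
        mean = statistics.mean(history)
        spread = statistics.pstdev(history)
        threshold = mean + max(k * spread, floor)
        if per_minute[(current_minute, host)] > threshold:
            flagged.add(host)
    return flagged


if __name__ == "__main__":
    log = build_events()
    print("signature hits:", sorted(detect_by_signature(log)))  # misses the variant
    print("behavior hits :", sorted(detect_by_behavior(log)))
```

Spawn rate is a deliberately simple stand-in for the “behavioral signature” McMillan refers to; a real detector would baseline several features per host (parent/child pairs, network destinations, file writes). The caveat a practitioner will want: the same threshold fires on a legitimate burst such as a patch deployment, and the baseline is only as good as the history it was computed from, so a host that was already compromised during the baseline window looks normal.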
Part 2 of this two-part series will cover the conclusion of Mac McMillan’s Aug. 10 speech, as well as his exclusive interview with HCI. That article will appear on this website soon.