Leading cybersecurity experts in the New York area collectively met at the local HIT Summit on Sept. 27, sponsored by Healthcare Informatics, to discuss how the healthcare cybersecurity landscape has changed, and how hospitals and health systems could better protect their data as threats get more sophisticated.
The panel discussion, held at the Convene in New York City's downtown financial district, included several cybersecurity experts: Vikrant Arora, assistant vice president, and chief information security and risk officer at NYC Health + Hospitals; Todd Regow, senior vice president and CIO at Healthix, Inc., a New York City-based health information exchange (HIE); Matt Webster, CISO at Healthix; and Keith Richard Weiner, R.N., information systems security officer at New York-Presbyterian/Queens and adjunct professor at Molloy College. The panel discussion was moderated by Healthcare Informatics Editor-in-Chief Mark Hagland.
Hagland kicked off the conversation by noting how the healthcare security landscape has changed, even from just six months ago. The panelists were asked what the biggest threats are and how prepared the industry is in addressing them, to which Healthix's Webster responded, "There are over a million pieces of malware out there" on a regular basis, specifically referring to "customized malware," which is becoming quite common as attackers target a particular organization for their next victim. He said that in healthcare, the threats have increased since medical records bring back a greater return on the black market than credit cards do.
NYC Health + Hospitals' Arora agreed that the healthcare industry is a unique one for cybersecurity in that when a Target or Home Depot store gets breached, customers can shop elsewhere if they so choose. But in healthcare, when Anthem got breached, for example, its customers were not able to simply walk away and choose another insurer due to regulations in place. "You cannot change your medical identity, the drugs you are taking, or your medical condition," Arora said. "You're at risk as long as you're alive. That makes healthcare very unique." Healthix's Regow added that $362 per medical record is now a going rate on the black market. "It's an arms race and I don't know if we will win that since these people have more time, energy and resources than those who are trying to protect the data," Regow said.
Indeed, as Hagland noted, only two years ago most threats were on an individual level, but now there is organized hacking and millions of pieces of malware, including ransomware. "What's interesting is that the bad guys are running fast and we're trying to catch up. Awareness is spiking as breached organizations get reported in the media," Hagland said, specifically referring to the major breach at MedStar Health earlier this year, in which a large integrated health system had to switch from electronic records to paper for some time, having a direct impact on patient care.
"We are running out of Americans who have yet to have their data stolen," said New York-Presbyterian's Weiner. "You might get identity theft protection for two years, but it doesn't get erased after that." He added that signature-based anti-malware is "something to get used to." He continued, "In terms of a whole network shutting down, you don't want to go back to pen and paper. When you look at the Hollywood Presbyterian [breach], I met their CIO and the first thing that popped into my mind was, why not go to backup? But the backup system was affected too, as was the anti-virus [software]. You can have the best plans in place, but even those get hit," Weiner said.
The panelists agreed that behavioral monitoring strategies, in which organizations monitor their users at a high level, are critical. There are different ways to approach behavior, Webster said. Roughly 25 percent of breaches occur through phishing, but for advanced attackers like nation states, that number could be much higher, in the 60 to 90 percent range, he said. "So make sure you pay attention to people's behavior, but also to machine behavior," he said, noting that there are applications on the market that can help an organization monitor behaviors. Webster also mentioned security operations centers (SOCs), advanced monitoring systems that generate security reports by looking at business activity, network traffic, and actionable events. But Webster noted that SOCs "might not pick up certain logs or sources that are in encrypted tunnels," adding that an SOC is only one part of the process since data can travel outside of the center.
Weiner, meanwhile, recommended that healthcare IT leaders engage in network segmentation, in order to protect key segments of organizations' electronic health records (EHRs). He also advised to avoid "having all your eggs in one basket or the keys to the kingdom in one place." If malware gets into one system, there need to be protections in place so it doesn't jump to other systems, he said.
Hagland added that rethinking credentials is also important. "It's tended to be loose relative to what it needs to be now going forward. And that involves a culture change, too. You have to explain to people that yes, we are clamping down, and not everyone will have the same level of authorization anymore," he said.