Leading cybersecurity experts in the New York area collectively met at the local HIT Summit on Sept. 27, sponsored by Healthcare Informatics, to discuss how the healthcare cybersecurity landscape has changed, and how hospitals and health systems could better protect their data as threats get more sophisticated.
The panel discussion, held at the Convene in New York City's downtown financial district, included several cybersecurity experts: Vikrant Arora, assistant vice president, and chief information security and risk officer at NYC Health + Hospitals; Todd Regow, senior vice president and CIO at Healthix, Inc., a New York City-based health information exchange (HIE); Matt Webster, CISO at Healthix; and Keith Richard Weiner, R.N., information systems security officer at New York-Presbyterian/Queens and adjunct professor at Molloy College. The panel discussion was moderated by Healthcare Informatics Editor-in-Chief Mark Hagland.
Hagland kicked off the conversation by noting how the healthcare security landscape has changed, even from just six months ago. The panelists were asked what the biggest threats are and how prepared the industry is in addressing them, to which Healthix's Webster responded, "There are over a million pieces of malware out there" on a regular basis, specifically referring to "customized malware," which is becoming quite common as attackers target a particular organization for their next victim. He said that in healthcare, the threats have increased since medical records bring back a greater return on the black market than credit cards do.
NYC Health + Hospitals' Arora agreed that the healthcare industry is a unique one for cybersecurity in that when a Target or Home Depot store gets breached, customers can shop elsewhere if they so choose. But in healthcare, when Anthem got breached for example, its customers were not able to simply walk away and choose another insurer due to regulations in place. "You cannot change your medical identity, the drugs you are taking, or your medical condition," Arora said. "You're at risk as long as you're alive. That makes healthcare very unique." And, Healthix's Regow added that $362 per medical record is now a going rate on the black market. "It's an arms race and I don't know if we will win that since these people have more time, energy and resources than those who are trying to protect the data," Regow said.
Indeed, only two years ago as Hagland noted, most threats were on an individual level, but now there is organized hacking and millions of pieces of malware, including ransomware. "What's interesting is that the bad guys are running fast and we're trying to catch up. Awareness is spiking as breached organizations get reported in the media," Hagland said, specifically referring to the major breach at MedStar Health earlier this year, in which a large integrated health system had to switch from electronic records to paper for some time, having a direct impact on patient care.
"We are running out of Americans who have yet to have their data stolen," said New York-Presbyterian's Weiner. "You might get identity theft protection for two years, but it doesn't get erased after that." He added that signature-based anti-malware is "something to get used to." He continued, "In terms of a whole network shutting down, you don't want to go back to pen and paper. When you look at the Hollywood Presbyterian [breach], I met their CIO and the first thing that popped into my mind was, why not go to backup? But the backup system was affected too, as was the anti-virus [software]. You can have the best plans in place, but even those get hit," Weiner said.
The panelists agreed that behavioral monitoring strategies, in which organizations monitor their users at a high level, are critical. There are different ways to approach behavior, Webster said. Roughly 25 percent of breaches occur through phishing, but for advanced attackers like nation states, that number could be much higher, in the 60 to 90 percent range, he said. "So make sure you pay attention to people's behavior, but also to machine behavior," he said, noting that there are applications on the market that can help an organization monitor behaviors. Webster also mentioned security operations centers (SOCs), advanced monitoring setups that generate security reports by looking across business activity, network traffic, and actionable events. But Webster noted that SOCs "might not pick up certain logs or sources that are in encrypted tunnels," adding that an SOC is only one part of the process since data can travel outside of the center.
Weiner, meanwhile, recommended that healthcare IT leaders engage in network segmentation, in order to protect key segments of organizations' electronic health records (EHRs). He also advised to avoid "having all your eggs in one basket or the keys to the kingdom in one place." If malware gets into one system, there need to be controls in place so it doesn't jump to other systems, he said.
Hagland added that rethinking credentials is also important. "It's tended to be loose relative to what it needs to be now going forward. And that involves a culture change, too. You have to explain to people that yes, we are clamping down, and not everyone will have the same level of authorization anymore," he said. And, Arora strongly advised committing to a framework, be it NIST [National Institute of Standards and Technology], ISO [International Organization for Standardization], or any framework that "allows your approach to be holistic." He said, "When you present a framework to your stakeholders, it shows that you are doing your due diligence even if your board doesn't fully understand cybersecurity." Hagland added, "It took years for hospital boards to understand the value of IT and data; now you need to get them to understand the value of protecting the data."
Arora also posed a question to attendees on whether security really adds value when clinicians are trying to deliver care. About half of the audience raised their hands in the affirmative, but that also meant that half considered security "fairly useless" when it comes to improving patient care, as Arora said. "I deal with doctors all the time who think [that security does nothing for care delivery]." As such, Arora said the problem is not primarily a technical one. "Malware has become advanced, but most of the time you will get hit with something basic. Yes, they have the capability for customized malware if they really are interested in you, but that's not [the norm]," he said. "We need to articulate what the actual risk is from a cybersecurity incident. There is nothing exceptional about ransomware; it encrypts your files. Why would you not have a backup? These are basic things. You need leadership from the board and you have to get through to the people who are using the technology and get them to understand the true risk," he said.
For strategies specific to each organization represented on the panel, Weiner emphasized the need to balance convenience with security. He gave an anecdote in which he once had to give a username and password that was long, random, and complex, and if he presented it wrongly he had to send the company a fax and wait three days for a response. Indeed, "You need to make compliance easy enough," he said. "One thing I assign my organization to do is to enter two-factor authentication for email, the VPN [virtual private network] and for accessing the EHR from the outside." He went on to add that an 80-year-old woman, from a demographic that might struggle with added technology requirements, even said the two-factor process was an easy and simple step.
Webster noted the importance of "covering the basics," so making sure to disable the account of an employee who leaves the organization. Reviews are important too, from a security or IT standpoint, he said. "Make sure you check the account when someone leaves, and check with human resources. Don't have accounts just left out there. If you don't [review], they might have access to the data center for another three to four years. That's scary," Webster said.
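One way to put Webster's leaver check into routine practice, as an added example that is not from the article, Healthix or any panelist: reconcile a directory export against the HR roster and flag enabled accounts whose owner has left, that have no HR record at all, or that have sat unused for a long time. The roster, the account list and the 90-day dormancy threshold are constructed assumptions for illustration.

```python
from datetime import date, timedelta

# Constructed sample data (not from the article): an HR roster keyed by
# username, and a directory export such as you would pull from AD/LDAP or an IdP.
HR_ROSTER = {
    "jsmith": {"status": "active"},
    "mchen":  {"status": "terminated", "end_date": date(2016, 8, 15)},
    "rpatel": {"status": "active"},
}
DIRECTORY_ACCOUNTS = [
    {"user": "jsmith",     "enabled": True,  "last_login": date(2016, 9, 26)},
    {"user": "mchen",      "enabled": True,  "last_login": date(2016, 8, 14)},  # left, still enabled
    {"user": "rpatel",     "enabled": True,  "last_login": date(2016, 2, 1)},   # employed but dormant
    {"user": "svc_backup", "enabled": True,  "last_login": date(2016, 9, 25)},  # no HR owner at all
    {"user": "oldcontr",   "enabled": False, "last_login": date(2014, 1, 9)},   # already disabled
]


def review_accounts(accounts, roster, today, dormant_days=90):
    """Classify every enabled directory account for an access review.

    Returns a dict with three lists of usernames:
      disable - owner is no longer active in HR, so the account should be closed
      review  - no HR record exists (service, contractor or orphan account)
      dormant - owner is active but has not logged in within dormant_days
    """
    findings = {"disable": [], "review": [], "dormant": []}
    cutoff = today - timedelta(days=dormant_days)
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already closed; nothing to act on
        record = roster.get(acct["user"])
        if record is None:
            findings["review"].append(acct["user"])
        elif record["status"] != "active":
            findings["disable"].append(acct["user"])
        elif acct["last_login"] < cutoff:
            findings["dormant"].append(acct["user"])
    return findings


if __name__ == "__main__":
    for category, users in review_accounts(DIRECTORY_ACCOUNTS, HR_ROSTER, date(2016, 9, 27)).items():
        print(f"{category}: {', '.join(users) or '-'}")
```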
At NYC Health + Hospitals, Arora discussed the replacement of a legacy EHR with a new one across 26 hospitals. "We see 1.5 million patients every year and have been in business for 100 years. So we were worried about data being moved from one system to another and one person to another," he said. Arora explained the organization's data loss prevention technology that it implemented, which shows when data gets moved from a computer to a smartphone, for example, or whenever sensitive data flows within the system.
The Evolving CISO Role
With multiple CISOs on the panel, Hagland asked them about the biggest challenges involved in this growing role in healthcare. Most of the security experts agreed that there is no silver bullet for the CISO reporting structure, as factors can vary, from what type of organization it is to how mature it is to what kind of budget there is to what the risks are.
Arora said he is reporting to the CIO, which means he can influence things as a team member rather than as an outsider. Weiner, meanwhile, is seen as somewhat of an independent at New York-Presbyterian, and reports to everyone from the vice president of IT to legal to clinical to leadership, and to the board. "It's important to be multidisciplinary and collaborative. Security touches so many different points so it's important to be connected," he said.
Hagland concluded by noting that physician consolidation will only continue to increase in the future of healthcare. "You have one and two-doctor practices without a CISO," he said. "What small physician office manager can do network segmentation? That just won't happen. And the same could be the case for small hospitals, too: many small hospitals will end up choosing to be absorbed by integrated health systems, with one factor being the burden of developing comprehensive IT security strategies and executing them."