Gauging the current state of healthcare cybersecurity, Mehring says, “Looking at it from a posture and a protection perspective and when I talk to my peers, it feels to me that the water line is overall rising together. Five years ago, I think, in healthcare, what we saw is the ‘haves’ and ‘have nots’ at very dramatic levels. We had healthcare delivery systems and providers with differing levels of security, where a lot of the blocking and tackling security controls weren’t in place. There was this huge disparate ecosystem, and that’s important because, especially when you get local, we all have to share; in a metroplex, all of our systems talk to each other. It’s important that we all understand that we all have to improve together.”
Mehring also says he is seeing more information sharing among healthcare security leaders, noting both informal, local efforts as well as national efforts through cyber threat-sharing groups, such as the National Health Information Sharing and Analysis Center (NH-ISAC) and the HITRUST Alliance. In the Dallas area, one local hospital hosts regular summits bringing together local CISOs and security staff. Mehring says, “We share information with each other and give best practices, which is great, as when you get into the healthcare delivery ecosystem, local really matters. National is important, but when we are delivering care and sharing information, a lot of that is happening at a very local level, between health systems.”
Evolving External Threats
It’s widely known that healthcare is a prime target for hackers and cybercrime, with malware and ransomware attacks a constant concern for healthcare security leaders. In May, the WannaCry ransomware virus plagued the National Health Service in the United Kingdom and the NotPetya malware caused massive disruptions to multinational companies in 65 countries back in June, including health IT company Nuance Communications, which had to shut down its network.
Like many other healthcare security leaders, Mehring sees ransomware as a major threat to many industries, including healthcare, and one that will not go away anytime soon. As one silver lining, though, he also notes that security vendors are providing more robust infrastructures in response to the malware threats.
“I think a lot of people learned their lessons very quickly around ransomware and how to handle it. That includes, number one, putting the right protections in place on the front end, and if it gets in, having the right response and recovery strategy in place. We see many organizations being able to recover quickly from those types of destructive events. I think what you see is a lot of lessons learned being applied, so the impacts have gone down. But, do I think that threat exists? Absolutely, and it will continue to evolve.”
One way cyber threats have evolved, Mehring points out, is that hackers are starting to attack what he refers to as the "underbelly,” or the technical supply chain. In the NotPetya malware attack in June, for instance, cybersecurity experts believe that a software update mechanism of a Ukrainian tax preparation program had been compromised to spread the malware.
“When they attacked the Ukrainian application, which was associated to some U.S. companies as well as other companies, they attacked that trust that had been built with that company’s application, and they attacked, essentially, the update service associated with that application. When a malware gets in, with the right level of permission and the right level of access to the environment, it’s going to do a little bit of harm, and depending on how it’s set up, it could do lots of harm.
He continues, “This is something that we really need to pay attention to; the vendors or software services that are integrated tightly into our healthcare delivery systems. It’s probably the next attack vector in, and, unfortunately, it’s a great vector into an enterprise, because of the trust that we lay into those types of services.”
The speed of malware attacks is increasing as well, Mehring notes, and that puts more pressure on healthcare organizations to have the right tools, techniques and processes in place to respond and recovery quickly. “The organizations that are not able to start to apply automation and orchestration into their infrastructure and services will probably see in the future how the lack of that becomes the real problem and can really impact their infrastructure.”
At Texas Health Resources, Mehring says the organization’s cybersecurity strategy evolves to address these threats, with an increased focus on the security postures of its vendor partners. “You have got to ask really good questions of your vendors and how their services integrate into your environment. You need to ensure they are doing all the things that they should be doing to protect their environment, and yours, in the delivery of that service.”
He adds, ‘If you are integrating a software service into your environment, that’s managed externally by a vendor, you need to ensure you’re putting the appropriate controls in place so that any harm caused on their side does not impact the rest of the environment. And we do that through a lot of different ways, through appropriate provisioning of accessing and identity, appropriate provisioning of network services and isolation and segmentation.”
Insiders Remain a Constant Threat
Get the latest information on Health IT and attend other valuable sessions at this two-day Summit providing healthcare leaders with educational content, insightful debate and dialogue on the future of healthcare and technology.