The conclusions in the report that the Health Care Industry Cybersecurity Task Force of the Department of Health and Human Services (HHS) released to Congress on June 2 were a bit like the conceptual equivalent of a slow-moving hurricane—devastating, but long predicted. Stating that “healthcare cybersecurity is in critical condition,” the report’s authors cited a severe lack of security talent, legacy equipment that runs on old, unsupported and vulnerable operating systems, vulnerabilities that impact patient care and an epidemic of known vulnerabilities. The report, developed by Task Force members comprised of government and private industry leaders, also cited “premature and over-connectivity” as an issue contributing to the critical state of cybersecurity. “Meaningful Use requirements drove hyper-connectivity without secure design and implementation,” the report’s authors wrote.
The report, entitled “Report on Improving Cybersecurity in the Health Care Industry,” is very much worth reading, in any case. As its authors note, “Now more than ever, all health care delivery organizations… have a greater responsibility to secure their systems, medical devices, and patient data. Most health care organizations face significant resource constraints as operating margins can be below one percent. Many organizations cannot afford to retain in-house information security personnel, or designate an information technology (IT) staff member with cybersecurity as a collateral duty. These organizations often lack the infrastructure to identify and track threats, the capacity to analyze and translate the threat data they receive into actionable information, and the capability to act on that information.” Importantly, they note that “Many organizations also have not crossed the digital divide in not having the technology resources and expertise to address current and emerging cybersecurity threats. These organizations may not know that they have experienced an attack until long after it has occurred. Additionally, both large and small health care delivery organizations struggle with numerous unsupported legacy systems that cannot easily be replaced (hardware, software and operating systems) with large numbers of vulnerabilities and few modern countermeasures. Industry will need to dramatically reduce the use of less defensible legacy and unsupported products, and more effectively reduce risk in future products through robust development and support strategies.”
Also importantly, the report’s authors note that, “With the exception of IT security personnel, many providers and other health care workers often assume that the IT network and the devices they support function efficiently and that their level of cybersecurity vulnerability is low. Recent high-profile incidents, such as ransomware attacks and large-scale privacy breaches, have shown this vulnerability assumption to be false and provided an opportunity to increase education and awareness about the benefits of cybersecurity in the health care community. Moreover, recent ransomware incidents have also highlighted how patient care at health care delivery organizations can be interrupted due to a system compromise. Members of the health ecosystem reported that prior to these breaches many security professionals had difficulty demonstrating the importance of cyber protections to organizational leadership, including how risk mitigation can save money and protect against reputational damage in the long-term. Making the decision to prioritize cybersecurity within the health care industry requires culture shifts and increased communication to and from leadership, as well as changes in the way providers perform their duties in the clinical environment. Thus, health care cybersecurity is a key public health concern that needs immediate and aggressive attention.”
On a practical level, the Task Force’s report sets out six imperatives for action. They are:
1. Define and streamline leadership, governance, and expectations for health care industry
2. Increase the security and resilience of medical devices and health IT.
3. Develop the health care workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities.
4. Increase health care industry readiness through improved cybersecurity awareness and
5. Identify mechanisms to protect research and development efforts and intellectual property from attacks or exposure.
6. Improve information sharing of industry threats, weaknesses, and mitigations
On one level, these are all very obvious, and are all elements that every CIO of every patient care organization should already know and understand. But on a deeper level, they actually aren’t that obvious, at least not in their execution.
Here’s the thing: the proportion of patient care organizations across the U.S. that are truly cybersecurity-prepared remains very small overall. Of course, organizations fall all along a spectrum of preparedness. But certainly, far less than a majority are prepared for any but the most elementary kinds of attacks, and very, very few are prepared in the areas of medical device connectivity, workforce readiness, or heavy-duty hacker threats.
As Section III of the report, “Risks across the healthcare industry,” points out, “The attack surface of the health information system expands when interconnected devices, such as mobile devices, medical devices, and applications, are permitted to connect to EHRs. Further complicating the health information system and EHR integration is the mobile device/application component. For simplicity, the EHR is the hub and connected medical devices are spokes. The modern EHR is the central exchange of the information super-highway that provides key clinical information and analytics to providers giving quality data, billing information, etc. Most deployed EHR solutions across the U.S. are built on more than one vendor’s software solution. They are a complex mix of applications, programs, and interfaces from a variety of vendors. Implementing a patch, update, or significant data flow change requires massive support and a significant governance structure, which can destabilize the intricate and sometimes fragile connections to the ‘spokes’. Conversely, medical device system changes and updates typically come from a manufacturer, which makes their software easier to change compared with changing EHR software. The National Cybersecurity and Communications Integration Center (NCIC) addressed this attack surface in their 2012 bulletin. Though EHRs have some unique risks, the risk to this technology is similar to medical devices as far as user and device authentication, timely updates, user access rights, risk of malware, and denial of service.”
The report’s authors also note that “Cybersecurity threats and vulnerabilities can impact the confidentiality, availability, and integrity of IT networks and the medical devices and other systems connected to these networks. However, medical devices and the IT networks they connect to are unique. In addition to data security and privacy impacts, patients may be physically affected (i.e., illness, injury, death) by cybersecurity threats and vulnerabilities of medical devices. This harm may stem from the performance of the device itself, impeded hospital operations, or the inability to deliver care. As a result, addressing the patient safety risks posed by cyber threats is of paramount importance.”
With regard to that portion of the report, the reality is that, right now, only a tiny percentage of hospitals and large medical groups have worked out a feasible set of process and technological mechanisms to address threats coming in via medical devices, and that is one of the most glaring gap areas, and one that it’s good that the report has addressed.
Beyond that, though, healthcare IT leaders in patient care organizations need to move forward very quickly in several key areas, including behavioral monitoring, network segmentation, advanced backup and auditing procedures, and the use of external resources, particularly SOCs (security operations centers).
As many industry experts have told us editors at Healthcare Informatics in interviews, and as numerous speakers and discussion panelists have stated at our Health IT Summits, the time has come for healthcare IT leaders to embrace these more advanced strategies, methods, processes, and technologies. A simple focus on perimeter management absolutely no longer cuts it.
Take for example the issue of network segmentation: as data breaches become more common by the day, it is becoming clearer than ever that failing to segment means, in very stark terms, leaving the entirety of an organization’s broad IT network vulnerable to any breach, without appropriate containment. Meanwhile, while virtually every patient care organization runs regular data backups, particularly of EHRs, how often are those backups audited? Leading industry experts have emphasized the need for regular audits of backups (and of course, the definition of what is “regular” still varies quite wildly among healthcare IT professionals, depending on with whom one speaks). After all, most ransomware breaches are not discovered for eight or nine months or even longer; and on a very basic level, if one has been doing nine months of backups and one’s data has been infected for nine months, that makes for nine months of corrupted or unavailable data.
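The backup-auditing point above can be made concrete. The following is an added example, not code from the article or from any organization it describes: it audits a retention set of backups the way a defender would want to, checking each backup’s recorded digest against its current contents, testing whether the payload still parses as the expected record format (an encrypted or truncated blob fails), and then asking whether the retention window reaches back past an assumed dwell time so that a clean restore point still exists. The backup structure, the JSON record format, the 270-day dwell assumption and the sample backups are all constructed for illustration.

```python
import hashlib
import json
from datetime import date

# Assumption taken from the article's example: plan for roughly nine months
# of undetected compromise, so retention must reach back further than that.
DWELL_DAYS = 270


def _digest(payload: bytes) -> str:
    return hashlib.sha256(payload).hexdigest()


def parses_as_records(payload: bytes) -> bool:
    """Restore-readiness check: the backup must decode as a non-empty list of
    record dicts carrying the expected key. A ransomware-encrypted or
    truncated blob fails here even if its stored digest is intact."""
    try:
        records = json.loads(payload.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return False
    return (isinstance(records, list) and bool(records)
            and all(isinstance(r, dict) and "mrn" in r for r in records))


def audit_backups(backups, today):
    """backups: list of {"date": date, "sha256": digest recorded when the
    backup was taken, "payload": bytes}. Returns per-backup findings plus
    retention findings relative to `today`."""
    per_backup = []
    for b in sorted(backups, key=lambda b: b["date"]):
        intact = _digest(b["payload"]) == b["sha256"]   # bit-for-bit unchanged since written?
        parses = parses_as_records(b["payload"])         # would a restore actually yield records?
        per_backup.append({"date": b["date"], "intact": intact,
                           "parses": parses, "usable": intact and parses})
    usable_dates = [r["date"] for r in per_backup if r["usable"]]
    retention_days = (today - per_backup[0]["date"]).days
    newest_usable = max(usable_dates) if usable_dates else None
    return {
        "per_backup": per_backup,
        "newest_usable_restore_point": newest_usable,
        "retention_days": retention_days,
        "retention_covers_dwell": retention_days >= DWELL_DAYS,
        # how much data would be lost by restoring from the newest clean copy
        "gap_days_since_usable": (today - newest_usable).days if newest_usable else None,
    }


def _clean_records(seed):
    # Constructed records with fake MRNs; not real patient data.
    return json.dumps([{"mrn": f"TEST-{seed}-{i}", "note": "constructed"} for i in range(3)]).encode()


def _encrypted_like(seed):
    # Stand-in for a ransomware-encrypted blob: deterministic high-entropy bytes.
    return b"".join(hashlib.sha256(f"{seed}:{i}".encode()).digest() for i in range(8))


def build_sample_backups():
    good1, good2 = _clean_records(1), _clean_records(2)
    enc1, enc2 = _encrypted_like(1), _encrypted_like(2)
    return [
        {"date": date(2016, 8, 1), "sha256": _digest(good1), "payload": good1},
        {"date": date(2016, 11, 1), "sha256": _digest(good2), "payload": good2},
        # the backup job faithfully copied already-encrypted data: digest matches, restore is useless
        {"date": date(2017, 3, 1), "sha256": _digest(enc1), "payload": enc1},
        # recorded digest no longer matches the stored bytes: corrupted or tampered copy
        {"date": date(2017, 5, 1), "sha256": "0" * 64, "payload": good2},
        {"date": date(2017, 6, 1), "sha256": _digest(enc2), "payload": enc2},
    ]


def demo_report():
    """Audit the constructed backup set as of a fixed date."""
    return audit_backups(build_sample_backups(), date(2017, 6, 15))


if __name__ == "__main__":
    report = demo_report()
    for r in report["per_backup"]:
        print(r["date"], "intact" if r["intact"] else "DIGEST MISMATCH",
              "parses" if r["parses"] else "UNRESTORABLE")
    print({k: v for k, v in report.items() if k != "per_backup"})
```

The two checks are deliberately separate: a matching digest only proves the copy has not changed since it was written, which says nothing about whether what was written was already encrypted. The restore test is what catches the nine-months-of-bad-backups case the text describes, and the retention finding tells you whether any clean copy is left to fall back on.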
Meanwhile, behavioral monitoring is emerging as yet another critical process to engage in. Consultants working in healthcare cybersecurity are saying it over and over: behavioral monitoring works. It can proactively identify behavioral anomalies very early on, and is being used successfully to intervene very early in any endangering process.
A panel of industry leaders discussed much of this on May 12, during the Healthcare Informatics Health IT Summit in Chicago. During that discussion, UC Irvine Health CIO Chuck Podesta noted that “There are ways to map out your processes; you can use rules to create spreadsheets that show behavioral patterns. You can utilize those tools—and as you avert these breaches, you can create educational programs around what you’ve found out. You don’t use employees’ names, but use circumstances. These frontline employees are absolutely essential to educate,” in order to minimize the chances of breaches, Podesta emphasized. “Of course, there are bad actors out there. But it’s so easy for breaches to occur because of mistakes made by your frontline employees. So no matter what you do on the outside, there’s always a way in. But what you can do on the inside, you can really protect against internal threats.”
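Behavioral monitoring of the kind the previous two paragraphs describe, rules that turn access records into behavioral patterns and flag departures from them, is easy to show in miniature. The following is an added example and is not code from the article, the panel, or UC Irvine Health: it runs three simple rules over constructed EHR access-audit events (after-hours access for a day-shift user, access to a patient outside the user’s own unit, and a per-day spike in distinct patients viewed relative to that user’s own prior days). The event fields, the shift window, the 3× volume threshold and the sample events are all assumptions made for the illustration; a real deployment would tune them per role and feed real audit logs.

```python
from collections import defaultdict
from datetime import datetime

# Assumed rule parameters (not from the article): day-shift window and how far
# above a user's own baseline a day's volume must be before it is flagged.
SHIFT_START, SHIFT_END = 7, 19       # hours, local time
VOLUME_MULTIPLIER = 3.0
MIN_BASELINE_DAYS = 2                # need some history before judging volume

FIELDS = ("timestamp", "user", "unit", "patient_unit", "patient_id")


def build_sample_events():
    """Constructed EHR access-audit events (fake users and patient ids)."""
    rows = [
        ("2017-05-01T08:12:00", "nurse_a", "ICU", "ICU", "P100"),
        ("2017-05-01T09:40:00", "nurse_a", "ICU", "ICU", "P101"),
        ("2017-05-01T10:05:00", "nurse_a", "ICU", "ICU", "P102"),
        ("2017-05-02T08:30:00", "nurse_a", "ICU", "ICU", "P100"),
        ("2017-05-02T11:15:00", "nurse_a", "ICU", "ICU", "P103"),
        ("2017-05-03T23:50:00", "nurse_a", "ICU", "ONC", "P200"),  # late night, other unit
        ("2017-05-01T08:00:00", "clerk_b", "ONC", "ONC", "P200"),
        ("2017-05-01T08:20:00", "clerk_b", "ONC", "ONC", "P201"),
        ("2017-05-02T08:05:00", "clerk_b", "ONC", "ONC", "P200"),
        ("2017-05-02T08:25:00", "clerk_b", "ONC", "ONC", "P202"),
        ("2017-05-03T08:10:00", "clerk_b", "ONC", "ONC", "P201"),
        ("2017-05-03T08:30:00", "clerk_b", "ONC", "ONC", "P203"),
    ]
    # One day on which nurse_a opens far more charts than usual.
    for i in range(12):
        rows.append((f"2017-05-04T09:{i:02d}:00", "nurse_a", "ICU", "ICU", f"P3{i:02d}"))
    return [dict(zip(FIELDS, r)) for r in rows]


def daily_patient_counts(events):
    """user -> {day -> number of distinct patients accessed that day}"""
    seen = defaultdict(lambda: defaultdict(set))
    for e in events:
        seen[e["user"]][e["timestamp"][:10]].add(e["patient_id"])
    return {u: {d: len(p) for d, p in days.items()} for u, days in seen.items()}


def detect_anomalies(events):
    """Return (user, rule, detail) tuples for each rule that fires."""
    alerts = []
    # Per-event rules.
    for e in events:
        ts = datetime.fromisoformat(e["timestamp"])
        if not (SHIFT_START <= ts.hour < SHIFT_END):
            alerts.append((e["user"], "after_hours", e["timestamp"]))
        if e["unit"] != e["patient_unit"]:
            alerts.append((e["user"], "cross_unit",
                           f'{e["unit"]} user accessed {e["patient_unit"]} patient {e["patient_id"]}'))
    # Per-user volume rule: compare each day with that user's earlier days only.
    for user, per_day in daily_patient_counts(events).items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            baseline = [per_day[d] for d in days[:i]]
            if len(baseline) < MIN_BASELINE_DAYS:
                continue
            mean = sum(baseline) / len(baseline)
            if per_day[day] > VOLUME_MULTIPLIER * mean:
                alerts.append((user, "volume_spike",
                               f"{day}: {per_day[day]} patients vs baseline {mean:.1f}"))
    return alerts


if __name__ == "__main__":
    for user, rule, detail in detect_anomalies(build_sample_events()):
        print(f"{user:8} {rule:13} {detail}")
```

Each alert carries the circumstance rather than a verdict, which matches the point Podesta makes about turning findings into education: the output is the raw material for a conversation about why a chart was opened at 23:50 or why twelve charts were opened in an hour, not proof of wrongdoing.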
And there is of course one other huge area of challenge, which is around human resources, expertise, and so on. And the reality in that context is that patient care organizations in the U.S. are hideously behind in acquiring the key personnel and resources needed to meet the cresting challenges. Not only are patient care organizations struggling to acquire chief information security officers (CISOs); many of those being named CISOs are not at the level needed to adequately manage the challenges now cresting towards them. What’s more, CISOs need entire teams of information security professionals; and the funding resources needed to adequately move forward.
So, all in all, this new report marks an important step in understanding the current set of cybersecurity challenges ramping up against patient care organizations in the U.S. Let’s hope that the leaders of patient care organizations in this country take this report seriously, and find its recommendations useful to the mountain of efforts they’ll need to harness going forward. The security of all the information systems—and the patient data—in this country depends on it.