On Monday, May 2, at Healthcare Innovation’s Southern California Summit, sponsored by Healthcare Innovation, and being held at the Hyatt Regency La Jolla Aventine in the San Diego suburb of La Jolla, industry leaders pondered the intense cybersecurity challenges facing the leaders of patient care organizations at a time of great uncertainty and intensifying threats.
In a session entitled “Cybersecurity: Biggest Threats, Biggest Opportunities,” Healthcare Innovation Managing Editor Janette Wider moderated a discussion with Richard Staynings, who teaches postgraduate cybersecurity and health informatics degrees at the University of Denver University College, and is a retained advisor to a number of governments and private companies, as well as the chief security strategist at the New York City-based Cylera; and Chani Cordero, who is chief information officer at Brooke Army Medical Center in San Antonio, Texas.
Wider initiated the discussion by asking her panelists what some of the most important current cyber threats are right now. “The current situation with Russia and Ukraine is having an impact on the rest of the world; there’s an elevated threatscape now,” Staynings said. “We’re receiving notifications from various federal agencies, about a heightened state of alert. There are broad areas that need to be protected; we need to let our staff know that there’s a heightened risk; to be especially careful when opening an email; and to be aware of what’s going on.”
Per the environment around alerts to end-users, Cordero said that “I think our users get tired of the constant alerts of threats; there’s an alert fatigue. But what we need to do is to make people aware of the constant threats. We need to be vigilant. And I’ve seen some of the threats becoming more centralized now.”
In response, Staynings said that “One of the things I teach my students is that one of the most effective strategies is to start right up at the top at the board of directors and c-suite, to create a culture of security. That needs to start at the top and become everyone’s concern. In fact, 89 percent of cyber attacks start with a phishing attack,” he emphasized. “So if we can kill off that possibility, we can massively impact the threat level. People tend to get a bit jaded by the constant threats; but statistics show that an ongoing cybersecurity training program has the biggest result; so investing in cyber education, a security awareness program, is going to bring the biggest dollar-based return on investment.”
The impact of post-pandemic work on the cyber landscape
“Post-pandemic, people are starting to come back into offices to work. What are some of the challenges we’re seeing there?” Wider asked the panelists.
“I think there’s a big differentiator between what’s happening in the United States and in other countries right now,” Staynigs said. “I was at a security conference in London, and was amazed at how many people there are working in offices. And part of it has to do with house sizes! In Europe, many people live in small homes, and there’s not an awful lot of space. We in the U.S. tend to have larger homes, and are more often able to have real home offices. And in Hong Kong and Tokyo, for example, they live in extremely small living spaces, so there’s a very different psychology. I think we’ve adapted to the culture of working from home. And now that we’re going back into the office, we need to relearn how to work in an office-type environment.”
“It’s a bit challenging as the CIO of my hospital,” Cordero observed. “Before, everyone came into the building and connected to the network, and we were giving out laptops like candy. But in many cases now, we’re not bringing people back into the office at all. So at the DoD [the Department of Defense], if you’re online, you’re required to be on a VPN [virtual private network]. But the other part of that is to continue forward on patch management. How do I ensure that the patch management is constantly being updated? We’ve gotten to the point now where we have to push these processes to ensure that the devices are being secured. So we still have to have a strategy to make sure that devices are getting updates—and that we know who’s using them and where they are. So I’m relying on the departments and divisions. And I may be military, but only 20 percent of my hospital people are active military; many are civilian contractors, for example. And how do I get those devices back?”
“We went overnight when COVID hit, as security leaders, from managing 25,000 endpoints in one location, to managing 25,000 endpoint locations,” Staynings said. “We sent laptops home with people; and we also took a lot of shortcuts in order to facilitate a lot of processes. We had to fill in the gaps and push out the updates and tell people, you need to connect back in, so we can manage you remotely rather than from the LAN [local area network]. And we had to make adjustments so that updates came directly from Microsoft or other vendors, rather than burdening the channels. And because of bandwidth constraints, we had to buy a whole new load of VPN concentrators; and we had to enable things like split tunneling to enable bandwidth. And that introduced all sorts of security challenges that we had to fix. But one thing that has not happened in the last few years has been device refreshers. We have laptops still out there in the wild, on Windows 7, that need to be fixed.”
“And now that people are coming out to in-person events again—well, nobody is looking over my shoulder when I’m working at home,” Wider noted. “But shoulder-surfing in public is another thing we need to think about again.”
“I flew several times a week before COVID, and you’d look down the aisle on a plane, and you’d see potentially 100 Lenovos open and being worked on,” Stayings recalled. “But you now see people working on Lenovos without the privacy screen; and they’re not used to thinking that the person across the aisle from me can read everything I’m typing. Also, a lot of us got used to working at a Starbucks, for example. And are best practices being used, to connect to a VPN as soon as you’ve connected to a local network?”
The complexities of telehealth
“We also all know that telehealth is very big. What are the concerns moving forward regarding privacy and security?” Wider asked.
“The application security concerns remain the same,” Cordero replied. “But for clinicians, it’s the privacy part with the patient. Clinicians are talking to patients, and finding out they’re walking around at Target! So you lack the control. And in the younger generations, there’s so little concern for privacy; people are talking very loudly in public!”
“And when you register for telehealth, the doctor assumes there’s privacy,” Staynings noted. “Medically, you’re an adult at 13, and you may not want to have telehealth sessions in front of Mom and Dad. So doctors may need to ask teenagers about that. I think that telehealth is here to stay; I think it’s a great thing. The U.S. has lagged the rest of the world in telehealth for the last two decades. Australia had effective telehealth for decades; in fact, they used shortwave radio to reach patients in the outback, then transitioned to the Web. I spoke to someone there, and he reckons that doctors can see four times as many patients through telehealth. So if we’ve got a backlog of patient visits, this is a good way to catch up. And the whole process has changed anyway; the doctor is now typing into a keyboard. Telehealth allows the doctor to be face on and at least take notes.”
Referencing a recent situation at her hospital, Cordero recalled that “We had a patient who needed translation services. And our network wasn’t that strong, and things were pixilated onscreen. A privacy issue emerged in that the doctor really wanted to talk to the wife alone because they suspected she wasn’t in a safe environment, but the spouse refused to leave the room. And because we were in the facility, we had some control of who could be in that room. And we had to bring security in to escort the husband out. But if it were a telehealth consult from home, it would have been impossible to secure that situation for that patient.”
A shifting policy and legislative landscape
“Per the policy landscape, things seem to be shifting right now,” Wider observed. “Richard, could you explain about the Patch Act, and policy surrounding security?”
“There are two bills going through the House and Senate; one is around intelligence-sharing with CISA and HHS. The other is around the PATCH ACT.” (On March 31, U.S. Senators Bill Cassidy, M.D. (R-La.) and Tammy Baldwin (D-Wis.) introduced the Protecting and Transforming Cyber Health Care (PATCH) Act. U.S. Representatives Michael C. Burgess, M.D. (R-Tex.) and Angie Craig (D-Minn.) introduced the companion legislation in the House of Representatives.) Going on, he said that “The PATCH Act is the result of concerns around the security of medical devices. If we look at the typical hospital or healthcare environments today, three-quarters of the devices are unmanaged, and the vast majority of those are medical devices. And because 75 percent of medical devices are unmanaged, they’re not being patched or updated; and they may be managed by different groups.”
The result, Staynings noted, is that “You have different levels of responsibility, of expectations around security, and a pretty abhorrent situation around medical device security—from radiotherapy systems to diagnostic imaging systems, down to network-connected infusion pumps. The vast majority of these devices are never patched, which means that there are obvious security vulnerabilities on these medical devices. Also, there’s a steady growth in medical devices; they’re growing globally by about 25 percent per annum. And a lot of them are in Linux, written in Gen2. A lot of the newer ones run Windows XP embedded. Compounding this program, there’s about a five-to-six-year-long development path to a device hitting the market. We then have operating systems embedded into these systems.”
Addressing some of those issues, Stayings went on, “The PATCH Act will require user leaders to provide a package of explanations and details on the version and type of operating system involved, and to identify potential vulnerabilities, and to make patches available to securitize vulnerabilities. The trouble with the current version of the PATCH Act is that the language is not prescriptive, and therefore does not do much. That was the problem with the FDA [Food and Drug Administration] processes. FDA has approached this as a joint responsibility, believing that the manufacturers have some level of vulnerability; but the emphasis has been on the hospital, post-production. And that obviously is problematic for hospitals and healthcare organizations, requiring microsegmentation of networks, for example.”
All that said, Staynings added that “We’re hopeful that the PATCH Act’s language will be improved. The other problem is legacy devices, they go on forever in hospitals. And this is what CIOs and CISOs are facing in hospitals, in that you can’t retire a particular machine. And huge percentage of issues come in terms of PACS and RIS systems that are certified only to run on Windows 2000, for example. And the Act doesn’t put an onus on manufacturers, vendors, to go back and fix issues from years ago.”
“We have tons of devices out there,” Cordero noted. “And we’ve tried to solve the problem in different ways. And is ana analyzer that simply checks a patient’s blood, is that a device? We’ve had discussions about what a device is.”
“And a lot of vendors will say, this system is proprietary, and we will no longer support you,” Staynings replied. “But that device could be deeply insecure. And you could essentially assassinate someone if it’s a VIP or head of state; you could imagine that someone might want to assassinate someone. You could compromise the medical devices giving that person morphine, for example, and dispense the entire vial of morphine in a couple of minutes instead of a couple of hours. We’ve attached these highly vulnerable devices to the patient and to the network; they could be used as a springboard into your EHR [electronic health record].”
