IT Security Guru Mac McMillan: “The Threat Is Going to Increase in a Big Way” in the Next Few Years

Mac McMillan, CEO of the Austin, Tex.-based CynergisTek consulting firm, is a very well-known figure in healthcare IT, and a widely respected healthcare IT security expert. Recently, he spoke with HCI Editor-in-Chief Mark Hagland regarding some of the most important—and pressing—developments in data security right now in U.S. healthcare. Below are excerpts from that interview.

It was great to speak with you when we were both in Las Vegas earlier this month, participating in HIMSS16. Did you find anything surprising at the HIMCC Conference this year? Did anything you saw or heard at the conference change your mind about anything? We spoke at HIMSS just two weeks after the now-infamous Hollywood Presbyterian Medical Center ransomware incident.

I don’t think there was anything that changed my mind. But one thing that struck me was that there certainly was a higher sense of urgency around these advanced threats in healthcare. And a lot of people had either been hit by an advanced threat—either ransomware or a virus—or they knew someone who had been. And everybody wanted to know what to do to avoid it, because it was becoming a big issue. And that hasn’t stopped. It was non-stop from just before HIMSS, through HIMSS, and after HIMSS.

Every week now—I don’t visit a hospital now that doesn’t say to me, we’ve had two or three ransomware attacks or incidents. And in most cases, they also know of the experiences of folks in their local area. And the number of incidents that actually get reported versus the number of incidents that are occurring, is tiny—it’s like an iceberg phenomenon.

The good news is that most of these ransomware incidents are not turning out to be debilitating for hospitals, but they’re certainly causing a loss of time and a lot of costs, and anxiety, and are causing a tremendous amount of anxiety in our IT people. No one wants to be the hospital that goes down and is capable of delivering services.

The appropriate resources have to be devoted to this. I was talking to a COO yesterday, and that COO’s hospital had just had two incidents. And there were several things we had recommended to them over a year ago, and they hadn’t done the. And his CIO readily admitted that they needed to do something about it. And do we really have hurt, do we really have to have the pain, before we do something?

What is at the core of the poor handling of these incidents by some leaders of some patient care organizations? Is it a lack of vision, strategy, tactics, resources?

At the end of the day, a hospital is a business. And there are things that they’re trying to do with their resources that enhance the business and grow the revenue. And certainly, security does not do those things. It enables those things, but it’s a cost center.

And people are being reactive, essentially, rather than proactive, about this threat?

Yes, and to me, that’s a very short-sighted way to manage. I get it that there needs to be a balance and that you only have X dollars to spend, but I don’t think you should allow this to be put off and become a problem. Now it’s affecting our ability to move forward. So at some point, you need a better barometer

Is a successful ransomware attack inevitable, or can it be prevented?

The research we’ve seen indicates that if you’re doing the right things, the majority of ransomware attacks can be avoided. But even the brand-new attacks can be avoided or controlled more effectively if you’re doing the right things. If you’re doing all the right things, and it’s a variant of one of these known types of attacks, you can avoid it. If it’s a brand-new attack and we don’t have the signature for it, we can still be more effective at identifying those things, because we now have advanced malware capabilities that look for anonymous as well as known signatures. Most organizations not getting into trouble are doing those things. So maybe the virus or malware gets past their initial defenses, and for a few minutes it’s in the environment and is encrypting file-shares or systems, or locking up systems, or whatever, but with good defenses, it will eventually be detected had stopped. For organizations doing the right things, a small percentage of attacks get through, but they’re able to stop those and be successful. So yes, the majority of attacks can be avoided, and the others we can identify them more quickly and respond accordingly.

What are the fundamentals for health system leaders to prepare for future, unknown, as of yet unexperienced, situations? Because it seems that it is very important to consider all the new, as-of-yet-unexperienced, threats that could emerge.

You’re absolutely correct. Once we figure out how to deal with this [ransomware] effectively, the threat will move somewhere else. That’s the never-ending nature of criminal activity, right? You build a better bank, and the criminals figure out some other way to rob you. So healthcare leaders need to understand that this is something that is not going away. It should be elevated to a serious business process that gets leadership attention. If you’re going to use electronic systems to support your business, and are going to rely on data, then you need to understand that this is an ongoing situation that is not going away, and that will evolve over time.

A GAO [General Accounting Office] report just came out today. An evaluation of the problems encountered around the healthcare.gov website, state by state, with regard to potential problem with criminality. The thing is that this is sophisticated activity that you need to respond to in a sophisticated way. You would never hire a general practitioner to do a heart transplant. And yet that’s how people view data security. And they need to recognize that they’ll never be in a place where they’ll be perpetually secure. So they have to do continuous testing and continuous monitoring of their environment.

And this hospital I met with yesterday, they’re still trying to do this themselves. One guy—a good kid—has been trying to manually monitor a dozen different information systems. And there’s no way he could do all this. And what happened at this hospital is that one of their security systems was disabled. And they never knew that, because he’s sitting there manually trying to look through all these events; and unless that event is configured to be reported, he won’t see it. And that’s what happened. For months, that went undetected.

The solution would have been to have a monitoring service monitoring your systems 24/7—a security operations center, or “SOC.” Because they’re monitoring your service, to make sure that those systems are still communicating with each other. Because if a particular sensor stopped reporting, they would send an alert saying, this sensor is no longer working. As it was, this particular sensor had stopped working in February. And they didn’t know that. And that’s what happens when we’re trying to monitor our own systems.

So you need to employ outside services, essentially?

You need a 24/7 SOC, as I said, really. Think of it this way: an average, medium-sized hospital probably is producing literally tens of millions of logs or events a month. There’s nobody on this planet that has a good enough calibrated eyeball to go through tens of millions of events and could figure out what’s going on. The problem is too big, you can’t do it yourself. This notion that we can test ourselves, that we can monitor our environment, has got to go away. We need those independent, objective experts to do this for us and identify issues, as well as bring the greater awareness. My guys do hundreds of risk assessments a year across the country and tests. Their depth of knowledge is so much broader than that of the guy who’s working at a single hospital. And to take advantage of that experience—that’s what we need to do.

It’s a failure of management to fail to engage outside services, then, in your view?

Yes, it absolutely is. In the federal government, when I needed to test my systems, someone else had to do it, I couldn’t do it; that was the rule in the Defense Department. In the banking space, they can’t do their own assessments, by mandate, they have to have an independent part do assessments; same thing in the credit card industry. In every other industry, they’re required to hire someone else. Healthcare is unique in that people are trying to do this themselves.

What will be happening in the data security arena in healthcare in the next few years?

I think that the threat is going to continue to increase in the next few years in a big way. As we become more of a knowledge-based society, more and more responsibility will fall onto technology and data. So this makes sense. And the one thing that healthcare fears more than anything else is not having their data. And ransomware attacks that very vulnerability, fear. So from an extortion perspective, it is the perfect vehicle for attacking vulnerability. And even if it’s not successful, it creates a tremendous amount of disruption.

How are hospitals doing right now in terms of hiring CISOs [chief information security officers]?

I definitely think that hospitals are getting it, and that they’re trying to hire good people. It’s going to take a while for a couple of reasons: number one, there aren’t enough people to go around with the right skills. It’s hard to find the people. Second, there’s still a little bit of a challenge in understanding what they’re going to have to pay those resources. I was talking earlier this week to a large health system looking to hire a CISO, and they were talking to a recruiting firm, and they were absolutely shocked at the salary requirements involved. They thought they were going to hire a $150,000-200,000 resource, but according to the recruiters from what I heard, for the average business of that size and complexity, they typically are placing CISOs at $400,000-600,000. So the gap there was huge.

I think it’s worth it to pay someone $500,000 a year to prevent even one $1 million ransomware attack from succeeding, right?

Well, that’s what the recruiter said. And if people are coming out of other industries, that’s what they’re going to expect to be paid. And look at the breaches with Anthem, Premera, and Community Health. We’re talking about tens of millions of dollars—and you’re quibbling about $500,000? Now, $500,000 at a smaller hospital, that’s not gonna fly. But I can tell you, security people are not cheap. And the reason the cost of security is going up is that it’s tough to find qualified people, and when you do, you have to pay them well.

On a scale of 1-10 on the scale of optimism/pessimism [with 10 most optimistic], where are you right now?

I’m probably somewhere between a 5 and a 7. I believe in this industry. And I believe that it will do the right thing. The question is, how fast will it do it? And my concern is that we’re not moving fast enough to avoid some of the pain that we don’t have to experience.

Is there anything else you’d like to add?

I think it really does come down to the fact that we just have to make security a priority. And for what it’s worth, I don’t believe you can say it’s a priority in your organization until you resource it properly. Having platitudes and making speeches, doesn’t mean something is a priority. When an organization puts resources to something, that’s when it’s a priority. So show me the resources, and I’ll believe you.