With a fast-evolving cyber threat environment and a continuous flood of healthcare data breaches, chief information security officers (CISOs) at hospitals and health systems face mounting pressure to safeguard their organization’s networks as well as critical clinical and financial data. Healthcare CISOs face complex and challenging issues with respect to information security, including rapidly evolving malware threats, insider data breaches and the increasing use of medical Internet of Things (IoT) devices across their organizations.
In addition to security-focused projects, CISOs are often involved in enterprise-wide technology initiatives as well. At Texas Health Resources (THR) this past year, C-suite executive leaders have been focused on a massive data center migration initiative. THR is an integrated health system based in Arlington, Texas with more than 350 points of access, including 29 hospital locations that are owned, operated or joint-ventured with THR, 100 outpatient facilities and 250 other community access points, including the Texas Health Physicians Group clinics. THR has more than 24,000 employees and the system serves more than 7 million residents across 16 counties throughout North Texas.
The health system’s CISO, Ron Mehring, says the organization is migrating data centers housed in individual hospitals to “sophisticated, advanced co-location facilities” and the new data centers provide increased security controls and protections.
“Throughout the whole year, our focus has been on transforming our data center, and that includes improving the availability and integrity of data and overall performance. It also includes the security controls within the data centers, from the physical controls to environmental controls, to improving the general security and technologies within the data centers themselves. And that’s been a ton of heavy lifting this year,” Mehring says.
Mehring and his team also have focused on what he refers to as “blocking and tackling improvements,” ranging from multi-factor authentication enhancements to process improvements around vulnerability identification and remediation activities. “We spent a lot of time trying to improve our assessment processes to get a little bit more detailed on the way that we identify risk and the way that we articulate risk to our stakeholders in the enterprise. We focused on general improvements in those areas, but most of our efforts have really focused on our data center transformation, and some of the things that orbit around that.”
And, he adds, “That’s so important for our organization as we proceed to transform ourselves as a healthcare delivery system. It’s really setting up the playing field; setting up the infrastructure and security services to support all those future business initiatives and clinical operations.”
The Current State of Healthcare Cybersecurity
Data breach reports and news coverage of malware incidents paint a troubling picture of the current state of cybersecurity in the healthcare industry. Cybersecurity software company Protenus, which publishes a “Breach Barometer” report every month, counted 233 breaches in the first six months of 2017; in all of 2016, about 450 breaches were reported. The company also reports that the trend first noted in 2016 has continued, with an average of one health data breach per day. Protenus tracks breach incidents either disclosed to the U.S. Department of Health and Human Services (HHS) or reported in the media.
However, there are indications that healthcare provider organizations have boosted their cybersecurity efforts and are responding more quickly and strategically to cyber threats. In October, FirstHealth of the Carolinas reported that it had shut down its computer networks after a threat from a new version of the WannaCry malware virus was detected. The health system reported at the time that its information system team immediately identified the threat and implemented security protocols. The health system reported that because of the quick response by the information security team, the virus did not reach any patient information, operational information or databases.
In a 2017 Healthcare Information and Management Systems Society (HIMSS) Cybersecurity Survey, more than half of respondents (60 percent) reported their organizations employ a senior information security leader, such as a CISO. What’s more, the survey results indicated that organizations that employ a CISO or other senior information security leader have adopted holistic cybersecurity practices.
Gauging the current state of healthcare cybersecurity, Mehring says, “Looking at it from a posture and a protection perspective and when I talk to my peers, it feels to me that the water line is overall rising together. Five years ago, I think, in healthcare, what we saw is the ‘haves’ and ‘have nots’ at very dramatic levels. We had healthcare delivery systems and providers with differing levels of security, where a lot of the blocking and tackling security controls weren’t in place. There was this huge disparate ecosystem, and that’s important because, especially when you get local, we all have to share; in a metroplex, all of our systems talk to each other. It’s important that we all understand that we all have to improve together.”
Mehring also says he is seeing more information sharing among healthcare security leaders, noting both informal, local efforts as well as national efforts through cyber threat-sharing groups, such as the National Health Information Sharing and Analysis Center (NH-ISAC) and the HITRUST Alliance. In the Dallas area, one local hospital hosts regular summits bringing together local CISOs and security staff. Mehring says, “We share information with each other and give best practices, which is great, as when you get into the healthcare delivery ecosystem, local really matters. National is important, but when we are delivering care and sharing information, a lot of that is happening at a very local level, between health systems.”
Evolving External Threats
It’s widely known that healthcare is a prime target for hackers and cybercrime, with malware and ransomware attacks a constant concern for healthcare security leaders. In May, the WannaCry ransomware virus plagued the National Health Service in the United Kingdom and the NotPetya malware caused massive disruptions to multinational companies in 65 countries back in June, including health IT company Nuance Communications, which had to shut down its network.
Like many other healthcare security leaders, Mehring sees ransomware as a major threat to many industries, including healthcare, and one that will not go away anytime soon. As one silver lining, though, he also notes that security vendors are providing more robust infrastructures in response to the malware threats.
“I think a lot of people learned their lessons very quickly around ransomware and how to handle it. That includes, number one, putting the right protections in place on the front end, and if it gets in, having the right response and recovery strategy in place. We see many organizations being able to recover quickly from those types of destructive events. I think what you see is a lot of lessons learned being applied, so the impacts have gone down. But, do I think that threat exists? Absolutely, and it will continue to evolve.”
One way cyber threats have evolved, Mehring points out, is that hackers are starting to attack what he refers to as the “underbelly,” or the technical supply chain. In the NotPetya malware attack in June, for instance, cybersecurity experts believe that a software update mechanism of a Ukrainian tax preparation program had been compromised to spread the malware.
“When they attacked the Ukrainian application, which was associated to some U.S. companies as well as other companies, they attacked that trust that had been built with that company’s application, and they attacked, essentially, the update service associated with that application. When a malware gets in, with the right level of permission and the right level of access to the environment, it’s going to do a little bit of harm, and depending on how it’s set up, it could do lots of harm.”
He continues, “This is something that we really need to pay attention to; the vendors or software services that are integrated tightly into our healthcare delivery systems. It’s probably the next attack vector in, and, unfortunately, it’s a great vector into an enterprise, because of the trust that we lay into those types of services.”
The speed of malware attacks is increasing as well, Mehring notes, and that puts more pressure on healthcare organizations to have the right tools, techniques and processes in place to respond and recover quickly. “The organizations that are not able to start to apply automation and orchestration into their infrastructure and services will probably see in the future how the lack of that becomes the real problem and can really impact their infrastructure.”
At Texas Health Resources, Mehring says the organization’s cybersecurity strategy is evolving to address these threats, with an increased focus on the security postures of its vendor partners. “You have got to ask really good questions of your vendors and how their services integrate into your environment. You need to ensure they are doing all the things that they should be doing to protect their environment, and yours, in the delivery of that service.”
He adds, “If you are integrating a software service into your environment, that’s managed externally by a vendor, you need to ensure you’re putting the appropriate controls in place so that any harm caused on their side does not impact the rest of the environment. And we do that through a lot of different ways, through appropriate provisioning of access and identity, appropriate provisioning of network services and isolation and segmentation.”
Insiders Remain a Constant Threat
Specialist insurer Beazley reports that in the first nine months of 2017, unintended disclosures accounted for 41 percent of healthcare data breach incidents. The high level of unintended disclosure incidents remains more than double that of the second most frequent cause of loss—hack or malware (19 percent), according to the Beazley report.
At Texas Health Resources, Mehring says security leaders rely on sophisticated IT monitoring systems to detect anomalous behavior, including behavioral analytics, continuous auditing and monitoring of access to protected health information (PHI) within the electronic health record (EHR), and data loss prevention technologies.
There are also non-technical processes and programs that should be used, Mehring points out, such as a hotline that employees can use to report anomalous behavior. “You need a good hotline that allows the reporting of things, and from that hotline, you need to make sure the information is acted upon and communicated to the right department, whether it’s HR or it’s the legal or security team,” he says.
At a high level, Mehring says it’s critical that the CISO have strong relationships with human resources and compliance leaders within the organization to develop processes and policies to identify and address insider threat actions. “From a policy perspective, it’s about who is going to own the policy for that type of data and who sets the rules?” A transparent sanctioning program also is key so employees are aware that activities are being monitored. “Employees need to know that there is a process in place for accountability when something is inappropriately accessed or inappropriately shared,” he says.
Medical IoT and Cybersecurity
For many hospital and health system CISOs, the governance of medical device programs is the next frontier in IT security. Healthcare provider organizations are now managing an increasing number of digitally connected devices, and, as more devices come online, the cybersecurity risk increases and intensifies in complexity.
“I think most of us are still coming to terms with how we characterize IoT. Is a medical device an IoT, is a refrigerator that stores blood an IoT? Is a monitor that is displaying our marketing information in our hospital, is that IoT? If somebody gets a wearable, is that an IoT? And the answer to that is probably, yes, to all of that in some way,” Mehring says.
A critical, foundational step to managing medical devices is developing a comprehensive inventory and asset identification of all digitally connected devices within an organization, he notes. “Then you have to start developing at least some internal rules of how we characterize those types of IoT things and make sure we can differentiate between those different asset types because they are going to get different protection profiles. A medical device is going to get a different protection profile than a monitor on the wall in a hospital passageway that’s providing branding information,” he notes.
Understanding how various medical devices communicate, both inside and outside the hospital environment, also is a vital step in maintaining and protecting devices. “Developing good data flow mapping and understanding the way that devices communicate is very important. That allows you to put in better protection mechanisms once you understand how things communicate with each other. You can ensure that the appropriate communication security strategy is put in place around those devices,” Mehring says.
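The inventory, asset characterization and data flow mapping steps described above, as an added example that is not code from THR or the article: each inventoried device is mapped to a protection profile (a medical device and a branding monitor get different ones), and observed flows are checked against that profile. The categories, profile names, zones, ports, inventory records and flow records are all constructed for this example.

```python
"""Protection profiles for connected assets, plus a check of observed data
flows against them. Categories, profiles, inventory and flows are constructed."""

# Inventory category -> protection profile (assumed names for this example).
CATEGORY_TO_PROFILE = {
    "infusion_pump": "medical_device",
    "blood_refrigerator": "facilities",
    "lobby_display": "signage",
}
# A profile lists the zones an asset may reach and the ports it may use there;
# anything not yet characterized falls into "unclassified", which permits nothing.
PROFILES = {
    "medical_device": {"zones": {"clinical_apps"}, "ports": {104, 2575, 443}},
    "facilities":     {"zones": {"facilities_mgmt"}, "ports": {443}},
    "signage":        {"zones": {"marketing_cms"}, "ports": {443}},
    "unclassified":   {"zones": set(), "ports": set()},
}

def profile_for(asset):
    """Map an inventory record to its protection profile name."""
    return CATEGORY_TO_PROFILE.get(asset["category"], "unclassified")

def audit_flows(inventory, flows):
    """Return (src, zone, port, reason) for each flow outside its asset's profile."""
    by_id = {a["id"]: a for a in inventory}
    findings = []
    for src, zone, port in flows:
        asset = by_id.get(src)
        if asset is None:
            findings.append((src, zone, port, "not in inventory"))
            continue
        rules = PROFILES[profile_for(asset)]
        if zone not in rules["zones"]:
            findings.append((src, zone, port, "zone not permitted"))
        elif port not in rules["ports"]:
            findings.append((src, zone, port, "port not permitted"))
    return findings

# Constructed sample inventory and observed flows (as a flow collector would report).
INVENTORY = [
    {"id": "pump-01", "category": "infusion_pump"},
    {"id": "fridge-02", "category": "blood_refrigerator"},
    {"id": "lobby-03", "category": "lobby_display"},
    {"id": "cam-09", "category": "ip_camera"},   # inventoried, not yet characterized
]
FLOWS = [
    ("pump-01", "clinical_apps", 2575),    # HL7 to the interface engine: expected
    ("lobby-03", "clinical_apps", 443),    # signage reaching the clinical zone
    ("fridge-02", "facilities_mgmt", 22),  # right zone, unexpected port
    ("cam-09", "facilities_mgmt", 443),    # unclassified: nothing permitted yet
    ("unknown-77", "clinical_apps", 104),  # not in inventory at all
]
```

Running `audit_flows(INVENTORY, FLOWS)` flags four of the five flows; only the infusion pump's HL7 traffic matches its profile.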
At THR, health system C-suite leaders have long been aware that cybersecurity is not just an IT problem, but a corporate-wide risk management issue, and one that requires an evolving, strategic approach to address the changing threat environment.