Cybersecurity Readiness: CynergisTek's Leaders Look at the Major Gaps Confronting HIT Leaders
With data breaches literally becoming an everyday occurrence in healthcare, one of the overarching questions facing healthcare and healthcare IT leaders is how prepared they are for the cybersecurity future facing the healthcare industry.
That overarching question was on the minds of senior executives at the Austin, Tex.-based CynergisTek consulting firm as they reworked what had been an annual report on cybersecurity threats, produced for the past decade by RedSpin, which last year became a part of Auxilio, which then merged with CynergisTek. RedSpin's annual Breach Report has been reengineered into a broader analysis of cybersecurity readiness, which CynergisTek published on Thursday.
In releasing their report on Thursday morning, CynergisTek executives said in an announcement on the consulting firm’s website that “CynergisTek’s 2018 report aggregated ratings from assessments performed in 2017 at hundreds of individual hospitals, clinics, ancillary facilities, payers, business associates, etc. across the nation to reveal an average 45 percent conformance with NIST CSF [National Institute of Standards and Technology Cybersecurity Framework] controls. Furthermore, the report revealed that most organizations have opportunities for improvement in all five areas of the Core Elements of the framework including the ability to identify, protect, detect, respond and recover from a variety of cybersecurity incidents. These results highlight the growing need for healthcare organizations to make serious investments in cybersecurity readiness, as cybersecurity has become one of the top business risks facing healthcare today.”
The announcement went on to say that “Additional findings and information from the Improving Readiness: Meeting Cyber Threats report include:
- Of all organization types, business associates scored the highest overall conformance
- Out of the five core elements of NIST CSF, organizations had the lowest ratings in detecting potential cybersecurity events
- The highest ratings were in the Core Elements of response and recovery
- Academic medical centers had the highest conformance ratings among provider organizations
- Not surprisingly, larger organizations performed significantly better across the board than smaller organizations
- Revenue is a less consistent predictor of CSF conformance across all Core Elements
- More organizations are beginning to treat cyber events as enterprise risk
- Machine learning and behavioral analytics will play a significant role in helping healthcare organizations improve incident detection
- Printers, as endpoint devices, present multiple risks to health information
- Adoption of the NIST CSF can raise the overall level of preparedness and resilience of healthcare organizations”
“Hopefully this report can provide a vehicle for the industry to become more aware of the need for greater emphasis and investment in cybersecurity readiness,” Mac McMillan, CEO of CynergisTek, said in a statement in Thursday morning’s announcement. “Hackers are becoming more sophisticated and we expect to see greater frequency and intensity of cyberattacks in healthcare. The NIST CSF gives healthcare organizations the framework they need to build the resilience that 21st-century healthcare is going to require.”
And, as McMillan wrote in the introduction to the report, “This report presents a sobering analysis of the results of over a hundred assessments, representing hundreds of individual hospitals, clinics, ancillary facilities, payers, business associates, etc. against the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF). It tells us that despite over ten years of regulation there is still considerable room for improvement in cybersecurity. Those same organizations overwhelmingly received passing grades against the HIPAA Security and Privacy Rules when measured for compliance, demonstrating once again that compliance does not equate to security, nor will it protect your health system from a cyber incident.”
Further, he wrote, “Everything that we have focused on in the past will not apply going forward. Knowing the bad actors is not possible as the threat has become both ubiquitous and for the most part anonymous. Building fortresses with high walls, gates and moats will not stop the threat in a hyper-connected healthcare organization that is reliant on its affiliates, associates and supply chain to provide care and services. Security will need to use machine learning and artificial intelligence to identify threats and take action. Focusing on the past will have limited value as the threat is changing constantly and more rapidly than ever before. Creating a centralized security team with all of the skills and expertise needed is also an antiquated concept.”
Further, the report’s authors stated, “Looking at all the data, we see an average (mean) of 45 percent conformance with NIST CSF. Assuming that the maximum potential is 100 percent, our average of 45 percent is not a particularly promising sign. While the NIST CSF is only four years old, the HIPAA [Health Insurance Portability and Accountability Act of 1996] Security Rule will turn 13 in 2018 and healthcare is still catching up.”
The report was authored by eight CynergisTek leaders, including CEO McMillan; David Finn, its executive vice president, strategic innovation; Sean Hughes, its executive vice president, managed print services; Jeremy Molnar, its senior vice president, security services; Martin Arvin, vice president, audit strategy; Clyde Hewitt, vice president, security strategy; David Holtzman, vice president, compliance strategies; and John Nye, vice president, cybersecurity strategy.
Just prior to the public release of the report, McMillan and Finn spoke with Healthcare Informatics Editor-in-Chief Mark Hagland, regarding the report’s findings, and the implications of those findings for the road ahead for healthcare leaders around cybersecurity issues. Below are excerpts from that interview.
Can you share a bit about the historical background to the change to this annual report?
Mac McMillan: One of the organizations that became part of the new CynergisTek was RedSpin. And RedSpin had put out an annual threat report for nearly a decade, looking at all the bad things that are happening. And this year, we had the same threat reports that came out last week—the same types of occurrences. So we said, maybe what we need to do is to change the dialogue; instead of cataloguing all the bad things happening and all the threats, because so many people are already doing that, maybe we should focus on what we’re doing about it. So we’ve focused on readiness. Other organizations are focusing on how many incidents there have been—ransomware and other malware, etc., etc. But we’re talking about where the industry is in terms of responding to the NIST CSF, and what we need to focus on in order to be better prepared.
Why did you choose to focus so strongly on the NIST CSF?
David Finn: I was on the Health Care Industry Cybersecurity Task Force, which was established by the Department of Health and Human Services in March 2016, per the Cybersecurity Act of 2015, Section 405(c). The Task Force issued its report to Congress, per their deadline, in March 2017; Congress hasn’t done anything yet with that report.
In any case, in our work on the Task Force, we looked at a common framework, because to share across a hyper-connected environment across healthcare, it’s important to understand where you are and where others are. And it’s interesting to me that all 16 industries that the federal government had designated as critical, have accepted the NIST framework, with the exception of healthcare. That said, in healthcare, we’ve seen a significant uptake in adoption of NIST; 60 percent of the organizations are using it, HIMSS Analytics found two years ago. Healthcare leaders understand the need for a repeatable way of doing this risk assessment and of continuously updating and monitoring your environment. NIST is a national and international standard, and we believe that healthcare will get there. We looked at business associates, academic medical centers, medical practices, across this framework. NIST gives us a framework that works across sectors.
McMillan: Everyone’s realizing that simply focusing on compliance and on the HIPAA security rule is not sufficient in terms of understanding what we need to do to protect our systems and data, and ultimately, our patients. In fact, we’ve moved 100 percent of our customers to the NIST CSF model. At the same time, we still benchmark them against other frameworks or standards, as part of our assessment of their capabilities—including the HIPAA security rule. And the results on the HIPAA security rule side were much better than on the NIST CSF side. People have pretty much gotten the compliance thing down, but that’s no longer enough.
Finn: As I’ve long said, compliance only protects you if your attacker is an auditor.
You found that only 45 percent of patient care organizations indicated that they were in conformance with the NIST cybersecurity framework (CSF). What are your perspectives on that? Is that a higher figure than you’d actually expected? Lower?
McMillan: That’s not really what that stat says—across organizations, there was a 45-percent level of conformance to meet the minimum requirement for the maturity level you’d need to be at to say that that control is effective. It’s not that 45 percent were compliant with NIST CSF; that was the average conformance level across all customers in terms of basic implementation of the controls.
Finn: That’s right. And when you look at the average and the median, they were both at 45 percent. But that would indicate that the standard deviation, 26 percent, was pretty broad; and that tells us that some people were very high, while others were low. And so some organizations are very advanced, some are not; but some of the very advanced organizations are connecting to physician practices that may increase their risk. If everyone were at 45, we’d feel better, but this is telling us that we have people who have done very well, but others definitely are not.
Even more worrisome than the 45-percent overall percentage was seeing the 27-percent average of conformance among physician groups. And those responses wouldn’t have been from the smallest physician groups. How dire is the cybersecurity situation for physicians in practice and physician groups, right now?
McMillan: I don’t like to use inflammatory language, but clearly, we should be concerned that we still have a lot of organizations out there that are absolutely missing this, or have very ineffective cybersecurity controls. As David pointed out very correctly, every one of our hospitals is talking about connecting with their communities; and they’ve got 30-40 percent of their supply chain being outside their control, but while being connected to their environment. And we’ll have mobile consumer devices and others creating even greater connectivity. And that ultimately affects the security of everybody. And yes, that is something we ought to be concerned about. And that’s the whole purpose of this report, to say that we’re all only as good as what any of us do. We’re not living in castles anymore.
Finn: I think Mac has summed it up well. It really is about the risk. At the end of the day, it’s about patient care and patient safety; so the Anthems, and Blue Crosses, etc., will grab the headlines when there are data breaches, because of the numbers of people affected. But a one- or two-doc practice in rural Texas gets ransomed, and patients can’t get the care they need, and that’s just as tragic. And [in contrast to data breaches that might impact people in a retailing context, for example], it’s not that you won’t get your Amazon order, it’s that you won’t have access to needed care.
The reality is that physician practices represent a point of extreme cybersecurity vulnerability, correct?
Finn: Yes, we’ve found that size actually does matter in terms of bed size of hospitals, for example. But we also found that revenue was a less reliable indicator. And with NIST, we can’t get Dottie a brand-new DLT system that she can’t manage. But NIST is not necessarily about technologies; it’s about managing the data. NIST—you still have to do something, but it may not be an expensive new technology.
McMillan: In my opinion, that got a little bit lost, meaning that I think next year we’ll have to go a bit further in terms of our analysis, because the revenues or money didn’t seem to be an indicator of how ready an organization was; size was an indicator. But in terms of scores in terms of revenue against their grade, there were some small organizations that did do relatively well. And another factor is the priority or importance that the leadership of the organization puts on cybersecurity, because when you see smaller organizations fund, and focus on, this area, and do well, it’s because leadership has focused on this priority. And when large organizations don’t do well, it’s because leadership was not shown.
What should we do to help physicians, whether their practices are affiliated or owned?
McMillan: I truly think that this industry, because of what’s going on with the threat world, is fast approaching the point where smaller organizations and physician practices are going to have to decide whether they can do it on their own, or whether there needs to be more consolidation in the industry, so that we can do this effectively. Or perhaps there needs to be some other change in the model, where we can provide support to the smaller guy, to give them the leg up in terms of what they need. Size mattered, especially in terms of resources; and the level of threat now is that we need to do something for the little guys.
Finn: How to address small providers was actually addressed in the [Health Care Industry Cybersecurity] Task Force’s report to Congress, including the idea of creating a marketplace for security for providers, so that they could pool resources, and to bring a group together to help these small practices. At the end of the day, a small provider, even a critical-access hospital, can’t really afford to do this. This will change the face of healthcare if we don’t address it; and because of our connectivity, we can’t just not talk to the small doctors and practices, or a home healthcare organization or durable medical provider in our community, so we are going to have to deal with that. The 405D Working Group, a separate step from the task force, is working under the auspices of the CIO at HHS, and they are very close to releasing the first of several reports, with tool sets. And the first one, due out in March or April, focuses on small providers, and helps walk you through what you can do if you don’t have big budgets, but are small and are using cloud solutions.
Enterprise risk management is an important concept, and one mentioned in your report. Can you share your perspectives on that concept? What does it mean to you?
McMillan: Cyber risk is just another business risk that organizations have. It’s no different from medical malpractice liability or financial risk or whatever. And organizations need to start thinking about it that way, and no longer as an IT issue or a security issue. We live and work in an environment today in healthcare, where information is critical to what we do. So the thought that we can somehow not treat our information as a critical business asset, is just nonsense.
Finn: That’s absolutely correct. And I can tell you that from the perspective of a CIO at a large integrated delivery network. We tended to see those silos around who was responsible for what. We’re starting to see GRC—governance, risk and compliance—migrate into the private sector from the government sector. And we’ll add governance to next year’s report, because governance is key within the NIST framework, but they don’t have specific scoring yet. But when you start to look at integrated GRC, you see that the risks are about the data, including around availability. And that might not even be an IT issue; maybe the electricity is out.
And it also becomes an issue of confidentiality. Maybe someone printed out face sheets and they’re sitting around the office. So it’s a data issue. Data permeates everything, and if you’re not going to address this at that level, you’re going to miss those risks. One of the things I “loved” in this report was the fact that most organizations have seen an 11-percent increase in printed paper since EHR implementation. And we’ve neglected the fact that we’ve implemented EHRs, but we’re still printing things out. So you have to look at things holistically. I just did a report to a group where they had not integrated their physical and IT security. IT had done a good job, but there were physical risks.
What would your advice be to CIOs, CISOs, and all other healthcare IT leaders?
Finn: I’ve been saying it for many years: the issue is that CIOs and CISOs have got to stop talking technology with the non-IT people. The non-IT people don’t really care about the technology; they just expect it to be there, and for it to work. We have to talk business issues with the business people. If someone got surgery on the wrong side, then we’re in trouble. But if the wrong-site surgery took place because someone went in and maliciously altered the data in the EHR [electronic health record], then that’s an issue. We have to focus on the patients. We don’t leave patients sitting in parking lots, yet we’ll leave data sitting out in public view; and we don’t send patients to the wrong clinic. We’ve got to take that same level of care with the data. And part of that is telling the story from a business perspective, not from an IT perspective.