As 2018 was coming to a close, Healthcare Innovation Editor-in-Chief Mark Hagland caught up with David Finn, the former hospital CIO and currently the executive vice president for strategic innovation at the Austin, Texas-based CynergisTek consulting firm. The Houston-based Finn, who has spent many years in the cybersecurity arena, sees a complex and challenging landscape in the present moment in the U.S. healthcare industry. Below are excerpts from their December interview.
Let’s be Janus, shall we? Looking back to the year that we’re completing, 2018, and peering into 2019, how would you describe the overall landscape around cybersecurity in the U.S. healthcare industry right now?
It feels like the perfect storm and déjà vu, all at the same time, I have to say. The déjà vu thing is kind of interesting. We’ve been watching the phishing trend creeping up and becoming more and more problematic over t
What are the key things that patient care organizations need to do right now, in your view?
They need to start training their people on emails. They need to train the end-users, and invest in some of the tools to monitor and track activity. And I’m not talking about unicorn-type stuff. For instance, we saw a lot of attacks in 2018 that weren’t even seen in the system.
You’re talking about behavioral monitoring tools?
Partly that, and partly the email tools that will look at incoming emails, as well as the intrusion tools that will identify activity inside the network. And often, people are syncing their Outlook web access email box with their Outlook on their desktop computer, so you have a disparity of security levels when that happens, and the bad guys are either stealing credentials or spoofing email addresses, so that it starts to look like internal email. If we were to implement multi-factor authentication, we could eliminate a lot of that problem. Sometimes, you can even certify individual devices to particular connections. There are different ways of doing this, and we just have not been focused enough on the problem.
Where are we, with regard to securing medical devices? Are we even more behind in that area than in other areas?
Absolutely. And 2018 was a turning point. At least, in 2018, we got some real focus on the problem, and people are paying attention to medical devices. And that includes not only the providers, but even the medical device manufacturers are recognizing that they can’t just shovel the problem down to the providers; we all have to work together. There’s still some hysteria. And the way we secure devices isn’t so different from PCs or mobile phones; it’s just that most medical devices hadn’t previously been connected to the network. There are new tools that help you.
And some of the new tools are doing passive network scans, so they don’t knock the medical devices off the network, which traditional scanners did. But they’re looking at the network. Because when a radiologist connects to a modality, it’s now a computer. I think everyone’s seen someone log onto an MRI browser and check their Hotmail or Gmail. Who thinks to upgrade the browser on your MRI machine? That’s a really easy fix, but unless you’re thinking about it…
On a scale of 1 to 10, with 10 the most positive, where would you say you are overall, on the optimism-pessimism scale, in terms of how you perceive the industry’s capabilities overall in meeting the intensifying cybersecurity challenges facing all of us?
I’m a David Downer, so I would give us a 4. Not because of the efforts in the industry, but the payment model is in flux, the care delivery model is in flux; providers are so involved in change. So the business is changing so rapidly, and that frequently means IT is changing, and when IT changes, security needs to change. I am heartened by one thing: I think privacy is finally going to move to the forefront, and that’s because of our friends at Marriott and other commercial organizations. Eight states are currently proposing legislated privacy rules, and with GDPR [the European Union’s 2016 General Data Protection Regulation] now in place [GDPR was implemented in May 2018], that is yet another factor. Privacy is really about policies and procedures, and it’s hard to enforce it without security in place. The legislation that’s being proposed on the House side is for a federal data protection standard, with a unified breach notification rule. Which means a provider that operates in six states may have HIPAA and six state laws to comply with. That becomes an administrative nightmare. Doing that a different way in all 50 states borders on insanity.
Is there a good chance that a federal data privacy bill might pass in Congress?
Yes. You’ve got Facebook lying in testimony to Congress; you’ve got Marriott and other huge breaches. So I think there will be great pressure to address privacy breaches in this country, and the change in the House next year may actually make that possible.