Catching up with Cybersecurity Guru Mac McMillan at HIMSS19

March 26, 2019
A leading cybersecurity expert on why hospitals are still not making fundamental improvements and investments to keep attackers away

At last month’s HIMSS (Healthcare Information and Management Systems Society) conference in Orlando, Healthcare Innovation had a chance to sit down with one of the most notable cybersecurity experts in the industry. Mac McMillan, chairman, CEO and co-founder of Austin, Texas-based consulting firm CynergisTek, spoke to the publication about the latest developments and challenges in this space, while also giving feedback on key trends that were uncovered in a recent HIMSS cybersecurity report. Below are excerpts of that discussion.

What’s new and top of mind for CISOs and other healthcare security professionals right now as they continue to stave off cyber attackers?

Even today, there are a lot of hospitals that have not made the investment in their infrastructure and technology to really defend themselves, their systems, and their data effectively. I was recently talking to a hospital CIO as we just finished the organization’s [security] assessment. We found that they had core switches that were end-of-life—that’s a really bad thing.

One of your first lines of defense is managing your environment in an up-to-date manner. This means up-to-date technology, systems, operating systems, keeping all your applications up to date, and your patch levels up to date—making it hard for the bad guys to find the crack in the armor that they can take advantage of. They already have the other cracks in the armor that you almost can’t avoid with things like user error and phishing. So if they are successful with a phishing expedition, and the systems you are relying on are not up to date, now they can take advantage of those as well.

When you mention those cracks in the armor that you can’t avoid, like phishing attacks, has it become completely hopeless to defend against them? I just read a HIMSS report that cited negligent insiders and online scam artists as still the two main primary threat actors.

You have to assume in today’s environment, with all the different things that can go wrong, at some point you will have an incident. There are incidents every day of every week, every month, and every year. Typically the ones you hear about, the ones that become damaging, are at the organizations that haven’t made the investment or aren’t ready to respond. It’s not about stopping all the incidents today; you will never be able to do that. It’s about stopping them before they become really egregious.

The HIMSS report also found that cybersecurity budgets are slowly increasing, or at the very least, resources aren’t being taken away. Do you think we still have a long way to go in this area?

Yes, we do. Let’s put it in perspective. Sure, budgets in security in healthcare are larger today than they were in the past, but in the context of other industries, when you think about a hospital today, 98 percent of the processes they have are automated and driven by some system or application; 30 to 40 percent of their processing environment is off-shore, meaning outside of the hospital; and almost all of their data is digitized.

So when you think of a hospital today, do you think of it being any less sophisticated from an IT perspective than a bank? Are they any less sophisticated than any technology company? No, but the difference is that banks spend between 12 and 15 percent of their budgets on security. For hospitals, it’s less than 5 percent. So yes, we are spending more on security, but it’s not enough. Every other regulated industry is spending between 10 and 15 percent of their budget on security, and healthcare—which is no less sophisticated and no less regulated—is spending less than 5 percent.

Another report I saw revealed that many non-acute providers don’t have a dedicated security professional; some lack even a single IT professional. How big a problem is this across the healthcare ecosystem?

We have experienced this with a lot of the folks we meet. But for a lot of them, their primary focus is whatever they do. So if they are a doctor, it’s about providing care. Like other small businesses, they tend to treat everything else as something they get from somebody, meaning they tend to have an outsourced IT organization, outsourced HR, and outsourced legal.

They treat security the same way. Until an organization gets to a particular size, they don’t bring the back-office and infrastructure in-house. And security is typically not the one that shows up first. Somewhere down the line they figure out they have to have compliance and security, and typically when they do finally show up in those smaller organizations, they are wearing multiple hats. That IT person might be dual-hatted as a security guy, initially. And this isn’t just healthcare; it’s the case with almost every small business.

I find that events like HIMSS offer the opportunity for cybersecurity professionals to share lessons learned, but at the same time they don’t want to give their secret recipe away. Do you agree?

Who’s in the room? Who’s listening? It’s definitely a [concern] at HIMSS and other conferences. Security people tend to not want to talk in public about not only the issues they are having, but also what they are doing to defend. It’s the old axiom: if I tell you what my defenses look like, you can defeat me. In big conferences like this one, with very large audiences where you have no clue who’s in the room, [a CISO] won’t be the person that steps up and talks about what’s going on in his or her organization. But the good thing is they do collaborate in their own communities, in local or regional groups where CISOs get together.