Shifting the Conversation to Security by Design

May 28, 2019
The Institute for Critical Infrastructure Technology’s Parham Eftekhari says HIT products should be built to higher security standards

In late February U.S. Sen. Mark Warner (D-Va.) issued a series of questions related to cybersecurity to 12 private-sector and four public-sector healthcare organizations. The Institute for Critical Infrastructure Technology (ICIT), a Washington, D.C.-based cybersecurity think tank, wrote a white paper summarizing some of the responses he received and some implications. Healthcare Innovation recently spoke with Parham Eftekhari, ICIT’s executive director, about the issues at stake.

First, do you think Sen. Warner got the questions right?

One of the things that occurred to us when we read the questions was that they were well-worded and well-informed. Often you see Congress getting involved in cybersecurity issues only after an incident happens. It was great to see this inquiry was proactive in nature. We want Congress and policymakers to proactively, not reactively, be engaging with members of critical infrastructure sectors to get this type of input and propose responsible legislation in a calm environment when there is not pressure to react to a major incident.

Were there some common themes that emerged from the public responses to Sen. Warner?

We saw that five of the respondents—the Healthcare Leadership Council (HLC), Virginia Hospital and Healthcare Association, American Hospital Association, HITRUST and the College of Healthcare Information Management Executives (CHIME)—voiced a desire to have a Health & Human Services (HHS)-developed certification program that would incentivize improved cybersecurity and cyber hygiene across the healthcare ecosystem, which could include changes to existing laws to reduce the fear of violating mandates.

That is indicative of what we are seeing in other sectors. It wasn’t a surprise that healthcare organizations were asking for this as well. We think that asking for changes to a mandate or regulation is a good thing in theory, but it’s tricky; you don’t want to over-mandate or over-regulate, but you also don’t want to under-regulate either. With cyber hygiene, if you are going to have meaningful regulation, you want to make sure it balances the technology side of the equation with the people side. You often hear the individuals in an organization getting blamed as the weakest link. We don’t like to think of it that way. We like to say individuals can be your strongest line of defense if they are adequately trained and have the right tools and resources, both from a technological perspective, but also from a training perspective.

The responses also mention the idea of “safe harbor.” What is that referring to?

Safe harbor would remove penalties for healthcare organizations that suffer a cyber incident if they were in full compliance with HIPAA requirements and any other mandates that could secure the network or data. No matter how much money you spend, there is no protection that will render a system completely secure. But if you do audits, some security programs are superior to others. Safe harbor would say if you are already mitigating known vulnerabilities, patching and updating systems regularly, and following relevant industry security standards, then you should be exempt from penalties. Reducing or removing the penalties would also allow organizations to instead spend those funds on improving cybersecurity and modernizing systems.

One of the common themes of the responses is that stakeholders need to do a better job of collaborating. What are some of the efforts that share cyber threat information across healthcare organizations? Is the H-ISAC (Health Information Sharing and Analysis Center) one of them? How could they be improved or extended?

The ISACs exist for most, if not all, of the major critical infrastructure sectors. As of a few years ago, there are also ISAOs—information sharing and analysis organizations. Some people found that ISACs were not inclusive enough to meet the complexities of threats facing different sectors of the economy, and the ISAO model was born. So there are a number of opportunities for information sharing within the sector. But for ISACs and other organizations that require paid memberships to access Indicators of Compromise and other threat intelligence, the challenge is that if you are not a member you are excluded, and don’t have the opportunity to gain access to that information.

These collaborative programs are extremely vital, but we also need to be thinking of how to proactively stop introducing more threats into the ecosystem. This is why we have to shift the conversation and focus on security by design, better practices with regard to engineering, responsible software development practices, and building technology that has fewer vulnerabilities that can be exploited in the first place.

One common theme of the responses is that a national strategy is necessary and federal guidance must be clarified. What could the feds do differently?

I think there is consensus that there needs to be a better-focused national strategy, and HHS needs to have a leadership role in that process. Where are all these vulnerabilities coming from? They are coming from the fact that healthcare organizations are using legacy technologies that have been built insecurely or are buying new technologies that continue to be built insecurely. HHS can offer new guidance and we can have more collaborative engagements on how to mitigate the threats that currently exist. Those are all good things.

But to really get ahead of the problem, we ultimately need to address the core issue, which is why software providers and technology manufacturers continue to produce technologies that are not responsibly coded and built to higher security standards. What I would love to see is for HHS and hospitals to start to use their influence with electronic health record (EHR) vendors and medical device manufacturers and say, we know it is difficult, costly and time-consuming, but we want to find ways to incentivize you to make this a priority. Those conversations are starting to happen, but we need to ramp it up. In my opinion, that should be the No. 1 priority for us in order to see meaningful long-term change for the security posture in our healthcare sector.