Cybersecurity Guru Mac McMillan: Progress Forward Is Proving To Be Glacially Slow

June 11, 2019
Mac McMillan, CEO of cybersecurity consulting firm CynergisTek, discusses the current moment in U.S. healthcare—and worrying signs that provider leaders are taking too long to achieve preparedness

A range of areas are concerning chief information security officers (CISOs) and others, according to a new survey produced by the Austin, Texas-based CynergisTek consulting firm. On Tuesday, CynergisTek’s leaders announced findings from the firm’s first “CAPP Conference Survey.” The survey was administered to attendees of the company’s inaugural CAPP Community Conference: Cybersecurity 2019 this past May, which focused on tackling some of the most pressing issues facing healthcare cybersecurity and privacy, including vendor breaches and risks, new state privacy laws, privacy and security culture, and medical device security. The survey of approximately 60 C-level healthcare executives revealed the greatest perceived threats and current challenges these organizations are facing in cybersecurity and privacy.

As noted in a press release issued Tuesday morning, “Overall, the findings highlighted that the issues respondents were most concerned about were the risks associated with Internet of Things (IoT), medical devices, third-party vendors, and program development/management. However, the data also pinpointed some of the barriers or disconnects within the organization to solve these issues, like executive leadership buy-in. Most notably,” the press release noted, “[F]orty percent [of respondents] responded that third-party risk is the threat that concerns them the most.”

Further, among those surveyed, “Of the emerging threat areas (5G, AI, IoT, and supply chain) discussed, over 50 percent responded that they were the most concerned about IoT.” In addition, “Nearly one-third of respondents reported that medical device security is one of the top five risks facing healthcare according to the Health Industry Cybersecurity Practices; however, most reported not having an effective strategy in place to assess the risks posed by medical devices. Even more alarming, 26 percent said they don’t have any process in place at all.” What’s more, “Almost half of the organizations reported having conducted an incident response exercise only one time, or never having done one at all.”

In addition, “‘Culture’ was listed as the leading difficulty (over compensation and training) in retaining cybersecurity professionals.” And, importantly, “Fifty-four percent of those surveyed said the biggest barrier to meeting privacy and security challenges was due to lack of adequate resources (tools, money, or people), and only 13% said it was due to senior management buy-in. However, in a follow-up question, 40% responded that they didn’t know if their Boards were more or less involved with cybersecurity and privacy programs than they previously had been.”

Meanwhile, recently, CynergisTek executives released their 2019 annual report. And, importantly, one passage in that report noted that, “Looking across all the data, we found an average (mean) of 47% conformance with NIST CSF. Assuming that the maximum potential is 100%, our average of 47% – a 2% improvement over our 2017 average – is disappointing, at best. And yet, not surprising. In a year of more breaches, new attacks, increased phishing, and yet another year into HIPAA’s Security Rule – which is not aging well in terms of actually improving security – it makes NIST CSF an even more compelling need for the healthcare sector. Conformance with this ‘new’ standard, however, continues to lag across the healthcare industry at large.”

Just prior to the public release of the survey, Mac McMillan, CynergisTek’s president and CEO, spoke with Healthcare Innovation Editor-in-Chief Mark Hagland regarding both the findings of the CAPP Conference Survey, and some of the key points in the company’s 2019 annual report. Below are excerpts from that interview.

What are the latest things you’re hearing from your firm’s client organization leaders?

Looking at the 2019 annual report we put out, one of the things that’s telling is that, between the publication of our 2018 and 2019 annual reports, we haven’t seen a lot of improvements in healthcare. Improvement in cybersecurity preparedness in healthcare is still moving forward fairly glacially.

Why do you think that is?

Because there are a lot of competing priorities in terms of dollars, and in terms of the things that hospitals need or want to do. I think it’s because there’s still too much focus on compliance, as opposed to real security. In other words, if I get a good grade on HIPAA or meaningful use, I must be doing alright. And the report makes it pretty clear that regulatory compliance doesn’t equal security.

Meanwhile, in terms of the survey, the key thing that came out at the conference is that the things that senior healthcare executives are most concerned about are third-party risks, IoT, and continued lack of staffing and resources; those were their primary concerns. There was still obviously a lot of concern around ransomware and attacks, as we’re beginning to see a resurgence of that activity this year. But the biggest thing that came out of the discussions at the conference was that everybody has finally gotten to the place where they realize that risk is absolutely a part of their everyday lives, that incidents are going to happen, and the realization they’re beginning to come around to is that we really need to have a higher degree of readiness in terms of how we react, respond, and recover.

And if you look at the NIST framework [the cybersecurity framework created by the National Institute of Standards and Technology in the U.S. Department of Commerce] around five categories—identification, protection, detection, response, and recovery—and if you think about detection, which is in the middle of those columns, detection is where the incident happens. It’s the “boom” event. To the left of the “boom” is all the things we do to prevent the boom, all the things we do to prevent an incident. And then to the right of the boom is where we respond and recover.

So if you accept that you’re going to have incidents no matter what you do, no matter how well you prepare, what actually becomes even more important is your ability to respond and recover, because everything that happens to the left of the boom is a cost to the business, and everything to the right of the boom is a cost avoidance to the business. And everything to the right of the boom costs more than everything to the left of the boom. In other words, if I have a breach and I don’t respond quickly enough, and it becomes a major breach or major outage, my recovery becomes much more difficult and much more costly, and I could have lawsuits, including class-action lawsuits. Bad things happen to the right of the boom.

Do you think that C-suite executives and boards of directors get it now, or not yet?

I don’t think they completely get it yet. I went to talk to a board a couple of weeks ago. I had the primary board, I had their advisory board, and all the senior executives from the organization, so there were more than 40 people in the room. I talked about where the threat was, what was going on, everything we’re seeing in the industry. But when I got to the portion of my talk where I used the analogy of the boom and the left and right of the boom, it made it easier for them to understand. The lightbulb went on, and that’s where they realized they needed to invest in advance, to avert costs later. So if I really want to manage risk in the business, which is what boards are supposed to do, then I need to look for ways to reduce the need for us to spend when there’s an incident.

When you start talking to boards about the NIST Cybersecurity Framework and identification and protection and all that, they just don’t understand that. So you have to say, here’s the “boom,” here’s where something bad happens, and everything to the left of that boom is everything you’re doing to prevent a bad thing from happening. But the bad thing will happen. And everything’s changing, technology’s changing, and the bad guys are always one step ahead of us anyway. So what really matters at the end of the day is how ready you are to respond to and recover from the boom, from the bad thing. That’s how you’ll mitigate the costs to the business. That’s where your risk is, and that’s where you need to manage.

What does the healthcare cybersecurity landscape look like five years from now, and how do we get to a different level of preparedness as an industry?

I think it depends on what happens to the threat. In 2016 and 2017, we had this huge onslaught of ransomware-based attacks, and immediately, the industry started spending money. When it started impacting them as a business, patient care organization leaders started spending money to do something about it. There have been two things that have driven spending in security: the first is regulation, and the second is threat. When the threat goes up, they start spending. When regulation happens, they start spending.

So in the next five years, one thing that will happen is the threat. The IoT-based threat, the threat coming out of the use of AI and machine learning—we’ll see new threats that will create whole new needs for investment in security. The other thing that will affect things is the privacy regulatory front. The CCPA—the California Consumer Privacy Act of 2018—is the first in what I predict will be a long line of states becoming more active in pursuing privacy investigations and complaints, and as the line begins to blur between health information and personally identifiable information and financial information, at some point, we’re going to see a federal privacy statute, and that will change the landscape once again, because you can’t have privacy without having security. Those are the things on the horizon that could potentially create the next acceleration in the evolution of security in healthcare.

Is there anything that you’d like to add to this?

Third-party issues and IoT remain areas of great vulnerability, as our survey and discussions with client organization leaders are confirming.