On Jan. 21, the Foundation for the Malcolm Baldrige National Quality Award, Inc. announced the 2020 recipients of the Baldrige Foundation Awards, which “recognize outstanding individuals, leaders, and supporters who embody Baldrige leadership values and principles, and who have provided great service to the Baldrige community.” A core vision of the foundation is to promote performance excellence in all sectors of the economy.
The announcement encompassed four types of awards, including the Foundation Awards for Leadership Excellence, awarded to 11 leaders working in a variety of professional fields. One of the 11 was Mac McMillan, CEO emeritus of the Austin, Texas-based CynergisTek consulting firm, of which he had been CEO until late last year.
That was not the first award recently recognizing McMillan. On Nov. 5, the Ann Arbor, Mich.-based College of Healthcare Information Management Executives (CHIME) bestowed on him the 2019 CHIME Foundation Industry Leader Award. The CHIME Foundation is the collaborative group representing CHIME sponsoring organizations. “Cybersecurity in the healthcare sector would not be where it is today without Mac,” said CHIME President and CEO Russell Branzell, in honoring McMillan in November. “When Mac founded CynergisTek, many providers were not even thinking about cyber threats and the damage they could do to patients and their organizations. Mac made it his mission to educate our community. He has been a true friend to CHIME and AEHIS. It is an honor to recognize him for all he has done over the decades.”
Shortly before the public announcement of the Baldrige Foundation Award, McMillan took the opportunity to speak with Healthcare Innovation Editor-in-Chief Mark Hagland regarding the state of cybersecurity in the U.S. healthcare system in this moment and the challenges facing the entire industry. Below are excerpts from that interview.
What would you like to share with us regarding how you see the current cybersecurity landscape right now?
The president’s taskforce on cybersecurity recommended this. And then the follow-up on that was the 405(d) Task Group, which is part of the NIST Cybersecurity Taskforce—a public/private group that was [tasked] to come up with recommendations. They also supported the adoption of the NIST Cybersecurity Framework. It is the standard framework across all federal agencies, and it is also the most widely used cybersecurity framework across industries. That includes healthcare; yet it is not our standard. It’s not just me saying it; there’s a whole body of groups who agree with me.
So that’s a first piece of my parting message to the industry: stop messing around, recognize that the HIPAA security framework is inadequate in today’s environment, and adopt a framework that will do what it takes to protect healthcare.
The second message I’d like to share is to invest in cybersecurity education. We know we have a shortage of people with the qualifications and skill sets, but it’s not just that. In today’s environment, every single person who touches a computer for his or her job needs to receive cybersecurity education. You can’t just rely on the cybersecurity professionals to protect us; everybody has to play their role. But we have too many people touching computers and using technology who have no clue what they should be concerned about.
The third thing is to get more serious about security from a technology perspective. The landscape that we’re dealing with today is far more serious than it has ever been in terms of what the threat actors can do to an organization. There was a recent discussion about the ‘Wiper’ phenomenon from Shamoon, the Iranian hacker group. If you look at the attacks they’ve run, they’re absolutely devastating. They’re just about at the level of destruction.
When organizations get hit by these Wiper attacks, there is no recovery: they destroy the computer, they destroy the software, and they destroy the data. It is literally destructive. And they’ve done this mostly in other countries, in Europe and the Middle East. They haven’t yet pointed it towards the United States—so far only towards U.S. companies operating in the Middle East. And I can guarantee you, nobody here is ready. If nation-state actors decided to go after private business, they would devastate them. We have hospitals that still today are not monitoring their network. As the U.S. healthcare industry makes the shift from volume to value, the demand for everyone to be sharing more and more data is intensifying across the industry. At the same time, with the threat vectors accelerating everywhere, the danger to IT and data security is increasing daily now.
How do you see that tension playing out?
I see that tension escalating. The technology evolution won’t slow down and the need to share more data won’t slow down. The need to accelerate data sharing also won’t slow down. And all of those things speak to the need for greater cybersecurity; but at the same time, it creates challenges. Healthcare is not like banking, education, the government, or retailing. They treat data as a thing. They can put very stringent controls and restrictions around information, because they don’t kill anybody if somebody doesn’t get access to data. Whereas in healthcare, the information we have is tied to caring for a person, and often in a very timely manner. Oftentimes, it’s a matter of minutes to save somebody’s life. We can’t just continue to apply the antiquated practices to healthcare; we need to be more sophisticated about it. We may need to be more flexible on the access side to support operations, and more capable on the monitoring side, to catch inappropriate behavior more quickly.
If there’s a single area where healthcare is behind, it’s around behavioral monitoring, correct?
Yes, that’s absolutely correct; there’s still too much focus on compliance, and not enough on the protection of data. My experience is that when you do a better job of protecting the data and ensuring its privacy, you take care of compliance; compliance is the byproduct. Most of the tools that are out there are still designed with compliance in mind, as opposed to real security or real privacy. The behavioral-based tools eliminate more false positives and are more accurate, but are also able to see things the other tools can’t even see.
You and I as authorized users can follow the rules all day long, and still violate privacy. As long as we don’t do anything outside what our access allows us to do, we can look at things we’re not supposed to be looking at and the system will never catch that if we’re just using a rules perspective.
But a behavioral monitoring system knows how many patients we see a day, the types of patients we see, and the department we’re working in. And if it knows all those things and sees that we’re accessing the system at a time that’s not normal, it can alert us. Or if it sees us looking at patients that are not typical of the ones we look at, the system can question that. That’s the difference between a behavioral-based tool and a rules-based one.
How do CIOs make the financial argument for investing in cybersecurity to their C-suites and boards, in a time of straitened resources?
I think the first thing is that there has to be an appreciation for cybersecurity in healthcare today, just as in other industries; that this is a legitimate cost of doing business. If you’re going to have computers, and automated practices, and your business relies on these systems, as businesses do, then you have to provide adequate protection to protect the business.
People say, ‘I have to justify the cost.’ Well, what’s the analysis if you were to lose your systems? How much would it cost you if you lose your systems for a day? For a week? What if you got hit by a Wiper attack and lost your systems for a month? If you look at the ROI from simply applying encryption—encryption literally costs dollars per device to encrypt everything, yet it can save you thousands to millions of dollars in terms of loss and fines and everything else.
This is the age-old problem that security has always had, and insurance, too—that there are people willing to drive without a seatbelt. What kind of organization are you? Are you an organization that’s willing to take unreasonable risk? If you can’t provide services or have to turn people away from the ER, you’re putting people’s lives at risk, or at least people’s health.
We always say that healthcare cares about people; well, if that’s the case, then we need to invest in these technologies and processes. We have to stop making this a dollars and cents discussion, and make it a patient safety discussion. This puts public safety at risk, it puts your public image at risk, and puts you at risk of fines and beyond. You cannot argue to me that the cost of protecting your data and systems is not worth it. A full-blown monitoring system, a SOC [security operations center] monitoring your network costs $100,000 to $1 million a year; $100,000 is one salary. You’re trying to tell me you can’t justify spending $100,000 to monitor your network accurately in today’s environment? It’s just ridiculous.
We spend all kinds of dollars on compliance, and compliance generally is not a material risk to the business. How many hospitals have been put out of business because of poor compliance? None. But I can share with you several organizations, including some recently, that have closed their doors because of a cyberattack.
How do you see this landscape five years from now?
I think things are going to eventually get there, because I think we’re going to be forced to. By that I mean if the threat continues to escalate as it’s been doing, and technology continues to increase its level of sophistication, speed, and data sharing, we are going to be forced to do it whether we like it or not. But do we really have to suffer the pain, or can we just get smarter and get there now? That’s the real issue. Do you really have to go through a breach to understand that you need to protect yourself?
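The contrast McMillan draws between rules-based and behavioral monitoring (an authorized user who never exceeds their access rights can still browse records they have no reason to see) is easier to grasp in code. The Python below is an added example written for this article, not code from the interview or from CynergisTek. It parses a constructed EHR access log, builds a per-user baseline (working-hour window, departments of patients normally accessed, maximum daily volume) from a week of history, and then scores new accesses two ways: a rules-based check that only asks whether the role is permitted, and a behavioral check that reports every deviation from the baseline. All users, departments, patient identifiers, log lines and the thresholds (a hard hour window, an unseen department, more than twice the historical daily maximum) are assumptions chosen for illustration; a production system would baseline over months, compare against peer groups, and score statistically rather than with fixed cut-offs.

```python
"""Rules-based vs. behavioral monitoring of EHR access (added example).

Everything here is constructed: users, roles, patient IDs, departments,
timestamps and the anomaly thresholds are illustrative assumptions.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Access:
    user: str
    role: str           # what the rules-based check looks at
    when: datetime
    patient_id: str
    patient_dept: str   # department treating the patient


def parse_log(lines):
    """Parse constructed lines like
    '2020-01-13T09:15:00 user=jdoe role=nurse patient=P1301 dept=oncology'."""
    events = []
    for line in lines:
        ts, *pairs = line.split()
        f = dict(p.split("=", 1) for p in pairs)
        events.append(Access(f["user"], f["role"], datetime.fromisoformat(ts),
                             f["patient"], f["dept"]))
    return events


ALLOWED_ROLES = {"nurse", "physician"}   # assumed access rule


def rules_based_check(ev):
    """Rules-based: an authorized role may read any chart, so nothing an
    authorized user does ever violates the rule."""
    return ev.role in ALLOWED_ROLES


def build_profiles(history):
    """Per-user baseline: hour window, patient departments seen, max daily count."""
    hours = defaultdict(list)
    depts = defaultdict(Counter)
    daily = defaultdict(Counter)
    for ev in history:
        hours[ev.user].append(ev.when.hour)
        depts[ev.user][ev.patient_dept] += 1
        daily[ev.user][ev.when.date()] += 1
    return {
        u: {"hour_min": min(hours[u]), "hour_max": max(hours[u]),
            "depts": depts[u], "max_daily": max(daily[u].values())}
        for u in hours
    }


def behavioral_check(ev, profiles, todays_count):
    """Return the list of ways this access deviates from the user's baseline
    (empty list = looks normal). Thresholds are illustrative assumptions."""
    p = profiles.get(ev.user)
    if p is None:
        return ["no baseline for user"]
    reasons = []
    if not p["hour_min"] <= ev.when.hour <= p["hour_max"]:
        reasons.append(f"hour {ev.when.hour:02d} outside baseline window "
                       f"{p['hour_min']:02d}-{p['hour_max']:02d}")
    if ev.patient_dept not in p["depts"]:
        reasons.append(f"patient dept {ev.patient_dept} not in baseline")
    if todays_count > 2 * p["max_daily"]:
        reasons.append(f"{todays_count} accesses today exceeds 2x baseline "
                       f"max of {p['max_daily']}")
    return reasons


def evaluate(history_lines, new_lines):
    """Score each new access with both checks; returns (event, rules_ok, reasons)."""
    profiles = build_profiles(parse_log(history_lines))
    todays = Counter()
    results = []
    for ev in parse_log(new_lines):
        key = (ev.user, ev.when.date())
        todays[key] += 1
        results.append((ev, rules_based_check(ev),
                        behavioral_check(ev, profiles, todays[key])))
    return results


# Constructed history: one oncology nurse, five weekdays, five charts a day, 08:00-16:00.
HISTORY_LINES = [
    f"2020-01-{day:02d}T{hour:02d}:00:00 user=jdoe role=nurse patient=P{day}{i} dept=oncology"
    for day in range(6, 11)
    for i, hour in enumerate((8, 10, 12, 14, 16))
]

# Constructed new activity: one normal access, one at 23:30, one cardiology chart,
# then a burst of twelve charts in twelve minutes the next morning.
NEW_LINES = [
    "2020-01-13T10:00:00 user=jdoe role=nurse patient=P1301 dept=oncology",
    "2020-01-13T23:30:00 user=jdoe role=nurse patient=P1302 dept=oncology",
    "2020-01-13T11:00:00 user=jdoe role=nurse patient=P1303 dept=cardiology",
] + [
    f"2020-01-14T09:{m:02d}:00 user=jdoe role=nurse patient=P14{m:02d} dept=oncology"
    for m in range(12)
]


def flagged_count(results):
    """Number of accesses the behavioral check would raise to a reviewer."""
    return sum(1 for _, _, reasons in results if reasons)


if __name__ == "__main__":
    for ev, ok, reasons in evaluate(HISTORY_LINES, NEW_LINES):
        print(f"{ev.when:%Y-%m-%d %H:%M} {ev.user} {ev.patient_id:6} "
              f"rules={'pass' if ok else 'FAIL'} behavioral={reasons or 'normal'}")
```

Every one of the fifteen new accesses passes the rules-based check, because the nurse role is allowed to read charts. The behavioral check flags the off-hours read, the cardiology chart, and the eleventh and twelfth accesses of the next morning's burst. This is exactly the gap McMillan describes: the rule is never broken, but the pattern is wrong. The false-positive cost of the fixed thresholds is also visible: a nurse covering a different ward for a shift would trip the department check, which is why real deployments baseline over longer windows and weight alerts rather than treating each deviation as a hit.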