Looking at the Cyber Threats to Provider and Payer Organizations in the New Healthcare
On Monday, June 22, Healthcare Innovation held the first in a series of virtual summits to discuss all of the impacts of the COVID-19 pandemic on healthcare operations across the U.S. healthcare system. I moderated an illuminating discussion among healthcare industry leaders. Among the leaders on my panel were Anahi Santiago and Mark Eggleston.
Santiago is the CISO (chief information security officer) at ChristianaCare in Wilmington, Del., and Eggleston is vice president and chief information security and privacy officer at Health Partners Plans, based in Philadelphia. Several key moments emerged during our June 22 discussion. One of them was when I asked the panelists, “Where are we right now in terms of addressing some of these pressing issues that we’re addressing in a different landscape from before?”
“At a very high level, I would say that we’re moving at a very rapid pace, and I don’t see that slowing down anytime soon,” Santiago said. “I think that as an organization, we were ready for this, in that we had the infrastructure, the contractual agreements, and we had the vision to be able to scale out relatively quickly. We didn’t encounter a lot of issues, per se; we were able to keep pace in terms of the things presented to us. We were able to wrap our arms around the evolving pace, and implement controls based on the pace, and were able to keep going.”
I asked Eggleston what it was like for health plan leadership. “With Health Partners Plans, we were able to leverage our business continuity programs to really help us get through it,” Eggleston said. “Having a diversification in technology stack helped us succeed here. We had people with laptops, people with hardened Wyse devices, VMs [virtual machines], and a mix of BYOD technologies. That diversification in the tech stack really helped us. Having some security technologies helped us feel secure in knowing that employees no matter where they were working, we had things in place. So, having security such as multi-factorial authentication (MFA), cloud access security broker, and secure email gateway — all those things really helped us a lot. Outside of that, we also had a gradual approach. In late February and early March, we convened” to discuss the pandemic in its earliest stages. “So thinking early about it really helped us. We started out early with a suggested work-from-home and moved to a mandated work-from-home. So having clear communications and good technology was very important.”
What have been the biggest challenges facing provider and payer organizations? “There are so many devices out there. One of our biggest challenges has been just the increase in the types of devices that we’re onboarding and utilizing in the face of this pandemic, and in the support of telehealth specifically,” Santiago said. “To some degree, one of the biggest challenges will be once we send them home with the patient. We’re looking at devices that can be attached to an iPhone or an Android phone, and that can take vitals and blood pressure, that can be used to monitor things like diabetes—and so these things are driving a lot of value. And not only is there a challenge in terms of their security risk, but we’re also sending them home, outside of our network, where we’re losing visibility. And ultimately, we could be putting patients at risk, because they may be connecting those devices to outdated operating systems or to devices that might have malware on them. But we’re going to continue to grow exponentially in terms of the number of devices we’ll onboard and utilize, and many are being sent home with patients.”
Eggleston said, “Again, our diversification of the technology stack really helped us out. And when you’re using a secure VM, the only thing you’re sending across the wire is keystrokes, so you’re not transferring data; a secure VM should have the USB ports blocked, as well, as that type of architecture or design lessens the risks. But how can we make sure we’re still getting referrals for privacy and security incidents? Because the eyes we used to have in the hallways are no longer there. We’ve talked about that in our privacy and security council on just that point. We had just one report last quarter, and people were focused on the immediate concerns. I think that you have to make sure your workforce is empowered to be the eyes and ears of your security. You know that if a stranger were to walk into your conference room, you’d ask them, OK, who are you? But we’ve had this phenomenon of people joining Skype calls, and I don’t know who they are, and the organizer doesn’t either. So I’ve actually created a script for the convener to know what to ask. Things are changing in the new world.”