As more and more reports of data breaches, cyberattacks, and ransomware in the healthcare industry make headlines, Healthcare Innovation had the pleasure of interviewing Austin, Texas-based CynergisTek’s Mac McMillan on Aug. 24, regarding the current state and the future of cybersecurity, cyber insurance, and ransomware for our industry. McMillan was reappointed CEO and president of the company in late July.
Can you give us a 40,000-foot view of where we stand regarding cybersecurity in the healthcare industry?
I think in some ways, we’re making some progress. But in a lot of ways, I think we’ve kind of hit a wall again. In that, I think, for a while there everybody finally got it. They said, “I have to get more serious about security. I have to put a program in place. I have to get some people, maybe. I have to do some basic blocking and tackling.” And we began to see people do those kinds of things. But unfortunately, the threat doesn’t sit there and go, “OK, I think I’ll just rest. I’ll just quit while you guys do that and let you guys catch up.” It doesn’t ever quit, right? The threat continues to evolve and get more sophisticated and more and more egregious in its impacts.
And so, to really address where we are today, we have kind of gotten past the point where you have a basic program—that’s great—but if you do not have the technical controls within your environment that make the difference with respect to that program, then you are still going to be at risk.
People have implemented multi-factor authentication (MFA) on external connections, they get it. If I go to Starbucks, and I connect to Starbucks, I need to fire up a VPN before I connect to the network, so it is a protected tunnel. So, I have that MFA in place, I don’t mind having that second factor when I’m away from the hospital. But what they don’t understand is that they need to have MFA and privileged access management inside the network as well. Because the reason these attacks are so egregious in most cases, and so damaging, is, once the bad guy gets past the first line of defense, they can go anywhere they want because there’s no segmentation, no control over elevated privileges. All they have to do is get one elevated privilege. One privileged account. And now they can do whatever they want in the environment—and that’s what happens.
So, the problem is, and the reason we haven’t done that is, because it’s inconvenient. The doctors and nurses and everybody have to take the time to put in the second factor before they can log into an application or log into a critical system. They don’t want to have to be bothered with that. There are ways to do that, where if it is set up properly, once I have done that the first time then it recognizes me as long as I am using the right login and it allows me to carry on. We’re at a point where we’ve made it over one big hurdle but we’re looking at the next mountain. We have to change how we do things internally.
The point is, we haven’t really put in hard network segmentation, meaning real segmentation that keeps traffic from moving from one part of the network to the other, or requires you to have the proper privileges before you can move from one part of the network to the other. And the reason that is a problem is that when malware gets into the system and they release it, and it begins to propagate, it flows through the network and if there’s nothing stopping it from going from one VLAN to the next, it eventually takes down the network. Whereas if I released malware in a properly segmented network, there is a good chance I would be able to stop it before it can get to the rest of the network. Because if I experience it in this part of the network, I will sever the connection between that VLAN and the rest of the network.
We have actually done a really good job of building our programs, which is basically more of a compliance-driven thing. We’re making sure we have the procedures, the policies, and controls. Now we are at a place where we need to have networks that are just as sophisticated as the guys that are coming after them. Meaning the network has to be just as sophisticated as the attacker so we have a fighting chance of either blocking it, recognizing it quicker, stopping it before it can propagate throughout the network, or minimizing the impact of the incident.
Can you tell us a little about cyber insurance and how it works?
When you look at cyber insurance, look at it as something that is only going to address the cost of the incident as it relates to the response of the incident, in most cases. It is not going to cover all of the cost of an incident. So, when you start looking at these incidents and how large they are, and the insurance companies are looking to protect themselves as well, even a $21 million payout is a significant payout.
So, if I’m the insurance company, how do I reduce the number of payouts that I have that meet that threshold? I make it harder for you to get the insurance. I up the ante with respect to the underwriting requirements, I give you more specific requirements that you have to meet, and if you don’t meet those requirements, I don’t cover you or I raise your premiums significantly. The message hospitals have been receiving recently is that their premiums are going to go up four to six times, which is huge, unless you can answer yes or have done all of these things.
How much are people paying for cyber insurance?
I’ve heard folks say their insurance costs are millions of dollars, in terms of their premiums, and the cost keeps rising each year. I’ve heard some premium costs may go up four to six times. Even if it’s $1 million, four to six times more is significant. Say the cost is $5 million a year, then it’s $20-30 million. Basically, what insurance companies are trying to do, is cover their anticipated payouts. So, insurance companies work on actuarial tables, and basically track the cost normally paid out on incidents, etc., etc. And there’s a reason the premiums are what they are—because the insurance companies pretty much try to figure out how to collect enough money to cover whatever the company is going to end up paying out. Then whatever the company wants to make in terms of profit, because at the end of the day it is a business. Essentially, what you are doing is, again, covering the cost of whatever it takes to respond to the incident, but the true cost of the incident isn’t covered.
Given how exorbitant the price of cyber insurance is, is it still worth it?
Yes, it is still worth it. Because it still does cover the cost of an incident for the most part. Assuming you do not suffer any catastrophic operational impact, then it is a good thing that you had it. Frankly, most of our incidents, that’s the category that they are in. The overwhelming majority of our incidents don’t end up like a Scripps or the University of Vermont—where they’re down for weeks.
But what would be even better, because that operational loss is tied to the overall impact of the breach and the downtime, is that people should start thinking of cyber insurance as what it is: a part of their solution, which answers one particular need, and then focus on the rest of it as well, meaning what do I have to do to be more resilient when these things occur, what do I have to do to be able to react faster when these things occur, what do I have to do to be able to recover quicker operationally, so that I mitigate the overall impact of this. Because if I can lower that impact and still address the cost of these incidents, it becomes a very beneficial combination.
Let’s talk about ransomware and the question that everyone seems to be asking: Do you pay, or do you not pay?
You know, that’s a tough one, because the feds don’t want you to pay, obviously. Nobody wants you to do anything that makes it lucrative for them to keep doing it because that’s why they’re doing it, they’re doing it because they are making money at it. Having said that, though, there’s also this realization that I have a hospital to keep running, and you don’t have a solution for me to get out of this mess right now, and every day that I am down I am losing X thousands of dollars per minute, per hour, per day, and/or I am not able to treat patients, I have to turn patients away.
If you can’t give me a better solution, then I am going to pay the ransom to get out of this mess. The problem is even if you pay the ransom, it doesn’t necessarily get you out of the mess and doesn’t guarantee that they’re not going to come back again, and so it’s one of those things where it’s kind of an endless negative loop no matter what you do. You’re damned if you do, damned if you don’t. If you don’t pay, your business is down. And if you do pay, everyone says you shouldn’t have paid it.
Being a CEO, I like to say, come sit in my chair and make these decisions. Be the guy that has to face the microphone and explain what you are doing then tell me how easy it is to just dismiss it. It is tough and I have a lot of empathy for the folks that are finding themselves in this situation, especially in our industry. You have an industry of people who are built on a foundation of care, and the first priority is to take care of people, and now they are not able to do that, and is that worth some principle? And the answer is, the principle of care trumps everything else in healthcare. Which as a patient, is what you want.
It is a very difficult thing. And the reason there is not a consensus is that not everyone recognizes that there is not a good answer. The truth of it is, as I say, it is easy to second-guess or play armchair quarterback until you are the guy or gal that has the gun pointed at you, and you have to make the decision, and all of a sudden it becomes real. And ultimately, I would like to see us be in a position that we didn’t have to pay the ransoms, obviously. There’s no doubt about it, as long as there’s benefit in it, the bad guys are going to go there. Just like Jesse James, why did he rob banks? Because that’s where the money was, it was easier to do that than start a ranch.
What about those who say paying ransom should be against the law?
Well, it is impossible to create that mandate unless you are willing to make it a criminal offense. People aren’t paying ransoms because they want to, it is the last thing they want to do. They would love someone else to come up and say, “I can get you out of this mess and I’ve got the key that can unlock your information.”
I guess where I come down is, I would like to see us become more proactive and make our institutions and our systems more resilient and more resistant to these kinds of threats. I’d like to see a set of protocols that says your first move shouldn’t be to pay the ransom, there are avenues you should at least try to go down before you get there, but I think when you get to that place, you’ve exhausted all reasonable options to resume the business, short of paying the ransom. I think there has to be some recognition; do we really want a hospital to go out of business? Do we expect the executives that are running these companies to essentially destroy all of the shareholder value in the company because they stood on principle? Or do we believe there is a point that the benefit outweighs the cost? I think in everything there has to be reason. I’ve never experienced a situation where the first thing someone wanted to do is write that check.