Cyberattacks certainly did not slow down in 2021 and the forecast for 2022 doesn’t look much better. A good cybersecurity foundation is imperative for health systems and organizations because patient safety is on the line. As threat vectors intensify and the bad guys get “badder,” what can healthcare organizations do to protect their patients and revenue?
Healthcare Innovation sat down with Francois Bodhuin, technology director and information security officer at Inspira Health in Vineland, New Jersey. Inspira Health is a nonprofit integrated health system comprised of three hospitals, two comprehensive cancer centers, and several multi-specialty health centers, and has a total of more than 150 access points including urgent care; outpatient imaging and rehabilitation; cardiac testing facilities; home care and hospice; and more than 35 primary and specialty physician practices in Gloucester, Cumberland, Salem, Camden, and Atlantic counties.
Why should a hospital or health system have a good cybersecurity foundation? Why is it so important?
Let's talk about information security (InfoSec). InfoSec, the way I look at it, it’s really ubiquitous, which means it's everywhere. Everyone has data. When you get your smartphone out and you put your fingerprint on the smartphone to log in to it and also with your email, you're doing InfoSec. You're doing multifactor authentication, which is a component of information security. It's not just business, you have to protect yourself at home, too.
So, why do InfoSec in healthcare? First of all, no target is too small. It could be a big city hospital system, or it could be a small rural hospital—hackers don't really care because they have programs that surf the web by themselves, and they're pretty much looking for targets and openings. They attack and find whatever data they can because then they can monetize that data.
InfoSec is really all about risk management, and what I mean by that is acceptable risk. InfoSec has cost to it, and you need to look at what you're trying to protect and how much you decide the value of what you're trying to protect is worth compared to how much you have to spend.
The constraint that is pushing us to implement InfoSec in a in a healthcare environment is compliance. Just because you're compliant doesn't mean you’re secure. I think we get most of our money for information security because of compliance. We have to follow some rules, for example HIPAA. Everyone knows HIPAA. There are other compliance regulations that we have to follow, too. Another example is PCI (payment card industry). If we take a credit card, we have credit card machines. We have to pay attention to that. NIST (National Institute of Standards and Technology) is also a government framework which defines how you set up your information security controls.
The other thing that comes out is the media. A lot of information that comes out in the media is about hackers and information security. In the past month, there probably were two [segments] in “60 Minutes” on information security and hackers. This raises the awareness of the board. And the board is looking at this and they're saying, “Well, are we doing the right thing? And are we protecting our users? Are we protecting our patients’ information and confidentiality?” The media has a huge effect and I actually like it because it gives me the opportunity to explain what they were saying.
Additionally, there are different types of bad guys out there. There are “kiddie hackers” [or script kiddie, meaning a relatively unskilled individual who uses scripts or programs developed by others to attack] but also professional hackers and then there are nation-state hackers. They are all running programs over the web that are discovering targets. If those targets have a vulnerability that they can exploit, then they will exploit it to find data and try to either monetize it or take advantage of it. These are some of the pressures that force you to have an InfoSec program in a hospital.
What are some simple things that organizations overlook when it comes to building a solid cybersecurity foundation?
The most important control—it's not 100 percent foolproof though—is multifactor authentication. That is the number one thing that I would tell anyone to implement because it's the way to open the door to your system. If you do not have multifactor authentication, you at the mercy of someone using passwords and reusing passwords. If you use the same password at home too, for something like Yahoo! for example, and you come to work and use the same password you have a chance that that password will be discovered. If it is, then your business password is now open, and people can come in and use your account to get in the system in your [place of] business.
Another thing that I think is important, is testing your incident response plan. Penetration tests are really key to do, and to keep doing. It’s important because you’re testing to see if the protections you designed and put in place are working.
Also, testing users on a regular basis. Phish them on a regular basis—perhaps quarterly or monthly. Then, whoever gets caught, has to go to extra training that helps raise awareness. And then, the next time, you can test them with something similar and hope that they do not fall for it again.
A human is the weakest link. What I mean by that in healthcare is, that the second nature of all the people that work in healthcare is to help people. When you go to a hospital, you will get people who are compassionate and caring and who want to help you. So, if someone gets a call at an organization that says, “Hey, I’m Steve from IS and I need to reset your password because we had a problem. Can you give me your password and we’ll reset it for you?” Not only are healthcare workers really busy anyway, but they want to help and so they’ll likely give their password and that’s why phishing tests and other exercises are done so that people are aware of these types of situations.
Do you have any advice on talking to boards of directors about the importance of cybersecurity?
Board members may not have an IT background, but they have a business background—and that's how you talk to them.
First of all, with the board, you have to get their attention. Start with a good story about how you defended the organization from an attack or something similar. When you talked to the board, you usually don't have that much time, so you really have to get their attention. Do not get too technical. As soon as you throw a three-letter acronym at them, you start seeing blank stares.
Additionally, pay attention to what they have to say. You have to listen, and at the same time, you have to make them understand how you relate to the business. Because InfoSec is really an expense. It's not like we're bringing revenue into the organization, we’re protecting the organization. We work to make sure that we don't get hit with millions of dollars in ransom. We’re not really on the expense side so you have to relate to that side of the business.
There's also some concept like ROSI (return on security investment). This is basically ROI (return on investment) with security in-betweens and that’s something you can discuss with the board, because again, they are businesspeople. They understand finances and if you explain to them how your investment in security makes sense because you are minimizing risk, you will get their attention. You have to talk about things that they're interested in and that they can relate to. Like I said, the three-letter acronyms, like PCI, that's it, that's the end of the conversation. Or something like LAN, it just doesn't do anything for them, and you don't have enough time get into a detailed technical explanation. Plus, a technical conversation is not something they want anyway.
They really want to know what value you’re bringing to the organization and in InfoSec the value is how well you protect the organization. And for that, one of the first things you need to do if you come into an organization is to do a security assessment. An organization needs to learn what you want to protect in the first place. If you don’t know what it is you are protecting or where it is, get a third party to tell you. This is not only important when you come into an organization but also during mergers or acquisitions, as well.
How can an organization use its existing infrastructure as part of its cybersecurity strategy?
For example, you discover that there is no network segmentation because they didn't feel it was necessary. You would implement that. You look at the different controls that you need to put in place and ask, “Is it worth it?” Again, it goes back to acceptable risk and if it would be worth it.
And if you do decide to implement something, you should ask, “How much does that protect the organization? What is the value?” You can never ask those questions too many times.
