The cybersecurity landscape in healthcare remains fraught and perilous; indeed, cybersecurity experts agree that there has never been a more challenging time than now. Are the leaders in patient care organizations who are charged with managing cybersecurity stepping up to the plate? Somewhat.
Here are several key results from a survey that Healthcare Innovation conducted this summer of senior health information technology leaders in hospitals, medical groups, and health systems:
> Asked whether the threat level they’ve been experiencing is now higher than it was a few years ago, 71 percent of survey respondents reported that it is higher now; 27 percent said it is about the same as it has been; 2.44 percent said it is lower.
> Asked how often they back up their core electronic health record (EHR) systems, 54.93 percent of respondents reported that they back up their EHRs daily; 11.27 percent back them up weekly; 5.63 percent do so monthly; 1.41 percent do so quarterly; and 26.76 percent said that they don’t know.
> Asked whether they perform audits on their EHR backups, just 18 percent said they audit their backups weekly; 21 percent said they perform backup audits monthly; 12 percent do so quarterly; 5 percent do so annually; and 44 percent said they don’t know.
> Asked whether they are engaged in a range of advanced cybersecurity strategies, the results were as follows: 14 percent have done advanced network segmentation; 27 percent have segmented medical devices; 25 percent have performed behavioral monitoring of systems; and 32 percent have engaged a security operations center (SOC) to help them execute on cybersecurity.
As for whether they follow a cybersecurity framework, such as the Cybersecurity Framework published by NIST (the National Institute of Standards and Technology of the U.S. Department of Commerce), 40 percent of survey respondents reported that they follow the NIST framework or another framework, while 29 percent do not, and the rest didn’t know.
As the FAQ page on the NIST website notes, “The Framework is based on existing standards, guidelines, and practices for organizations to better manage and reduce cybersecurity risk. In addition, it was designed to foster risk and cybersecurity management communications amongst both internal and external organizational stakeholders.” It also notes that “NIST is not a regulatory agency and the Framework was designed to be voluntarily implemented.”
Against that backdrop, Healthcare Innovation Editor-in-Chief Mark Hagland recently interviewed Angela Rivera, market leader and cybersecurity adviser at Chartis, the Chicago-based consulting firm, where she leads the cybersecurity practice. Hagland and Rivera spoke about a number of issues facing cyber leaders in healthcare; below are excerpts from that interview.
A recent survey of readers that we conducted found a disappointingly low level of adoption of some of the key strategies that experts like yourself agree are advanced, including micro-segmentation, audits of EHR [electronic health record] backups, behavioral monitoring, and the engagement of SOCs [security operations centers]. What’s your reaction to those results?
I’m not surprised by them at all. We work with a very broad range of organizations, from smaller hospitals to large IDNs [integrated delivery networks]. And there’s a lot of maturing that needs to happen, and a lot of organizations don’t have the capacity, funding, or resources to do those things. Per audits, many organizations still haven’t tested their DR [disaster recovery] plan. Have you tested your backups? How often? And auditing your EHR has been a key element in cyber success.
One of the things that I’ve discussed with other experts is the fact that, if the leaders of a patient care organization fail to audit their backups of their EHR, they can end up with several months of corrupted, and therefore, worthless, backups, when they’re hit with ransomware or other malware. Doesn’t the auditing of backups seem like an obvious procedure?
Doing some of the things to make sure you’re not going to be attacked, the defensive strategies seem to be the focus still. You had asked about behavioral monitoring. If you’re able to set that up and see anomalies, you can see things more quickly, in terms of systems sitting out there with malware. They can be more proactive on defensive strategies.
And in terms of SOCs, there are pros and cons: for one thing, some organizations just don’t have the budget to engage SOCs. Also, sometimes, you end up with so many alerts that, if you don’t have anybody to monitor those alerts, you’re still behind. AI [artificial intelligence] might help with that. But if you’re not focused on some of those defensive strategies, the auditing won’t matter. Both are necessary. Most people are focused on the defensive strategies to try to avert an incident.
What should the frequency of audits of backups be?
Really, ideally, every day. It’s based on what your organization has established. How long do they feel comfortable being without their data? You do your backups every day. If your leadership is willing to take that level of risk to only do audits every six months, then that’s what they’ve set up.
A lot of hospital-based organizations are still very far behind. How do you see the landscape overall in that regard?
I agree that that’s true. Yet some organizations that aren’t small still are under-funded. We work with some of the best organizations, and they try their best with the people and funding that they have, to eliminate the highest levels of risk. I’m seeing some success with some of the worst issues. Vendor security management is still such a big issue. And yes, it’s easy to become a hacker; you can buy manuals on the dark web; they don’t even have to be very good at it. But they are getting smarter now by attacking third-party vendors that have contracts with hundreds, or even thousands of hospitals, now.
It's also true that you can be big and well-funded and still not be advanced. With regard to advanced network segmentation, it’s important for everybody. But why is there such low adoption? The more complex the environments become, with more partnerships and business lines—organizations are connected with their payer, they have services they’re performing for other entities—those are the organizations that really should be thinking about their advanced network segmentation strategy and about how to limit their attack surface and the damage, if something does happen. Bigger organizations are thinking that way; but smaller organizations just don’t have the staffing and budget.
Surveys are consistently finding that only half of hospital-based organizations have CISOs. Thoughts?
Boards and c-suites are better these days at understanding the value of security than they used to be; but I think they still don’t yet see it as a strategic role for the organization. Often, organizations have directors of IT security. And those directors should be doing the same thing, but they don’t have the right audience. I wrote a leadership piece targeting CEOs on what you should be asking your CISOs or directors of security. So, if you’re not doing this, you’re not living up to your fiduciary responsibility. We can send it to you.
How would you describe the overall level of awareness of CEOs, c-suites, and boards of cybersecurity issues?
I think it’s getting better; but I still don’t think there’s yet enough recognition that the CISO or security leader needs to have a seat at the c-suite table. I led a panel at HIMSS about this, in terms of strategic imperatives. How can we help CISOs to elevate their position as a strategic enabler, as opposed to somebody to be the fall guy if there’s a ransomware attack. As you know, most CISOs don’t last if there’s a major attack. They have to be a true partner. And that’s where we don’t yet have that level of maturity, in terms of the CISO being one of the partners in helping the organization achieve its strategic security goals.
What will the cybersecurity landscape in healthcare look like in a few years?
I think right now the increasing excitement around AI, everybody’s probably going to get distracted by AI for a time, and they shouldn’t. And AI will just increase the number of ways that you can get into an organization, but if you still have a mature foundational element, it won’t be as impactful to your organization. But there’s a bit of a concern that AI will be a major disrupter, a major threat. I don’t think it will have quite the impact that people imagine. AI will be a bit of a distraction, but as long as you stay the course, you’ll be fine. But more focus needs to be put on cloud, particularly among smaller organizations. So many organizations are moving to the cloud to save money and resources; but you really have to fortify your security as you move to the cloud, and you still have to ensure that your network security perimeter is ready for cloud. And you’ll get increased traffic.
You still have to have a really strong security infrastructure as you move to the cloud. And there’s this misperception that you won’t have to worry about data security; but in fact, you still have to work a heck of a lot. And I’ve mentioned vendor security management: organizations still lack robust vendor security management programs. There are still gaps there, and more breaches than ever before are being caused by third parties.
Is there anything you’d like to add?
We’ve all been talking about this for so long, but if you can just mature your foundational elements—CEOs need to understand that if we don’t have our basic foundational elements in place, we’re at higher risk. If you’re going to look at new service lines or at acquisitions, I can help you do that through these advanced programs, like advanced network segmentation, like behavioral monitoring. We’ve been saying the same thing for years, and it still isn’t getting that much better. Every time a new tool comes along, we have the “shiny object” problem. That’s why I think AI is a bit of a distraction right now. We just need to move forward in a strategic, organized way.
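The backup-audit point raised in the interview above (backups that are silently corrupted for months, and an audit frequency set by how much data loss leadership will accept) is easy to state and easy to get wrong in practice. The script below is an added illustration for this article, not code from Healthcare Innovation, Chartis, or any EHR vendor, of what a backup audit has to check. It assumes the backup job writes a manifest with a SHA-256 of each file as produced, and it constructs a week of in-memory "EHR exports" so that it runs offline; the dates, record contents and failure cases are all made up. It shows two things a schedule alone does not: a hash check catches a backup altered after it was written (bit rot, or ransomware that reached the backup target), but only a restore test catches a job that faithfully stored junk, and the recovery point that matters is the age of the newest backup that passes every check, not the last one the scheduler ran.

```python
"""Backup audit for an EHR backup set: confirm each backup is present, matches
the hash recorded when it was written, and actually restores; then report the
real recovery point, i.e. the newest backup that passed every check.

Added illustration for this article, not code from Healthcare Innovation,
Chartis, or any EHR vendor. Backups, manifest and "patient records" below
are constructed in memory; a real audit would read the backup target.
"""
import gzip
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Finding:
    name: str
    taken_at: datetime
    status: str          # "ok" | "missing" | "hash_mismatch" | "unrestorable"
    detail: str = ""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_backup(records: list) -> bytes:
    """Stand-in for the nightly job: a gzip-compressed JSON export."""
    return gzip.compress(json.dumps(records).encode())


def restore_test(blob: bytes) -> int:
    """Restore check: decompress, parse, and require a non-empty export.
    Returns the record count; raises if the backup cannot be restored."""
    records = json.loads(gzip.decompress(blob))
    if not isinstance(records, list) or not records:
        raise ValueError("export contains no records")
    return len(records)


def audit_backups(manifest: dict, store: dict) -> list:
    """manifest: name -> {"taken_at": ISO-8601, "sha256": hex}, written by the
    backup job; store: name -> bytes as they exist on the backup target now."""
    findings = []
    for name, entry in manifest.items():
        taken_at = datetime.fromisoformat(entry["taken_at"])
        blob = store.get(name)
        if blob is None:
            findings.append(Finding(name, taken_at, "missing", "not on target"))
            continue
        actual = sha256_hex(blob)
        if actual != entry["sha256"]:
            # Changed after it was written: bit rot, or ransomware that reached
            # the backup target and encrypted the file in place.
            findings.append(Finding(name, taken_at, "hash_mismatch",
                                    f"manifest {entry['sha256'][:12]} != stored {actual[:12]}"))
            continue
        try:
            count = restore_test(blob)
        except Exception as exc:  # gzip/zlib errors, JSON errors, empty export
            # Hash matches, so the target holds exactly what the job produced:
            # the job itself produced junk. A hash check alone misses this.
            findings.append(Finding(name, taken_at, "unrestorable", repr(exc)))
            continue
        findings.append(Finding(name, taken_at, "ok", f"{count} records"))
    return findings


def effective_recovery_gap(findings: list, now: datetime):
    """Time since the newest backup that passed every check (None if none did).
    This, not the schedule, is what a ransomware recovery would actually lose."""
    good = [f.taken_at for f in findings if f.status == "ok"]
    return now - max(good) if good else None


# --- constructed sample: six nightly backups, audited on the morning of the 8th ---
NOW = datetime(2024, 6, 8, 2, 0, tzinfo=timezone.utc)
RECORDS = [{"mrn": "000123", "dob": "1970-01-01"}, {"mrn": "000456", "dob": "1985-05-05"}]
MANIFEST, STORE = {}, {}


def _record(day: int, produced: bytes, stored: bytes = None):
    """Register what the job produced (hashed into the manifest) and, if
    different, what is actually sitting on the backup target now."""
    name = f"ehr-2024-06-{day:02d}"
    MANIFEST[name] = {"taken_at": datetime(2024, 6, day, 2, 0, tzinfo=timezone.utc).isoformat(),
                      "sha256": sha256_hex(produced)}
    STORE[name] = produced if stored is None else stored


GOOD = make_backup(RECORDS)
_record(2, GOOD); del STORE["ehr-2024-06-02"]      # retention job pruned it
_record(3, GOOD)                                   # healthy
_record(4, GOOD)                                   # healthy
_record(5, make_backup([]))                        # job exported nothing
_record(6, GOOD, stored=b"\x00" * len(GOOD))       # overwritten on the target
_record(7, GOOD[:-8])                              # job truncated the file


def run_audit():
    findings = audit_backups(MANIFEST, STORE)
    return findings, effective_recovery_gap(findings, NOW)


if __name__ == "__main__":
    findings, gap = run_audit()
    for f in findings:
        print(f"{f.name}: {f.status} ({f.detail})")
    print(f"daily schedule, but the newest restorable backup is {gap} old")
```

Run as a script it lists one finding per backup and then the effective gap: the schedule says "daily", but the newest backup that both matches its manifest hash and restores is four days old. In a real program the manifest hashes should be stored somewhere the backup job cannot rewrite (an immutable bucket or a separate signing host), since a job that can update the manifest after it corrupts a file will pass the hash check; the restore test is the check that survives that failure mode, and its frequency is the "how long can you be without your data" decision the interview describes.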