Leaders at the Ormond Beach, Fla.-based Health-ISAC—the Health Information Sharing and Analysis Center—continue to engage in working to connect healthcare stakeholder organizations globally, including across the United States, to address the ever-intensifying cybersecurity threats facing the healthcare industry these days.
And, with news of ransomware attacks and data breaches hitting the mainstream media seemingly every week, Healthcare Innovation Editor-in-Chief Mark Hagland spoke recently with Errol Weiss, Health-ISAC’s chief security officer, but where the U.S. healthcare industry, in particular, hospitals and health systems, is right now relative to the intensifying threat landscape, as we plunge into 2024. Below are excerpts from that interview.
When you look at the overall threat landscape facing the leaders of hospitals, medical groups, and health systems, what do you see right now?
Well, the threat landscape never gets better; in fact, it’s getting worse every year. In terms of what Health-ISAC has been doing—I’ve been here four-and-a-half years now—and we’ve really been doubling down on our efforts to grow, here in the United States, and in Europe and the Asia-Pacific region as well. We already have members in over 100 countries globally. And we’re dealing with large, multinational corporations with staff all over the world. We have an active European office is in Brussels, while the operations head for that office is in Athens. He’s able to work with the European governments. And we’re trying to extend the reach locally. We don’t yet have a physical office in the Asia-Pacific region, but we’re working on that.
And what are you looking at most intensively right now?
The top things we’re worried about are phishing attacks against organizations, and ransomware—and they’re closely related; those remain the top two, as they have been. And data breaches are still happening. We did an analysis looking at the HHS-OCR report on data breaches [encompassed in the report entitled “Healthcare Sector Cybersecurity: Introduction to the Strategy of the U.S. Department of Health and Human Services,” published in December 2023]. And there were 3,604 patient records breached every hour and reported to HHS, on average.
That’s so mindblowing.
Yes; I have that number in my head, and when I do presentations, I bring up that number as representing the average number of breaches that will happen during the time of my presentation. That’s one of the key pieces of the puzzle. And number four will be third-party partner breaches. The security of partners remains a huge concern across healthcare. And the final broad concern is around social engineering.
Does that mean people manipulating social media platforms?
Classically, it’s a person interacting directly with someone else, where the bad guys call up the help desk of an organization and pretend to be traveling and have lost access to the network, and are able to get access to something they shouldn’t have gotten access to.
We’re hearing there is greater knowledge and awareness on the part of patient care organization leaders, but it’s probably not evolving forward fast enough, correct?
Yes, that’s correct. I came into this sphere from the financial services industry. And what happened in HC is that when you look at the move to electronic health records and the ongoing digitization of healthcare. And in the 1990s, with HIPAA [the Health Insurance Portability and Accountability Act of 1996, which for the first time set a federal frame around privacy and security issues], the focus was on compliance: organizations needed to comply with new regulations around privacy and security. I used to do penetration testing when I worked for the National Security Agency; and we were always able to get in. And when we were doing a debrief once, the network administrators—in the defense area—said, how could this be? We just went through a whole securitization process. And that’s the problem with compliance-based processes. There are all sorts of avenues of opportunity for the bad guys; that’s the difference between compliance and security And the spending in healthcare has been on compliance versus security. But healthcare leaders are learning that they need to spend and invest, even as the bad guys get smarter.
What are the smartest patient care organization leaders doing right now?
One of the things I learned from my time in financial services—what I saw at Citibank is what we call the intelligence-led security mantra. What’s happening in the threat landscape? In market forces, so that you can react to change in the landscape? Some organizations that have done well try to have threat intelligence operations in place.
Are your conversations different now from how they were a few years ago, with hospital and health system leaders?
For the time I’ve been here with Health-ISAC for over four years, it’s been pretty consistent that the focus has been on ransomware. I think the conversations now are about trying to convince more on cybersecurity; the industry as a whole has been talking about establishing minimum best practices. And the federal government is looking at mandates.
Would you favor financial penalties? As you know, a controversy has erupted over HHS officials’ suggestion in December that the agency might ultimately impose financial penalties for lack of preparedness, and the American Hospital Association has spoken out forcefully against any such possibility.
I’m not a big fan of mandates. I think that the help hospitals need is on the investment side. We know how strapped for resources they are. They need the help; they need the staff. And it’s tough to hire; and they’re competing with everybody else.
And only half of hospitals have CISOs, even now, which is another obstacle on the journey forward.
Yes, that’s shocking. And do we spend more money on cybersecurity, or do we spend our resources on better patient care? It’s definitely a tough balance when it comes to providing life-saving care versus security. So government can help in terms of providing financial incentives to do things like that. And the New York Governor announced that that state is investing $500 million in the hospitals in that state. We need those things. Penalties don’t work; they won’t help.
In this moment, what would your advice be for patient organization leaders tasked with the responsibility for cybersecurity?
The bad guys continue to innovate. We need to stay ahead of the curve and be vigilant and stay up to date, and understand what’s going on. I heard a great quote: the promise of all this new technology (in healthcare) brings new peril. So we need to stay ahead of those things—constantly.