With the recent and ongoing cyber-attack scare on Change Healthcare, the Department of Health and Human Services (HHS) is encouraging healthcare systems to look at their vulnerabilities and beef up cyber security.
Healthcare Innovation recently spoke with Steve Cagle, M.B.A., H.C.I.S.P.P., on the topic of cybersecurity in healthcare. Steve Cagle is the CEO of Clearwater, a Nashville-based healthcare security company, and a board member of the Association for Executives in Healthcare Information Technology Security (AEHIS).
What can you say, if anything, about the security breach at Change Healthcare?
Our healthcare environment has resulted in the adoption of a lot of technology as one trend. We're creating a lot of data. We've also had a lot of mergers and acquisitions in healthcare, both from the hospital perspective and with technology providers. Technology providers are becoming increasingly interwoven with healthcare system providers, payers, and other participants in this connected healthcare space.
Change Healthcare is a very critical part of the payment processing system, it being very important for prescriptions to be authorized by various payers. These trends are creating more vulnerabilities within the healthcare ecosystem, and those vulnerabilities are providing more opportunities for threat actors to target those vulnerabilities, exploit those vulnerabilities, and launch a ransomware attack. The data is very valuable, as we know because it's protected health information. A ransomware attack on a provider or a critical service provider that providers rely upon can impact patient care. Patient outcomes are affected, so we're seeing that with the attacks on the hospitals. We're seeing it now with physician practice management groups and service companies. We saw it with laboratories. All these things are impacting the ability of patients to get the care they deserve. So, cybersecurity has become a patient safety issue.
There is also a very big financial impact when there's a breach. Healthcare is the most expensive industry in which to have a breach. The overall sector is one in which we need to ensure that we have very strong security controls in place that meet industry standards. There are standards like the cyber security framework and cyber security practices that align with the top five threats in healthcare. We need to do ongoing risk analysis because the bigger an organization, the more opportunity there is for risk. We have to do that risk analysis at a very detailed level throughout the organization.
I’m not commenting on Change Healthcare’s security program. It was reported that they've had an exploit of the ConnectWise ScreenConnect™, which was a vulnerability. When we have these zero-day vulnerabilities, organizations should be moving very quickly to patch them or take those systems offline. It was posted that BlackCat said that's not how they breached Change Healthcare and that they used some other means. Whether that's true or not, we don't know because it's not uncommon for these cyber criminals not to be truthful.
All organizations need to be reminded of just how crucial it is to ensure we are patching these vulnerabilities as quickly as possible. As an industry and as an organization in the industry, we need to be able to withstand an attack and continue to operate our business in a way that doesn't impact patients and hopefully doesn't result in very impactful financial costs to the organization.
What are the biggest lessons learned from this event?
We have systemic risk in health care. The way the sector works, is that every organization is responsible for its own security program and its own compliance program with HIPAA and other regulations. There's inconsistency, I would say, across the industry. The key lesson here is that as we become more connected and rely on each other, one organization’s risk is somebody else’s risk. We really need to have a set of standards that we agree upon as an industry or that are established for the industry. Those standards need to be specific, and incentives need to be implemented to adhere to them.
We need to provide help for smaller organizations because they don't necessarily have the resources to implement all these security controls. The need for security has outgrown the means of a small organization. We need to have a realistic way of implementing standards for smaller organizations that don't have the resources or the experience to implement a reasonable and appropriate cybersecurity program. They should look to partners and advisors to help them with that. Over time we need to have a way to ensure we have accountability to standards.
Another lesson learned is that we need a faster and more coordinated way of getting information out to the sector. There was a lot of information flowing between text messages and people calling. The government organization is getting information out. Other organizations were also sending information out, some of which was not accurate. When there's a vacuum for information, people go where they can get that information. We need to have a faster means to get that information out to the people in the sector who need that information, not just the providers but also the other vendors and the people who are connected to them. We need to ensure we're giving very actionable, timely information because the cybercriminals are not waiting around. They're very fast, and they move very, very quickly; we can't wait three or four days to get indicators of compromise.
Could you speak more to standards?
We do have practices and standards. We have the HIPAA security rule. We have the NIST cyber security framework, which is very appropriate for the healthcare industry. We have the 405 D health industry cybersecurity practices guide developed between public and private partnerships under the cybersecurity task force of the Healthcare Sector Coordinating Council. Those standards exist, and many organizations are adopting them. But some are not necessarily doing it. When I'm really talking about standards, I'm really talking about accountability to those standards.
Every organization needs to do a risk analysis and understand its specific vulnerabilities and threats. You have to do that risk analysis, and you might need to go above the baseline and above the standard to bring risk to an acceptable level.
What are your thoughts on the future of cybersecurity in healthcare?
There's been a lot of activity in healthcare. In March, the Biden administration released its Cyber Security Strategy, followed by the implementation plan. In December, HHS released its Cyber Security Strategy concept paper outlining principles or pillars. In that paper, they talked about the cybersecurity performance goals, which are currently voluntary. The 405 D health industry cybersecurity practices guide talked about more incentives and asked Congress to provide more incentives. We need to see more regulation. Also, they talked about a more coordinated response. They released cybersecurity performance goals a few weeks ago.
Hopefully, we'll see more incentives, such as more financial support for smaller organizations. I think it's very likely that we're going to see some of these controls outlined in some of the practice guides, as well as cybersecurity performance goals that could potentially be implemented in the HIPAA security rule. HHS has said that they're going to revise the HIPAA security rule and start that process in the spring. I think that that will lead to more regulation. They have also stated that they're going to be, or they are in the process of, asking Congress for more resources to enforce those regulations.
I also hope we will see this type of event as a wake-up call. So, besides all of the things that might happen from a regulatory or federal support perspective, I hope that executives and boards will understand the impact of a cybersecurity event and prioritize it. As one CIO said on LinkedIn recently, whatever you're planning on spending on cyber security this year, double it because the attacks are going to increase.
Do you believe these types of attacks are on the rise?
It is on the rise. The number of records breached doubled last year, and ransomware attacks globally have been up 95 percent. In healthcare, we had about 46 hospital systems in 2023 that had a ransomware attack versus 25 the year before.
It's not just hospitals that are affected. These types of breaches also affect physician practice management groups, payers, health services, and healthcare technology companies.
When you have very valuable data, and that data becomes much, much larger in terms of its volume, and as we're increasing the number of places where you could potentially get to that data, that attracts a lot of criminals. More and more criminals are targeting healthcare because, quite frankly, it's pretty easy to get to relative to other industries, and it's worth a lot. Criminals are not going to change their motivation, and we do have criminals that are being harbored or even supported by nation-states. We have a number of nation-states that we are not very friendly with right now.
Could you speak to the cybersecurity investment of healthcare versus other industries?
The healthcare industry is playing catch-up after many years of underinvesting. Hospitals and health systems have been under a lot of financial pressure, especially since the pandemic, and they've never fully recovered from that. Inflation has gone up. A lot of nurses and doctors have left the workplace, so it's very expensive and difficult to get replacement staff, not just in clinical care but in operations as well. They're dealing with higher costs and reimbursements, which are not going up proportionately. When you have an industry already having financial trouble and underinvested, it's difficult for them to play catch up. Healthcare is one of the lowest-spending industries when it comes to cybersecurity.
What do hospitals need to do regarding external entities?
It's very important to have at least a well-developed risk management program on how to manage risk for those third parties. How do you tier your third parties in terms of impact to the organization? For those that are more impactful, you probably want to do a more rigorous risk assessment, and it's not just answering questions and checking a box. It's ensuring that you're assessing those high risks and that you're working with that third party to bring risks to an acceptable level. What’s really important is that we have third parties that are addressing their security programs and that there's a limit to how much influence one’s going to have on their third party at some point.
It is important to have a backup plan, assess and work with third parties, and use whatever leverage you can to get them to improve. However, having a strong incident response plan, a business continuity plan, and a disaster recovery plan that incorporates third parties is also key.
Do you have any additional advice for the healthcare sector?
It’s really important not to wait. When people have asked me that question, I say my number one advice is don't wait. We had an experience just last night where somebody waited too long. They had an incident. It's amazing how quickly the organization can move once there's an incident.
Do your risk analysis. If you haven't done one recently, do it now. If you've done one at a high level, do it at a deeper level. You want to understand where you are relative to the current risks and do it at a level of granularity and rigor that is going to go deep enough. Have you gone deep enough in today's environment based on the current threat landscape? Be rigorous, be comprehensive in your risk assessment, and make sure you're doing that on an ongoing basis.
