At a time when cyber threats against patient care organizations are intensifying, where should healthcare IT security leaders place their bets—and their resources—when it comes to investing in protective technologies and strategies? That was the topic of discussion on Thursday, June 16, during Healthcare Innovation’s Northeast Summit, being held at the Boston Park Plaza in the heart of downtown Boston.
On Thursday morning, Healthcare Innovation Managing Editor Janette Wider led a panel of industry experts in a session entitled “Cybersecurity: Biggest Threats, Biggest Opportunities.” She was joined by Esmond Kane, CISO at Steward Healthcare (Boston); Chad Wilson, a healthcare cybersecurity executive; Richard Staynings, who teaches postgraduate courses in cybersecurity and health informatics at the University of Denver University College and who is also chief security strategist for the New York City-based Cylera; and Todd Felker, executive healthcare strategist at the Sunnyvale, Calif.-based CrowdStrike.
Wider began by noting the intensifying cyber threats to healthcare, and then asked her panelists, “What can organizations do to protect themselves?”
“I think COVID has been a mixed blessing,” Kane said. “It’s forced us to innovate, and we’ve had to develop new strategies. There’s a study that found that the pandemic accelerated cloud adoption by three to seven years. And the bad guys have shown us that they’re not going to wait for us to catch up. So, we need to expand our cyber hygiene. We need good identity hygiene, multi-factor authentication, everything, we need to do it and do it consistently, and do it in the cloud sphere. We need to do it consistently, to measure our effectiveness, and to report it to our staff.”
“We are condemned to live in interesting times, to quote Sun-Tzu,” Staynings said. “And healthcare organizations across the western world are all experiencing similar problems. We’ve seen the convergence this year of the criminal gangs, like the Conti Group and others, and the Russian state, (which arguably is also a criminal enterprise). The coordination between the Russian GRU, its military cyber division, the FSB, its state intelligence group, and the criminal gangs is easier to see today.
And then there is the theft of intellectual property from our clinical research, clinical trials, formularies—petabytes of healthcare data are being transferred from the U.S. to Chinese state-sponsored enterprises. The Chinese PLA is now thought to employ close to 100,000 hackers engaged in cyberespionage. And as cyber defenders we’re outnumbered by something like 15 to 1,” when it comes to the staffing available to focus on all the cyber threats being launched against the industry. “We plainly don’t have enough people in cybersecurity. We need better, smarter tools, tools that are automated, rather than a heap of complex tools that require a large staff to manage them.”
“I agree with what Richard and Esmond were saying,” Felker said. “We’re seeing the adversaries basically become more much efficient in how they attack us, and the extortion industry is booming easier to get into. Anyone can now purchase a ransomware as a service (RaaS) service and go into business for themselves. Zero-data exploits, phishing campaigns, if they’re good at that, they’ll grab credentials, so instead of having to initiate an extortion campaign, they’ll steal access and identities to remote access brokers, and use ransomware as a service,” he said. “So they’re creating kits so that less sophisticated actors can initiate ransomware attacks. And the people selling the kits don’t have to get their hands dirty any longer. So there are so many criminal elements doing this, and doing it well. They’re moving so fast that in an hour and 38 minutes of gaining access to a company, they’re seeing hits. Within an hour and 38 minutes of receiving these kits, criminals are able to initiate ransomware attacks. And so we have to have the threat hunters and tool sets be able to beat an hour and 38 minutes, not only on weekdays 9 to 5, but on weekends and at Thanksgiving.”
“They’re doing things really, really fast, so that gives us the opportunity to think about security innovation in healthcare,” Wilson said. “We have to partner with CMIOs, CIOs, legal, and the researchers, who are figuring out better ways to care for us as patients and people. Getting out there where the innovation is happening HC and partnering with them, is one of our biggest opportunities but also challenges. We need to enable healthcare security, not just saying we can’t do some forms of healthcare because they are insecure or pose a risk. And the other side to this is that we end up with a lot of repetition about what that technology does. From a communication perspective—when we mapped medical devices, we came up with 21 different communication models happening in patient care organizations. So when new devices come up into the network and want to communicate back to the server or where the data is being collected, we have to make sure that that integrity of the data remains solid. And new technology is coming up all the time. I can take an EKG and share it with my doctor. So we have to work in cybersecurity in partnership with all the areas in patient care organizations.”
Looking at lax security procedures
I was flying here on the plane, and I noticed that the gentleman next to me was clearly working on his laptop on a work document, and I could easily have spied on him,” Wider said. “How do we change work patterns?”
“I think our staff have all become lax since COVID; we’ve become used to working from home,” Staynings said. “And you used to see privacy screens on laptops on a plane and elsewhere, but people pulled those things off to save battery power. So yes, you see people working at Starbucks, at an airport lounge and elsewhere and you have to ask yourself, is someone shoulder-surfing them? Is their connection encrypted? So those are some new concerns we have to consider. But we’ve also moved towards a telehealth-based and remote model for many healthcare services, and it’s taken a lot of work for cyber teams to retrofit these services to be secure. We also have new privacy concerns that have not yet been addressed. How do you know that a Zoom consult that you’re having with a 14-year-old isn’t being spied on by their parents? Legally, a 14-year-old is an adult, medically speaking.
“It requires the CISO to really partner with the rest of the organization, to develop a different kind of security regimen,” Wilson said. “And working at home, what are the concerns that people should be aware of? Data could be lost or stolen, maybe accessed by your kids. Those are real-life scenarios that need to be addressed; and patients need to be addressed around them.”
“I wholly agree,” Kane said. “I’m also concerned with the lack of staff retention. Thanks to work from home, we no longer have work-life balance, we work all the time. And it’s great not to lose a couple of hours to a commute, but that also leads to burnout and fatigue. We’re already dealing with a staffing deficit on our cybersecurity teams, and we’re going into a recession. But the bad guys don’t care; a laid-off programmer is just someone to train to do criminal activity – willingly or unwittingly. It’s already becoming difficult to attract and train and retain staff and I worry very much that when we’re seeing these pressures return to the office, people will just leave.”
What about microsegmentation?
Wider next asked her panelists for their thoughts on network microsegmentation as an advanced cybersecurity strategy.
“Microsegmentation is a relatively newer concept in cybersecurity, especially in healthcare,” Felker noted. “Network segmentation was an old-school way of trying to control access to different parts of your network and different devices. I knew an organization that spent $1 million for hardware firewalls; and they paid for an expert to go onsite for a year to develop the authorization regimen for that. Unfortunately, that’s just not available to mid-sized or smaller organizations. Now, fortunately, there’s new technology featuring AI [artificial intelligence] to invoke the concepts of least-privileged and zero trust. The tools are finally catching up with the need. Audits, HIPAA, cyber issues—we need to try to show that we’re reducing risk, per cyber insurance. And when you have identity tools that will be able to understand what’s normal and not normal—so for example, requiring password reset if someone is trying to log into six assets within a second or two; clearly, that’s not normal.”
“Microsegmentation is another thing that everyone here in this audience needs to be thinking about,” Staynings agreed. “We have a major problem with the security of connected objects. In healthcare, the fact of the matter is that we don’t do a good job of patching anything – especially medical and other healthcare IoT devices. A lot of these devices simply cannot be patched, and retiring a $15 million asset like an Z-Ray machine that still has many years to run on a hospital depreciation schedule simply because the PACs stations connected to it will only run Windows XP or Windows 7 may not feasible or prudent. Yet, these systems may pose a significant cybersecurity risk to the entire HIT network so you have to looking for compensating security controls to contain risks into enclaves or isolated segments, and protect those high-risk assets that cannot be patched, through microsegmentation. I often hear people say, yes, my medical and other HIoT devices, etc., are all on separate VLANs. But VLANs only provide routing separation, not a security isolation, VLANs don’t create microsegmentation. So you need to essentially be able to quarantine and isolate each high risk individual device on your network into its own segment to prevent lateral spread of worm-like malware. The danger without segmentation is, as we saw with WannaCry, which took out one-third of the British NHS [National Health System] system, is that malware can spread very rapidly, and take out an incredible portion of all HIT and HIoT systems.”
“Does your CT scanner really need to connect to your EHR [electronic health record]?” Wilson asked. “Just asking commonsense questions, in any size of health system, is important. Where does the data need to go? What needs to talk with what?”
“And when it comes to building out these workflows—don’t view that as just being the end goal,” Kane said. “One of the things about creating massive data lakes to support decision-making—you can turn around and say, these units are being used in different facilities. So can I reassign a device? And how do I collect data and share it for population health management? It’s actually possible for organizations to leverage their implementation of some systems, to support them in their contracting for cyber insurance.”
Massive amounts of data, AI, and security
“To build on Esmond’s point about data lakes and data mining, we have massive, massive amounts of data today, and we’re using ML to mine this data for clinical decision support and other purposes. AI is driving a lot of technologies, and it’s transformed the medical imaging space. In the U.S., we are now using low-dosage radiation CT enhanced with AI, to gain higher levels of efficacy and capability while subjecting patients to much lower levels of harmful radiation,” Staynings said. “We can use a lot of these technologies to our advantage. And that relates to the need for smarter tools rather than more tools. We need smarter tools that do things for us, because we don’t have enough security staff to do this manually.”
“Data warehouses are becoming data lakes,” Felker noted. “And in cyber, we’re able to apply AI to massive amounts of data, with over a trillion events in a single day. So essentially, data lakes are becoming cloud-based. And we have massive numbers of applications going. And last year, we had three times the number of zero-day attacks than two days earlier. And that resulted in massive amounts of data breaches. So we’re moving everything to the cloud. So you need a set of tools to protect these workflows and data lakes that are moving to the crowd, and to be able to protect them.”
What about the next generation of cyberattacks?
The topic turned to the next generation of cyberattacks, and cyber breach insurance to guard against in such attacks. Kane said that “There are some predictions that the next generation of ransomware will involve the criminals going after your c-suite. And what you need to do as a security professional is to start thinking about this next generation of attacks, in terms of the exploitation of human behaviors, that we need to train our people about. So, you need to train your workforce to reach out to the help desk; a well-educated defender is sometimes your best resource.”
“Three-quarters of the assets on our networks are unmanaged,” Staynings noted. “We need to do assessments of all those devices and figure out what to do with those devices, and determine actions that will keep the devices functioning, while protecting the network.”
And what about the challenges of obtaining cyber insurance?
“It’s getting exponentially harder now” to complete applications for cyber insurance, Felker noted; the process involves “longer questionnaires, and higher costs, because the insurers have encountered so much loss with so many breaches, that they’re trying to understand what’s happening. And when it comes to a lot of these controls, is that so many of them are dealing with such complex challenges. We have to be able to sell our risk reduction,” he insisted; “we have to know what we’re doing and have to be able to convince the insurers of what we’re doing. We need to explain to them that microsegmentation really significantly enhances our identity protections from risk. So we have to be able to articulate to the insurance brokers and carriers how it is that our better managing risk is improving.”
“Insurance is a risk transference tool,” Staynings insisted. “It doesn’t solve security risks, it simply transfers them. I would say that you’re better off spending the money on building up your security controls. Furthermore, the insurers are now asserting ‘contributory negligence’ during claim investigations and forcing insured organizations to pay for a part of the cost of any disaster where their security controls are lacking.”
“And the negotiations are becoming highly complex, and the insurers are demanding that CISOs and others talk with them in detail and how they’re working to prevent the bad guys from penetrating your defenses and preventing ‘military strikes,’” Wilson noted. “And CFOs are getting involved.”
And, Kane added, “The cyber insurers are already now asking about supply chain risks.”