Experts See Cyber Threats Intensifying—and a Need to Reduce Friction for Staff
There’s no question whatsoever that threats to the data contained in patient care organizations’ information systems are intensifying now, a panel of cybersecurity experts agreed in a discussion held on July 18 at the Intercontinental Hotel in Houston. The experts were gathered to discuss those issues during Healthcare Innovation’s Texas Summit, held July 18-19 in Houston.
Managing Editor Janette Wider led a discussion entitled “Cybersecurity: Biggest Threats, Biggest Opportunities.” She was joined by Richard Staynings, a healthcare technology and cybersecurity strategist, Chad Wilson, a healthcare cybersecurity executive, and Rollin Morris, principal solutions engineer at Okta.
Wider began by asking what looks relatively new in the healthcare cybersecurity landscape. “On the defensive side, we’ve had to adapt to the pandemic,” Morris said. “And just to enable that capability set has introduced additional attack vectors. So we need to put MFAs, including biometrics, on everything. And we want a centralized identity plane, so there’s one set of analytics that we can use to determine authentication; and approach a zero-trust strategy for access.”
“It’s not just about blocking and tackling; we’ve reached the point where we need to look strategically,” Staynings said. “How do we avoid an increase in patient morbidity and mortality when systems go down?” he asked. “We are entirely reliant on HIT systems and on medical devices. And we are up against nation-state actors. We just heard about the DPRK, North Korea, which is essentially a criminal enterprise. And we’ve got other actors even better-equipped, including the Russians, and the Chinese who are the biggest perpetrators of cybercrime globally; they’ve exfiltrated a value bigger than the U.S. GDP. So it’s no longer the case of, don’t forget to add security to an application; security needs to be the very first thing we think about. How do we secure the integrity of health information systems? Because we rely on the data. And it’s getting worse, not better.”
“Just look at the city of Houston and how Houston has been planning to survive a category 4 hurricane,” Wilson said. “How will we get critical resources and workers in to get us back online? Cybersecurity is a similar situation. When ransomware happens, you can end up being 100-percent offline. So cybersecurity is not just the blocking and tackling, the thinking strategically; it’s an essential part of the operations of a hospital.”
How has consumerism in healthcare impacted all of this? What new challenges have arisen? “The digital front door” is having an influence, Morris offered. “We’re talking about your digital front door and your relationship with them even before they’re patients, along with their expectations. The expectation is that I’ll be able to message my providers, get my lab results, and so on. And the pandemic has driven the idea of expecting a first-class experience when interacting with patient care organizations. But there may be multiple data stores. We need to get a singular view of the patient. And how do we ensure that PII and PHI are secure for users? And how do we ensure the capability of the system to handle all the users logging in at once? So that all speaks to the need for the centralization of identity management.”
“It’s no longer a case of going to the doctor; you might be able to see the doctor through telehealth,” Staynings noted. “Remote patient care is everywhere now; we’ve finally become capable of doing what Australia did a decade ago. We’re also addicted to our personal medical gadgets. The Apple Watch, the Fitbit. And many have other devices that look at your health; we have the capability… In Australia, MyHealthRecord is the national record, and you can import your Apple Watch or Fitbit data into it, and your cardiologist or dietician can import that data. We live in a highly changeable environment; but it raises questions as to the integrity of the data. Was that actually you running on the treadmill, or was it your dog? So consumerism of the data, and patient satisfaction, will change the way in which we input data, and will raise questions around the integrity of the data.”
“And you might be walking along, and your personal sensor stops sending data to your provider,” Wilson added. “Healthcare doesn’t stop because you’ve left your doctor’s office. It will be important to be able to import data safely and securely.”
“How do we train our staffs for everything that’s been happening in the industry right now?” Wider asked. “My husband is working for a multinational now, and is having to take all sorts of tests,” in order to stay in compliance with training requirements in his company. “So what works?”
“A few years ago, we did a survey for a multinational company, and we found that most folks were getting an occasional phishing test, and maybe an annual training,” Wilson said. “And really, it needs to happen about every two weeks. There’s an intelligence study out of the CIA on how you educate people on not giving up secrets. How do you do that in a healthcare setting with doctors who don’t even like looking at emails? You need to do it regularly and then measure the effectiveness of trainings and tests. And you also need to have cybersecurity awareness and visibility into what’s happening in the organization—how often are attacks happening? Ninety percent of attacks in healthcare are phishing attacks. You should be able to measure the training you do against the threat. And we were able to advise a company that had about a 47-percent failure rate on phishing down…. Companies are at about 1-3 percent already, but that goes up to 20-30 percent when you include all attacks.”
“Is there any way to decrease friction while training people properly in healthcare?” Wider asked.
“I’ve worked with healthcare organizations where friction is a considerable element in retention,” Morris offered. “One particular organization wanted to modernize their IT, partly because of the expectation that people are using mobile devices at home.”
“Eighty-nine percent of successful cyber attacks start with phishing attacks,” Staynings noted. “The most successful programs involve creating a culture of cyber safety. If your CEO stands up and says, our number-one concern is cybersecurity and patient safety… We need to create a culture of cybersecurity. We’ve installed a culture of privacy in healthcare since HIPAA was implemented, but haven’t done a good job yet with cybersecurity. We need to make testing more rigorous. And we need to reinforce the basic ‘think before you click’ messages, with lots of other messages, subliminal messages. Intermountain Healthcare had a system involving different dinosaur types of different colors; and each dinosaur had a different message, such as, be careful if someone follows you into the building; be aware of who’s tailgating. And there would be a little purple dinosaur at entry points. Another message was, don’t talk about confidential clinical issues, especially patients, in public spaces like elevators; that was relayed by a green dinosaur. So we need constant reinforcement and the creation of a culture of cyber safety.”
“And I need to know what your job is so that I can help you,” Wilson added. “That culture of servant leadership starts at the top and works its way down.”
“It’s a culture of ‘know’ versus a culture of ‘no,’” Staynings emphasized. “If you constantly say no, they’ll find workarounds, particularly physicians. Meanwhile, you need to implement automated responses to anomalous behaviors, so you can quarantine what could be an intrusion, right away.”