On Thursday, Feb. 8, during day two of the Healthcare Innovation Mid-Atlantic Summit, which was being held at the Bellevue Hotel in Philadelphia, industry leaders parsed the complex landscape of this moment around cybersecurity in healthcare, looking at the range of threats besieging U.S. patient care organizations right now. Healthcare Innovation Managing Editor Janette Wider moderated a panel that included Julian Mihai, chief information security officer at Penn Medicine (Philadelphia); Daniel Uzupis, CIO and information security officer at Jefferson County Health Center (Fairfield, Ia.); and Richard Staynings, healthcare technology and cybersecurity strategist, affiliated with both cybersecurity firm Cylera and with the University of Denver.
Early on in the discussion, Wider asked panelists, “How are we preparing for the newer, evolving threats in healthcare? And is this situation of global concern?” Staynings said, “We are not alone. My role takes me all over the world. Nearly every healthcare system around the world is being hit by ransomware attacks. However, unlike other industries, Healthcare will typically pay the ransoms, because Administrators want to restore their systems quickly. Attacking healthcare has unfortunately become a very lucrative industry in which criminals can easily attack us, and our propensity to pay ransoms fuels a lot of this activity. The Russian invasion of Ukraine did divert some energy away from ransom attacks last year for a short while and that caused a little bit of a dip in the volume of attacks.”
What’s more, Staynings added, “There’s also been a lot of restructuring of the Russian CIS criminal gangs; but I think we’ll see a ramp-up of some activity moving forward. Whether or not the Kremlin is involved directly is yet to be determined, but it’s a grey warfare attack against the USA and other NATO countries health systems. Providers are fighting 24/7 battle to try to defend their systems from these highly sophisticated attacks, but it’s a David-and-Goliath battle, and right now, Goliath is winning.”
Uzupis, whose organization is a critical-access hospital-based system in rural Iowa, testified that “I see everything coming in waves: ransomware, business e-mail compromise; a lot of this comes cyclically. Jefferson County Health Center is located in Fairfield, Iowa, a community of 10,000 people. And people will say, ‘We’re small, who would attack us?’ But what I’m seeing more than anything else is a need to focus on policy. The one thing that has saved people in Iowa is that people are distrustful. It comes down to making strong policies. What you do in cybersecurity has to be the first thought.”
Indeed, Mihai said, “I see increasing sophistication in the attack tactics. For the first time, we’re seeing where somebody builds a small website around a niche clinical topic as a Watering Hole. They use it to infect visitors with malware. So when a clinicians looking for a small niche search are attracted to the fake site, they go in and get infected, and then infect the entire organization. So you can’t think about staff training as fixed, stock training. So my team is constantly working with our partners to determine the emerging types of attacks, and correctly training our employees. And you hear everywhere about the zero-trust concept. And it’s more important than ever for us to realize that no matter where you are, somebody in a large organization is going to click on something. So it’s very important to detect quickly, because that gives you the biggest chance to contain and eliminate the threats.
Looking at the PATCH Act—the Protecting and Transforming Cyber Health Care (PATCH) Act introduced into the U.S. Senate last year, but which was not included in the appropriations bill funding the Food and Drug Administration (FDA) for another year, that was passed in June (the PATCH Act is working its way through the Senate Health, Education, Labor and Pensions (HELP) Committee at the moment), Staynings noted that “There was legislation that went through Congress last year that addresses some of the problems of medical device security. The biggest issue is that 75 percent of connected devices on hospital networks are medical devices. These devices were designed to do one or two functional clinical things very well over their projected life cycle of many decades. Many were never designed to be connected to the medical network however. The problem is that medical device manufacturers aren’t very good about releasing security patches to known vulnerabilities. So the PATCH Act requires cybersecurity to be designed into all new medical devices, and for manufacturers to release timely security patches for any CVEs moving forward. It also has some retroactive impact on existing devices, and the FDA can pull the rug from under the worst offenders, though final FDA rules have yet to be published with the exact details.”
Staynings went on to add that “The Act also protects the sharing of security threat and vulnerability disclosure data and other information without fear of lawsuits from manufacturers. It doesn’t address all of the legacy problems of the countless devices we have in health systems across the world, or the risks these present to the medical network, but does address broad issues and the security of new devices.”
Further, he added, “FDA, CISA, HHS, are now empowered to work together in the medical device security and broader healthcare security space. Medical devices remain largely unmanaged in terms of cybersecurity thanks to a legacy reporting structure and ownership of these systems, which are largely managed by Clinical Engineering or Biomedical Departments rather than by the CISO and CIO. But healthcare IoT is more than just medical devices, it includes all sorts of connected hospital building management systems that control HVAC, elevators and other physical systems critical to hospital workflows. How would we minimize risks during pandemic care management without high-performing HVAC? However, these systems are now connected to the Internet and are often managed by groups of people hundreds of miles from the site where they are located. The same thing is true for elevators. So there are a lot of critical components in hospitals that aren’t directly managed by the CISOs or IT that could pose a cybersecurity risk.”
“What should the government’s role be then, in protecting healthcare?” Wider asked. “I do think there are certain cases where the government can make a difference,” Mihai said. “The PATCH Act was so needed. Honestly, there have been big hospital groups, and I was in one of them, trying to drive similar outcomes by trying to force contractual terms on manufacturers. But it honestly wasn’t working well.”
“Sometimes you need to have that push from the federal government,” Uzupis offered. “People will say, this legislation is for bad apples only. Well, we have a few bruises. I honestly think that sometimes legislation doesn’t go far enough.”
And, Staynings noted, “Medical devices 25 years ago were fairly inert. It’s all changed, and we now live in a hyper-connected world in which everything is connected to everything else via a network. In healthcare that can often include the indirect connection of patients via the medical devices keeping them alive or monitoring their vitals. However,” he added, “there’s another bigger question: should the government take a bigger role in protecting healthcare? Most health systems have a skeletal IT security team. Imagine you’re in a rural hospital in Idaho. How are you expected to defend yourself against the People’s Liberation Army of China or the Kremlin? There’s definitely a bigger role for the government in providing some level of protection for cyberattacks against national critical infrastructure. And healthcare is one of the 16 industries listed by President Obama under PPD21.”
“I totally agree,” Mihai said: “we’re faced with a unique situation in which there’s no downside to the criminal trying. Imagine if there were a burglar trying to break into your house, and there were no consequences for them trying to continuously break into your house. Overseas cybercriminals currently act with almost total impunity.”
“I think the big thing about policy is that when you’re talking about a critical-access hospital, if you tie CMS [Centers for Medicare and Medicaid Services] compensation to compliance with something like this, hospitals will close,” Uzupis said. “There needs to be a carrot not just a stick. Recently, the Iowa Hospital Association listed their top 15 concerns, and the first 13 of 15 came out as being around compensation and staffing. These are earnest people committed to serving people. And so they need federal policy to force improved cybersecurity. So that’s the big thing: having policies in place.”
“How do we get rural healthcare CEOs to comprehend cybersecurity risk?” Staynings asked Uzupis. “Fortunately, they trust me,” Uzupis replied,” referring to his organization’s c-suite executives. “When you talk to the CFO, you have to talk about risk and how much it will cost. And when you talk to CEOs, you have to talk reputation. And there was a records breach in Jefferson County, Missouri, and a newspaper got it wrong and thought it had happened to us. So someone from CISA called me up and offered services for free.”
“Right now, healthcare regulation is myopically focused on protecting confidentiality,” Staynings noted. “Shouldn’t we be more focused on protecting the availability of healthcare services? Or integrity of healthcare data, so that clinicians can be certain of being able to use accurate data to make clinical decisions?”
“It’s easy for me to say as a cishet [cisgender, heterosexual] white male that I don’t care if my information is out there about my Albuterol prescription, for example,” Uzupis said. “But I see a huge concern around health equity. And for some people, HIV status is everything. It’s very important that we maintain confidentiality on behalf of marginalized communities. Just even mentioning that patients have accessed care in certain locations reveals status. And if our records are out there in such high quantities, what’s to stop anyone from setting up some kind of false HIE [health information exchange] and populating it with inaccurate medical data?”
“I think integrity attacks are what we need to be concerned about,” Staynings suggested. “If my blood type is changed and my allergies are removed from my record, and I am given blood of the wrong type followed perhaps by an antibiotic I’m morbidly allergic to, I could be coding on the table in minutes. We all know that clinical mistakes happen, but if they are engineered to happen by perpetrators, the integrity of our data has to be held far more securely than it currently is. Thankfully we haven’t seen these types of attacks yet, but we need to prepare for them and protect ourselves.”
Educating the c-suite on cybersecurity issues
“How do we talk to senior leaders in patient care organizations about the importance of cybersecurity?” Wider asked the panel.
“I have a kind of unique perspective,” Mihai offered. “I’ve been in technology, I’ve worked for insurance company before starting on the provider side, and I’ve noticed that there’s a difference in the way you approach cybersecurity in order to be successful. For example, if you’re working for a high-margin company in a high-margin industry, you just go and say look, we have these technical problems. And they ask, how much will it cost to take that away? Here you go, take care of it. But in the provider industry, the mission-driven focus on the patient means investment should be focused on patients, and you don’t have 20 percent spare to focus on this, so that challenges cybersecurity leaders to be razor-focused, and instead of saying, let’s do everything under the Sun to protect identity… we have to look at how a specific initiative can target something threatening to the core business. How did something protect a specific EMR application or protect us from ransomware? So you have to be razor-focused on business impact all the time.”
“Failures in complex systems are inevitable,” Uzupis emphasized. “And risk is really how I sell this to the organization. And I’ll tell you that in a rural area, reputation is everything. We have maybe 55 percent of the market share, and 35 percent is University of Iowa Hospitals and Clinics. But if you have people in Fairfield willing to drive an hour away, that’s a huge issue. And I’m glad to see that… Working with a small organization, you usually have people wearing multiple hats and so you have your CFO who’s not only doing strategy but also doing accounting; and that leads to very bad practices. And the old joke is that we went into IT because we wanted to work with computers, but we ended up working with people! And I don’t talk tech when I’m talking to my colleagues in my organization. A lot of it is education; they just don’t see it. And we’re in a much different environment. And it’s hard to imagine there’s so much between LA and New York, and people think they’re just big-city problems, but they’re not.”
