Errol Weiss is chief security officer at the Orlando-based Health-ISAC, a non-governmental body involved in supporting healthcare leaders’ work to achieve cybersecurity across the global healthcare system. Recently, he shared his perspectives on the current moment in healthcare cybersecurity with Healthcare Innovation Editor-in-Chief Mark Hagland. Weiss will be participating as a speaker at the Healthcare Innovation Capital Area Summit, to be held at the Ritz-Carlton in Tysons Corner, Virginia, on May 2. Below are excerpts from that interview.
For those not familiar with Health-ISAC, can you explain the organization’s origins, purpose and focus?
If you go back to the mid-1990s, when the Internet began to become important in e-commerce, in the mid-to-late 1990s, the U.S. government released a report noting that much of the critical infrastructure was owned by the private sector, and encouraged the creation of information-sharing and analysis centers—ISACs—in a variety of fields, and ultimately, 16 of them, in industries like finance, healthcare, transportation, energy, defense. So the entire point is for peer-to-peer information-sharing. So it’s become something like a virtual neighborhood watch program.
What is the status of the 16 ISACs across the various industries now?
Most are non-profits owned and operated by the private sector; we’re completely funded by member and sponsor fees.
Can you share about the size and scope of the Health-ISAC?
We’re approaching 900 institutional members globally, and our members are organizations, and anyone inside an organization can actively participate. So when we send out an alert, we’re reaching more than 12,000 individuals in 140 countries around the world. So we have individuals in organizations all over the globe.
How would you describe the current threat landscape in U.S. healthcare?
Unfortunately, the landscape worsens every year, because the threat actors become more sophisticated, with greater scope; so, ransomware, data breaches, third-party data breaches. And phishing attacks and social engineering continue to plague the industry, and we only have to look as far Change Healthcare and that debacle.
It seems to me that there has been a lack of imagination in U.S. healthcare, per what’s happened with the Change Healthcare attack. Everyone was taken by surprise both by how extensive the damage has been to patient care organization operations, and also by the fact of the area that was hit—pharmacy processes and pharmacy claims management. The threat surface keeps expanding, yes?
Absolutely. We do tabletop exercises and other exercises all the time. But no one thought about how reliant the entire industry was on one company, Change Healthcare, for claims adjudication and facilitating prescription fulfillment.
We need to step up, because the threat surface is expanding and intensifying, right?
Yes, and the healthcare ecosystem is complex and vulnerable. We’re going to get more government help.
How do hospital leaders think and plan smart right now, at a time of straitened finances?
They need more resources—technology and the people to operate that technology—to do a better job. But yes, they’re struggling with finances. So they need more help; I think the government also needs to step in with some incentives. The government is providing some cybersecurity best practices, so there’s a lot of informational resources out there.
When I look at four advanced strategies: auditing of backups, behavioral monitoring, engagement with security operations centers (SOCs), and network micro-segmentation—all of which have been recommended by experts for years—why do you think the adoption of those advanced strategies remains low in patient care organizations?
It comes down to resources again: we just don’t have the right number of staff. ON the backup side, one of the key strategies to fight ransomware is making that data worthless to the criminals. Or I want a fast, recoverable event. It’s going to come down to availability of resources, and to organizational priorities.
What practical advice would you like to share with our audience in this fraught moment?
That you have two-factor authentication everywhere, that you’re backing up and testing your backups, that you’re patching and keeping patching up to date, and testing vulnerabilities.
Also, even now, only about 50 percent of hospitals and health systems have hired CISOs. Do you see that as a problem?
Yes, when I got here five years ago, coming from finance, where you have to have a CISO, according to regulations, I was shocked that healthcare didn’t have CISOs. We need someone in that CISO position and make sure they’re in charge, monitoring, putting a program into place, and making sure that program is effective, and keeping the organization secure. There are a lot of resources out there, and we can benefit from what’s been done. They can bring someone who’s worked in a mature organization, often from another industry, and bring them into the HC organization. And many retired CISOs are working as virtual CISOs for shorter periods of time for organizations. I’ve heard one person can effectively support up to ten organizations a year for a time; but we need the resources.
What will the cybersecurity landscape look like a few years from now?
Cybercriminals are making a lot of money and have a ton of money to invest in future criminality. And you have AI; and when you put those two elements together, we have a pretty tough set of threats we’re dealing with the future because of that.
