One CISO Peels Back the Curtain on the Evolving Cyber Landscape
The healthcare cybersecurity landscape has certainly changed over the past year, on a variety of fronts. In the context of the pandemic specifically, the influx of remote work, cloud-based business operations, telehealth and remote patient monitoring devices has only added to existing hospital and health system vulnerabilities.
What’s more, ransomware continues to be a key issue that’s top-of-mind for healthcare security leaders, and one recent analysis from security company Comparitech revealed that throughout 2020, 92 individual ransomware attacks affected more than 600 separate clinics, hospitals, and organizations, and over 18 million patient records. The estimated cost of these attacks in total is nearly $21 billion, according to that research.
So what does the sector need to do to keep up with rising cybersecurity threats? Joey Johnson, chief information security officer (CISO) of the Brentwood, Tenn.-based Premise Health, has led the charge in data protection for the provider enterprise and the companies it supports. At Premise, Johnson has grown the security program from just himself and one other person to a team of more than 30 people today. In a recent interview with Healthcare Innovation, Johnson discusses how healthcare cybercrime has changed in the era of the pandemic, best practices that could help organizations respond, how ransomware attacks have evolved, and more. Below are excerpts of that discussion, edited for formatting purposes.
What has the last year, and the pandemic specifically, taught healthcare information security professionals in terms of new and emerging threats?
It’s kind of been a perfect storm. If you think about the emergence of telehealth, it hasn't really been an emergence of the technology; it’s been an adoption of one. So that happened across a lot of broad spectrums, as organizations were thrust into having to adopt new technologies in rapid fashion. Anytime you do that, it's going to come with a degree of risk. And then on the workforce side, it was one thing to shift workers to remote work, but the other challenge is now you have a significant amount of workforce groups who aren’t acclimated to being in front of a screen for eight hours a day. Providers are used to face-to-face patient engagement. So, even technologies that the organization itself was already using introduced a learning curve.
Another factor that [contributed] to the perfect storm was that people’s defense and cyber instincts were down. Even when we went into COVID, all of a sudden, every department across an organization was delivering end-to-end messaging about everything [related to the crisis]. Folks’ inboxes got flooded with all this information, so their resilience to phishing decreased. One of the many benefits that adversaries have is if you can be both financially empowered and morally bankrupt at the same time, you can do a lot of things. And that's exactly what cyber adversaries saw; opportunity and chaos bottle up their attack vectors, so they capitalized on that.
Can you discuss some of the best practices your team deployed to mitigate security threats around telehealth and having a remote workforce?
Many different parts of the organization had to work collectively to do it because the response to cyber aggression is not always cyber-defense tools. Oftentimes, it's training, and also setting cultural expectations with the organization. We are fortunate here in that we have significant stakeholder [support] in everything; [security] is not just a back-of-the-house IT function. As we were engaging and expanding our technology footprint, at the onset of COVID, we had one telehealth product and now we have nearly 20. They had to be spun up in rapid fashion and our security teams were involved in asking, how quickly can we move at some degree of tolerable risk, and where are the guardrails and places where we know we can't take on that risk? We were deeply engaged with the business on the front end.
The other thing was that our back-end security operations center team began to look at different models of what remote work looks like. So we would have trained models [detecting] that a user signs on to the EHR system between 8 a.m. and 4 p.m., but all of a sudden, we were seeing sign-ons at 8 p.m., for example, and that would make our bells and whistles go off. We began to learn that in the early stages of COVID, people's work schedules were really flexing because they were figuring out what to do with their children, and were working odd hours, so when they signed on during those “off” hours, it was for legitimate work. So we had to retrain our tooling to be aware of that. We also had to contemplate what other kinds of things can happen at home that we didn’t [think about] previously. For example, we had to send out messaging telling people if they have Echo- or Siri-type devices, they could be picking up things like telehealth sessions, which should be private.
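The sign-on-hour baseline and the retraining step described above, written out as an added example over constructed EHR log lines (this is illustrative code, not Premise Health's tooling; user names, timestamps and the `min_support` threshold are assumptions):

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample EHR sign-on lines ("<ISO timestamp> <user> <event>"), not real data.
# Baseline period: staff sign on between 8 a.m. and 4 p.m.
FEB_LOGS = [
    "2020-02-03T08:05:00 alice ehr_login", "2020-02-03T08:12:00 bob ehr_login",
    "2020-02-04T09:01:00 alice ehr_login", "2020-02-04T09:20:00 bob ehr_login",
    "2020-02-05T08:15:00 alice ehr_login", "2020-02-05T08:30:00 bob ehr_login",
    "2020-02-06T09:05:00 alice ehr_login", "2020-02-06T09:10:00 bob ehr_login",
    "2020-02-07T16:02:00 alice ehr_login", "2020-02-10T16:10:00 alice ehr_login",
    "2020-02-10T17:00:00 alice ehr_logout",
]
# Early-COVID period: alice now works evenings; bob signs on late once.
MARCH_LOGS = [
    "2020-03-16T20:05:00 alice ehr_login", "2020-03-16T09:00:00 bob ehr_login",
    "2020-03-17T20:30:00 alice ehr_login", "2020-03-17T20:15:00 bob ehr_login",
    "2020-03-18T09:00:00 alice ehr_login",
]

def parse(lines):
    """Split each line into (datetime, user, event)."""
    return [(datetime.fromisoformat(t), u, e) for t, u, e in (l.split() for l in lines)]

def train_baseline(events, min_support=2):
    """Learn what 'good' looks like: the sign-on hours each user has shown at
    least min_support times. Logouts and other events are ignored."""
    hours = defaultdict(Counter)
    for ts, user, event in events:
        if event == "ehr_login":
            hours[user][ts.hour] += 1
    return {u: {h for h, n in c.items() if n >= min_support} for u, c in hours.items()}

def flag_anomalies(baseline, events):
    """Return (timestamp, user) for sign-ons at an hour outside the user's baseline."""
    return [(ts.isoformat(), u) for ts, u, e in events
            if e == "ehr_login" and ts.hour not in baseline.get(u, set())]

def retrain(training_events, confirmed_legit, min_support=2):
    """Relearn once analysts confirm flagged sign-ons were real work; a single
    unconfirmed late sign-on stays outside the baseline and keeps alerting."""
    return train_baseline(list(training_events) + list(confirmed_legit), min_support)

def demo():
    """Flags before and after retraining on the constructed data."""
    feb, march = parse(FEB_LOGS), parse(MARCH_LOGS)
    before = flag_anomalies(train_baseline(feb), march)
    confirmed = [e for e in march if e[1] == "alice"]  # analyst-reviewed as legitimate
    after = flag_anomalies(retrain(feb, confirmed), march)
    return before, after
```

Before retraining all three evening sign-ons alert; afterwards only bob's single, unreviewed late sign-on still does, which is the point of confirming "good" before relearning it.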
Do you believe the pandemic has accelerated the adoption of more advanced cybersecurity strategies, such as behavioral monitoring, network segmentation, and audits of backups, that will continue to evolve in the next few years?
It depends on the organization’s maturity posture, because you have to be at a certain maturity point before tackling things like defining acceptable log-on times and behavioral analytics. For an organization to be good at doing things like behavioral analytics, you have to know what “good” looks like first to detect anything that's anomalous to that.
When you think about how provider healthcare grows, it’s typically through merger and acquisition (M&A) activity, so you might have a hospital group, but what they really have is 30 little independent technology stacks and technology teams. That makes it hard to get continuity across that stack, and to be able to assemble that picture to [realize] what “good” looks like across the stack, and then eventually to understand what anomalous looks like. I think we have a certain advantage in that controlling all of our wellness centers under a common security team allows us to be able to do enterprise-level things.
On the ransomware front, one recent report found that ransomware attacks cost healthcare organizations $21 billion last year, with several notable incidents making the mainstream news. What do you see as best practices for systems to better protect themselves against these threats?
Just thinking about traditional cybercrime, oftentimes it's opportunistic and it’s capitalizing on our lack of hygiene. You could also look at these statistics and ask, how many of those organizations were ultimately breached, through either phishing when they didn't have multi-factor authentication protecting email, or through something that wasn't patched [properly]? Basic hygiene that wasn’t done is [almost] always the entry vector. It’s not sexy, but 101-level basic hygiene is still the best practice.
One of the challenges is that the threat landscape evolves rapidly. In theory, that should mean that your defense-in-depth architecture should evolve just as rapidly and be just as dynamic, but that's not true for almost any organization that I'm aware of. That inherently means there's some kind of blind spot and some vulnerability, and if you take that back a step further, SOC [security operations center] teams are struggling just to understand the architecture and its context in the end anyway. So when the [threat landscape] is shifting, it's very difficult for them to stay in front of it. With this exhausted workforce, there’s certainly an opportunity for cyber criminals to go after that.
The thing that obviously makes ransomware so powerful is that it can be opportunistic without having any of the overhead bureaucracy of traditional crime. If you think absent of ransomware, you have to break into an organization, you have to find where its sensitive data crown jewels are, you have to find some way to exfiltrate those data assets from the organization without being detected, and then you have to find a market for that data. That’s a lot to go through and you have to be prescriptive and make sure you're going after an asset that has enough data to make it worth it.
Ransomware pivoted all that because it’s opportunistic and indiscriminate. At the end of the day, it doesn't matter what the value of the data is to anyone else; it has value to your organization, it exists for some reason, and therefore it has some value in that if I encrypt it and hold a ransom, I have affected some kind of business process for you. Then if you are now motivated to fix that problem, [that means] from a criminal perspective, you don't need to go find a buyer for your compromised assets. You just created an immediate one-to-one relationship as soon as you broke in. This is why ransomware has been super powerful and why healthcare is ripe for it. If you look at a fairly immature provider healthcare sector that's under duress, that has a trove of data assets, and is very easy to breach, why would you not go after that asset?
Medical devices connected to hospital networks haven’t yet been the source of high-profile catastrophic cyberattacks, but some believe they are coming next. Do you agree?
It is an imminent threat. While we haven't seen it totally cross the line of loss of life due to compromising IoT or medical IoT assets, we have seen them be leveraged for things like large-scale denial of service attacks. The [exponential growth] of devices is only going to continue, and from an enterprise perspective, particularly in healthcare, the provider sector is having a very difficult time getting tabs on their medical devices.
Some of these [devices] can cost a quarter of a million dollars, and when they buy them, the expectation is that that device is going to last 15 to 20 years. Meanwhile, the typical lifespan for a workstation, say a Windows desktop, might be three to five years. So what you have is devices that are inherently bound to much older operating systems, and can't be fixed, can't be patched, and nothing can be done without breaking the warranty. Or maybe you have a clinical engineering team, which typically sits outside of that device, that says you can’t touch this [product] because it’s a life-saving device and it must be up and running all the time. Meanwhile, you have a security team saying there could also be a loss-of-life scenario if this device gets breached.
Then, with wearables or glucose monitors that are not traditional healthcare devices, let’s say you take your blood pressure and you put that into an EHR application; 100 percent of that is HIPAA-covered PHI data. Now let’s say you take those same exact data elements that you gather yourself on your own, with your own Fitbit or your own mobile app, and you put the data into that device. All of a sudden, the same exact data is not regulated. I do think we'll see more regulation change that but for today, there's a huge threat and vulnerability posture with those devices in that you can start altering people’s blood levels, for instance. That’s a whole new level of danger.