CynergisTek’s McMillan: As an Industry, We’re Still Focusing on the Wrong Things
The threat landscape continues to intensify for healthcare provider organizations, both in the U.S. and internationally, as private cybercriminal organizations and state-sponsored groups advance their attacks on hospitals, clinics, and integrated health systems.
The amount of activity, and its intensity, were highlighted last month. As Healthcare Innovation Managing Editor Janette Wider reported on May 13, “On May 11, the Cybersecurity and Infrastructure Security Agency (CISA), in partnership with the United Kingdom’s National Cyber Security Centre (NCSC-UK), Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), New Zealand National Cyber Security Centre (NZ NCSC), National Security Agency (NSA), and Federal Bureau of Investigation (FBI) announced via a press release that it released an advisory regarding cybersecurity best practices for information and communications technology (ICT), concentrating on clear discussions between managed service providers (MSPs) and their customers on securing sensitive data. The agencies expect state-sponsored advanced persistent threat (APT) groups and other bad actors to intensify targeting MSPs against both provider and customer networks.”
What’s more, as the Boston Globe’s Andrew Brinker and Travis Andersen reported on June 1, “A hacker group sponsored by the Iranian government attempted last year to carry out a cyberattack on the computer system at Boston Children’s Hospital, FBI Director Christopher Wray said Wednesday. The attempted hack, which was revealed as increasingly advanced cyberattacks targeting critical infrastructure continue to surge, was thwarted by the FBI’s Boston field office last summer after the agency was tipped off by an unspecified intelligence partner. It would have been ‘one of the most despicable cyberattacks I’ve ever seen,’ Wray said, speaking Wednesday morning at the sixth annual Boston Conference on Cyber Security at Boston College. Quick actions by everyone involved, especially at the hospital, protected both the network and the sick kids” who depend on the facility for treatment, Wray said.
In addition, though direct attacks by Russia on U.S. patient care organizations have not yet been reported, Russians working for the Russian government have been indicted for attempting to hack the U.S. energy sector. On March 24, the U.S. Department of Justice announced charges in connection with a series of attacks on the energy sector. As a press release posted to the DoJ’s website stated, “The Department of Justice unsealed two indictments today charging four defendants, all Russian nationals who worked for the Russian government, with attempting, supporting and conducting computer intrusions that together, in two separate conspiracies, targeted the global energy sector between 2012 and 2018. In total, these hacking campaigns targeted thousands of computers, at hundreds of companies and organizations, in approximately 135 countries. A June 2021 indictment returned in the District of Columbia, United States v. Evgeny Viktorovich Gladkikh, concerns the alleged efforts of an employee of a Russian Ministry of Defense research institute and his co-conspirators to damage critical infrastructure outside the United States, thereby causing two separate emergency shutdowns at a foreign targeted facility. The conspiracy subsequently attempted to hack the computers of a U.S. company that managed similar critical infrastructure entities in the United States.”
Speaking of that campaign and another one announced in the press release, Deputy Attorney General Lisa O. Monaco said on March 24 in a statement contained in the press release that “Russian state-sponsored hackers pose a serious and persistent threat to critical infrastructure both in the United States and around the world. Although the criminal charges unsealed today reflect past activity, they make crystal clear the urgent ongoing need for American businesses to harden their defenses and remain vigilant. Alongside our partners here at home and abroad, the Department of Justice is committed to exposing and holding accountable state-sponsored hackers who threaten our critical infrastructure with cyber-attacks.”
In the midst of this intensifying environment of threat, Healthcare Innovation Editor-in-Chief Mark Hagland spoke with Mac McMillan, CEO of the Austin, Tex.-based CynergisTek consulting firm, about what’s going on right now in cybersecurity in healthcare, and what healthcare IT leaders can and should be doing. Below are excerpts from that interview.
What’s your overall sense of this moment in U.S. healthcare cybersecurity?
As an industry, we’re still focusing on the wrong things, and are knee-jerking in our responses to what’s happening. I recently got a request from a reporter that said, ‘We’d like you to review two recent OCR annual reports that just came out, and give us your thoughts.’ [The “Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance For Calendar Year 2020,” and the “Annual Report to Congress on Breaches of Unsecured Protected Health Information For Calendar Year 2020,” both produced by the Office for Civil Rights of the Department of Health and Human Services] So I retrieved them and read them, and the more I read them, the more incredulous I was. It’s as though we haven’t learned anything in 20 years.
And the one that talked about breaches irritated me the most, because the thing that they focused on in their summary was that there was a 4-percent decline in the number of breaches reported last year. Yet in the body of the report, there was a 61-percent increase in the number of breaches involving 500 or more patient records. We’re not doing better, we’re doing worse. And you go through the report and see the reason for the breaches, and you find that 70-90 percent are because of hacking, and realize that we’ve seen a complete ground shift in healthcare, and you realize that the vast majority of breaches are no longer internal in origin, but external in origin. And the only thing that the OCR people came away with was that we had “four percent” fewer breaches last year. And that’s why compliance should have nothing to do with this. But what’s important is to look at the breaches and look at what types are involved. We exposed more records and saw more damage, and the bulk of it is now external, on the part of criminal elements breaking into our hospitals. And they completely glossed over all of that.
And then their sole recommendation sent me through the roof: that we need better compliance with the HIPAA security rule [which was established under the Health Insurance Portability and Accountability Act of 1996]. The HIPAA security rule is two-and-a-half decades old, and has never been updated, and everyone in the community knows that the HIPAA security rule is not an adequate benchmark for security; yet that was their one recommendation.
CISA warned about Russia. How do you see the potential that the Russian government might possibly sponsor attacks against patient care organizations in the U.S.?
They already have. When you think about the fact that a lot of these really sophisticated hacking groups are operating with the protection of Russia or China, meaning they operate with impunity out of those countries—and even if it’s not directly state-sponsored, those governments are essentially supporting it already, because they’re allowing it to happen, via big groups like Conti and FIN12. There are 250 criminal threat groups worldwide, and about 100 of them focus on the United States; and of those, some 80-odd already identified focus on healthcare. So you’ve already got cybercriminal groups operating out of these foreign countries. And in my mind, who cares if it’s directly state-sponsored? If those governments are allowing them to do it, what’s the difference between allowing them to do it and telling them to do it? And they benefit from it; they get the data these guys steal.
Yes, groups in China have already been stealing clinical research for years.
And they’ve been doing it on the human side as well. They want the data. So regardless as to whether those governments have directed that activity or not, they’re allowing them to do it, so it’s a distinction that’s semantic.
There’s the level of the malicious, but it could potentially reach the level of the dangerous, too, correct?
Yes, you’re absolutely correct, if they move to that level. Right now, there’s no evidence that they’re doing that directly; right now, the evidence remains that the criminals want money. And cybercrime is almost sociopathic in that they don’t care about their victim; there’s no remorse—it’s just about making money. If I can get you to pay by encrypting your data, if I need to wipe your data and destroy it, I’ll do that too, as a cybercriminal. And last year, we saw a rise in the number of multi-tiered ransomware threats, where they were encrypting or leaking or destroying. The hackers exfiltrate the data so they have a copy of it; and then they send the ransom message. And then after the healthcare organization pays, the hackers leak the data; and can destroy it. This is all about money. And 80 percent of the attacks, across industries, were on small and medium-sized businesses.
So it’s become far bigger, far more serious, and far more destructive. So this focus on compliance and on the HIPAA security rule, it’s almost dangerous. And, thinking about this, 20 years ago, when we first started this journey, back around 2001, we didn’t have EHRs [electronic health records], smartphones, clouds, IoT, wireless medical devices. The world was a lot simpler. And they had no organized security. So back then, focusing on frameworks was the right thing to do. Policies, security organizations, all needed to be created from scratch. But now, we’re way past that. And people are still focused on compliance and grades. But it’s not just a matter of what a number is, but what makes up a number. So the vulnerabilities in my 3.2 may be very different from the ones in your 3.6. So we need to stop focusing on grades other than to understand how a program is being managed. There are grades on the elements in the NIST framework, from 0 to 5. But a grade doesn’t relate to risk; it relates to maturity. So you could score a 3 in a particular category, but still have a lot of vulnerabilities.
And the reason that this becomes so important, is this: up until about 2012 or 2013, the threat was somewhat manageable, and most of the threat was internal, not external, and it was physical loss, not data loss. But when bitcoin emerged in 2013, and hackers could be paid without getting caught, that’s when ransomware exploded; and it has plateaued since 2017 but not gone down. Hackers now have a way to monetize this activity in ways that are hard for law enforcement to track.
The fact that state actors could engage in purely malicious activity: should that change anyone’s thinking in this area?
You should understand that that’s a possibility. The same hacker who’s taking down networks for ransomware purposes can do so for purely malicious purposes. Anybody who understands cybersecurity knows that that’s possible now; but we haven’t seen that because it’s not advantageous for them. There will always be a reason for a hack. But for now, they won’t do it, because it’s the one thing that actually gets law enforcement energized. Indeed, they’re very careful about how they conduct their ransomware attacks. For the most part, they’re careful not to damage systems, because their motivation is to get paid, to get billions of dollars. Taking people down maliciously doesn’t help that. If anything, it will cause people to then not pay ransoms, knowing they could be taken down maliciously anyway. So for right now, as long as people are willing to pay, which unfortunately they are, attackers are going to focus on getting paid.
But if Vladimir Putin were to get really desperate and were to decide to lash out, that scenario does worry me, because if you listen to what the Secretary of Defense said yesterday—that the United States’ goal is to weaken Russia so that they cannot do this again—well, we just threw down the gauntlet. And so Putin might lash out at some point. So I don’t think you can totally rule that out as a possibility. And there are so many different factors involved; if Putin were to directly attack an entity in the United States, and it were known that he did it, that would essentially amount to a declaration of war. He has to know that if he were to do that, that we would retaliate. If the Ukraine situation is any indication of his level of preparedness, he’s not prepared. So, is it possible? Absolutely. Does he have the capability? Yes, he does. China? Iran? Yes. There are lots of nations with nation-state capabilities. But the moment you engage in cyber warfare, you’re attacking the United States, the United States will attack you back. Those kinds of scenarios are the kind that I think become possible when somebody gets desperate. If Putin gets desperate and is about to lose power, that’s when you push the button; but right now, he’s got way too much to lose.
Meanwhile, we’ve got to do a better job as an industry; we’re getting slammed by cybercriminals, and we have to do better.