At the California Healthcare Innovation Conference, a Sobering Discussion Around Cyber Threats

At the California Healthcare Innovation Conference, being sponsored by Healthcare Innovation and taking place this week at the Sofitel Hotel Los Angeles at Beverly Hills, cybersecurity experts engaged in a sobering discussion on Wednesday, Nov. 2, of the intensifying cybersecurity threats confronting patient care organizations across the U.S. healthcare system.

Healthcare Innovation Managing Editor Janette Wider moderated the discussion, whose panelists were Elliott Jones, CISO at Keck Medicine of USC in Los Angeles, and Richard Stayings, chief security officer at the New York City-based Cylera, and a professor at the University of Denver, under the heading, “Cybersecurity: Biggest Threats, Biggest Opportunities.” Below are a few excerpts from the extensive discussion.

Wider noted that “The landscape of cybersecurity isn’t great; the bad actors are getting ‘badder,’ so to speak, and CIOs and CISOs have more to worry about than ever. So how should organizations begin to prepare?” she asked the panelists.

“The U.S. is by far the biggest victim of cyber attacks against healthcare,” Staynings noted. There are between two and three hospitals every week being attacked by ransomware; that’s pretty alarming. A lot of those incidents aren’t publicly reported. But it’s a trend that’s getting worse, not better. As Oscar [Miranda, field CTO at Armis] noted this morning, healthcare is a lucrative target; and it’s compounded by the fact that we don’t have adequate security in place, and therefore are an easier target. Indeed, the fact that organizations are paying ransoms, is fueling that attack work.”

“And the nature of the attacking organizations is that they’re becoming more sophisticated,” Jones emphasized. “And having to invest in security to a high level is very challenging. Sophos [in its “The State of Ransomeware 2022” report] found that 66 percent of responding organizations in 2021 were directly affected.

“Two-thirds of U.S. residents have had their identity stolen in some way, at this point,” a huge percentage, Staynings noted.

“How are you preparing at USC?” Wider asked. “Obviously, you’re focusing on prevention; but that’s only half of the story,” Jones replied. “When it does happen, how do you respond? And so requires looking at how to respond. We’re seeing organizations being impacted up to the point of being down for one month. Imagine one month of working with pen and paper. It’s devastating. So it’s really about coming up with good strategies and testing those strategies with live tests, regularly.”

“And what is the impact on patient mortality, morbidity, etc.? It can be $129 million in lost revenue. Yet we take the risk and roll the decide and bet that it won’t happen on our watch, yet it will,” Staynings said.

“Let’s talk about segmentation,” Wider said. “Elliott, what are your thoughts on segmenting medical devices?”

“When we’re talking about segmentation, we’re really talking about isolating devices, such as IoT [Internet of Things] devices, and placing them into a container, if you will,” Jones said. “Historically, that’s what my peers have done. But what we’ve come to find out is that that’s only half of what you need; you need a comprehensive program in order to address devices. Look at your device inventory, your vulnerability plans, and how you’ll recover. So you have to look at this more holistically. There’s also the component of the volume of devices involved. There was a great publication by IoT Analytics; they report annually, and found in 2021 that the increase in IoT globally was 18 percent; and they’re anticipating a 22-percent Y0Y growth in IoT. At USC, we’re on pace to have more IoT devices than classic IT devices. If the IoT devices compromise more than half of my inventory, it’s no longer a segment; it’s my environment; so it requires building a comprehensive program.”

“You need to understand those devices,” Staynings stressed. “What about devices that cannot be patched because the manufacturers have been lax in publishing patches. There are devices older than 15 years old that cannot be patched, and manufacturers who refuse to patch, and who hopefully will be out of business soon. But you need to understand the threat levels involved, and need to be able to automate and orchestrate, around your network access control. The tolls are there for you to use; it’s a question of automating that process. And you need not just macro segments, such as for devices in general, but micro-segmentation. Say, all my Hospira pumps are at risk, because, say, the Chinese, Iranians and North Koreans are attacking these devices to upload software for ransomware attacks or other reasons. So I need to isolate the Hospira pumps in order to not impact the HIT systems.”

“I once interviewed someone who said it would be as though you moved into your house and never cleaned up and just threw everything on the floor and then tried to clean up,” Wider offered. And then she asked her panelists, “What about cloud security? What should we understand there?”

“The idea of being able to take on that old-school approach to security where you build your castle walls and your moat—those days are over,” Jones stated. “Data proliferation is now the norm; we’re using Azure, Google, now Vertica; name your flavor of cloud, and you’re using it; and it may be through a SAS [software as a solution] solution. So it really speaks to looking at a cloud strategy, and a procurement strategy, that incorporates security. You need to ensure that at a contractual level. And when you look at a third party that might have access to your data, you have to look at issues like contractual issues. We’re seeing much lower limits on cybersecurity insurance, which means we have to transfer a lot of that risk to our third-party vendor partners. So you need to develop a strategy.”

“In fact,” Staynings said, “It’s a hybrid multi-cloud strategy that most hospitals are in right now, so you’ve got multiple clouds with multiple sets of data, so you need to know what you have; and many vendors contract with liability limits. So you have to train people on the cloud for nuances, and make sure they’re brought up to speed. There’s also a bigger question here: breach insurance will become unaffordable in the next three years. No one’s going to be able to spend sufficient money. So you need to spend your money on cybersecurity, because you’re going to get hit. Because the insurance companies are including in their contract language that they won’t pay for incidents of war, and we’re in a war now with national government actors. And an insurance company might say, you didn’t have effective security protocols in place, such as monthly training, or effective control management, or micro-segmentation, or risk remediation; therefore, the $300 million we were going to pay for, we’ll pay for only $50 million, and good luck on the rest.”

“I agree with Richard; you can’t rely on insurance,” Jones said. “And what is the value of reputation? And what is the value of a life? And so I think really, what we’re looking at is a change, at least in our organization, is a change in how we’re doing things. Years ago, we were taught that security is like a pyramid, and the foundational element is physical security, then network security, than application layer, and the top of the pyramid is data security. And now we’ve flipped that equation and are saying that data security really is the foundation. Data governance. It goes back to that segmentation conversation; you can apply controls to achieve outcomes.”

“Not everyone works in the IT department; and cybersecurity is becoming a cultural issue in an organization,” Wider underscored. “My husband is an engineer and works for a multinational company; he used to work for a mom-and-pop organization where they were working on Windows 7 and such; now, he has to be regularly trained on IT security, and is taking regular phishing tests. So in healthcare, how are you getting it to work?”

“The time of our physicians and nurses is so valuable,” Jones noted. “And a lot of it involves trying to change culture, which is probably the hardest part of this job. Technology, we can employ in days or weeks, but cultural change takes years. So we’re looking at things like game-ification in security training; I know that sounds impossible, but it’s possible. And working with your HR and marketing departments in order to construct training that’s actually fun for people. As IT folks, we tend to be pretty dry; we need to rely on people who can help us with that. And look at physicians: they’re constantly being tempted to click on something or install something. Organizations are striving towards 3 to 5 percent as the industry standard of what’s good. And you should be able to achieve that over time. We found that once we had changed our approach and incorporated things like applications our people actually use, all of a sudden, our numbers went down to high double digits. So you have to look at your curriculum, because a sophisticated threat actor is going to send sophisticated emails that look very real. In addition, there’s now voice phishing. Are you doing phone calls, SMS phishing tests? We’ve done NFA [National Futures Association] tests, and the results have been surprisingly bad. So it’s really about creating a training program that accomplishes all aspects of that, to guarantee the biggest success.”

“It must be integral rather than a one-off,” Staynings emphasized. “We need to train our nurses in nursing school about privacy and security; we train them about some of the HIPAA security rules, but don’t really train them about modern cybersecurity issues. The same is true about med school; we need to train our doctors. New doctors are placed into the situation; and there was a situation a few years ago in which, at the RSA conference, a group of ER physicians were tested on security onstage. It needs to be an integral approach to cybersecurity, and it needs to start at the board of directors and move on down. It can’t be just an annual little test; it needs to be multimedia, game-ified, and ongoing.”

“And it needs to become cultural, and part of everything you do,” Jones affirmed.