Healthcare Cyber Expert: We're Standards-Rich and Assurance-Poor
In the wake of last week’s Congressional hearing examining cybersecurity in the healthcare sector, Healthcare Innovation Group spoke with HITRUST’s CSO, Robert Booker, a former CISO of UnitedHealth Group with 35 years of varied experience in the industry, about the state of cybersecurity in the healthcare field.
HITRUST, a certification company, was established seventeen years ago to address the healthcare industry's information compliance and security needs. Last week, the organization released its first Trust Report. The report's findings show that only 0.64 percent of HITRUST-certified environments reported breaches in the last two years.
What lessons have been learned from the Change Healthcare cyberattack?
I don’t think we know yet. The question that's most relevant to me is the amount of time required to recover their systems. I think what we will be really looking at here is…how healthcare responded to the event and its recovery. My belief is that they’re doing the right things. I’ve known the company for many years, and I believe it is dedicated to the mission of serving the people.
They’ve spent a lot of money on this, which they’ve disclosed… in their earnings, to recover their systems. It’s taking quite some time, and I think we’d like to understand the lessons learned about the recovery aspect and what we could do better as an industry.
What are your thoughts on the interconnectivity we see in the healthcare industry?
Healthcare, by its nature, is very interconnected. In the hearing, there was much questioning about consolidation in the industry. There's this challenge of size and scale. One of the things I think is lost in the debate right now is the fact that healthcare has, by its nature, required a level of scale and size to deliver efficient payments and services to the industry.
The health system in our country is funded by a combination of private insurance and employee-sponsored health plans. Then, there are public-sponsored health plans, such as Medicaid and Medicare. Those are delivered oftentimes through a number of separate states. So for a citizen to be able to just travel our country, move around, and get good health care wherever they are, there's going to be a level of infrastructure and system that is needed to deliver healthcare successfully.
I think about the fact that organizations like Change Healthcare and many other companies, including the major payers across our country, are an important part of the backbone of how healthcare gets delivered. It's easy to say, and I heard this in the hearing, that we should scrutinize these systems.
I ask a different question: What do we need to do as an industry to solve the cybersecurity problem? We heard proposals to mandate some of the requirements that have already been put forward in the federal space and are voluntary today. We're standards-rich, and we're assurance-poor. We have many standards. But we have never received really great guidance.
We now have Health Industry Cybersecurity Practices (HICP), which is a new treatment of security requirements for healthcare. It’s voluntary. If you want to take advantage of some mitigations from an audit risk perspective and possibly some safe harbor considerations, you can do something called recognized security practices. Only the largest companies in our healthcare system have the resources to do all of those things at the same time.
To me, the investigation after the event is not as productive as having people demonstrate that they're doing the right things all the time. We'd like to see this energy and this attention on this important problem focus on getting recognition for these different assurance systems, the ones that are the most reliable and relevant, and on the government starting to accept those pieces of evidence and proofs in the industry, because we think that'll motivate people to do more of the right thing, rather than wait to say whether they're compliant after they've had something bad happen.
How can standards be made more relevant?
The relevance comes from knowing that we select the right safeguards or the right protections, given the continuing and evolving threat landscape. There are some very good tools that are already in existence. The MITRE ATT&CK framework is excellent. We use it on a regular basis to check our standards to see whether we think we're still solving the right problems. Multiple times a year, we take our framework and look at MITRE ATT&CK. Based on threats and breaches and intelligence data that exist, we know that we've got mitigations for all the things that are currently happening or that are perceived to be starting to happen.
Pick the right controls. From this patchwork quilt of code standards and controls, apply them to your system and measure them with a measurable system so you can demonstrate with proof that they're being done. Then, go back and check them again and again and again. That's what makes an assurance both relevant and reliable: that it's doing the right things. It's measured continuously, and it's provable.
It's not at all a political consideration in my mind. It's a scientific consideration. Certainly, every time we look at events like Change Healthcare, we will evaluate ourselves and ask if there is more we should be asking people to demonstrate.
What was your takeaway from the hearing?
It's a clear bipartisan problem. Our legislative leaders are passionate about solving this and leaning in on it. It is a hearing we've seen before. We've had other events and in other industries. We need better standards. We need to understand whether these companies were prepared or not. And I think those are fair questions. The question for me is, are we doing something different? Are we asking different questions, because we've asked these before? We've added more standards, done more things, and we're not necessarily seeing improvement. Do we need to think differently about the problem?
As a company, how do I know that all the people I buy from are doing the right thing? How do we know that all of the health systems are doing the right thing? I think we need to reprioritize and talk about assurances as to the outcome. The standards are the way to prove that we’ve done the right things.
It sounds like there may be a gap between events happening and things to prevent those.
I think the gap is the passage of time. Any system created by a rulemaking process takes a lot of time to move. We want to be deliberative and thoughtful about what we do. Cybersecurity systems are based on standards written by good scientists who do the right things.
Let's imagine that tomorrow, some brand new threat comes along, and we have no solution for it. In my estimation, the most optimistic situation would take a year before anything could possibly be issued. I would argue that there's much that we could do as an industry if we had a system that was continually adapting itself. I think that's where we've missed the opportunity. I don't think we've yet come up with a system that allows cybersecurity to evolve. I think how we measure the system and select controls in the system are the tools that can get us there.
What is your advice for healthcare executives?
Let's manage the risk to a reasonable and acceptable level. Focus on building a system that is continually evaluating itself, giving you as a management team assurances that your system is continually operating successfully, and expect that of the people you work with and that of your third parties. Recognize that you're part of a system. In healthcare, we are an industry where hospitals, physician practices, and payers all work together. The industry should expect each other to do the right things, step forward into the problem, and manage the risk through things like assurances and other types of validation systems.
What has been the impact since the U.S. Department of Health and Human Services (HHS) released voluntary, healthcare-specific performance goals this January to strengthen cyber preparedness, improve cybersecurity, and protect patient health information?
It's a valuable reminder that there's more work that people could do. However, I don't see a call to action. The only way you get a call to action is to make it a compliance requirement, which I don't think is helpful because then people focus on compliance and not the outcomes. You can put a measurement system on the system that allows you to measure the outcomes, which is what I would advocate for.
We already have many standards, and more standards don't solve the problem. We need to measure what we have already issued.
What is your advice on standards implementation?
Start by knowing how you've achieved your standard. You always have to ask, "How do I know I've achieved those goals?" Do I create incentives for an industry that's spending every available dollar on healthcare? Ultimately, it starts with having a measurement or assurance system that can be used to know you're doing a good job.
What do you see as the key challenges going forward?
I think the challenge is the complexity. I have to be compliant with HIPAA, and I may have to be compliant with this new thing now. I still need to operate a system and keep my patients well-served. Every dollar I spend on compliance testing—and I'm not saying security—is a dollar not spent on security or healthcare. There are finite resources in healthcare.
What do you hope for the future?
We need to learn from the data. About 0.64 percent of our certifications have reported issues. I think that, in the future, we would offer that that model can be used by many.
We want to see more people focus on reliable and relevant assurances and use the standards and requirements the government has set to guide them towards good security. Let's measure the system so we can actually demonstrate our ability to do what we're asked to do.