Season 4: Episode #114

Podcast with Lee Kim, Senior Principal, Cyber Security and Privacy, HIMSS

"As an industry we should be implementing basic security controls a lot more"

Hosted by Paddy Padmanabhan

In this episode, Lee Kim, Senior Principal, Cyber Security and Privacy at HIMSS, discusses the findings of their annual survey of cybersecurity. She talks about the emerging landscape of cyberthreats, the current state of security controls, and the heightened risks due to the interconnectedness of healthcare with other sectors. She also shares her thoughts and observations on the new threat that has emerged in the wake of the Ukraine crisis and what she is hearing from HIMSS members.

Lee discusses the onslaught of ransomware and phishing attacks from expanded networks of the nation-state and non-state actors and how a greater dependence on electronic information, forced by the circumstances of the pandemic has created a positive inflection point for improving our preparedness and responses to cyberthreats.

Lee talks about how HIMSS enables information sharing among “trusted circles” that include agencies and other non-provider organizations to help healthcare enterprises achieve greater maturity levels. Take a listen.

You can download the HIMSS healthcare cybersecurity survey report here.

Show Notes

00:48 The AHA recently issued an advisory for hospitals to be on high alert for possible cybersecurity incidents, including ransomware. What are you hearing from your membership at HIMSS and what have you learned so far?
03:39 Is HIMSS planning to issue, or has it issued, any kind of an advisory within its own membership?
04:56 HIMSS recently published an annual report, based on your survey of the state of cybersecurity in healthcare. Can you walk us through the big highlights of the report?
07:11 Were there any big changes from the previous year's survey?
10:04 Investment levels are going up in cybersecurity. Is it because cyber criminals are getting smarter and are becoming more sophisticated, and therefore you need to throw more money at the problem to stay one step ahead of them? Or is it because you are underinvested to begin with?
15:00 What are the cyber criminals phishing for?
19:36 Is there a pecking order in terms of where cybercriminals like to direct their attention? Is healthcare a preferred target for them?
22:32 What is the risk healthcare organizations are taking by choosing to partner with an increasing number of innovative startups? Is there something that we should be concerned about from a robustness of security protections and data protections in particular?
27:14 Is there a bigger shortage in cybersecurity workers relative to other parts of the tech sector? Or is it the same as everywhere else? If so, what's the solution here? What are organizations doing to overcome this?

About our guest

Lee Kim is the Senior Principal, Cybersecurity and Privacy at the Healthcare Information and Management Systems Society (HIMSS). Lee’s expertise includes cybersecurity, privacy, information technology, and law. Lee is a published author with numerous articles on data privacy, cybersecurity, and intellectual property. Lee’s publication credits include GCN, the American Bar Association, Digital Health Legal, Nursing Management, and the California Continuing Education of the Bar. Lee presents before a variety of audiences—technical, non-technical and legal for entities across the private and public sectors—and domestic as well as global.

Lee has served as a team leader of the US Department of Homeland Security Analytic Exchange Program and as a member of the National Cybersecurity Training and Education Center National Visiting Committee. Lee has also served with the (ISC)2 Government Advisory Council Executive Writers Bureau, National Cyber Incident Response Plan & NIST Cybersecurity Baldrige Excellence Builder working groups, and as a Vice Chair of the American Bar Association Health Law Section eHealth Privacy and Security Interest Group, eSource, and Emerging Issues in Healthcare Law.

Additionally, Lee is an AV Preeminent peer review rated attorney. Lee’s work experience includes incident response, system, database, and web administration, programming, and legal matters involving intellectual property, information technology, privacy, cybersecurity, healthcare, and EU GDPR.

Q. The AHA has recently issued an advisory for hospitals to be on high alert for possible cybersecurity incidents, including ransomware. What are you hearing from your membership at HIMSS and what have you learned so far in this context?

Lee: Our membership is obviously very concerned about what’s happening with the current geopolitical conflict. It’s safe to say that on any given day, there’s literally an onslaught of ransomware attempts and phishing attacks, but what troubles our stakeholders is the great degree of sophistication seen when you’re dealing with the nation-state actor or, in some contexts, non-state actors as well. The time horizon in such cases is much more compressed than with regular actors, and there’s much more obfuscation in terms of detecting that intrusion into systems and networks. So, that’s a concern.

Many healthcare organizations and their IT security departments run fairly lean. Consequently, they’re able to prioritize better and know what to focus on. For example, the Health Sector Cybersecurity Coordination Center (HC3) at the U.S. Department of Health and Human Services, the HSC and others share threat information, which may be of interest, especially regarding destructive malware and otherwise. Those indicators are good to have; however, there are so many threats and vulnerabilities that healthcare organizations have in terms of their IT systems and applications that, frankly, the best and most direct way for all healthcare organizations to be prepared is to prioritize and tackle their biggest weaknesses first. Then address other things based upon priority. We always say the best kind of intelligence is direct intelligence-sharing with your peers and within your organization regarding cyber threat indicators and phishing.

Q. Is HIMSS planning to issue any kind of an advisory within its own membership?

Lee: Our efforts are not limited to information-sharing within trusted circles of stakeholders, which include providers. So, there are different units of HIMSS that are engaged in getting the word out, including a DHS, CSA and also the HHS and others. The key is to be a convener and be part of that pipeline in terms of information-sharing as it were, within our trusted circles of membership.

Q. HIMSS has just recently published your annual report, based on your survey of the state of cybersecurity in healthcare. Can you walk us through the big highlights of the report?

Lee: Absolutely. Some of the highlights of the survey include things that are already known, such as the state of cybersecurity across healthcare organizations. We know from the headlines that phishing and ransomware are king in terms of incidents and intrusions that actually happen. But one of the ways in which our report takes it a little bit deeper is that we test assumptions. We can glean from the report that there are some kinds of systemic weaknesses across healthcare organizations, and that the security controls, perhaps, aren’t as robust. However, one of the key questions that emerged when we were developing the survey was: Is that true? If yes, how true? It’s one way to perpetuate assumptions without actual evidence, but in this case we have actual evidence as to what providers are doing at a granular level, such as not including security controls. Working on the technical side for healthcare organizations, I’ve certainly seen many that are slow to patch, but we actually have discrete, specific information in terms of how much time it takes to patch given certain perceived levels of vulnerabilities that healthcare organizations may have. So, I’d say that direct intelligence — the more specific and actionable it is, the better the steps healthcare organizations can take to reach higher levels of maturity in terms of their action plan or maturing their programs.

Q. Were there any big surprises from the previous year’s survey that caught your eye?

Lee: Yes, I’d say, the increased funding in terms of cybersecurity, especially during COVID-19, was definitely unexpected given various revenue sources were experiencing a shortfall. Now, COVID-19 isn’t yet over and just last year many healthcare organizations unfortunately had to cancel elective surgeries and turn patients away because of how severe the pandemic was. So yes, it was surprising and to be totally frank, that was very good news. That signaled, at least to me, that cybersecurity programs have become more of a business priority for many organizations.

In fact, if we look at what’s happening globally, and not just with the U.S., cybersecurity is critical. Whether it’s smaller healthcare organizations in the U.S. or those in countries that perhaps don’t have the electronic health IT infrastructure like we have, or countries that are less developed in terms of technology, they’ve been forced to adopt electronic health IT to track what’s happening in terms of COVID, healthcare, and treatments. So, it’s safe to say that cybersecurity has raised its profile as a result of a greater dependence on electronic information, which is forced by the circumstances of our pandemic. That’s certainly a positive inflection point for us in the industry.

Q. It’s certainly good news that investment levels are going up in cybersecurity. Is it because cyber criminals are getting smarter and therefore you need to throw more money at the problem to stay one step ahead of them, or is it because you are underinvested to begin with and this is just catch-up?

Lee: I’d say both. Let’s look at your second point which is very well-informed and a great observation — the health IT sector. Our first publicized nation-state cyberattack was in 2013, almost 10 years ago, and now, it’s 2022. We’ve certainly had a “catch up” period for that time-period in the past decade. Whereas, if we look at the more mature sectors, as they’re perceived, such as, the chemical industry, critical manufacturing, electrical etc., they’ve had decades to bolster their security practices, turn to more electronic information, follow mature security protocols – In short, they’ve already had a playbook of sorts that’s been tested. They have disaster preparedness against natural and manmade disasters whereas we, have been playing catch-up in the last decade.

But, it’s safe to say that the pandemic among other things, has certainly accelerated our progress. Cyber-criminal activity absolutely cannot be ignored by any organization. We see the rising costs of cybercrime, and other things related to that, such as the cost of dealing with mitigation if you are breached and I’m sure many organizations have concluded that regardless of whether they’ve experienced an attack or feel one’s imminent, we must understand that it is inevitable. No one wants to be in the headlines anew so the focus will be a lot on proactive measures.

However, looking at the questions in-depth, for example, surrounding the degree to which basic security controls are implemented, we really should, as an industry, be implementing the most basic security controls a lot more, whether it’s encryption, identity and access management, or even the firewalls and antivirus. The internet has been booming for over 25 years, so shouldn’t we be on-board in terms of at least antivirus and firewalls if that technology has been around? And if the price point for that in the precedent for encryption solutions has lowered as a result of such innovation, development, and the multiplication of offerings out there, I think, the answer is, yes.

We are really reaching the point where we can’t afford to be unprotected because, regardless of whether our sector is specifically targeted or there is a side-channel attack on another sector – water, electrical, manufacturing, telecom – on which we are dependent, we stand incredibly vulnerable in terms of critical infrastructure dependencies. Look at the National Infrastructure Protection Plan, the NIP, that clearly spells out all the sectors upon which we depend. I think, if people aren’t paying attention now, they will unfortunately experience the bite of a cyberattack and will have to unfortunately rethink their strategy.

Q. You make a really good point about the interconnectedness of infrastructure between healthcare and other parts of the economy. But I want to go back to one of the headlines of the report, which is that “phishing is still king.” What are they phishing for? Has anything changed in terms of what they’re looking for, or is it the same kind of data that remains vulnerable?

Lee: What needs to be traced is the motivation for the attack. For example, if I were a healthcare organization with a military base close by or some kind of defense operation in the vicinity, I may be, hypothetically, targeting people that have access to that information. That would be different from, for example, if a diplomat or someone of similar high status were treated at a hospital. Then their information would be targeted based on that. So, it truly depends upon the purpose of the attack. So often it’s assumed that the endgame for an attack is always the same, but we have to look at who’s attacking which entity and for what purpose, before we can make that determination and whether it’s because of the different geopolitical tensions currently happening or it’s because of who is being treated at your healthcare organization currently. It’s safe to say that organizations that are in those special situations are smart and layer their defenses and the strategy to account for that.

On the other hand, as we saw from the survey, money unfortunately tends to be the number one goal of attackers across nation-state actors, non-state actors, cyber criminals, or the “kid next door.” Often, the purse strings that the accounts payable person may have are attacked, or a highly compensated employee may be targeted through phishing websites that resemble a payment portal. Unwittingly, if they fall for such phishing attempts, their paycheck may be diverted. We’ve seen those attacks on providers in the past, and the way attackers work. Attackers employ efficient tactics that have worked before, whether for healthcare or another sector. They know time is money. So, the idea is highest efficiency for highest impact. That will achieve whatever their endgame is – money, stealing credentials, sensitive information – patient data, treatments, research on COVID-19, vaccines, or something more nefarious such as disrupting business operations or even clinical operations, etc. That attack is given that kind of purpose, so phishing does carry with it many other things.

Q. Is healthcare a preferred target simply because of the ease of attack and the potentially quick and high returns?

Lee: Well, certainly healthcare itself will be under attack if specific patients’ information is targeted. However, in terms of the sectors and the ease of attack, I think, it’s a bit of a myth that healthcare is easier to compromise than other sectors. Whether one is targeting government entities, other industries or critical infrastructure sectors, there are sectors that are easy to attack, such as, the financial sector. There are entities that do not fully share information within their organization, do not deploy security awareness across all personnel, so naturally, their rates for successful phishing attacks may be quite high.

I’ve heard that phrase before, and to some extent it’s true, because many healthcare organizations have just hired their CISOs in the past five or 10 years. There are some cybersecurity professionals with really skilled backgrounds within healthcare that have been working at the helm of their organizations for 25 years. So, I can assure you that some of those organizations are very tough to break into. But if you look at the symmetry of it all, the defense people or defenders on the provider’s side need to be right 100% of the time; someone on the offensive side needs to be right just once.

Q. We’re in an era of digital transformation. But what is the risk now that healthcare organizations are taking by choosing to partner with an increasing number of innovative startups? Is there something that we should be concerned about from the perspective of robustness of security protection and data protection, in particular?

Lee: That’s an interesting perspective. To give some context here, ever since at least January 2014 we’ve seen that the supply-chain style of attacks — whereby a vendor or a business associate has been compromised to essentially compromise the target, whether it’s a big hospital or whomever is at the other end that’s receiving those services – are rampant. So, with that in mind, it’s fair to say that as a general rule, the small and medium companies and the startups may be weaker in terms of their security defenses compared with the larger organizations, but that’s not always so given. You’re well aware of the asymmetric difference between the attacker’s perspective versus the person on the defense and how the person on the defense needs to always be right. Notwithstanding that, start-ups from what I’ve seen having worked with them over the years, I think, just like many other smaller organizations, tend to outsource various tasks themselves — whether it’s development or cloud services or others.

If there’s one weakness that I’ve seen — and again, not all start-ups are the same – it’s that, often, smaller companies just assume that by partnering with another entity or individual that it’s the other person’s responsibility. So, they’re less vigilant. What’s more, the degree of vetting from a due diligence perspective isn’t given due weightage. As an attorney I always tell people to be careful about who they deal with from a business and technical perspective, otherwise, how does one know how secure an entity is, whether they’ll be around, or how robust their solution is? Being new, very innovative and perhaps very cutting-edge, doesn’t cut short the need for undertaking due diligence. One needs to see who their partners are, what information they’ll get access to – accounts, machines, systems — who else may be involved because there are various factors, including insider threat, that must be taken seriously.

Q. We’re right now in the midst of a big shortage of workers at all levels, including tech workers. On the one hand companies can spend enough money to get the talent but that talent may not be available. One Wall Street Journal article indicated around 300,000 tech jobs that are open as of January! And healthcare organizations, technology vendors or vendors to a vendor are all facing this same problem. The issue can’t be outsourced and is a bigger concern than cybersecurity. So, is there a bigger shortage in cybersecurity workers relative to other parts of the tech sector? What’s the solution — more automation? What are organizations doing to overcome this?

Lee: In terms of workforce development and having that pipeline, it’s safe to say that many healthcare organizations prefer hiring cybersecurity professionals with previous healthcare experience. Because, you can’t simply ping a medical device, for example, and expect everything to be okay. If you see malware going into an HVAC device or otherwise, or some kind of potential trouble, for instance, you can’t necessarily close off the ports to live devices that directly impact patient care. You need to be careful with that, especially where patient safety and the care of patients is directly connected. So, those are special reasons actually why healthcare cybersecurity pros do have, interestingly, a specific body of knowledge that people from other sectors, such as finance, manufacturing, chemical or even the government, may not have. That’s because, if their emphasis is on confidentiality, locking up secrets so to speak, our emphasis above anything is ensuring that information is made available and has integrity so that we could rely upon that data. So that reality is quite different.

But in terms of some proactive measures being undertaken by some healthcare organizations there are things that are quite innovative. For example, some people in informatics may be trained up to assist with IT security duties. So, training from within is definitely a great thing because they’re familiar with the organization and committed to it. So, they find value in terms of what they’re doing.

Even with new individuals that are coming up from colleges and high schools and those that have certified cybersecurity credentials such as, certifications that we all know about or those that may graduate from a 2-4 year college with, you know, accreditation in terms of their cybersecurity degree — we know of some of these programs. I think that those things are prized. And once, a student with that potential, interns at a healthcare organization and is recognized by them to train, they are nurtured so they become familiar with the healthcare environment and continue to grow that way.

We may not be able to afford the salaries offered by more mature sectors in terms of cyber in healthcare but one way to combat that would be in terms of hiring students or people with less experience or training people from within, because, I think, there’s a renewed interest in terms of cyber. People are considering expanding their roles, responsibilities and wanting to delve into tech. Cyber is such a great field to be involved in. You’re always learning. We’re trained to think in ways that people generally don’t. We look at things from the reverse — how can something be attacked or breached? – And that’s like taking the glass half-full approach. We ask, “what’s not fine?” So, you know, it’s an interesting dynamic, but those are a few of the promising trends.

We hope you enjoyed this podcast. Subscribe to our podcast series at www.thebigunlock.com and write to us at info@thebigunlock.com

Disclaimer: This Q&A has been derived from the podcast transcript and has been edited for readability and clarity

About the host

Paddy is the co-author of Healthcare Digital Transformation – How Consumerism, Technology and Pandemic are Accelerating the Future (Taylor & Francis, Aug 2020), along with Edward W. Marx. Paddy is also the author of the best-selling book The Big Unlock – Harnessing Data and Growing Digital Health Businesses in a Value-based Care Era (Archway Publishing, 2017). He is the host of the highly subscribed The Big Unlock podcast on digital transformation in healthcare featuring C-level executives from the healthcare and technology sectors. He is widely published and has a by-lined column in CIO Magazine and other respected industry publications.

The Healthcare Digital Transformation Leader

Stay informed on the latest in digital health innovation and digital transformation.