In this episode, Clyde Hewitt, VP Security Strategy at CynergisTek, discusses the current healthcare cybersecurity landscape and what hospitals should be doing to protect themselves today.
Mike Passanante: Hi, this is Mike Passanante. And welcome back to the Hospital Finance Podcast.
Today, I’m joined by Clyde Hewitt who is the Vice President of Security Strategy at CynergisTek. He brings more than 30 years of executive leadership experience in cyber security to his position with CynergisTek where his many responsibilities include being the senior security advisor, client executive, thought leader, and developer of strategic direction for information and cyber security services.
Clyde, welcome to the program.
Clyde Hewitt: Thank you very much, Mike. It’s a pleasure.
Mike: And Clyde, we’re talking about a very important topic for hospitals today, healthcare cyber security. We all know that our hospitals are targets of many nefarious individuals out there. And we’re going to walk through a variety of things today to help hospitals know what they need to know in order to protect themselves from these types of attacks. So, we’re so glad you could be here with us on the show.
Clyde: Thank you.
Mike: So first, could you just briefly review the types of cyber attacks that hospitals could experience such as ransomware, malware. Sort that out for us.
Clyde: Okay. Mike, it’s a very challenging environment out there. I mean, if you think about the HIPAA security rule, the actual law was written in 1996, and then the rule was published in 2003. The final rule was published in 2003. And it was addressing a certain amount of cyber security threats that were out there.
A lot of them dealt with things like getting a virus on a 5 ¼ inch floppy drive. A lot of people used AOL back then. There were some viruses that could come in through e-mail. But it was nothing like the environment that we have today.
So, they tried to be technology neutral. They wanted organizations to change as the threats change.
But let’s look at those threats as we move forward. First of all, we used to deal with the individual hacker. This could have been the kid in the basement looking to basically boost their own ego.
But since that time, healthcare has taken sort of a spin. We’ve moved our electronic records from the back office in mountains of paper into an electronic form which means that they become more accessible.
By doing that, it also means that the data that is in those records becomes more and more valuable. So as that happened, now we start looking at things like cyber crime taking place. People or individuals, even organizations, go out and they try to steal the data, so that they can monetize that data.
And there are many different ways they can do that. First of all, they can hack the data. They can look at stealing devices that have the data. There was a case in Boston where a physician was robbed. The robber said, “Give me your laptop. You also have to give me your password.” Criminals realize that the data is as valuable as the hardware, and in many cases, a lot more valuable than the hardware.
So, you have the physical attacks like that. You have employees inside who have access to the data. And there have been cases published where employees have taken that data and monetized it through identity theft or opening credit cards based on patient information. So we see that.
Then recently, cyber criminals also have a chief financial officer just like many of the hospitals. The CFOs are looking to do things like reduce the accounts receivable time.
Of course, stolen healthcare data used to take 30, 60 or 90 days to take that data and actually monetize it. If you move into ransomware, then you can actually get a return on the investment of hacking in a matter of a couple of days. So if you lock up the hospital system, you say, “Pay me in bitcoins,” those that do pay generally will have to pay within seven days. So they’ve reduced that AR flow.
But more recently, we’ve seen a very disturbing trend. And that’s the fact that there is cyber terrorism and even cyber war. We’ve seen the WannaCry and the NotPetya viruses that had been out there.
If you think about the latter one, there are some organizations and some individuals that think that maybe that was an attack on the businesses within Ukraine because it seemed to be targeted directly to them. And as a result of that, that cyber attack got in the wild, and it created havoc across the United States. We saw that FedEx got impacted, Nuance got impacted, the Maersk Shipping Line got impacted as well as other organizations outside the United States. We also saw that biomedical devices ended up getting hit with that.
So, in this case, healthcare became collateral damage to something that could be akin to cyber warfare. So the threat spectrum is enormous. The attack surface in healthcare is enormous. And that’s what finance officers need to worry about.
Mike: And you said something interesting there. When you think about cyber security and all of the different kinds of businesses that are affected by that, what makes hospitals and healthcare providers prime targets? Everywhere I go, I read articles on this. And you see that it’s inevitably in the top three targets of industries that these criminals are going after. Why is that?
Clyde: Well, if you think about the security in banks, banks have had electronic records for multiple decades—three, four or five decades. Healthcare is something that has started using electronic records relatively recently. Hospitals have been moving to all electronic records based on the many things with the Meaningful Use Incentive Program and the fact that they want Medicare and Medicaid billed electronically and things like that.
The other reason that healthcare records are so valuable is, unlike a credit card, a healthcare record has no reset button. So what happens is, with a credit card, if someone steals the credit card number, they can issue a new credit card. So the length of time that a credit card is valuable to a criminal is a matter of weeks, whereas with the health record, there’s no reset button. So if they steal a health record, they can use it for years and years to continue to basically monetize it.
The other piece is, whereas banks are a very closed community (I mean, we have bank applications on our phones, but that’s an extension of the internal IT environment for the banks), in healthcare, we’re moving the other direction. We’re interconnecting hospitals with ambulatory sites, with patients, with clearing houses, with data analytics organizations, with health information exchanges. So we’re going exactly in the opposite direction in healthcare from the banking industry. We are expanding the amount of threat surface that is available for hackers. So it makes it easier.
Mike: That’s a great segue into my next question. These attackers can breach all types of systems, from medical devices to all the different types of software that the hospitals and providers use, their EHRs, et cetera. And in that situation, what are some of the preferred targets? And what do they attempt to do by infiltrating these different types of targets?
Clyde: I think of hospitals as virtual colanders. There are so many different ways that an attacker can get inside.
Previously, the hospital information security officers or CISOs have focused on firewalls, workstations, laptop encryption. But now, hackers are focusing their attention on email and compromised websites to deliver this ransomware.
We’re also seeing attacks through internet of things including biomedical devices and printers to deliver malware. Now, even if they don’t serve up malware, they can take over these devices and use them as platforms to attack other systems inside of the hospital.
Another big threat area is business associates. I mean, healthcare organizations since 2003 have known what the HIPAA rules are. But for the business associate community, it wasn’t until 2013 (just a few years ago) that they were even required to become HIPAA compliant. So, the business associates, they haven’t matured their security program as much. And therefore, they are a remote vehicle to get into hospitals to basically steal the data.
Mike: And I have to imagine, for a security officer, it can be frustrating because, as you mentioned, while some of these things are new, they are known. And there’s so much publicity around these attacks. Staff, I know working for an organization that is a business associate, by the nature of what we do, there’s constant preparation and education that we all receive, but yet these breaches still happen.
So, how are these attackers always just one step ahead? Or is there just something else going on?
Clyde: There is a confluence of many different factors going on right now. First of all, we have to think that hospital providers and business associates, they need to have that security management program that addresses all risk, not just information technology risk.
I mean, historically, we have seen a large percentage of the security officers focus on technology controls at the expense of other mandatory controls. If you look at the HIPAA security rule, only 22% of the controls are technical; the other 78% are non-technical.
So, if you take an IT-centric approach, you start to forget that there are other management processes and non-technology things that need to take place.
As I mentioned earlier, we’ve also seen the expansion of the cyber security threat spectrum. We’ve moved from solo hackers to smart groups to now terrorist organizations and even nation states. So basically, we’re out-staffed, we’re out-motivated. We have, collectively, fewer resources to fight the cyber terrorism and cyber warfare that’s going on right now.
So, I think the attacks will continue. I think they’re going to get worse.
Mike: Yeah. And we’re going to touch on that in just a minute as well. I want to get into that with you more.
But before we do, since this is the Hospital Finance Podcast, I’m just interested in your thoughts on some of the things related to cyber attacks that hospital financial professionals should be particularly concerned about.
Clyde: Hospital finance professionals, especially the CFOs, need to ask themselves first, “Is there a risk management program? Is there a risk management process? And does that process identify and escalate all cyber compliance or risk to the appropriate decision-making authority?”
I mean, I’ve seen organizations where someone who’s the senior representative on the helpdesk accepts risk for the organization that is way above their pay grade because there’s no process to formally identify risk, elevate it to the appropriate decision-making authority, and then actually track that things get done to address that risk.
That means organizations, and finance officers specifically, should be publishing a defined matrix of who can accept risk at what level based on what dollars. And those individuals then need to be held accountable to select an appropriate risk response.
There are many different ways to treat risk. You can accept the risks. You can transfer the risks by having insurance. You can also mitigate the risk. Or you could reduce the risk source by basically taking it out of play, but that means applying additional controls.
The second thing, finance professionals need to ensure funds designated for compliance and security are actually spent on mitigating the risk they were allocated for. Some are seeing that mid-year budget cuts have the potential to impact security budgets disproportionately more than an operational budget.
I mean, if you give security money, or give money to a chief information officer to mitigate security, and then halfway through the year, they take a 3% or 5% cut or some small amount, security seems to get cut first. And that happens when risk is not tied to the funds that are allocated to address that risk. That’s one of the things that’s very clear.
Third, I don’t expect cyber security investments to decrease any time in the foreseeable future. I see quite the opposite. I think they’re going to go up.
Now, finally, one of the things CFOs need to do is make sure that they have financial reserves to help recover from a cyber security attack. I mean, this could include things like the cost of bringing in outside help, legal fees, regulatory fines. But it should also be enough cash reserves to basically carry the organization through a certain amount of time in case the data is lost due to a ransomware attack.
Mike: Those are some great thoughts there, Clyde. My last question for you—and it touches on what you mentioned before. So 2017 has certainly already seen its share of attacks as you’ve mentioned. My question is: “Is the industry getting better at preventing these attacks or are we likely to see a continued targeting of healthcare providers?”
Clyde: That is a complicated question with a complicated response. I see certain healthcare organizations accepting the new world order. I see them making investments in people, process, and technology.
Other organizations still view security as a cost, not an investment center. They want to take a minimalist approach to securing the data. Worse, both organizations may be attacked. What’s going to happen is those organizations that are better prepared will come out of that attack in a better position than organizations that are not prepared.
Mike: Clyde Hewitt, thank you for helping us understand more about the healthcare cyber security landscape and joining us on the Hospital Finance Podcast today.
Clyde: Mike, it has been my pleasure. Thank you very much for allowing me to share my thoughts.