In this episode, we’re pleased to welcome back Wade Wright, BESLER’s Chief Technology Officer, to give us a glimpse into BESLER’s next webinar, Cybersecurity in Healthcare, that we’re hosting on Wednesday, October 25th at 1 PM ET.
Highlights of this episode include:
- Most common types of cyber threats that healthcare organizations are facing today
- Artificial intelligence and machine learning
- Real-life incidents where cyber attacks significantly impacted healthcare
- Lessons learned
- Key challenges in implementing robust cybersecurity measures
- How HIPAA influences cybersecurity practices in healthcare
- What role do employees and staff play in a healthcare organization’s cybersecurity posture
Kelly Wisness: Hi, this is Kelly Wisness. Welcome back to the award-winning Hospital Finance Podcast. We’re pleased to welcome back Wade Wright, BESLER’s Chief Technology Officer. In this episode, Wade will give us a glimpse into BESLER’s next webinar, Cybersecurity in Healthcare, that we’re hosting on Wednesday, October 25th at 1 PM Eastern Time. Thank you for joining us today, Wade, and welcome back.
Wade Wright: Thank you, Kelly. I appreciate it very much.
Kelly: All right. Well, let’s jump in. What are the most common types of cyber threats that healthcare organizations are facing today?
Wade: It’s the big ones that you hear about usually in the news and hopefully are being made aware about through your organizations. Ransomware is right at the top of that list. This is the act of typically encrypting systems so that people can access them, and then demanding a payment to get that remedied. Also phishing, the attempt through emails to trick people into clicking on things that are malicious and bad. And then also data breaches where PHI is captured and sold on the dark web and other places.
Kelly: Yeah, there are a lot of threats right now. How have the cyber threats in healthcare evolved over the last few years, especially with the advent of technologies like artificial intelligence and machine learning?
Wade: Like any tool, AI and machine learning can be used either for good or nefarious purposes. We’ve seen a major uptick in the quality of phishing attempts that are clearly involving AI. Often, that gets used in creating the copy that’s in the message. You can spot them still, but it’s not as easy as it used to be. These tools are getting used to scrape LinkedIn and other social media sites to get information that would probably lead you to believe that this might be more legit than it is. We use AI and machine learning in the development of our products here at BESLER, but we mostly use it defensively regarding security. Many of the cybersecurity tools we use have significantly increased their effectiveness through their use of AI and machine learning. They’re becoming much better at detecting behavior versus just looking for a specific signature of malware and other malicious software.
Kelly: There is a lot to keep in mind these days. Can you share some real-life incidents where cyber attacks significantly impacted healthcare and what lessons were learned from those incidents?
Wade: I guess just about everybody in healthcare has seen on the news, or has been involved with, or knows somebody who has, a major attack carried out on a hospital or physicians group that they’re aware of. I personally was in a hospital a year ago when a ransomware attack occurred on the hospital while I was there. It happened on the second day of my week-long stay. So, I got to see firsthand what happens. First of all, all of the computer-assisted work suffered immediately. For example, just getting meds became a very paper-heavy process. The nurses had to write absolutely everything down. They had to get their phones out and look to double check to make sure that there were no interactions with other medications. I mean, things that would just happen in the blink of an eye when they could use their systems. Thankfully, the quality of my care wasn’t affected in any way, just an inconvenience for me, but it certainly made life very hard and stressful for the staff at the hospital. At BESLER, we work with hundreds of hospitals across the country, and we’ve seen all types of maliciousness. I’m certainly not going to share any of the details of those particular things, but I will share an incident that happened with BESLER that almost hurt us.
We had a former employee who shared the same password across many different sites, including their BESLER login. One of those websites was compromised, and bad actors then had access to their password. This bad actor, who we think was probably from North Korea, logged into our email system, impersonating this employee, and set up an email forwarding rule so that anything that had to do with banking would get sent to their email address. Words such as ACH or bank account, those types of things, were put in there. Obviously, this is an attempt to gain access to bank accounts and to divert any transactions or any other information that they could get. Without discussing the nitty-gritty about how our team stopped this from becoming a problem, I will say that it’s mostly due to our team’s experience with preventing data exfiltration, coupled with our new tools that did use AI and machine learning. And they helped to solve this pretty quickly. In the old days, a few years ago, we would likely not have even known this occurred, much less been able to prevent it like we did.
Kelly: Some great lessons there. What are the key challenges in implementing robust cybersecurity measures in healthcare institutions, especially with those legacy systems?
Wade: Legacy systems are almost always coupled with legacy policies and legacy procedures, which can really further exacerbate the challenge. On one hand, you may have either hardware or software that’s simply not going to be getting the upgrades or updates needed to prevent security issues. For example, we still see organizations running on Windows 7. While staying up-to-date and modern is no guarantee that you won’t suffer a cyber incident, not staying up to date makes it almost a certainty. Furthermore, for organizations like this with legacy systems and those types of things, their security practices and policies are typically legacy or old as well. And bad actors much prefer easier targets for obvious reasons. If you don’t want to keep your systems up to date, it’s very unlikely that your defenses are modern and up-to-date either.
Kelly: That makes a ton of sense. How do regulatory frameworks like the Health Insurance Portability and Accountability Act, better known as HIPAA, influence cybersecurity practices in healthcare?
Wade: Of course, HIPAA is at the foundation of protecting individuals’ protected health data. Ensuring the data is always encrypted at rest and in transit is just the first elementary step in cyber defense. A much more challenging problem is the human element. In general, it’s easier to trick people than it is to trick a computer. Embracing the spirit of what HIPAA codifies is where the real work and challenges lie. Everyone who has access to PHI on a day-in and day-out basis can become so familiar with the handling of it that they can get tripped up by a simple, yet very easy to make, bad mistake. For example, you might copy some PHI into an email to send to a colleague to discuss and get their input on it, and forget to encrypt that email when you send it. This obviously can lead to a very serious fine and a loss of trust for your patients. While HIPAA certainly puts teeth in the regulations, we guardians of confidential data should simply do all we can to protect it.
Kelly: Most definitely. What role do employees and staff play in a healthcare organization’s cybersecurity posture? And how can they be better educated and prepared to mitigate cyber risks?
Wade: People are easily your best defense or your worst nightmare. Normally, it’s somewhere in between on that spectrum. At BESLER, we’ve got dedicated security staff where that’s all they do. They live and breathe it all day, every day. And of course, we have everybody else in the company who, in some form or fashion, has to care about cybersecurity. What we found to be the most effective is short but frequent training, especially with regard to relevant and recent events. One of the several tools we use is called NINJIO. They produce an animated training video every month that takes no more than five minutes to do. They are almost always very relevant and useful. For example, we had a recent episode discussing juice jacking, which most people would have no idea about or know what that means. But basically, it’s how bad actors can use hardware at a public phone charging station and steal info right off of your phone because you think it’s just charging the battery. Giving people real and useful info is the key to continuous improvement with your staff and your organization’s security posture. People need to understand the challenges your organization faces, and you need to put tools in their hands to help them accomplish your security objectives. For example, we have tools that scan an email before it is sent, looking for things like PHI or other confidential information, and ask the user if they want to encrypt it before sending it. Of course, this isn’t foolproof, but it definitely helps.
Kelly: Yes. I know I personally really like the training that we do. Especially, I really enjoyed that one on juice jacking because I didn’t know that even existed. So, thank you to Wade and your team for bringing some of that to me because I know I’ve learned something. How do you see the future of cybersecurity and healthcare evolving?
Wade: I think we’re going to see the constant ebb and flow between bad actors and security professionals. When one of those two groups gets the upper hand on the other, the other always seems to be able to turn it around. At the moment, the bad guys have a slight upper hand, but I think we’re going to see more and more tools that will help on the security front to swing the pendulum back in our favor. I would like to see some changes in regulations, too, that could help organizations versus having unintended consequences that we suffer from today. For example, the possible financial and punitive damages levied against an organization are part of why healthcare is becoming more and more targeted. We’re so scared of paying a heavy fine or losing our insurance that we can be led to make bad decisions in a crisis. For example, you may be more inclined to pay the ransom in a ransomware attack, even knowing that that absolutely will lead to more ransomware attacks because basically it was successful. The bad actors know we’re scared and therefore utilize that in targeting us. What’s worse is that it’s easy to forget that what we should be doing is protecting PHI because it’s the right thing to do. It’s like when I was younger and seatbelts became mandatory. Some people wore them so they wouldn’t get a ticket, and some people wore them to significantly improve their chances in an accident. I’d like to see cybersecurity and healthcare do the right thing, as it were, versus just doing the right thing so we don’t get fined or have some type of regulatory action against us.
Kelly: Completely agree with that. And Wade, what advice would you give to healthcare administrators to better safeguard their organizations against cyber threats? And what resources would you recommend for staying updated on cybersecurity best practices?
Wade: First, I’d say train your people. For your security people, you need to have them constantly trained on what’s new and how to combat it. You need to have your non-security people trained on practical ways that they can improve your security posture, and focus on why certain practices are problematic or what the results of those actions are. For example, in a recent security drill we did, we showed how a bad actor attacking us could lead to an employee’s personal bank account information being accessed. People’s awareness and concern exploded exponentially when they realized that not only was the company in danger by certain accesses, but so was their money. As for resources, I’d start with CISA.gov. I’d also find well-known tools and implement them. You want to avoid vendors like Joe’s Most Excellent Security, and make sure you do some research on them. We heavily utilize Qualys. Both Qualys and CISA give us up-to-date information on security issues that are live and things that are happening immediately. We get notices that same day that a vulnerability becomes exposed, and we often get hundreds of notifications each week that we review to make sure that each one of those either does or does not impact us, and figure out how we mitigate those. Regularly reviewing that information and seeing if it impacts your organization can really be the difference between a mild inconvenience and your organization becoming totally crippled. But more importantly, it could be the difference between life and death for one of your patients.
Kelly: Well, thank you for sharing those resources with us, Wade. And thank you so much for joining us and for sharing this sneak peek into what you’re going to cover in BESLER’s upcoming webinar on Cybersecurity in Healthcare that we’re presenting live on October 25th. Thanks so much, Wade.
Wade: Thank you.
Kelly: And thank you all for joining us for this episode of The Hospital Finance Podcast. Until next time…
[music] This concludes today’s episode of the Hospital Finance Podcast. For show notes and additional resources to help you protect and enhance revenue at your hospital, visit besler.com/podcasts. The Hospital Finance Podcast is a production of BESLER | SMART ABOUT REVENUE, TENACIOUS ABOUT RESULTS.
If you have a topic that you’d like us to discuss on the Hospital Finance podcast or if you’d like to be a guest, drop us a line at firstname.lastname@example.org.