Just How Secure is Healthcare?

HIMSS Interview with Richard Staynings

During HIMSS 2016 in Las Vegas I was interviewed by the press for my thoughts on the cybersecurity risks now facing the healthcare industry, and how effective healthcare boards were in managing down these growing risks to their business. While some of the content was broadcast, the following is an edited transcript of the full interview:

Welcome. I'm here with Richard Staynings, Security Principal and global leader of cybersecurity for the Healthcare Industry at Cisco. Richard is a respected thought-leader in healthcare security and is here at HIMSS with us today.

Richard, I know that you're on a journey talking with healthcare executives and their boards about cybersecurity risks, threats and security best practices, but how receptive, and how aware is the industry to your message? What level of awareness and understanding are you finding when meeting with healthcare leaders?

Richard S.:
I think healthcare executive and Board understanding of cybersecurity has evolved quite radically from where it was, say, as little as five years ago. Most of this evolution has occurred quite recently in fact.

I think there's been a late awakening amongst Boards of Directors of healthcare providers, payers, and pharmaceutical organizations; a realization of the cyber security threat, and the way that that impacts not only their current business, but also their future business. If we talk about intellectual property loss within the pharmaceutical industry for example, it's a huge concern. The next generation of genomics-based medications is already assumed to have been stolen, largely by foreign nation states, in order to bolster their own pharma sector. All this, largely because of ineffective security across the industry to protect its intellectual property.

At the same time, we're seeing a large amount of media attention generated with regard to cyber breaches of our healthcare systems - patient health information being stolen and exposed, or patient information being encrypted and held to ransom, as has been the case at several hospital systems over the past month. Or malware infestations on hospital networks that have resulted in the hospital having to revert to paper, or even worse, to unplug their network core so that they could deal with the outbreak.

Boards are now aware of some of these issues, many of them have a good understanding of the enterprise risk and potential impact to their business of cyber security, which I think is something that historically wasn't the case. Security and the Board to a large degree speak different languages and it's taken a new breed of security leadership to bridge that gap and to translate. By and large, that language barrier caused some historic rifts, and didn't go far in engendering trust towards what security leaders were telling their Boards and executive leaders.

I think there's been a growing realization that in order to communicate to boards, you need to use appropriate language. You need to talk in terms that board members will understand: profit and loss, balance sheets, the cost of action versus the cost of inaction, for example. I think there's a greater risk in healthcare however, because it's not just a question of fines, penalties, restitution costs, or even loss of reputation, it's the fact that there could be physical damage caused to patients, where cyber attacks could compromise patient safety. Protecting patient safety has been the holy grail of healthcare risk management for as long as I have been working in the industry, and now we are seeing a convergence of cyber risks and patient safety concerns.

Cyber attacks can now be leveled against the actual delivery of care to patients in hospitals. Many medical devices are easily compromised to the extent that it's not inconceivable that patients could soon be assassinated in our hospitals. It's relatively easy to compromise the medical devices that patients are attached to, and which may be keeping them alive, or surgical devices being used in an operating theater. This is something I think boards of directors are beginning to recognize, though from what I've seen, most have yet to fully comprehend the magnitude of the threat.

Do you think that once they understand the risks, that leaders have the ability to react quickly? Is it something that they have to go back to their foundation to fix, or is it something that they could put a task force on it and get remediation fairly rapidly?

Richard S.:
The healthcare industry is a juggernaut. It's quite conservative. It takes a lot of effort to stop, and doesn't change direction quickly. Security has largely been an afterthought in the healthcare space. The focus has always been on patient care. Security across the healthcare industry has been massively underfunded and understaffed compared to other industries. Healthcare is probably 10 years behind financial services in most areas of security, and even more so in the formation of high caliber security teams for example. Healthcare is not seen as a glamorous destination for many security professionals. Most transfers into the industry recognize that they will be fighting an uphill battle just to play catch-up to where they were in their previous organizations.

With the right Board and executive sponsorship, reinforced by effective governance and security leadership, and of course funding, the security gap could be narrowed quickly, through more effective adoption of expert managed security services. This would allow the small number of experienced professionals that work in security to focus on higher value tasks.

More importantly, I think there are some more fundamental and structural problems in the way that security is viewed within most healthcare organizations today. Security needs to be elevated in terms of priority at the executive and board level. Security leaders need a seat at the table in Board meetings, so that Boards can effectively discuss, and be made aware of cyber risks and issues that may accompany new service offerings, new business ventures, mergers and acquisitions, etc. The Board needs to be fully informed to make the right decisions and that's not going to happen if the security message is being relayed through the CIO, or someone else with direct access to the Board.

Given Board understanding of the risks, and the desire and funding to secure their organizations, what should security leaders focus on first?

Richard S.:
Healthcare security leaders would love an unlimited budget to go out and secure their environments. They have years of under-investment to catch up on, but we need to recognize that Rome wasn't built in a day, and healthcare doesn't have unlimited funds. If anything, funds are getting tighter, which means dollars allocated to security need to come from elsewhere: IT, charitable patient care, etc.

Realistically, and to answer your question, I think that comes down to fully understanding the risks that are being borne by the organization, and the potential impact to the organization's ability to function. That means understanding how the organization works, where there are opportunities to make significant improvements to the risk/reward balance, and to target scarce resources most effectively.

One of the most effective ways of understanding risk is to conduct a risk assessment but then to prioritize the remediation of risks and control gaps based upon the reduction in enterprise risk. What level of risk can I reduce with the least amount of money? Can I tackle remediation of these really big risks over the course of many years? (Because hospitals have very limited budgets and that situation is not getting any better.) There's an increasing squeeze on healthcare provider budgets especially, because of reduced reimbursement rates from insurance companies and government, and that is really compounding the difficulty for CISOs to block gaps in their overall infrastructure, through the implementation of new more effective security controls.

I think there's also been a historic problem with what I call the "shiny object effect."
"There's a new tool out there that looks to be a panacea to many of the security problems that I have. It's very expensive; the cost to implement is not really fully understood; the time to implement is not really fully understood, and it may be many years before the new tool is able to effectively reduce risk from the time its purchased."
There's been a temptation by CISOs to go after that shiny object, rather than to look at what is the most effective use of the scarce resources at their disposal. There are many opportunities for CISOs to reduce risks very quickly without the outlay of large sums of money, however these opportunities are often missed because security leaders fail to look at security through the conceptual lens of enterprise risk management and risk reduction.

One particular concern in healthcare has to do with the growing security resource shortage. The whole of security is suffering from a massive shortage of qualified, experienced, security professionals and this was reflected in the 2015 Cisco Mid-Year Security Report which found that there's a 12x demand over supply for security professionals. Healthcare doesn't pay as well as financial services and many other industries, and therefore, it's lower down the stack, in terms of its ability to attract and retain top cyber security talent; skilled resources needed to help defend against the attacks that are being leveled at the industry.

I think there's a growing recognition across the healthcare industry, of the need to look at optimizing the scarce security resources that it's able to attract and retain, and to focus the attention of those professionals on the areas of greatest need in healthcare security. Areas like security architecture and security awareness training for example. Healthcare is a very labor-intensive industry, and users have largely disparate levels of computer literacy and security awareness. I think we do that by looking at what we can accomplish more effectively; by procuring services from service providers, that can provide expert services that we could never justify staffing ourselves; and to do that cheaper, better, faster, than if we were to build those capabilities internally.

You've dealt with high-level executives and boards, can you compare and contrast the ones that 'get it' versus the ones that don't get it? What's contributing to that?

Richard S.:
I think there's been a change in the makeup of healthcare boards over the past few years. I've been presenting to boards of directors for probably 15 years or more. I think historically, healthcare boards were made up almost exclusively of clinicians or those sponsoring health services - nuns, for example, in the Catholic Health System, retired and active physicians, line of business owners, as well as the CEO and his team of direct reports.

More recently I've seen a diversification of typical board membership, and the skills and backgrounds of members. This is a big differentiator to those boards that 'get it' and those that have a hard time understanding cybersecurity. It's not universal across all organizations by any means, but there is a growing trend towards diversification.

I'm seeing expertise brought in from other industries, from banking and finance, and some retired military. Also, some people from government and defense backgrounds, that are on the boards of larger healthcare organizations, and are able to bring experience of how other industries 'do security', and an understanding of the cyber risks that they've seen during their active career, or in their full time jobs. They're able to share those experiences and contribute to a much richer board decision-making process.

I hear a lot of times that the biggest risk factor for security is just workforces themselves. How do you believe companies are dealing with that issue - that the workforce may be the weakest link in security?

Richard S.:
Well, your people are your greatest asset, and also your biggest risk. This is particularly so in healthcare. You have at one extreme, some of the brightest, smartest people on the planet - physicians. Very computer literate, many of these physicians are extremely capable at working their way around rudimentary security controls that IT may have put in place over the years. At the other end, you have scrub nurses, food services, and janitorial staff that may almost be computer illiterate. It creates an interesting challenge when it comes to the question of, "How do we take a security message out to our entire workforce?", whether they're contractors (most physicians, for example), employees (nursing, admin and billing staff), or contract service providers for janitorial services, maintenance or food services.

How do we take a message out so that all of our people are working together towards a common goal of securing the network, securing the hospital, and protecting patients? I think we have to do that via a quite elaborate security awareness program, and it can't be just a one-off program where all users sit down in front of the same computer and answer a few questions at the end of a video. It also can't be something they do once a year, as part of a staff or contractor attestation that they will follow security and privacy policy.

It needs to be an ongoing process, and it needs to be differentiated and targeted to different types of users. Physicians should see one type of training program, executives see another type; those people who work in IT and may have elevated permissions see yet a different type of program, and those people that are on the cutting edge of delivery out at the nursing stations, should be provided a different type of awareness program that's more privacy focused, and more targeted towards the types of phishing attacks and social engineering that they may experience while fulfilling their jobs. They are in a very different situation to IT, admin or senior executives who, by and large, work most of their days behind closed doors, or at sites where they don't see the public at all.

On that note, where I've seen the most effective security awareness program is where there's a rich and diverse multimedia approach. Where there are a variety of web-based delivery systems, classroom based lectures, and brown-bag seminars / group lunch discussions, and where users are required to participate. Most importantly, where there are constant reminders to awareness themes throughout the workplace, so it's not forgotten.

One particular health system I do a lot of work with, has little cartoon characters on their elevators and at doorways. It's to remind the staff subtly not to talk about patients in public areas because they could be overheard. Most patients that walk through the hospital probably just think it's a cute little animal for the kids, and have no idea of the value it's also providing to staff privacy and security awareness. The value that these animals provide is immeasurable in terms of making the staff aware and making them think, "Hey, I'm in a public area. I can't discuss patient issues here".

Healthcare rightly or wrongly is seen as an increasingly highly regulated industry. Have you found that these governing organizations are helping to advance security?

Richard S.:
I think compliance in the healthcare space was the initial spark that really led towards improved security and privacy across the industry. I don't think it's necessarily as effective as it could be however.

In the United States, we have the HIPAA regulations. They were written in 1996 when most of us didn't even have modems attached to our home computers, and many of us were running Windows 95. We didn't have web 2.0 social media technologies. We didn't post to Facebook, Instagram, or SnapChat every 10 minutes, as my kids tend to. We didn't have instant message, or many of the technologies many of us live on today – especially the younger ones! 

Hospitals were largely paper-based back in 1996 when the HIPAA regulations were created. HIPAA was a political compromise in order to put something in place to protect the privacy, initially, and later security of healthcare. It's been enhanced with the HITECH Act and Omnibus changes, but it's still a high-level advisory type regulation, and is widely open to interpretation. It's not a prescriptive rule set in the way that we have in other industries, like PCI DSS that says, "You shall do this, this way, and this way only, and if you don't do it exactly as written, you're non-compliant."

HHS OCR, the Department of Health and Human Services Office for Civil Rights, has come in with its audit protocol and looked at HIPAA compliance from a very different paradigm. OCR looks at it from an audit compliance perspective, more so than the checkbox mentality that the healthcare industry itself has tended to follow. OCR assessors look for the effectiveness of controls in the same way that a financial auditor would, and they look for evidence that a control has been tested for its effectiveness and that this has been documented. That's beginning to change things across the industry.

In other jurisdictions, we have new regulations that are slowly being implemented or enhanced: Singapore Privacy Act, Caldicott, Australian Privacy Act, European Privacy Directive, etc. These tend to be more privacy focused, but increasingly cover many aspects of traditional security – cyber attack and breach notification for example, or use of patient data in research. And we've got other regulations in the process of being revised or expanded in other countries, as well.

I think compliance was the initial spark that led to awareness of the need for security in healthcare, but I think that's now minor compared to other risks, particularly around cyber attacks and breaches of PHI, which seem, almost every other week, to be all over the papers and TV news channels. We're seeing a growth in targeted attacks against healthcare; ransomware, for example, the encryption of medical records, and then holding them to ransom for tens of thousands of dollars, or even larger sums of money in some circumstances. That's just the beginning in my opinion. Where I see things going, is towards not so much the ransom of information, or the theft of PHI, but towards open extortion and ransoming of patient lives, where hackers may have gained control of entire parts of our hospitals and be able to inflict real life-threatening damage.

I don't think we are far-off before we're going to see ransom attempts leveled at hospitals to say, "If you don't pay a thousand Bitcoin, I'm going to start killing babies in NICU" or, "I'm going to start assassinating people on life support in your ICU, or undergoing surgery in your operating theaters."

One massive attack vector that very few hospitals have considered is their ICS or Industrial Control Systems. Systems that manage HVAC for example, which are critical in healthcare for disease control and for clean rooms like operating theaters. As a hacker, if I own your HVAC systems, I can mess with the airflow, temperature and humidity levels, and render whole parts of the hospital useless – and lock everyone else out of the system at the same time.

If I've gained control of your elevator systems, I can prevent you from transporting patients between floors – maybe on their way to or from the operating theater.

If I own your water management or electrical management systems, even for a short time, I can wreak havoc. Many of these ICS systems are totally automated in our hospitals today, and are remotely managed over the Internet by a service provider. 

All of these are very feasible attack vectors against healthcare, and most of the people running these attacks live tens of thousands of miles away, in other countries, out of the reach of law enforcement. There's recent evidence to suggest that many of the perpetrators of some of the recent ransomware attacks against healthcare, are in fact, employees of state cyber espionage units, moonlighting after hours.

I think some more forward thinking boards of directors are slowly becoming aware of the real risks to their organizations and patients, and are beginning to look at ways that stronger controls can be put in place, to manage the very broad range of threats that could be leveled against healthcare.

That's amazing stuff. It's almost like a controlled outbreak ...

Richard S.:
You imagine a man-made Hurricane Katrina. During Hurricane Katrina, the New Orleans hospitals were rendered useless because the water, sewer, power, air circulation, all eventually came to an end. Back up generators ran out of fuel. Fuel trucks couldn't get to those hospitals. Flooding rendered large parts of the hospitals inaccessible, and very quickly full of mold, such that patients could no longer stay inside for their own health and safety. Patients were carried out (where they could be carried out) and placed on flood debris in many cases, which was on dry ground, to get them out of the hospitals that were filling up with airborne mold spores. Many patients were too heavy to carry down flights of stairs. Elevators didn't work because there was no power, so they died in their beds.

Imagine if I were a rogue nation state or a well-organized and skilled terrorist group conducting a cyber war against the United States. I would most likely first go after power generation and distribution systems, water management and other critical infrastructure to disable the domestic systems the military and modern Americans have come to rely upon – running water, regular power, etc.

After critical infrastructure, I would attack hospital systems, because that's where the weakest and most vulnerable people in American society would be found – those unable to look after themselves. I could tie up thousands of National Guard troops forcing them to care for, or rescue, the most needy in society, divert them from defending against other attacks, and weaken a speedy counter-attack by the military. These are all feasible, albeit unpleasant, scenarios and many people have written and published in this area.


Richard S.:
Oh, it's scary alright!

What's the biggest leap forward that you've seen within the last year with regard to security?

Richard S.:
Security is always developing and there are a lot of cool new capabilities every few months so it seems. However, given the kinds of attacks we are seeing against healthcare, I would have to say Real Time Threat Analytics. Understanding where threats are coming from, and recognizing an attack almost immediately; the ability we have now, to identify anomalous user and system behavior, and to light up our networks so we can use the network as a sensor and as an enforcer of the security policy that the board approves, and is enforced by the CISO or security leader.

Recognizing when an attack is underway is incredibly valuable so we can block it, and thwart the attack before data is stolen or compromised. Historically, we've looked at things forensically and 'after-the-fact', when damage has already been done. We bring in forensics teams to investigate the integrity of file systems that may have been compromised; we bring in forensic investigators to work with law enforcement and to preserve evidence for prosecution. But in healthcare a breach is a breach and I'm already in a world of hurt!

In most hospitals we're not being active in terms of saying, 
"There's an attack coming in. There's some malware that's just been added to my network. I've got suspicious behavioral activities, and new communications out to the Internet, that are out of the ordinary. They don't fit the usual pattern of activity on my network. I'm under attack," 
and be able to pull the plug or to block that attack; to put defensive measures in place to thwart that attack before the damage is done; before my files are encrypted; before I need to notify patients that their records were compromised; before I need to contact the OCR and let them know that there's been a breach, and my reputation is tarnished, because I'm now on the HHS OCR 'Wall of Shame'.

I like the predictive nature of that. What do you think differentiates successful attacks on some healthcare providers from those that fail?

Richard S.:
Let me start by saying that across healthcare delivery, the vast majority of attacks go totally unnoticed. Healthcare simply doesn't have the resources to monitor what's happening on all of its systems, and its rapidly expanding network of partners, suppliers and HIEs. There's no single regulatory body to identify a common point of information disclosure for identity theft, or medical insurance fraud, etc. like there is in the payment card industry for example. And information stolen from healthcare, by and large doesn't expire, in the way that a credit card number does after a certain period of time. I can use or sell that stolen information whenever I like.

With the exception of the very largest providers, most organizations lack a security operations center, or have staff viewing event management systems 24 by 7. Those that have invested in a SIEM have a hard time getting usable, high-fidelity information from alerts. 'False-positives' keep security operations staff chasing their tails, rather than quickly being able to identify real attacks and risks, and to remediate them. SIEM alerts need to be validated before the truth is known. This can be very time-intensive, and will ultimately delay response to an attack.

The critical differentiator between successful attacks and unsuccessful attacks is the ability of the organization to quickly recognize when an attack is underway, such that the attack can be blocked before damage is done. Before PII, PHI or IP can be exfiltrated from the healthcare network. Speed is key today. Attackers are in and out in a matter of a few hours in most cases.

Once you're looking at things forensically and after-the-fact, then the damage has already been done. You've already lost patient information, your IP is gone, and it's out on the Internet. Once an attack is underway against a patient, then that patient could have already been harmed.

Is healthcare under attack more than other industries do you think?

Richard S.:
Healthcare by and large provides easy pickings for cyber criminals. They've been after banks and credit card companies for a number of years and that water fountain is drying up. What I see is a concerted attack against healthcare. Big payer breaches, big provider breaches, and pharma networks are largely owned by foreign states, and their well-funded cyber espionage units. This is not going to stop anytime soon. We need to put in place effective security controls wherever possible, wherever feasible, and to do it quickly before more damage can be done, and we suffer a widespread loss of confidence from patients. Before hospitals are forced to close, because they can't afford to pay the fines, penalties, identity theft monitoring, and other standard restitution expenses. Before they get hit with a billion dollar class action suit from patients, that is going to force them out of business!

How has the digital era changed the way we're facing security?

Richard S.:
The digitalization of healthcare has brought about a large number of changes in healthcare delivery particularly. We now have the capability to provide all kinds of new services to patients, and most patients are very eager to consume those services, but they introduce new risks to our healthcare organizations. I refer particularly to the meaningful exchange of health information, to and from the proliferation of other service providers out there.

I'm no longer tied to a single service provider and can shop around to get the best deal. I no longer need to go to the hospital to get my X-Ray, and pay $1,000 for that X-Ray. Most of us are now on High Deductible Health Plans, which means we now pay for service rather than insurance. I can go to a simple imaging center and pay $300 for the exact same thing, with probably half the wait.

I can go to a web portal that my provider has put up that allows me to communicate with my physician or my specialist. I can look at my images from my X-Ray or my CAT scans, and I can read the diagnosis online, rather than have to book an appointment, drive across town, come in to see a specialist, consume his time and my time, to basically reiterate something that's already been written down, that I could read myself. In order to provide these types of services, we need security around them however.

I'm seeing a growth in a large number of opportunities for increased Digitalization, Telehealth, Telemedicine, all types of new services that are more cost effective in the delivery of healthcare services to patients, but again, we need security in order to facilitate that. I need to be able to authenticate legitimate users, and to communicate with them securely, I need to be able to store information securely, and I need effective security controls so that I don't introduce new risks as a result of the new services I am providing to patients.

I think payers and providers are now recognizing the fact that Connected Care, and increased Digitalization, will provide opportunities for huge cost savings and new avenues for revenue generation, while simplifying and improving patient experience with their care team. However there's a huge cost to this if it's not done right. You need to apply appropriate security controls, before you can provide these services to patients.

How is healthcare going to cope with this new reality?  What trends are you seeing?

Richard S.:
I'm seeing a consolidation within the healthcare delivery industry, particularly in the US where we've had a multitude of different standalone small hospitals and health systems. It's driven by cost pressures and the need to spread meaningful use costs, and the need for improved security over a greater number of beds and patients.

The same is true in the payer space. Organizations are coming together under one umbrella, and building shared services organizations to better leverage scarce resources, and this is saving healthcare money, and at the same time improving technology, security and other services.

I've seen a recent increase in the adoption of cloud-based services, and wider use of mobility as payers and providers become more comfortable with these things. This is all helping to drive growth. I've seen a syndication of technology services to smaller hospitals. Larger hospital systems that have the money to invest in new clinical technologies, in expensive, state of the art systems and applications, are able to recoup some of that investment by providing IT or application services for example, to smaller hospitals that can't afford the investment needed for those types of things. Of course wherever systems are being shared you need to segment and secure, to prevent a whole host of possible issues down the road. It's a decent revenue generator for a lot of health systems, and I see that trend continuing.

Thank you very much Richard for your insights. I'm hoping that some of your predictions don't come true, but recognize that awareness across the industry may help to avert some of these security risks and threats.

Richard S.:
Let's hope so!