Who'd want to be a CISO?

Challenging job, but increasingly well paid

Hong Kong Crisis Easing

Capacity improvement measures beginning to have an impact

Security and the Board Need to Speak the Same Language

How Security Leaders speak to their C-Suite and Board can make all the difference

Australian Cybersecurity Outlook

Aussie healthcare scrambles to catch up

The Changing Face of the Security Leader

The role is changing, but what does the future hold?

Just keeping its head above water

New Zealand Healthcare steams forward with minimal security

Cyberespionage, and the Need for Norms

Harvard Political Review (external link)

The Growth of Medical Tourism 3

This is a multi-part story over 3 days. Take me to the beginning.

Trends in Medical and Dental Tourism

Patients Beyond Borders, a publisher of guidebooks for "medical tourists", estimates that more than 20 million people will travel to another country for medical treatment this year, up 25% from 16 million last year. Meanwhile, a 2016 report by Visa estimated that the medical tourism industry was worth $50bn a year and continuing to grow.

In fact, according to Deloitte, medical tourism has been growing at 10% per annum or more for the past 15 years. BCC Research predicts that double-digit growth will continue for at least another five years, with destinations like Mexico, Thailand, Malaysia, Taiwan and Costa Rica leading the popularity charts.

But it's not just a migration of US medical consumers to these locations. It's a global trend: Americans and Europeans looking to cut costs and avoid wait times travel one way, while the super wealthy in developing nations like China and India travel the other way in search of specialist treatments not available in their own countries.

Despite the UK's free National Health Service, many UK residents are avoiding long wait lists for consults and procedures and traveling overseas for medical and dental treatment at less than half the cost of private treatment at home. This includes cosmetic surgery and other treatments not covered under the NHS.

Medigo, a German-based medical travel company, says that queries from UK residents jumped 53% last year. Official figures from the UK's Office for National Statistics also show that a rising number of people are going abroad for treatment.

The trend is similar in the US, where the number of American health tourists goes up every year. About 422,000 traveled outside of the country for medical and dental procedures in 2017, according to the US National Travel and Tourism Office. That is up from 295,383 in 2000.

As the number of uninsured Americans continues to climb, it seems more than likely that high deductibles and reductions in insurance coverage are pushing more Americans to search elsewhere for affordable medical and dental care. With more attacks underway against the US Patient Protection and Affordable Care Act and companies increasingly shifting healthcare costs to employees, medical tourism looks to become a key facet of most people's healthcare and dental care.


The Growth of Medical Tourism 2

This is a multi-part story that launched yesterday.

My employer-sponsored health plan provides me and my family with an annual physical with our primary care physician. This normally involves a 40 to 60-minute appointment where a nurse measures my height and weight, checks my vision, draws some blood and has me pee in a cup before my doctor gives me a physical examination. Thanks to Obamacare this little interaction is annual and free, meaning no co-pay, no deductible or other disincentive to see someone. It also provides the opportunity to discuss with my primary care provider anything that concerns me but didn’t warrant me shelling out money to book a regular appointment with him or her. Finally, it also allows me to unlock and renew my prescriptions for the medications I am supposed to be on for another 12 months - even though I have been on the exact same stuff for more years than I can remember.

Sure, my free annual physical is valuable, but just how valuable is it to someone like me? Am I at early risk of coronary heart disease, a stroke, cancer or some ailment that will one day take me by surprise and whisk me off to an early death, or worse, a lingering and expensive demise that medically bankrupts my family when my employer-sponsored health insurance runs out? Welcome to US healthcare!

Would my 40-minute interaction with my doctor once a year actually discover such a risk? Highly unlikely, I suspect.

Would my health insurance pay for me to undergo a battery of tests to find out? Also highly unlikely!

The current US Payer-Provider preventative care system is nowhere near as good as politicians would have us believe, and nowhere near as good as physicians would advise or recommend.

I guess my concerns are shared by many people over 40, and that may be why many of us receive flyers in the mail advertising advanced cholesterol or cancer screening – the “Plus Version” of an annual physical, if you like. One where you are made to run on a treadmill while connected to an ECG and put through a battery of other tests not covered by your “free annual physical". “Prevention is better and cheaper than cure” as the saying goes, and I’m sure all of us would agree.

So my wife and I looked into the costs of a comprehensive health check at home and abroad, including travel. We also looked into the costs of a dental checkup, cleaning and treatments since we didn’t elect dental insurance this year. We both look after our teeth and the costs of dental insurance just didn’t make economic sense. What we found surprised us.

We could fly all the way to Bangkok, Thailand, stay in a 5-star hotel, enjoy a highly comprehensive health check - including in my case a full workup - get our teeth cleaned and fixed (and take a short vacation), all for significantly less than what it would cost us in the US. And do it all at top-notch hospitals and dental clinics.

Our Medical Health Check

We selected Bumrungrad International Hospital in the heart of Bangkok for our health check and City Dental Clinic just down the road from the hospital for our teeth cleaning and maintenance. Not only is Bumrungrad reportedly one of the top ten JCI accredited hospitals in the world, it has one of the best hospital workflows I have ever seen. They have the health check workflow down to an art. It truly was a pleasure to witness and observe.

From the pleasant greeting upon entry to the five-star service throughout, including lunch catered by the nearby JW Marriott, everything was first class. Everyone spoke excellent English as well as half a dozen other languages to cater to guests from Europe, Australasia, the Americas, the Middle East and Asia, including a number of local Thai and Burmese.

No "nickel and diming" either and no unexpected costs. You select exactly what you want in advance from a menu of different health check options when you book your appointment, so you know what you need to pay when you show up on the day. If you need to add extras after your health check, like a consult with a specialist, the hospital will do its best to schedule you in that evening or the following day - even over the weekend. And the costs of an additional specialist consult? About $22 in my wife’s case.

What makes it all the more convenient is that you can charge it to your healthcare savings card and pay for your medical treatments with pre-tax US earnings.

Need a procedure like a biopsy? $100 to $200 often on the same day and certainly while you are in town. Now if only US healthcare could be as efficient! For that reason, it’s probably best to schedule your health check on day 2 or day 3 of your stay so you have time for any additional follow up.

The only thing to look out for is that the hospital pharmacy is quite a bit more expensive than pharmacies outside. That's generally the case everywhere, but you don't have to purchase your meds from the Bumrungrad hospital pharmacy if you don't want to. You can just ask your doctor to write them down and have the billing clerk remove them from your bill when it's time to pay for any extras, if they were added. No need for official prescriptions in Thailand either. Pharmacies abound on every street and in every mall in Bangkok, so you have your choice of drug suppliers. Most pharmacists speak excellent English and are very well trained and qualified. Don't have what you are looking for? The pharmacist will be able to recommend a different drug and dosage and discuss side effects or other concerns with you.

The other thing to be aware of is that some doctors will only schedule office hours in Bumrungrad on a couple of days per week, so if you want to see a certain named specialist, it's best to plan a little extra time. Of course you could always opt for someone else in the same specialty area, as we did, and still get excellent advice. Many doctors, we found, will schedule office hours from 5pm onwards or on weekends only, which was a little unusual from our experience in the US. In actuality, this worked out well for us as we were busy during the normal business day anyway.

Our Dental Checkup

Our dental checkups were equally pleasant at the City Dental Clinic across the street from the hospital. A young but very well qualified dentist checked my teeth and then sonically cleaned them all for about $20. My wife needed a couple of fillings for a chipped tooth and some depleted enamel. Her clean and procedure came to a whopping $195 – way less than US dental insurance payments, let alone the so-called insurance-subsidized co-pays for treatment at our local dentist.

Why would anyone NOT take a trip to Thailand or other parts of the world for elective procedures and proactive health checks? Beats me - that’s all I can say! In fact, we are already planning our checkups and dental cleanings for next year.

Concerns about the quality of medical and dental staff? Bumrungrad International Hospital achieved Joint Commission status years ago and continues to be one of the best hospitals in the world. It serves over 400,000 medical tourists annually who, by all accounts, save between 50% and 75% on medical expenses they would have incurred for similar services in the US. The hospital's repeat international clientele is probably testament to its reputation and the quality of service patients receive.

Everyone we met was top notch – as good as you would find at home – just with lower hospital billing and insurance overheads, and significantly lower malpractice premiums to pay, thanks to the absence of ambulance-chasing lawyers in Thailand.

Why the US is falling so far behind the developing world should be obvious to all of us who work in the industry, but no one seems interested in fixing a broken system, removing overheads and getting healthcare costs down. With so many vested parties needing to be involved that may never happen here. And so, medical tourism is likely to continue to grow, and consumers will continue to vote with their feet.


The Growth of Medical Tourism 1

Despite the United States having arguably some of the best healthcare in the world, it also has the most expensive. We have all heard the story of the hundred-dollar Aspirin. Many of us have witnessed or been fleeced by the ridiculous markups some US hospitals attempt to profit from - sometimes in excess of 1,000% or 1,500%. The US spends twice as much on healthcare as most comparable nations, yet has highly unequal access to healthcare services and, quite frankly, terrible patient outcomes if you happen to be poor or live in the wrong part of the country.

As the costs of US health services continue to spiral, consumers are facing ever-increasing healthcare charges. This includes massive annual deductibles, which effectively render insurance useless for most until the end of the year when deductibles have been met, and increasingly high co-pays that cause many to forgo their prescription medications and doctor visits in order to pay rent or put a meal on the table for their family.

Just ask anyone who works in the profession how the advent of high deductibles and other rising out-of-pocket costs is affecting their businesses. Designed to contain employer and employee healthcare costs, high deductibles have led to much higher out-of-pocket costs for consumers and quite seriously changed user consumption patterns. Many medical practices are empty at the beginning of the calendar year when a fresh deductible kicks in, for all but the most serious of emergencies. What's more, it stays that way for months until patients have met their deductible and are no longer disincentivized to visit their medical providers.

Most of us who have tried to purchase medications in the US that are not included in our medical insurance formulary list have experienced first-hand unregulated US pharmaceutical prices that gouge consumers for $200 or more for the exact same medication that sells outside of the US for $20. It’s no wonder that so many Americans stock up on their prescriptions when on vacation abroad, regardless of whether they have health insurance at home or not.

Yes - Your over-the-counter drug price in other countries is often cheaper than your insurance co-pay at home!

But what other aspects of their healthcare are Americans looking abroad for?

In this multi-part blog, I explore the rise of medical tourism and how it is often better and cheaper to get on a plane and fly across the world for treatment in a modern, top-notch, accredited hospital rather than subject yourself to the co-pays, high deductibles, obscured billing practices, and unexpected or underhanded out-of-network surprise charges not covered by your US health plan.



Jason Hawley & Richard Staynings co-present at HIMSS19 today in Orlando. Photo: Ty Greenhalgh.

Don’t Let Your IT and OT Systems Become Antiques.

The problem of out-of-date legacy hardware, operating systems and applications across the healthcare industry is endemic. This is especially so at small hospitals and clinics, where tiny IT and security staffs and highly constrained budgets prevent the upgrading of end-of-life and often vulnerable technologies. Aggressive sunsetting of Windows versions by Microsoft and near-constant patching requirements compound the pressure on small IT staffs to support and secure their health IT infrastructure. This situation introduces risk into the healthcare delivery environment as IT systems continue to operate with unpatched CVEs and unsupported hardware and software.

Poor coordination between HIT vendors and Microsoft causes healthcare applications to break if patched or remain vulnerable if unpatched. Lack of support for current Windows operating systems means that new workstations and servers need to be downgraded in order to run EMR or other HIT applications.

"Windows 10 comes with .NET version 3.5 built in, however our EMR only supports .NET version 3.2, so when we upgraded our desktop OS from Windows 7 to Windows 10, we had to uninstall .NET and reinstall an old out-of-date version" claimed Jason Hawley, CIO of Yuma District Hospital and Clinics, a critical access system in rural Colorado. "We can no longer run automatic updates from Microsoft as patches break our EMR. HIT software developers are constantly behind the Microsoft development curve," he added.

Going to the CFO and asking for money to replace and upgrade, just because systems are end-of-life, doesn't work, according to Hawley. "The money simply isn't available to upgrade or replace," he states. "We don't have the man-power and we can't justify the re-licensing costs."

Jason is not alone in his experience. Many security and technology leaders in similar-sized facilities make the same complaint: IT hardware is used until it breaks and software is run well beyond its vendor support.

So how can CIOs and CISOs of small or critical access facilities get away from having to support dangerous legacy hardware and software?

"The obvious solution is to move what you can to the cloud as soon as possible, but this presents challenges in itself," claims Richard Staynings with the HIMSS Cybersecurity Committee. Regulated data needs to be highly secured - especially if it's being moved off-site. Consequently, many CEOs are reluctant to take the leap of faith needed to support this change.

However, most cloud service providers probably do a better job of securing their customers' PII and PHI data than any critical access hospital is able to do anyway, especially given small IT and security staffs, low levels of security expertise and limited budgets for upgrading. In fact, for most critical access facilities, migrating to the cloud is a major security improvement over the current state.

"Cloud providers have an added incentive to double-down on security as their reputation is highly dependent upon the security of their services," claims Staynings. "Educating the CEO and board to that fact is however a different issue and an often lengthy process that should probably be started sooner rather than later," he adds.

Moving the IT budget from a 'CapEx' model of asset purchase and depreciation over a long period of time to an 'OpEx' model of annualized services will likely take some persuasion and the support of the CFO. However, once approved, it will enable small providers to finally retire out-of-date and end-of-life assets.

"Cloud migration is not as straightforward as simply moving a VM from a data center hypervisor to a cloud one," claims Staynings. "There's a lot of planning and optimization that needs to take place to make sure that you don't get unexpected usage bills for running AV and other scans 24 by 7 on each of your systems. For that reason, if you've not done this before you should probably seek help."

In the meantime, CIOs and CISOs have a duty to report the risks of legacy, no-longer-supported hardware and software in the organization's Risk Register. This should include OT devices like hospital building management systems and medical devices, which have even longer lifespans than IT systems like servers and workstations. Most of these OT devices have little to no built-in security and require compensating security controls, such as network segmentation, to protect themselves and the rest of the network from attack. But first you need to find these devices, which isn't easy. Fortunately there are some new tools from the likes of CyberMDX, ZingBox, ClearData and others entering the market to help you with your medical device asset inventory and initial threat assessment.

CEOs and their boards need to make well-informed risk management decisions to accept, transfer or remediate those risks. 'Ignoring' or 'avoiding' a risk should not be an option, yet it is an all-too-common approach in small, under-funded healthcare delivery facilities today.
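To make the Risk Register step concrete, here is an added example that is not from the HIMSS presentation, the blog, or any of the tools named above. It assumes an asset inventory already exists (the discovery problem the text calls out is out of scope) and scores each asset with a NIST SP 800-30-style likelihood-times-impact rating, treating network segmentation as the compensating control that lowers likelihood for an unsupported device. The hostnames, platforms, support dates, scoring bands and treatment rules are all constructed for the example; the only fixed rule taken from the text is that every risk ends in accept, transfer or remediate, never "ignore".

```python
"""Risk-register helper for end-of-support IT/OT assets (constructed example)."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Ordinal scales in the spirit of NIST SP 800-30 qualitative ratings (assumed bands).
LIKELIHOOD = {"low": 1, "moderate": 2, "high": 3}
IMPACT = {"low": 1, "moderate": 2, "high": 3}


@dataclass
class Asset:
    name: str
    kind: str                     # "IT" (servers, workstations) or "OT" (BMS, medical devices)
    platform: str                 # free-text OS / firmware description
    support_ends: Optional[date]  # None = vendor gives no date, treated as unsupported
    segmented: bool               # isolated VLAN / firewalled: the compensating control
    patient_facing: bool          # used to diagnose, monitor or treat patients


def is_unsupported(asset: Asset, today: date) -> bool:
    """No vendor support date, or the date has passed."""
    return asset.support_ends is None or asset.support_ends <= today


def likelihood(asset: Asset, today: date) -> str:
    """Supported assets score low; unsupported ones score high unless segmented."""
    if not is_unsupported(asset, today):
        return "low"
    return "moderate" if asset.segmented else "high"


def impact(asset: Asset) -> str:
    """Patient-facing systems carry patient-safety impact; other OT sits above plain IT."""
    if asset.patient_facing:
        return "high"
    return "moderate" if asset.kind == "OT" else "low"


def risk_score(asset: Asset, today: date) -> int:
    return LIKELIHOOD[likelihood(asset, today)] * IMPACT[impact(asset)]


def rating(score: int) -> str:
    """Assumed bands: 1-2 low, 3-5 moderate, 6-9 high."""
    if score >= 6:
        return "high"
    return "moderate" if score >= 3 else "low"


def treatment(score: int) -> str:
    """Board decision must be one of accept / transfer / remediate; 'ignore' is not offered."""
    band = rating(score)
    if band == "high":
        return "remediate"
    if band == "moderate":
        return "remediate or transfer"
    return "accept"


def build_register(assets: List[Asset], today: date) -> List[dict]:
    """One register row per asset, highest risk first (stable order for ties)."""
    rows = []
    for a in assets:
        score = risk_score(a, today)
        rows.append({
            "asset": a.name, "kind": a.kind, "platform": a.platform,
            "unsupported": is_unsupported(a, today),
            "likelihood": likelihood(a, today), "impact": impact(a),
            "score": score, "rating": rating(score), "treatment": treatment(score),
        })
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed inventory; dates and names are illustrative, not real systems.
INVENTORY = [
    Asset("ct-scanner-01", "OT", "vendor image on Windows XP Embedded", date(2016, 1, 12), True, True),
    Asset("emr-app-01", "IT", "Windows Server 2008 R2", date(2020, 1, 14), False, True),
    Asset("ws-nursing-12", "IT", "Windows 10", date(2025, 10, 14), False, False),
    Asset("bms-hvac-01", "OT", "building management controller", None, False, False),
]
AS_OF = date(2024, 1, 1)  # fixed "today" so the register is reproducible


if __name__ == "__main__":
    for row in build_register(INVENTORY, AS_OF):
        print(f"{row['asset']:<15} {row['rating']:<8} score={row['score']} -> {row['treatment']}")
```

Run as-is it prints the register for the constructed inventory, with the unsegmented, unsupported EMR server at the top and the supported nursing workstation at the bottom; swap in a real inventory export and today's date to use it against your own estate. The point of the design is that the compensating control appears in the score: segmenting the CT scanner drops its likelihood from high to moderate without pretending the platform is supported.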

Jason Hawley is CIO, CSO and Biomed Director at Yuma Hospital and Clinics - a critical access system in rural Colorado. Richard Staynings is a Global Healthcare Security Strategist. Both currently serve as members of the HIMSS Cybersecurity Committee. Slides from their HIMSS presentation can be viewed or downloaded here.

Converging Paths

Patient safety has always been a major concern for healthcare providers, but never before has it been so inextricably linked with cybersecurity. This is a subject I have blogged about, lectured on to students of healthcare and cybersecurity, and spoken about to audiences of senior healthcare leaders at conferences and summits all over the world.

It's a convergence that we all need to become familiar with as enterprise risks change across the industry and the threats to the business evolve as we increasingly digitize.

Today, I had the pleasure of sharing this message with the HIMSS Cybersecurity Community, a community of healthcare leaders, technologists and security professionals that do their best to make sure that your non-public information remains confidential, integral and available, and that the IT systems employed to diagnose, treat, and monitor you as a patient do not become compromised by nefarious nation states or cyber criminal actors. The HIMSS Security Community does a great job of sharing information across thousands of providers globally, to help leaders protect their patients and their patient data.

We all know that the global healthcare industry has problems and needs all the help it can get at a time of aging populations, static budgets and increased cyber risk. What compounds these concerns is a long history of underfunding for the day-to-day security of hospitals and clinics, and the longer-term maintenance and replacement of end-of-life IT systems.

This is a subject that I will be addressing in more detail with Jason Hawley, CIO and CISO at Yuma District Hospital at the HIMSS Annual Conference this year in Orlando on Monday February 11th. If you are planning to attend HIMSS19, please come along to the Security Forum and join us as we dig deeper into this subject.

For those able to attend my webinar today, many thanks and it was great to address many of your questions. For those unable to attend I have posted a link to the WebEx recording and to my presentation slides below.

Webinar Recording


The Cybersecurity Skills Shortage

I read a great article this morning by Dr. Magda Chelly published in the Singapore Independent. The article discussed the cybersecurity skills shortage and the immediate need for more cyber professionals to fill existing job vacancies in Singapore.

The shortage of cybersecurity professionals is a global concern, however, and Singapore is far from alone in its need for more qualified and experienced technical and managerial security professionals. The Cisco Annual Security Report has, for the past three years, highlighted a huge gap between demand for security professionals and the available supply, and that defenders are outnumbered five to one by attackers. Universities across the globe are struggling to adapt to changing demands from government and business in order to train the workforce of the future: a future where nearly everything will be conducted virtually via cyberspace and the inter-network of government agencies, businesses and individuals that power commerce, education and just about everything else. Securing that future will be critical for everyone.

Even in the United States, where arguably there are more certified cyber professionals than in any other country, a recent survey found 82,000 open positions requesting a CISSP, yet at last count there were only 79,000 CISSP holders in the USA, nearly all of whom were already working at least one full-time job. In fact, a recent study conducted by (ISC)2 found that the cybersecurity workforce gap has increased to more than 2.9 million globally. The report goes on to state that of the 2.93 million overall gap, the Asia-Pacific region is experiencing the highest shortage, at 2.14 million, in part thanks to its growing economies and new cybersecurity and data privacy legislation being enacted throughout the region.

The (ISC)2 CISSP (Certified Information Systems Security Professional) is not the only cybersecurity certification, however; the GIAC Security Expert (GSE) and the ISACA (Information Systems Audit and Control Association) certifications in security governance (CGEIT), security audit (CISA), information risk (CRISC) and security management (CISM) are equally prized. Most, however, require some level of experience, putting potential candidates in a catch-22 position – you can’t get the certificate without experience, and you can’t get the security job in order to build the experience without the certificate. Maybe recruiters need to re-think this demand and look for broader skill sets and capabilities from entry- or mid-level candidates!

That’s also one of the reasons why many people looking to enter the profession are completing university degrees in a cybersecurity-related discipline. In fact, there are a heap of accredited universities today offering quality bachelor's, master's and doctoral degrees, especially in Australia and the United States. Many of these are available entirely online and are therefore accessible to Singaporeans, just as they are to residents of other countries who are willing and able to invest the time and effort in their future. The nice thing about online degrees is that you can study at nights and on weekends while holding down your current day job and salary, rather than take an unpaid sabbatical for 2 years or more to attend a bricks-and-mortar university, as was the case just a few years ago.

A cybersecurity degree not only says a lot more about you as a candidate compared to someone who simply paid for and took the CISSP or another exam; in many cases it will also exempt you from the work experience requirement, thus opening the door for you to have both a degree and a professional qualification at the end of the day.

Unlike a professional qualification however, your cybersecurity degree will not expire if you forget or elect not to pay the annual club membership fees to the body issuing the certificate. Let’s not forget that these bodies have made a highly profitable business out of certifying cybersecurity professionals and each requires the payment of annual maintenance fees along with evidence of continuing education for you to keep your certification. A degree on the other hand is a qualification for life and will never expire.

So when should you embark upon an academic qualification like a cyber degree, and when should you just go for the CISSP or another professional certificate? The fact is that, depending on your age and experience, you will likely benefit from both. However, no qualification is a substitute for experience, and that’s probably why it makes most sense for those in the profession with 5 to 10 years’ experience to get their CISSP or other professional qualification, and for those entering security management to get their CISM. However, there’s nothing like a master's or doctoral degree to show a prospective employer that you really are an expert with deep cybersecurity and information assurance knowledge.

The profession needs more practitioners at all levels, however, and there are good rewards for those at the top of their game, as I wrote about in a prior article discussing the role of the CISO, or Chief Information Security Officer, a role which is quickly changing with the times.

My friend and fellow security evangelist Dr. Mansur Hasib from the University of Maryland University College has spoken extensively at numerous security conferences, as have I and many others, about the cybersecurity skills shortage. No matter where you are located, there is a drastic need for more entry-level security professionals, so if you are reading this while contemplating your future, this is one profession you should probably look at closely. With a 12x demand over supply for security professionals, a career in cybersecurity is not one about to go away any time in the near future. What’s more, wherever demand outstrips supply, professionals are usually going to be well paid and well looked after.

Warning – Highly Competitive Environment: Once established, you may be mildly harassed by recruiters wishing to hire you away from your current role for double the money to work somewhere else! (At least, for the immediate future.)

This blog is also posted on Linkedin

A Pattern of Complacency

A recent story which ran on CBS News entitled “How medical devices like pacemakers and insulin pumps can be hacked” highlighted deficient plans and processes by the US Food and Drug Administration for addressing medical device cybersecurity compromises. The report issued by the Inspector General has been disputed by the FDA, which says that it has worked proactively on the issue with security researchers and ethical hackers to identify and fix many of the problems.

This may be the case, but the fact remains that the industry as a whole has been largely in a state of denial over the breadth and depth of cybersecurity vulnerabilities in medical devices and has been very slow to inventory and remediate risks – even when researchers have shown evidence that many security vulnerabilities pose a significant patient safety concern.

The FDA's close working relationship with manufacturers and its preference for constructive ‘guidance’ rather than ‘enforcement’ has been criticized many times before. Despite a growing body of evidence of medical devices being hacked in research lab environments and live on stage at security conferences around the world, dating back nearly a decade, it is only within the last couple of years that new devices were forced to undergo any sort of cybersecurity risk assessment prior to being approved for use on patients. Some say the FDA acted too slowly to bring about change and that nobody yet has really dealt with the legacy device problem. Medical devices have long expected life-cycles, and more expensive systems like X-ray, CT and PET scanners are often depreciated over 15+ years, meaning that near-term replacement of insecure legacy devices is not a feasible option.

Whatever the case, the fact remains that most manufacturers have not taken any sort of proactive role to risk-assess the security of their legacy devices in use today, even when informed of security vulnerabilities long before public disclosure. The onus for risk assessment of these devices currently seems to be placed squarely on the shoulders of providers, who in turn are ill-equipped to assess or remediate problems. Solving this problem will take a strong and concerted effort on all sides, with robust leadership and oversight provided by the FDA.

The issues highlighted in the CBS report are remarkably similar to another case that I wrote about in 2016 concerning St Jude Medical (now owned by Abbott Labs). Despite being informed of major patient safety risks to its implanted Cardiac Rhythm Devices (pacemakers), St Jude Medical chose not to do anything about these risks until Muddy Waters Capital made an example of the company by trading on futures while engaging a security firm to hack and disclose significant weaknesses in the St Jude devices, thus gaining from a downward adjustment of the St Jude stock price.

The St Jude disclosure caused the first ever FDA intervention in medical device security after mass public concern. The fact, however, remains that security vulnerabilities in medical devices are likely not limited to only a few manufacturers, but common across the thousands of vendors and hundreds of thousands of medical devices that are in circulation globally. Many, if not most, of these are responsible for keeping patients alive. The trouble is that we don’t really know the true extent of vulnerabilities and the risks posed to patients by these potentially insecure devices.

Manufacturers do not have programs to risk-assess and penetration test their legacy medical devices and only the most recently approved devices were tested at all from a cyber risk perspective – all other testing being primarily functional in nature, in order to obtain FDA approval.

Hospitals and other healthcare delivery organizations that use or surgically implant medical devices in people’s chests rarely, if ever, test medical devices either. Even devices that remain in hospitals, like network-attached morphine and insulin pumps and X-ray and CT scanners, are rarely tested for their cybersecurity vulnerabilities, let alone devices that leave with patients and may not be seen again.

Without testing, and without performing a thorough and bona fide risk assessment to NIST SP 800-30 standards in line with HIPAA and OCR requirements, we will probably never really know just how big a problem this is across the entire industry.

Until such time as a full forensic examination of implanted medical devices takes place, rather than their simply being burned or buried with the patient, we will probably never know the true number of deaths caused by device failure, how these devices failed exactly, and whether a cyber-attack against the device caused its failure and the premature death of the patient.

The United States does a great job of evaluating and under-writing all kinds of risks – everything from crop yields, to natural disasters, to the likelihood of flood, fire or theft, yet as a country we really are rolling the dice when it comes to medical risk, and particularly medical device risk. In short, we as a nation, are gambling on the security of the medical devices that keep many of our citizens alive each day.

To learn about how you can evaluate medical device risks in your hospital environment ask Clearwater about its leading Medical Device Security Program or contact us to schedule a conversation.

Third Party Vendor Risk Management

Richard Staynings addresses the need for better Third Party Risk Management @VAHIMSS18
Let's face it, most healthcare Covered Entities do a lousy job of managing risk, especially cyber risk, in a world where data flows everywhere to meet government Meaningful Use requirements. In fact, as an industry we almost myopically interpret "risk" to mean clinical procedures or hospital-acquired post-operative infection rates. In an HDO, risk is all about patient safety. But patient safety is much more than clinical risk: it includes the availability of the IT systems used to diagnose, monitor and treat patients; it's about being sure of the validity and integrity of the health IT data used to treat patients; and it includes the entire healthcare delivery supply chain.

Cyber risks in healthcare are not confined to the data center, to nursing stations, or to the PHI that flows back and forth between health insurers, HIEs, government agencies and patients. The risk web is very much bigger than that. It includes thousands of suppliers, vendors and partners stretching right across the globe: business process and IT outsourcers in India, complex manufacturing supply chains for medical equipment in China, Brazil, Germany, the UK and Australia, the company that provides hot meals to patients and food and coffee for the hospital cafeterias, the pharmaceutical companies conducting clinical trials, and the biomedical engineering companies that provide prosthetic limbs to your patients or an IMD that leaves the hospital with them. Anyone, in fact, who has physical access to your sites, network access to your IT, or who processes your data, regardless of whether they ever see one of your patients.

A recent Vendor Vulnerability Index research report released by Bomgar, showed that breaches occurring from third parties account for two-thirds of the total number of reported cyber breaches. The study found that only 46% of US companies said they know the number of log-ins that could be attributed to vendors and that less than 51% enforce policies around third party access. Furthermore, 69% of respondents said they 'definitely' or 'possibly' suffered a security breach resulting from vendor access in the past year.

Let's not forget that the Target breach of 40 million credit cards and 70 million customer records began with weak security at one of Target's HVAC vendors, whose network access credentials were stolen and used to get into Target's environment. It cost Target over $300 million, cost its CEO and CIO their jobs, and did lasting damage to the store's reputation.

The consensus among security professionals is that the risk posed by third parties is not only substantial, but increasing each and every year. Gartner stated in its June 2017 Magic Quadrant for IT Vendor Risk Management that by 2020, 75% of Fortune Global 500 companies will treat vendor risk management as a board-level initiative to mitigate brand and reputation risk. So why is it, then, that health system CEOs are focused on other things? It could be that the healthcare industry has SO MANY challenges that TPVRM is just further down the list, it could be that very few HDOs feature in the prestigious Fortune 500 list, or it could just be that healthcare CCOs, CROs and CISOs haven't gotten the message across to their CEO yet. Either way, they need to!

I shared a number of tips and suggestions during my presentation today at the VAHIMSS Annual Conference to aid executives to construct or refine their TPVRM process. My slides can be found here.

Thanks to everyone who attended and asked some great questions and to the leadership of sponsors of the conference who helped to put on a great 3 day event in Williamsburg, VA.

Strategic Cybersecurity | Making Intelligent Cybersecurity Investment Decisions

Studies show that in the face of cyber-crime costing the global economy ~$450 billion per year, organizations are investing in cyber security safeguards on an unprecedented scale. A 2017 Accenture / Ponemon study indicated that current spending priorities are often misdirected toward security capabilities that fail to deliver the greatest efficiency and effectiveness. The quality of cyber security decision making can be improved dramatically with some basic initial focus on a true risk-based approach.

This was the subject of my webinar today with members of the College of Healthcare Information Executives (CHIME).

Listen to the recorded session below to learn what Boards and Executive Teams are demanding from their privacy, security, compliance, risk management and procurement teams to improve their return on security investments (ROSI).


Panaceas, Shiny Objects and the Importance of Managing Risk in a Healthcare Environment – Part 3

Is there a more challenging position anywhere in information security than that of a healthcare organization’s cyber risk management leader? If there is, I can’t think of what it would be. Whether your title is CISO, CSO, CTO, CIO or some variation thereof, the task is daunting.

As we mentioned in Part 1 of this series, healthcare as an industry has a huge target on its back. Cyber attackers focus on healthcare not only because patient information is valuable, but also because patient lives are at stake. That can make threats such as ransomware attacks more effective. Cyber attacks in other industries – banking, for example – can have devastating financial consequences, but people’s lives aren’t generally at risk, as they are in healthcare.

At the same time, healthcare IT environments are exceedingly complex, which makes managing information security that much more complicated. The healthcare IT ecosystem typically includes dozens – if not hundreds – of applications, including the electronic health record (EHR) system, administrative and operational applications (scheduling, patient tracking, billing, claims, insurance and payer systems and interfaces), clinical applications (patient monitoring systems, radiology information systems, lab results reporting, clinical decision support, patient portals, etc.) and others too numerous to mention.

On top of this, add the countless devices that connect to a healthcare organization’s network, from the desktop computer at the registration desk, to the tablet the physician or nurse uses, to the smart infusion pump at the patient’s bedside, to BYOD devices like the smartphone a patient uses to access lab results through a patient portal.

Enterprise-wide Cyber Risk Assessment

Because of this complexity, no single “shiny object” or new security tool will be sufficient to mitigate all of the critical information security risks in a healthcare environment. As we discussed in Part 2 of this series, the only way to approach cyber risk management in a complex healthcare organization is to begin with a comprehensive, OCR-quality, security risk assessment and analysis.

Healthcare organizations must conduct this type of analysis in order to be HIPAA-compliant. But just as important is the fact that healthcare organizations cannot begin to develop a meaningful and effective cyber risk management program without first gathering the information that a comprehensive risk analysis provides.

As mentioned in the previous post, a security risk analysis essentially boils down to three tasks:
  1. Identifying risk
  2. Rating risk
  3. Prioritizing risk
The HIPAA Security Rule, OCR Guidance, and resources developed by NIST provide plenty of details on how to properly conduct a risk assessment and complete these tasks. These resources are freely accessible on the internet. In theory, any healthcare organization could use these resources to conduct and complete an OCR-quality risk analysis without any outside support. However, that’s easier said than done.

Task 1: Identifying Risk

Risk identification begins with creating an information asset inventory that documents each asset that creates, receives, maintains or transmits electronic Protected Health Information (ePHI). This includes not just the obvious choices, such as laptops, servers, and enterprise applications, but also less obvious choices, including medical devices, backup media, and nonclinical, internet-connected assets such as building management applications and networks.

A typical healthcare provider has hundreds – if not thousands – of individual information assets that need to be documented.

One way to accomplish this is to create an enormous spreadsheet, starting from scratch. A simpler way is to leverage a solution such as Clearwater’s IRM|Analysis™. Clearwater’s IRM|Analysis™ includes an easy-to-use ePHI inventory system that uses data upload and guided data entry to help healthcare organizations rapidly develop a comprehensive, customized information asset inventory.

As noted in my previous post, creating an asset inventory is only the first step in risk identification. Risk has three components: an asset, a threat and a vulnerability. OCR guidance specifies that healthcare organizations must identify and document threats and vulnerabilities to each asset, in addition to creating an inventory of information assets.

If you are creating your asset inventory in a spreadsheet, you would need to start with a minimum of three columns for each asset in order to document the asset, each potential threat to the asset, and the vulnerabilities associated with each threat. Clearwater’s IRM|Analysis™ speeds up this process by using a proprietary algorithm to suggest vulnerability and threat scenarios associated with each type of information asset. This takes the guesswork out of the process and ensures a more comprehensive assessment of risk.

Task 2: Rating Risk

Once you have exhaustively inventoried every aspect of risk – including every asset, and each of the threats and vulnerabilities associated with each asset – the HIPAA Security Rule and subsequent OCR guidance specifies that you must also estimate the likelihood (probability) and impact (magnitude of loss) of potential harm from each asset/threat/vulnerability combination. This is the risk rating.

NIST provides guidance for these tasks. NIST SP 800-30, Appendix G, includes several examples of assessment scales related to threat event likelihood. Appendix H, in the same publication, offers examples of scales for measuring impacts.

Clearwater’s IRM|Analysis™ includes a risk register based on best practices and on specifications in HIPAA regulations, OCR guidance and NIST resources. The solution’s built-in risk register simplifies the process of assigning a risk rating to each asset/threat/vulnerability scenario and facilitates consistency in rating risk across the enterprise.

Task 3: Prioritizing Risk

After all information assets have been identified; after all potential threats and vulnerabilities have been documented; and after the likelihood and impact of each asset/threat/vulnerability combo has been calculated, each asset/threat/vulnerability combination will have an assigned risk rating. As illustrated in the table above, Clearwater’s IRM|Analysis™ uses a 25-point scale to rate risk. The higher the rating, the higher the risk.

As part of the cyber risk assessment/analysis process, every healthcare organization should establish a risk threshold. Establishing a risk threshold is part of the information security governance process. The risk threshold will be unique to the organization and will take into account the organization’s unique risks and resources. For example, using the 25-point scale from the figure above, one organization might establish 15 as their threshold, meaning that any risk with a rating of 15 or below falls into the acceptable risk category, and will not be a priority with respect to mitigation.

A comprehensive information security risk analysis, combined with the organization’s established risk threshold, enables a healthcare organization to make informed, strategic decisions about which cyber security risks require urgent mitigation versus those that can be put on the “back burner” until more resources are available.

The Bottom Line

Conducting a comprehensive risk assessment is necessary for both HIPAA compliance and for establishing the foundation for a healthcare organization’s enterprise cyber risk management system (ECRMS). It is challenging, but not impossible, for a healthcare organization to conduct this analysis using only internal resources and guidance that is available on the internet.

Alternatively, healthcare organizations can use the specialized solutions and professional expertise offered by Clearwater Compliance to quickly and efficiently conduct a comprehensive cyber risk analysis. Because ultimately, completion of the analysis is only the first step.

The sooner a comprehensive security risk analysis is completed, the sooner a healthcare organization can begin addressing vulnerabilities and mitigating high priority risks. That is why it can make sense for a healthcare organization to leverage the solutions and services offered by Clearwater Compliance to assess risk, prior to establishing an enterprise cyber risk management program.

Learn more about Clearwater Compliance and the Company’s innovative information risk management solutions for healthcare organizations.

Read more in this series:

This blog is also published here. To view comments or join the discussion on this article or the questions it raises, please follow the link.

Medical Device Security and CIO Insomnia

During a conversation over drinks with a number of CIOs at a recent healthcare conference, I discovered that the number one concern that keeps most healthcare executives up at night is the security of their medical devices. That was somewhat unexpected, especially following the press-grabbing headlines last year about ‘WannaCry’ and other ransomware attacks that rendered large parts of the British NHS and other health systems unusable for days, and in some cases weeks.

Reason 1: Management

Part of their concern is that medical devices are not typically managed by hospital IT (which in most cases reports to the CIO) but by clinical or biomedical engineering staff, who power on devices and attach them to hospital networks but have little understanding of the cybersecurity risk created by connecting an unprotected medical device to the hospital's business and clinical networks. Connected medical devices can, by and large, be compromised easily, used as a foothold on hospital networks, or reprogrammed to harm patients or hold them to ransom.

This is not fiction! It has been demonstrated numerous times at security conferences, most recently by McAfee at Black Hat and DEF CON in Las Vegas last month. New Zealand ethical hacker Barnaby Jack started the trend of exposing medical device vulnerabilities when, in 2011 at the McAfee FOCUS conference, he demonstrated a hack of a wireless insulin pump that caused the pump to deliver its entire reservoir of insulin into a mock patient. In 2012 he followed this up with a hack of a pacemaker, causing the device to deliver an 830-volt shock directly to the heart of the mock patient. Both demonstrations would have been fatal to a real patient, which might explain why in 2007 Vice President Dick Cheney had the wireless interface of his own implanted defibrillator disabled at the insistence of his doctors and the US Secret Service. Jack demonstrated the ease with which a patient could be harmed or killed once their Implantable Medical Device, or IMD, had been hacked. Others followed at subsequent security conferences with hacks of network-attached infusion pumps, reprogramming the device to give a continuous maximum dose of morphine until the reservoir was empty and the patient likely dead.

Reason 2: Lack of Security

The CIOs' second concern is that medical devices have almost none of the built-in security found on a typical workstation or laptop, and cannot readily be patched or upgraded. Nor can security agents such as anti-malware or a host firewall be installed, as the limited capacity of most devices will not support the additional memory or processing required.

To compound these issues, medical device manufacturers are notoriously reluctant and slow to release patches for their devices even when known security vulnerabilities have been discovered. This has resulted in some high profile shaming of manufacturers, as in the case of Muddy Waters Capital, a short-selling investment firm, against St Jude Medical, and the first ever FDA recall of a medical device as a result of a public cybersecurity disclosure. Would the Food and Drug Administration (FDA) have acted if it weren’t for the very public disclosure? It’s hard to tell. Would St Jude Medical have spent any time fixing known security vulnerabilities in its cardiac devices? Based upon past performance, it’s highly unlikely. In fact, that was the reason for the Muddy Waters penetration test in the first place: to drive down the price of St Jude Medical stock and allow Muddy Waters to profit from its short position.

The fact of the matter is that most medical devices unless afforded extra layers of protection and defense-in-depth security, are extremely vulnerable to cyberattack. Especially if connected to the main hospital network, let alone allowed to talk to the Internet.

Why are Medical Devices so Vulnerable to Attack and Compromise?

Medical devices take 5 to 6 years to go through testing and clinical trials before they receive FDA approval. The same is true in most other countries. That means that brand new devices arriving in hospitals today were designed at least 5 or 6 years ago using the technology available at the time. Anyone connecting a 2012-era Windows computer to the Internet tomorrow without any security software or updates would more than likely be compromised inside 10 minutes, yet that’s what we do with medical devices. Only with medical devices, we use them not to surf the web or check email, but to monitor and treat patients, and in some cases to keep them alive. That’s where the unmitigated risks surface that result in CIO insomnia.

The HIPAA Security Rule (45 CFR §164.308(a)(1)(ii)(A) and (B)) requires that a Risk Analysis and ongoing Risk Management be conducted for any and all devices that create, maintain, transmit, or receive ePHI or other sensitive data. Yet most hospitals don’t even have an accurate inventory of their medical device assets, so how can they possibly assess their risks? The identification and profiling of medical devices has not been easy for hospitals, most of which have had to rely upon labor-intensive, ad-hoc manual discovery processes. New tools and services from CyberMDX and others in the space that can identify and profile medical devices are beginning to change this, however. A full asset inventory and medical device profile can now be exported from CyberMDX and entered into an enterprise risk analysis tool such as Clearwater’s IRM|Analysis platform to perform a comprehensive risk analysis that meets the very strict requirements of OCR and HIPAA.

The concern, however, is a lot deeper than mere HIPAA compliance and the protection of PHI. Patient safety has become a major worry for healthcare providers, where changes to the integrity and programming of medical devices can have far reaching effects. Hackers have already demonstrated the removal of safety limits, and have overwritten calibration data and dosages and changed drug libraries. Not only is the integrity of medical devices a growing concern, but so is their resiliency. Many devices will crash or blue screen when a simple virus or a burst of multicast traffic appears on the subnet. In particular, device availability for patient telemetry systems is critical to alert care staff to patient codes or other conditions where speedy action on their part is required to save a life. Integrity and availability attacks are far more concerning than confidentiality attacks against PHI, and are where the real damage can be done. To date, the OCR has only issued written guidance on the risk analysis of medical devices containing PHI, although audits show that it is beginning to take a broader look at all medical devices regardless of whether they create, receive, store or transmit PHI. The FDA continues to issue guidance; NCCoE and NIST have written a guide to securing wireless infusion pumps, published as NIST Special Publication 1800-8; and the Cloud Security Alliance (CSA) and Open Web Application Security Project (OWASP) recently joined forces to publish a revised Medical Device Deployment Guide. The fact remains, however, that numerous medical devices are extremely vulnerable and are not being adequately managed from a risk perspective.

The average cost of a data breach according to Ponemon is $3.8 million. The damage and impact to a hospital’s reputation following a medical device attack resulting in patient death is pretty much unlimited. This may sound a little far-fetched but a recent study by the University of California Cyber Team found that several hospitals had self-reported adverse events from compromised healthcare infrastructure cybersecurity events, like ransomware, malware, or compromised EHRs. The study found that adverse events impacted between 100 and 1,000 patients. Furthermore, the 80 percent of survey respondents that reported risks in medical devices is way higher than what the FDA reports.

Risk Management

Once identified, risks to critical systems should be addressed immediately. When remediation or retirement of a medical device is not possible, effective compensating security controls should be implemented to isolate and protect the device from attack and compromise. Many of the larger hospital systems are turning to micro-segmentation of their medical device network assets using Cisco TrustSec or other tools to essentially white-list network communications to and from each medical device and drop all other traffic. GE Health and Unisys do this by routing all medical device traffic through proxy servers. Others have segmented their medical device VLANs by use of internal firewalls. These solutions all increase the complexity of networks and leave many smaller hospital systems with tight budgets and limited capabilities out in the cold.
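As an added illustration of the allow-list approach described above (this is example code written for this page, not a Cisco TrustSec or firewall configuration and not something from the original post), the Python below evaluates a default-deny policy for a medical-device VLAN against a constructed flow log. The addresses, the HL7/MLLP gateway on port 2575, the biomed jump host and the flow record format are all assumptions of the example. The point it makes is twofold: a flow passes only if some rule explicitly permits it, and auditing captured flows against the proposed policy before enforcing it shows exactly what segmentation would drop, compared with the "permit any" setting it replaces.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    """One permitted flow. A /32 pins a single device; 'any' and 0 are wildcards."""
    src: str
    dst: str
    proto: str   # "tcp", "udp" or "any"
    dport: int   # 0 matches any destination port

    def matches(self, src, dst, proto, dport):
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and self.proto in ("any", proto)
                and self.dport in (0, dport))


# Constructed allow-list for a medical-device VLAN (10.40.1.0/24). The
# addresses, the HL7/MLLP gateway on 2575 and the biomed jump host are
# assumptions of this example, not taken from any real deployment.
STRICT_POLICY = [
    Rule("10.40.1.0/24", "10.10.5.20/32", "tcp", 2575),  # devices -> HL7 (MLLP) gateway
    Rule("10.40.1.0/24", "10.10.5.53/32", "udp", 123),   # devices -> NTP
    Rule("10.10.9.15/32", "10.40.1.0/24", "tcp", 22),    # biomed jump host -> devices
]

# The weak setting this replaces: one "permit any" rule, which is what an
# unfiltered device VLAN amounts to. Every flow below passes under it.
WEAK_POLICY = [Rule("0.0.0.0/0", "0.0.0.0/0", "any", 0)]


def is_allowed(policy, src, dst, proto, dport):
    """Default deny: a flow passes only if some rule explicitly permits it."""
    return any(r.matches(src, dst, proto, dport) for r in policy)


def parse_flows(text):
    """Parse constructed 'src,dst,proto,dport' records, ignoring '#' comments."""
    flows = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        src, dst, proto, dport = (f.strip() for f in line.split(","))
        flows.append((src, dst, proto.lower(), int(dport)))
    return flows


def audit(policy, flows):
    """Return the flows the policy would drop. Run this over captured flow
    logs before enforcing a policy to see what the segmentation would break."""
    return [f for f in flows if not is_allowed(policy, *f)]


# Constructed flow log, as a collector might see it from the device VLAN.
SAMPLE_FLOWS = """
# src,dst,proto,dport
10.40.1.21,10.10.5.20,tcp,2575    # pump -> HL7 gateway
10.40.1.21,10.10.5.53,udp,123     # pump -> NTP
10.40.1.21,10.40.1.22,tcp,445     # pump -> pump: SMB lateral movement
10.40.1.22,203.0.113.9,tcp,443    # monitor -> internet
10.10.9.15,10.40.1.21,tcp,22      # biomed jump host -> pump
10.20.7.88,10.40.1.21,tcp,22      # user-VLAN workstation -> pump
"""

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for f in audit(STRICT_POLICY, flows):
        print("DROP", *f)
    print("weak policy drops:", len(audit(WEAK_POLICY, flows)))
```

Against the sample log the strict policy drops three flows (device-to-device SMB, a device reaching the Internet, and a user-VLAN workstation opening SSH to a pump) while passing the clinical traffic; the "permit any" policy drops nothing, which is precisely why it offers no protection. In practice the rules would be generated from the device inventory and profile rather than typed by hand, and the policy run in monitor-only mode until the audit comes back clean.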

What’s being done to harden medical devices and prevent them from being hacked?

Guidance (and it's only guidance to date) has been published by the FDA, NIST, NCCoE, CSA/OWASP and others to improve the deployment and security of medical devices. The onus, however, is squarely placed upon healthcare providers to secure the medical devices they procure and use. At the same time, manufacturers are being pressured to improve the security design of their devices and now have to perform a risk analysis of medical devices before FDA approval. But with a 5 to 6-year development cycle, the results of ‘improved security by design’ may take many years to reach hospitals and patients. With a 15 to 20-year lifespan for many medical devices, the security problem is not about to go away any time soon. That means hospitals need to implement compensating security controls immediately and keep them in place for the foreseeable future.

Somewhat alarmingly however, a recent Ponemon Report on Medical Device Security showed that despite known vulnerabilities “roughly one third of device makers and healthcare delivery organizations (HDOs) are aware of potential adverse effects to patients due to an insecure medical device, but despite the risk only 17 percent of device makers and 15 percent of HDOs are taking significant steps to prevent such attacks.”

Learn more about Clearwater Compliance and the Company’s innovative information risk management solutions for healthcare organizations.

Medical device security keeping you up at night?

Clearwater offers healthcare delivery organizations the most comprehensive solution available for improving the security of biomedical devices connected to their networks. Much more than just a traditional vulnerability assessment, Clearwater strengthens its end-to-end, enterprise approach to reducing risks by automatically identifying, assessing, and managing risk of all wired as well as wireless medical devices.

Discover how our Comprehensive Medical Device Cybersecurity and Risk Management Program can support the unique needs of your organization.

This blog is also published here. To view comments or join the discussion on this article or the questions it raises, please follow the link.

Panaceas, Shiny Objects and the Importance of Managing Risk in a Healthcare Environment – Part 2

Healthcare CIOs, CISOs, and other information risk management leaders face daunting challenges when it comes to deciding where to apply their limited resources to make the biggest difference in their organization’s cyber risk posture. As I mentioned in my previous post, healthcare security leaders can be tempted by shiny new objects – i.e., new security tools – that promise to be the panacea to their most pressing security problems.

Cyber security leaders can also be distracted by Executive Board members and other stakeholders who prioritize the cyber threat of the day. They may respond to cyber attack headlines by button-holing the CISO and asking, “What are we doing about THIS???”

The solution to a scattershot, reactive approach to cyber security is to develop an enterprise cyber risk management system (ECRMS). And the first step in developing an ECRMS, is conducting a HIPAA-compliant risk assessment and analysis.

HIPAA Compliance and Risk Assessment

HIPAA’s Security, Privacy and Breach Notification Rules are designed to ensure the confidentiality, integrity and availability (CIA) of protected health information (PHI). HIPAA’s Security and Privacy Rules apply to any entity that “creates, receives, maintains or transmits protected health information” per 45 C.F.R. § 160.103. This means that whether you are a healthcare provider, a health plan, a healthcare clearinghouse or a business associate of any of these entities, HIPAA applies to you.

The HIPAA Security Rule actually defines three different types of assessments that organizations must conduct in order to be compliant. Those three types of assessments include:
  • HIPAA Security Non-Technical Evaluation, a.k.a. Compliance Gap Assessment
  • HIPAA Security Technical Evaluation, a.k.a. Technical Testing
  • HIPAA Security Risk Assessment/Analysis
The difference between these three types of assessments is a topic for another blog post. What’s important to understand for our purposes is that organizations must conduct all three types of security assessments in order to be HIPAA compliant. One type of assessment (for example, Technical Testing or Compliance Gap Assessment) cannot be substituted for another type of assessment (Risk Assessment/Risk Analysis).

The first step – the foundational step – in developing an enterprise cyber risk management system, is to conduct a security risk assessment and analysis as defined within the HIPAA Security Rule. Two other information sources help to provide a comprehensive and detailed definition of what a HIPAA-compliant risk assessment looks like: first, OCR guidance – including the results of OCR enforcement actions and audits – gives a clear picture of what a comprehensive risk analysis includes. Second, NIST standards around information security provide a model for how to properly conduct a risk assessment – and how to start developing a strategic framework once you have the assessment results.

What an OCR-Quality Risk Analysis Entails

At its most basic level, risk analysis includes three primary tasks:
  1. Identifying risk
  2. Rating risk
  3. Prioritizing risk
Identifying risk starts with identifying and documenting every information asset in your organization. Information assets include all electronic equipment, data systems, programs and applications that are controlled, administered, owned or shared by an organization and which contain, transmit or store ePHI. This includes traditional forms of assets, such as IT systems and applications (e.g., EHR systems, clinical information applications, lab applications, medical billing and claims processing applications, email applications, etc.).

Information assets also include biomedical assets, such as patient monitoring devices, implantable devices, and remote chronic disease management applications. Internet of Things (IoT) assets must also be included in your asset inventory. (Incidentally, a key challenge for hospitals and health systems in conducting a comprehensive information asset inventory has been their capability to identify and document electronic medical devices. New technology from companies such as CyberMDX, CloudPost, Zingbox and others identifies medical devices, device types, software versions and VLAN location via passive observation of biomedical network traffic without threatening a device.)

Risk analysis does not stop with a simple inventory of information assets, however. Risk has three components: an asset, a threat, and a vulnerability. Adequately identifying risk means addressing each of these components for each information asset. For example, an information asset might be a tablet computer used by staff or clinicians. One threat to that tablet could be theft. Vulnerabilities that create risk when that tablet is stolen include a lack of encryption, weak passwords, and a lack of data backup. In other words, each information asset can be compromised by many different types of threats. In turn, those threats become real due to the vulnerabilities associated with them.

A comprehensive, HIPAA-compliant risk assessment requires documentation of a considerable amount of detail. It’s easy to see how healthcare organizations who attempt to conduct an inventory of information assets, with their associated threats and vulnerabilities, are quickly overwhelmed with pages and pages of spreadsheets.

Rating and Prioritizing Risk

And yet there is more.

Because a bona fide, OCR-compliant risk analysis includes not only identifying information assets, threats and vulnerabilities, but also rating risk. This involves estimating the likelihood (probability) and impact (degree of harm or loss) on the organization of each possible asset/threat/vulnerability combination.

Which makes our spreadsheet even more complex:

After all information assets have been inventoried, all asset/threat/vulnerability combinations have been documented, and the likelihood and impact of each potential risk calculated, the result is a “risk rating” for each potential threat.

The beauty of the risk rating is that it allows each healthcare organization to identify, rate and prioritize the particular risks associated with that organization’s unique information asset inventory, threat/vulnerability combinations, and calculated risks.

Each organization is able to establish their own risk threshold. For example, an organization might specify a risk rating of “20” as their threshold. That means that information risk management strategic priorities would center on mitigating risks for those items that rated 20 or higher. In the example above, security leadership would be able to use this information to make a persuasive case for security tools that enabled encryption of ePHI contained on tablet computers, as the “25” risk rating indicates this risk is a high priority for this organization.
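To make the three tasks concrete, here is an added Python example written for this page; it is mine, not Clearwater’s IRM|Analysis and not an official NIST or OCR procedure. It carries the tablet/theft scenario above, and the 25-point scale and risk threshold discussed both here and in Part 3 of this series, through identify, rate and prioritize. The five-level scales are modelled loosely on NIST SP 800-30 Appendices G and H; mapping them to 1..5 and multiplying likelihood by impact to get the 25-point rating is an assumption of the example, and the inventory, threat/vulnerability catalogue and analyst judgements are all constructed.

```python
from dataclasses import dataclass

# Five-level qualitative scales in the spirit of NIST SP 800-30 Appendix G
# (likelihood) and Appendix H (impact). Mapping them to 1..5 and multiplying
# is an assumption of this example; it yields the 25-point scale in the post.
SCALE = {"very low": 1, "low": 2, "moderate": 3, "high": 4, "very high": 5}

# Constructed threat/vulnerability catalogue keyed by asset type. A real
# programme derives these from the Security Rule safeguards and OCR guidance;
# these entries are illustrative only.
CATALOG = {
    "tablet": [
        ("theft", "no full-disk encryption"),
        ("theft", "weak device password"),
        ("theft", "no data backup"),
        ("malware", "unpatched operating system"),
    ],
    "infusion pump": [
        ("network-borne malware", "unpatchable embedded OS"),
        ("unauthorised reprogramming", "unauthenticated service port"),
    ],
    "ehr server": [
        ("ransomware", "unrestricted SMB from user VLAN"),
        ("insider misuse", "shared administrator credentials"),
    ],
}


@dataclass(frozen=True)
class Scenario:
    """One asset/threat/vulnerability combination with its analyst ratings."""
    asset: str
    asset_type: str
    threat: str
    vulnerability: str
    likelihood: str = "moderate"
    impact: str = "moderate"

    @property
    def rating(self) -> int:
        # Task 2: likelihood x impact on the 25-point scale.
        return SCALE[self.likelihood] * SCALE[self.impact]


def identify(inventory):
    """Task 1: expand the asset inventory into asset/threat/vulnerability triples."""
    return [Scenario(name, atype, threat, vuln)
            for name, atype in inventory
            for threat, vuln in CATALOG.get(atype, [])]


def rate(scenarios, judgements):
    """Task 2: apply analyst (likelihood, impact) judgements keyed by
    (asset, threat, vulnerability). Unrated scenarios keep the default."""
    rated = []
    for s in scenarios:
        lik, imp = judgements.get((s.asset, s.threat, s.vulnerability),
                                  (s.likelihood, s.impact))
        rated.append(Scenario(s.asset, s.asset_type, s.threat,
                              s.vulnerability, lik, imp))
    return rated


def prioritize(scenarios, threshold):
    """Task 3: split into risks to treat (rating >= threshold, highest first)
    and risks the organisation has chosen to accept for now."""
    treat = sorted((s for s in scenarios if s.rating >= threshold),
                   key=lambda s: s.rating, reverse=True)
    accept = [s for s in scenarios if s.rating < threshold]
    return treat, accept


# Constructed inventory and analyst judgements for the worked example.
INVENTORY = [
    ("clinician tablet #12", "tablet"),
    ("ICU infusion pump 7", "infusion pump"),
    ("EHR database", "ehr server"),
]
JUDGEMENTS = {
    ("clinician tablet #12", "theft", "no full-disk encryption"): ("very high", "very high"),
    ("clinician tablet #12", "theft", "weak device password"): ("high", "high"),
    ("clinician tablet #12", "theft", "no data backup"): ("moderate", "low"),
    ("clinician tablet #12", "malware", "unpatched operating system"): ("moderate", "high"),
    ("ICU infusion pump 7", "network-borne malware", "unpatchable embedded OS"): ("high", "very high"),
    ("ICU infusion pump 7", "unauthorised reprogramming", "unauthenticated service port"): ("low", "very high"),
    ("EHR database", "ransomware", "unrestricted SMB from user VLAN"): ("high", "very high"),
    ("EHR database", "insider misuse", "shared administrator credentials"): ("moderate", "high"),
}


def run_example(threshold=20):
    """Run identify -> rate -> prioritize with the organisation's threshold."""
    return prioritize(rate(identify(INVENTORY), JUDGEMENTS), threshold)


if __name__ == "__main__":
    treat, accept = run_example()
    for s in treat:
        print(f"{s.rating:>2}  {s.asset}: {s.threat} / {s.vulnerability}")
    print(f"{len(accept)} scenarios below threshold (accepted for now)")
```

With a threshold of 20, the stolen unencrypted tablet (25) comes out on top, followed by the unpatchable infusion pump and the EHR server exposed to ransomware (20 each); the remaining five scenarios fall below the line and are accepted until resources allow. Lowering the threshold to 16, closer to the Part 3 example, pulls the weak-password tablet scenario into the treat list as well, which is exactly the governance lever the threshold is meant to be.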

The Value of a Comprehensive Risk Analysis

Conducting an OCR-quality security risk assessment and analysis has value for healthcare organizations beyond assuring compliance with HIPAA guidelines. As the example above illustrates, a comprehensive risk analysis helps security leaders not only identify, but also rate and prioritize enterprise-wide cyber security threats.

The information uncovered by the risk analysis can help security leaders develop relevant and meaningful cyber risk management systems by providing a framework for making decisions. With an accurate and updated security risk assessment in place, security leaders no longer have to make purchasing decisions based on the strength of a vendor’s demo, or in reaction to cyber threat headlines. With a security risk assessment and analysis in place, healthcare security leaders are empowered to make proactive and strategic decisions about the tools and strategies that will mitigate their highest priority risks.

It’s probably also become clear that conducting an OCR-quality security risk assessment is not a simple undertaking. Fortunately, it is not necessary to “reinvent the wheel” in order to conduct a comprehensive security risk assessment.

In addition to the language of the HIPAA Privacy, Security and Breach Notification Rules, OCR Guidance, and NIST resources, Clearwater Compliance has developed resources, solutions and services that help healthcare organizations quickly conduct an OCR-quality security assessment.

In the third part of this 3-part series, Panaceas, Shiny Objects and the Importance of Managing Risk in a Healthcare Environment, I will explore some of the resources, solutions and services that can not only help security leaders efficiently conduct a security risk analysis, but also help healthcare security leaders leverage the completed security risk analysis to develop an enterprise cyber risk management system.

Learn more about Clearwater Compliance and the Company’s innovative information risk management solutions for healthcare organizations.

Check out the first blog in this series here: Panaceas, Shiny Objects and the Importance of Managing Risk in a Healthcare Environment–Part 1

This blog is also published here. To view comments or join the discussion on this article or the questions it raises, please follow the link above.

Patient Safety and Cyber Risk

Healthcare CEOs know all about patient safety – at least that’s what they’ll tell you. Joint Commission and others have been all over the subject for years. Ask them what patient safety really means and most will probably start talking about how healthcare organizations protect their patients from errors, injuries, accidents, and infections. It’s a big issue. As many as 440,000 people die every year from preventable errors in hospitals alone. However, only a few healthcare CEOs will include cybersecurity in their list of top risks, though that is slowly beginning to change.

Today’s US healthcare payers, providers and pharmaceutical companies are under attack – from state-sponsored theft of healthcare IP, clinical formulations, procedures and treatment regimens, to theft of the PII of patients, including 78.8 million customers of Anthem Health, to the commercial theft and sale of PHI and PII by cyber-criminal gangs intent on monetizing stolen data.

What many don’t realize is that cyber risk in a healthcare setting is not just about attacks against the confidentiality of information but also against the availability and integrity of health IT systems and data. Healthcare is a prime target for extortion and has been disproportionately impacted by bouts of ransomware that have taken health IT systems offline and prevented clinicians from rendering care to patients.

Just look at the UK NHS when it succumbed to the global WannaCry ransomware attack last year. Nearly two thirds of NHS Hospital Trusts were impacted and had to cancel appointments and divert all but the most critical of emergency patients elsewhere. Had the NHS understood the true magnitude of its cybersecurity risks and acted accordingly to patch and replace out of date systems, then the negative impact to the lives of many of its patients could have been avoided.

I’m sorry, the Doctor can’t see you at the moment – our IT systems are down!

So what happens to patient care when critical Health IT systems aren’t available to diagnose or treat patients? Their surgeries get cancelled, or they get put in an ambulance to an unaffected hospital 40 or 50 miles away. That’s where the patient safety question comes into play.

  • What is the impact to a sick patient when he or she has to be transported an hour or so to a functional hospital?
  • What if that patient happens to be many hours’ drive or flight away from the nearest un-impacted and available facility and expires en-route?
  • What is the level of culpability for healthcare providers when they fail to properly evaluate and protect against availability risks to their IT systems?
  • There is a fairly obvious duty of care for patient safety so shouldn’t that extend to the availability of health IT systems needed to treat patients?
  • Should hospitals be held accountable in the same way that we hold retailers accountable when they fail to protect their credit card payment systems?

Modern healthcare is highly dependent upon the clinical IT systems we use to diagnose and treat patients. What happens when a medication cabinet won’t open to dispense critical medications? What happens when a pharmaceutical robot dispenses the wrong medications for a patient and the mistake is not noticed by overworked staff? Our reliance today upon IT and IoT systems is perhaps more than most physicians would willingly admit.

Primum non nocere. (First do no harm)

Making cyber-risk a critical part of enterprise risk across the healthcare industry should be a must, given the potential risks to patient safety, just as evaluating and assessing all assets on the clinical-business network should be too. The rising number of non-IT devices plugged in, or connected wirelessly, to hospital networks far overshadows the number of PCs, laptops and workstations in most facilities. What is more, most of these IoT devices have no security protections and cannot easily be patched. Medical devices are growing at 20% per annum and are often owned and managed outside of hospital IT and Security teams. No wonder, then, that hospital CEOs are becoming concerned at the patient safety ramifications of one of these devices being compromised by a malicious hacker.

Widespread automation and cost cutting across hospitals is leading to a rising trend of outsourcing hospital building management systems (BMS). This includes everything from electrical and water distribution to elevators and HVAC. Most of these outsource agreements are with companies many miles away – often out of State, or out of Country – who manage systems remotely via a virtual private network (VPN). Usually governed by weak or incomplete third-party contracts which are rarely audited, these agreements extend the hospital attack surface into the outsource company, complete with all of its security vulnerabilities. Scholars of prior cybersecurity attacks will be quick to point out the parallels here with Target Stores and its HVAC services provider Fazio Mechanical, which resulted in one of the largest cyber-thefts of credit card numbers as well as most of Target’s customer information. The breach cost Target millions in compensation, restitution and credit monitoring, as well as the jobs of everyone in leadership.

The repercussions of a third-party vendor breach in healthcare could, however, be far more nefarious and impactful given what is connected to the typical hospital network. That is, unless networks are properly and securely segmented to isolate BMS, medical devices and business IT systems. However, very few hospitals have so far even started to securely segment their large flat networks.

The need, therefore, to evaluate third-party risk is critical, yet most hospitals currently don’t do this well, if at all. With thousands of suppliers, vendors, contractors and consultants in each hospital, manual assessment is simply too much to handle with the current number of security and compliance staff.

As healthcare leaders continue to monitor and evaluate what is meant by patient safety in their operations, it’s clear that today, patient safety means so much more than just avoiding medical errors or someone slipping on a freshly mopped hospital floor.

The author addresses these and other subjects at the South Dakota HIMSS annual Conference today in Sioux Falls, SD.