Q&A: HHS’s Steve Curren on the Importance of Flexibility in Today's Cyber Landscape
Providers continue to prioritize privacy and security in the wake of growing cyberthreats to the healthcare industry. Steve Curren, director of the Division of Resilience at the U.S. Health and Human Services Department, believes government must play a significant role in ensuring industry readiness, as well.
Here, HealthTech sits down with Curren to speak about the evolution of cyberthreats in healthcare and the impact HHS and other government organizations are having on preparation and mitigation.
HEALTHTECH: What is the government’s role in mitigating cyberthreats in the healthcare industry?
CURREN: The government serves as both a regulator and a leader in helping the industry understand the threats that are out there and the best practices needed to mitigate those threats.
Within HHS, one of the programs that I oversee is a public and private sector partnership. We work closely, on the healthcare side, with major trade associations and companies under the National Infrastructure Protection Plan, which sets out the process for how government engages with the private sector on these kinds of security issues.
We help entities to get on the same page, ensuring that they have the information and understanding they need in order to implement best practices so they can keep pace with looming and growing threats.
This is a very important matter for HHS. Across healthcare, there’s a growing realization that we must work together, industry and government, to address this issue.
HEALTHTECH: How has the evolution of ransomware changed the healthcare cybersecurity landscape?
CURREN: Pretty significantly. We’ve moved from a time when you could say our primary concerns about healthcare cybersecurity were privacy or financially related. Now, with ransomware attacks, there’s the potential for a cyberincident to impact the care and physical safety of patients.
Our understanding of healthcare cyber risks and how best to address them has been informed by the feedback we’ve received from the Health Care Industry Cybersecurity Task Force, which HHS convened as part of the Cybersecurity Act of 2015. The task force, which includes various healthcare experts, met for about a year and published a report in June on the state of the industry and mitigating risk.
HEALTHTECH: In that report, the task force determined the industry to be in “critical condition.” What are the biggest factors leading to that conclusion?
CURREN: There probably is not one factor that’s more important than another, but we have a unique sector in many ways because of the diversity of organizations. Small and rural don’t have enough staff to deploy the types of practices that the large organizations do, for example.
There’s also a really broad landscape to protect within each organization. You’re not talking only about electronic health records; medical devices are also often networked into the healthcare facility. Physical facility systems have a network component, as well. Then there’s the administrative and financial systems to worry about. There’s such a diversity of systems in a healthcare organization; it’s a lot to protect. An array of individuals must work together to coordinate protection for both organizations and the industry as a whole.
We also must make sure that whatever we’re doing now is flexible enough to protect us against any threat down the road.
HEALTHTECH: What strategies are the most effective in helping organizations keep pace with evolving cyberthreats?
CURREN: One overarching strategy that gives organizations the biggest bang for their buck is awareness and education. That’s increased a lot in the past couple of years because of the high-profile attacks in healthcare. But we need strong cyberhygiene in organizations — using best practices, even as simple as not using shared passwords, logging off systems after their use — from staff on up to the CEO and board levels.
Some organizations test their employees to see if they are following cybersecurity practices, sending them fake, malicious emails. Those things require a high level of support in order to get everyone within an organization to be on the same page.
One of the things that the report points out is that, for so many of the attacks suffered recently, at some point there was a basic cyberhygiene issue that could have, if not prevented the attack, at least made it less likely to happen. If you look at the WannaCry ransomware attacks and the NotPetya attack that occurred soon after, a lot of the vulnerabilities exploited in those attacks were known vulnerabilities where a patch was available.
Just those basic hygiene practices — patching systems and education of employees — go a long way toward improving cybersecurity posture.
HEALTHTECH: Providers increasingly are encouraged to share data with one another, but simultaneously must protect it. How can they balance those priorities?
CURREN: That’s a challenge that I believe will be with us for a very long time. We must never lose focus on the need to balance access with security.
Organizations must take a step back and look at their security posture: how they share information, the potential vulnerabilities and what controls are in place to deal with those vulnerabilities. A number of tools can help healthcare organizations do that. The one that’s seen as the standard now is the NIST Cybersecurity Framework, which provides a thought process in addressing the security of an organization’s system.