Q&A: Matt Klein on the Increase and Sophistication of Healthcare Cyberattacks

For Matt Klein, CISO at the Medical University of South Carolina, in Charleston, S.C., successful security requires a strong, yet simple, foundation. Here, HealthTech talks with Klein about the elements necessary for such a setup.

HEALTHTECH: What are the biggest cybersecurity threats facing your organization and the industry?

KLEIN: The amazing increase and sophistication of attacks is alarming. Cybercriminals are extremely organized, technical, well trained, and they cover their tracks very well. It’s a disturbing trend and speaks to several concerns that I have. Is our industry keeping up with the pace in terms of information security talent? Do we have enough trained people? Are we introducing children to security concepts at a young enough age so that when they go to college and start their careers, they have some idea of threats and how it might impact them in terms of privacy and productivity?

To get more specific about concerns, obviously, ransomware is a concern. The WannaCry incident was a reminder that basic IT maintenance, such as patch management, is critical. The destructive malware NotPetya destroyed data, and that’s incredibly concerning because we are an academic medical center. MUSC has a hospital system, the university, and we do a lot of research — all three areas generate a significant amount of sensitive data. If, for example, a research project with three years’ worth of data had all of its data deleted and had no recovery plan, what is the impact on the institution and, in some cases, to healthcare progress?

HEALTHTECH: What is your strategy for staying prepared in the face of constantly changing threats?

KLEIN: We are starting to develop cybersecurity incident response exercises. The industry calls them tabletop exercises.

For example, 6,000 workstations at your institution have been infected with ransomware. What do you do? It’s a technology problem, but also a patient care problem. So, you run through the scenarios. This will allow us to be more prepared. Folks will know their roles when an incident occurs.

Another area is refocusing on the basics of IT. Sometimes we forget that WannaCry could have been thwarted by patch management.

HEALTHTECH: What are your major cybersecurity projects and priorities for the next year?

KLEIN: One of our top priorities is evaluating our security monitoring program. Increasing our network and system visibility to ensure we are detecting threats as broadly as we can is incredibly important to our incident response and recovery activities.

HEALTHTECH: How are you securing Internet of Things devices?

KLEIN: This is one of the more challenging topics in healthcare today because of the needed balance between strict clinical controls and securing the device from malicious actors. We segment our network and attempt to place reasonably appropriate security controls around the medical devices to protect them. One area of concern overall that I think the industry shares is that manufacturers must place more focus on using supported operating system platforms and embracing security as a key component of product development.

HEALTHTECH: What are your key takeaways from the HHS taskforce?

KLEIN: There are several mainstream frameworks that information security can use today. You have NIST 800-53 controls, ISO 27000 and HITRUST. The industry for some time has needed something more simplified, and NIST developed the Cybersecurity Framework in that light.

We debated what we should be doing here at MUSC, and decided to gravitate toward the NIST Cybersecurity Framework as our guide. The top reason for framework adoption is for organizations to measure themselves against an industry-recognized standard.

Furthermore, organizations can determine if they have gaps in their program, where they need to make improvement and show their executive team that they are guiding their organizations to a more secure use of technology to support business objectives.

There also need to be more stringent requirements for medical device manufacturers. Minimum baseline requirements are necessary for each device category or classification. I think a cross section of people in government, private industry and higher education — all those great minds — can come together and determine what those minimum baseline security standards need to be. And if you can’t meet those baseline standards, then what are the security controls you can put in place to help secure those devices and prevent patient care issues? I’m fully behind doing something like that.

HEALTHTECH: You recommend that the industry customize cybersecurity best practices for smaller organizations. How urgent are such steps?

KLEIN: That is a problem not just in healthcare, but in most industries where someone starts a business and it’s highly specialized, but they do not have an IT background and have no idea what security is needed. I struggle with what model could be cost-effective. I’m glad the issue is a topic of discussion because smaller organizations simply do not stand a chance against the threats today. Perhaps a cross section of government, private industry and higher education can come up with some effective options.

This Q&A is part of the IT Guardians at the Virtual Gate series of interviews with top experts in healthcare cybersecurity.