As part of the Health Care Industry Cybersecurity Task Force convened by the U.S. Health and Human Services Department, Catholic Health Initiatives’ Ram Ramadoss shared his threat protection insights with other experts throughout the industry. Here, HealthTech talks to CHI’s vice president of privacy and information security and EHR compliance oversight about improving cyberhygiene throughout the industry.
HEALTHTECH: What are the biggest cybersecurity threats facing your organization and the industry?
RAMADOSS: On the task force, we discussed whether it was possible to bring down a healthcare system in a particular town.
The threats are real, and their sophistication worries us. Healthcare is a prime target because it has a lot of vulnerabilities. Our industry has gone through a lot of digitization in the past five years, and it’s not yet fully mature.
From an industry perspective, one of the biggest risks I see is the need for business continuity and disaster recovery. If you look at telecommunications, banking and other industries, they have mastered this. This is an area of big risk for healthcare.
HEALTHTECH: What is your strategy for staying prepared in the face of constantly changing threats?
RAMADOSS: As an industry, we need to go back to basics. I think we have to look internally and do basic cyberhygiene in terms of patching, having the right security controls, and making sure your employees and partners are educated on security and being vigilant in terms of addressing all your vulnerabilities. That’s where our focus lies.
When you look at healthcare companies with hundreds and thousands of vendors, you can’t focus on every partner and medical device vendor. You have to focus on the high-risk vendors and high-risk assets like databases and data warehouses, and try to increase our controls and provide more monitoring for those systems. That’s definitely something we and our industry are focusing on as well.
HEALTHTECH: What are your major cybersecurity projects and priorities for the next year?
RAMADOSS: We are actively looking into foundational controls and improving efficiency. For instance, there are manual steps involved in conducting risk assessments, incident response and forensic review. How do we use more automated tools?
The industry is looking at artificial intelligence and machine learning. It will take a couple of years for these technologies to mature, but we are definitely looking into them.
HEALTHTECH: The healthcare industry is an early adopter of Internet of Things technology. How are you securing medical devices?
RAMADOSS: The lifecycle of these medical devices is 10 to 12 years. Go to any healthcare company or hospital: CT scanners cost $100,000. They are not going to change it like it’s a $400 workstation. When it comes to IoT, we are collaborating with vendors to address foundational controls. They should start with security in the development lifecycle. The FDA is actively involved in this.
HEALTHTECH: Let’s talk about the HHS task force. What are your key takeaways?
RAMADOSS: The biggest thing for us is that we are not the same as other industries. If you look at banking, they don’t share data with other banks. In healthcare, a hospital may share patient data with a physician practice or a cardiologist. The data gets distributed everywhere. Technology provides a lot of benefits to healthcare, but digitization has made the security problem worse.
The problem is, this industry is not mature when it comes to technology. My colleagues may not appreciate this comment, but I want to be realistic. If you look at nonprofit healthcare companies, the profit margins are extremely poor. If you look at small and medium-sized practices or hospitals, they do not even have proper IT resources. They may use a part-time consultant.
The industry is complex. Some of the same data is stored in 10 to 20 different systems, and that makes the industry more vulnerable. Data consolidation must occur sooner rather than later. Organizations should start thinking about having data in fewer systems and apply controls to fewer sets of systems.
Ultimately, you will see a lot of managed service providers. A lot of healthcare providers are thinking about cloud-based data centers because they can’t afford to do it all themselves.
HEALTHTECH: Throughout the final HHS report, special attention was paid to small and medium-sized organizations. You recommend that the industry customize cybersecurity best practices for smaller organizations. How urgent are such steps?
RAMADOSS: We have a recommendation on how large and medium-sized organizations with strong security teams can start collaborating and providing services with small practices. There are some regulations that prevent us from doing that today. The collaboration needs to happen.
We have to do something. Managed service providers have to make it affordable and start supporting these small and medium-sized organizations, or else this industry will not see much adoption.
Today, no one is paying attention to the small and medium-sized organizations because the cost model is not there. The industry should consider some kind of tax incentive to help small and medium-sized companies that are investing in security problems, so they can make progress.
HEALTHTECH: How do you strike that balance with security best practices between smaller and larger organizations?
RAMADOSS: From a security hardening perspective, you can’t say, “If you are a large company, do these things,” and then, when it comes to a smaller company, you can be lax. For example, if you have a laptop, there are foundational controls that are no longer best practices. They are considered basic requirements, like encryption and administrative privileges.
It’s a challenge. You can talk all day about basic controls to physicians, but if they don’t have a tech background, they will not get it. They won’t know how to address it. They need expertise. We need to address the expertise gap.
The top security talent doesn’t like to work in healthcare organizations because these companies are not investing in the newest technologies and don’t pay very well. It’s a convoluted problem, so the small and medium-sized organizations must start addressing basic controls and make sure they engage a security consultant maybe every one or two years to conduct a basic risk assessment. They have to come to that reality.
HEALTHTECH: What has been the report’s impact on the industry?
RAMADOSS: I am part of the Healthcare Information and Management Systems Society’s national privacy and cybersecurity workgroup, and I definitely think HIMSS is planning to address this among their members.
My main concern is the industry is not acting on security on a daily basis. When an incident happens, everyone focuses on it and moves on. But security is no longer a once-a-year or checklist type thing. You have to do it because, from a risk perspective, it’s the right thing to do. Unless that mentality takes over across all organizations, we will not see real change.
This Q&A is part of the IT Guardians at the Virtual Gate series of interviews with top experts in healthcare cybersecurity.