From left: Baker & Hostetler Partner Lynn Sessions, St. Joseph’s Health Information Security Officer Jesse Fasolo, Erlanger Health System Chief Compliance and Privacy Officer Marti Arvin, Roche Information Solutions Head of Product Security and Privacy Operations Bill O’Connell, and Medigram CEO Sherri Douville discuss how to protect patient data in an increasingly complex environment.

Mar 29 2023

ViVE 2023: Maintaining Security and Privacy as Patient Data Grows

Cyberthreats are becoming more sophisticated and more patient data is being collected daily, leaving healthcare organizations with an increased responsibility to protect data.

The healthcare industry is dealing with an onslaught of cyberattacks as bad actors target vulnerable and valuable patient data. The theft of this data through ransomware or phishing attacks can cause major financial losses, erode patient trust or, crucially, affect patient care.

While patients want more access to their data, they also want data privacy. Healthcare organizations must balance both in an increasingly complex and sophisticated threat landscape. Health IT experts discussed the current challenges for healthcare organizations regarding cyberthreats and data privacy at ViVE 2023 in Nashville, Tenn. They explained how the threat landscape is changing, and how collaboration can help.


Mapping the Threat Landscape in Healthcare

In the session “From Hacked to Hero: Cyber State of the Union,” Errol Weiss, chief security officer for Health-ISAC, pointed out that determined nation-states are targeting U.S. health providers for both money and intellectual capital.

“Nation-states have very deep resources,” he explained, with countries such as North Korea conducting concerted ransomware attacks to raise cash due to economic sanctions.

Complicating the cybersecurity landscape for healthcare organizations is the proliferation of nation-state–grade weapons that aren’t difficult to use, according to Nadir Izrael, CTO and co-founder of Armis.

Weiss shared that, according to a Health-ISAC survey of 300 security experts, ransomware is the No. 1 threat to healthcare. Next is phishing attacks, as people still fall for them. He warned that free artificial intelligence tools such as ChatGPT and Google Bard can help cybercriminals write well-crafted phishing emails, which could impact healthcare organizations.

Another major concern is social engineering. Bad actors are taking advantage of people’s fatigue regarding multifactor authentication.

“Attackers are good at being innovative and creative. They’ll use creative ways to get people to give up their MFA,” Weiss said. Once cybercriminals have access to someone’s username and password, they can send multiple MFA requests in a row, hoping that the person will accept one of them to get it to stop.
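Weiss's description of MFA prompt bombing lends itself to a simple detection rule. The Python below is an added example, not code from the article or from Health-ISAC: it runs over a constructed push-notification log (the line format, user names and timestamps are assumptions) and flags accounts that received several prompts inside a short window, distinguishing a burst that ended in an approval from one the user kept denying.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log (illustrative, not a real IdP export): "<UTC time> <user> <result>"
SAMPLE_LOG = """\
2023-03-27T08:00:01Z alice denied
2023-03-27T08:00:20Z alice denied
2023-03-27T08:00:41Z alice denied
2023-03-27T08:01:05Z alice denied
2023-03-27T08:01:30Z alice approved
2023-03-27T09:10:00Z bob denied
2023-03-27T09:40:00Z bob approved
2023-03-27T10:00:00Z carol denied
2023-03-27T10:00:30Z carol denied
2023-03-27T10:01:10Z carol denied
"""

def parse_log(text):
    """Parse log lines into (timestamp, user, result) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((when, user, result))
    return sorted(events)

def detect_push_fatigue(events, window=timedelta(minutes=10), threshold=3):
    """Flag users who got >= threshold push prompts inside a sliding window.
    Denials ending in an approval are the classic fatigue signature (the user
    gave in); pure denials still mean someone else holds the password."""
    prompts_by_user = defaultdict(list)
    for when, user, result in events:
        prompts_by_user[user].append((when, result))
    alerts = []
    for user, prompts in prompts_by_user.items():
        best, start = None, 0
        for end in range(len(prompts)):
            while prompts[end][0] - prompts[start][0] > window:
                start += 1  # slide the window forward past stale prompts
            burst = prompts[start:end + 1]
            if len(burst) >= threshold and (best is None or len(burst) >= len(best)):
                best = burst  # keep the largest (latest) burst for this user
        if best:
            denials = sum(1 for _, r in best if r == "denied")
            alerts.append({"user": user, "prompts": len(best), "denials": denials,
                           "approved_after_denials": denials > 0 and best[-1][1] == "approved"})
    return alerts
```

With the sample data, alice is flagged as a burst of four denials followed by an approval (the account should be treated as compromised), carol as three denials with no approval (the user held out, but the password is still in someone else's hands), and bob is not flagged because his two prompts are half an hour apart.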

From left: Accenture Global Managing Director Salwa Rafee, Health-ISAC Chief Security Officer Errol Weiss, Health Sector Coordinating Council Cybersecurity Working Group Executive Director Greg Garcia, and Armis CTO and Co-Founder Nadir Izrael discuss how cyberthreats are evolving.

Medical devices also leave healthcare organizations vulnerable to attacks. Izrael explained that many of these devices are old or run on old software because they can have a long shelf life and healthcare organizations don’t have a reason to replenish them constantly. However, Izrael pointed out that these devices are already old when they are new and off the shelf because of the time it takes for the Food and Drug Administration to certify a device.

“Healthcare is a target-rich environment of old, vulnerable things. It’s a lucrative target for those who want to make money,” Izrael said. “Security organizations have been woefully underfunded. Some of that has changed, and some is still changing, but there’s a significant risk and attack surface in healthcare.”

He recommends that health IT and security teams go back to the basics to protect their organizations from cyberthreats. While it may not be feasible to identify and solve for every vulnerability, Izrael said triaging can help.

“Patch what you can. Shore up your defenses where you can. You need the very basics of security and to get the hygiene right,” he said. “Doing that will lower your risk of attack dramatically. It’s not about fancy things but the basic elements.”

Collaborating to Mitigate Cyberthreats to Healthcare Organizations

Healthcare is critical infrastructure, and Greg Garcia, executive director of the Health Sector Coordinating Council Cybersecurity Working Group, said that industry and government need to work together to identify and mitigate systemic threats.

His group is working with Congress on how to collaborate. He explained that regulation and market forces won’t take care of the problems on their own. The conversations with Congress have discussed providing incentives to smaller healthcare providers to invest in cybersecurity, Garcia said.

He also noted that the Cybersecurity and Infrastructure Security Agency conducts penetration testing and security assessments with organizations and discusses ways healthcare organizations can shore up their defenses.

The Health-ISAC Medical Device Security Information Sharing Council includes device manufacturers and stakeholders of the medical device security community. It’s working with security researchers to come up with a balanced set of recommendations on medical device security.

Garcia said the healthcare industry cannot afford to point fingers because patients are the ultimate beneficiary of the work.

“Patient safety requires cyber safety. We need to coalesce around an objective and find ways to bridge differences,” he said.

Protecting Patient Data in a Complex Environment

“Caring for your patients means caring for their data,” said Marti Arvin, chief compliance and privacy officer for Erlanger Health System, in the session “Health Data Security: No Longer an Easy Target.”

The amount of patient data that healthcare organizations are collecting is growing rapidly. Healthcare organizations are putting more focus on how to better manage and extract insights from this data. However, it’s important that patient privacy and security aren’t treated as afterthoughts.

Arvin said that if a healthcare organization knows where 95 percent of its data is, then it’s doing a good job. She explained that her organization is trying to consolidate as much data as possible in one location that clinicians and staff can access. Doing so makes it easier to establish a formal process for accessing data, rather than a clinician asking a friend on the IT reporting team for data directly.

“We don’t want to hold data back if someone needs it for a legitimate purpose, but there needs to be a process for where it’s stored and how it’s accessed,” Arvin said.

Many healthcare organizations are storing data with vendors that are also cyberattack targets because they store data for multiple healthcare organizations. However, a new type of threat is emerging. Some of those vendors are sharing data with fourth-party vendors, creating another avenue for malicious actors to get access to valuable patient data.

Jesse Fasolo, information security officer and head of technology infrastructure and cybersecurity at St. Joseph’s Health, said his organization built a robust system for assessing third-party risk.

“Third parties are outsourcing their functions and data access to fourth parties, and it could even go beyond that. Someone else has access to our data but doesn’t inform me,” he said. “We need to understand where the data is and where it’s going.”

While organizations must contend with new threats to patient data, they must also share electronic patient records. Physicians who interfere with the access, exchange or use of electronic health information are considered information blockers and are subject to penalties. However, the Office of the National Coordinator for Health Information Technology’s 2020 Cures Act Final Rule established eight information blocking exceptions.

Medigram CEO Sherri Douville said there is a lack of clarity and alignment around the exceptions and that more learning needs to happen. Arvin agreed, adding that many organizations are still struggling with information blocking.

“Organizations need to provide good education and make sure there’s a subject matter expert in the organization who people can reach out to,” Arvin said. “Ninety percent of people do not understand the exception around preventing harm. We need to make sure clinicians understand and aren’t blocking data unnecessarily.”

To keep up with the increasing demands around data while protecting patient data, healthcare organizations need privacy and security experts. Bill O’Connell, head of product security and privacy operations at Roche Information Solutions, said one way that organizations can hire experts amid an IT staffing shortage is to pull people from other highly regulated industries such as banking, since they would know what it’s like to operate in that type of environment. Another is through remote work and expanding the applicant pool.

Fasolo pointed out that recruiting from other industries is difficult when those industries can pay significantly more. He said some people are coming to healthcare with less experience and exposure because that’s what’s available, which can lead to data security issues. He recommends nurturing talent from within.

Organizations also need to conduct regular security and privacy training programs to foster a culture of security.

“Security, privacy and compliance are everyone’s responsibility in a healthcare system,” Fasolo said. “Everyone needs to learn and seek knowledge.”

Keep this page bookmarked for our coverage of ViVE 2023, taking place March 26-29 in Nashville, Tenn. Follow us on Twitter at @HealthTechMag and join the conversation at #ViVE2023.

Photography by Jordan Scott
