From left: Accenture Global Managing Director Salwa Rafee, Health-ISAC Chief Security Officer Errol Weiss, Health Sector Coordinating Council Cybersecurity Working Group Executive Director Greg Garcia, and Armis CTO and Co-Founder Nadir Izrael discuss how cyberthreats are evolving.
Medical devices also leave healthcare organizations vulnerable to attacks. Izrael explained that many of these devices are old or run on old software because they can have a long shelf life and healthcare organizations don’t have a reason to replenish them constantly. However, Izrael pointed out that these devices are already old when they are new and off the shelf because of the time it takes for the Food and Drug Administration to certify a device.
“Healthcare is a target-rich environment of old, vulnerable things. It’s a lucrative target for those who want to make money,” Izrael said. “Security organizations have been woefully underfunded. Some of that has changed, and some is still changing, but there’s a significant risk and attack surface in healthcare.”
He recommends that health IT and security teams go back to the basics to protect their organizations from cyberthreats. While it may not be feasible to identify and solve for every vulnerability, Izrael said triaging can help.
“Patch what you can. Shore up your defenses where you can. You need the very basics of security and to get the hygiene right,” he said. “Doing that will lower your risk of attack dramatically. It’s not about fancy things but the basic elements.”
LEARN MORE: How health systems can build up their security teams.
Collaborating to Mitigate Cyberthreats to Healthcare Organizations
Healthcare is critical infrastructure, and Greg Garcia, executive director of the Health Sector Coordinating Council Cybersecurity Working Group, said that industry and government need to work together to identify and mitigate systemic threats.
His group is working with Congress on how to collaborate. He explained that regulation and market forces won’t take care of the problems on their own. The conversations with Congress have discussed providing incentives to smaller healthcare providers to invest in cybersecurity, Garcia said.
He also noted that the Cybersecurity and Infrastructure Security Agency conducts penetration testing and security assessments with organizations and discusses ways healthcare organizations can shore up their defenses.
The Health-ISAC Medical Device Security Information Sharing Council includes device manufacturers and stakeholders of the medical device security community. It’s working with security researchers to come up with a balanced set of recommendations on medical device security.
Garcia said the healthcare industry cannot afford to point fingers because patients are the ultimate beneficiary of the work.
“Patient safety requires cyber safety. We need to coalesce around an objective and find ways to bridge differences,” he said.
DIVE DEEPER: How to protect patient information using data encryption and zero trust.
Protecting Patient Data in a Complex Environment
“Caring for your patients means caring for their data,” said Marti Arvin, chief compliance and privacy officer for Erlanger Health System, in the session “Health Data Security: No Longer an Easy Target.”
The amount of patient data that healthcare organizations are collecting is growing rapidly. Healthcare organizations are putting more focus on how to better manage and extract insights from this data. However, it’s important that patient privacy and security aren’t treated as afterthoughts.
Arvin said that if a healthcare organization knows where 95 percent of its data is, then it’s doing a good job. She explained that her organization is trying to get as much data in one location as possible to be a source for clinicians and staff to access. Doing so will make it easier to establish a process for accessing data, rather than a clinician asking the reporting person in IT for data directly because they’re friends.
“We don’t want to hold data back if someone needs it for a legitimate purpose, but there needs to be a process for where it’s stored and how it’s accessed,” Arvin said.
Many healthcare organizations are storing data with vendors that are also cyberattack targets because they store data for multiple healthcare organizations. However, a new type of threat is emerging. Some of those vendors are sharing data with fourth-party vendors, creating another avenue for malicious actors to get access to valuable patient data.
Jesse Fasolo, information security officer and head of technology infrastructure and cybersecurity at St. Joseph’s Health, said his organization built a robust system for assessing third-party risk.
“Third parties are outsourcing their functions and data access to fourth parties, and it could even go beyond that. Someone else has access to our data but doesn’t inform me,” he said. “We need to understand where the data is and where it’s going.”
While organizations must contend with new threats to patient data, they must also share electronic patient records. Physicians who interfere with the access, exchange or use of electronic health information are considered information blockers and are subject to penalties. However, the Office of the National Coordinator for Health Information Technology’s 2020 Cures Act Final Rule established eight information blocking exceptions.
EXPLORE: How modernizing data storage leads to better data access in healthcare.
Medigram CEO Sherri Douville said there is a lack of clarity and alignment around the exceptions and that more learning needs to happen. Arvin agreed, adding that many organizations are still struggling with information blocking.
“Organizations need to provide good education and make sure there’s a subject matter expert in the organization who people can reach out to,” Arvin said. “Ninety percent of people do not understand the exception around preventing harm. We need to make sure clinicians understand and aren’t blocking data unnecessarily.”
To keep up with the increasing demands around data while protecting patient data, healthcare organizations need privacy and security experts. Bill O’Connell, head of product security and privacy operations at Roche Information Solutions, said one way that organizations can hire experts amid an IT staffing shortage is to pull people from other highly regulated industries such as banking, since they would know what it’s like to operate in that type of environment. Another is through remote work and expanding the applicant pool.
Fasolo pointed out that recruiting from other industries is difficult when those industries can pay significantly more. He said some people are coming to healthcare with less experience and exposure because that’s what available, which can lead to data security issues. He recommends nurturing from within.
Organizations also need to conduct regular security and privacy training programs to foster a culture of security.
“Security, privacy and compliance are everyone’s responsibility in a healthcare system,” Fasolo said. “Everyone needs to learn and seek knowledge.”
Keep this page bookmarked for our coverage of ViVE 2023, taking place March 26-29 in Nashville, Tenn. Follow us on Twitter at @HealthTechMag and join the conversation at #ViVE2023.
