Times have changed when it comes to cybersecurity. Speaking on an all-star panel of experts at the 2019 Collaborative Care HIT Summit earlier this week, John DiMaggio, CEO of BlueOrange Compliance, noted, “I spoke at this conference in this hotel back in 2012 about HIPAA security, and I got a lot of blank stares [from the audience].” This time around, he had a standing-room-only crowd eager to learn more about protecting both data and devices from cyberattacks. DiMaggio urged the group, “Always be vigilant. Cybersecurity is a journey, not a destination.”
Recognition Is Growing, But More Action Is Needed
DiMaggio said that he’s often asked to speak to organizations’ boards, and their first question almost always is, “How do I compare to others?” Instead of making comparisons, he suggested taking an honest and thorough assessment of your own organization. “You need to understand where you are and where your IT is. And you need to help your board understand this.” Organizations need to know their “on-ramps,” he said, and what cyberthreats they face. It’s important to keep policies and procedures updated as new threats and trends emerge (companies such as BlueOrange can help with this). Ultimately, he said, “You need a balance of preparedness and prevention.”
On the technology preparedness side, DiMaggio suggested, companies need to manage and audit logs. Without good log management, he said, organizations lack proof or documentation of what’s happening or what they are doing to address cybersecurity issues and vulnerabilities.
Devices and Bad Dreams
Some of the panel members discussed concerns about cybersecurity regarding medical devices such as pacemakers and smart devices. Panelist Jeff Bontsas, Chief Information Security Officer at Ascension Technologies, said that this issue “keeps me up at night.” For smart devices, DiMaggio stressed the need to look at how and where these devices are being used, and by whom, to identify and address risks. Bontsas noted that some device vendors have insisted that “it’s patient safety first, security second.” However, this is changing, he observed, as vendors and others increasingly recognize that safety and security go hand-in-hand. Seth Carmody, PhD, Cybersecurity Program Manager for the Center for Devices & Radiological Health, agreed. He observed that cybersecurity was never considered in the design of most devices but that his group is working to change this mind-set. He added, “The FDA is working to point this ship in the right direction,” with an ultimate goal of devices being secure “right out of the box.” DiMaggio added, “Eventually, these devices will be secure, but you have to protect them now. You can’t wait.”
All panelists agreed with DiMaggio that the threats and the need for action are urgent. While Bontsas stressed his concerns about devices, he noted, “There are many other things to focus on. If you don’t know where to start, ask for help. A war is going on, and we are the good guys.” He added, “We block 21 million threats every month. Cybersecurity is one of the top risks for most organizations. You have to be focused on this, no matter what your role is.”
It Takes Two: Public-Private Partnerships
Julie Chua, Risk Management Branch Chief, U.S. Department of Health and Human Services (HHS), offered some background on the government’s role in healthcare cybersecurity and efforts to promote public-private partnerships to find solutions. Specifically, after passage of the Cybersecurity Act of 2015, HHS partnered with the Health Sector Coordinating Council (HSCC) and released a publication called “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients.” This four-volume publication seeks to raise awareness for executives, healthcare practitioners, providers, and health delivery organizations, such as hospitals and nursing homes. It identifies and addresses five key threats: email phishing attacks; ransomware attacks; loss or theft of equipment or data; insider, accidental or intentional data loss; and attacks against connected medical devices that may affect patient safety. The publication marks the culmination of a two-year effort involving more than 150 cybersecurity and healthcare experts from industry and government. A key part of all of this, Chua stressed, is public-private partnerships with providers, practitioners, and others.
Elsewhere, in 2018, HHS opened the Health Sector Cybersecurity Coordination Center (HC3) to increase health sector cybersecurity sharing. HC3 is designed to strengthen coordination and information sharing within the healthcare and public health sector and cultivate cybersecurity resilience by providing timely and actionable cybersecurity intelligence to health organizations.
Chua stressed the importance of widespread involvement on the part of healthcare industry stakeholders in cybersecurity issues. For instance, she said, “Physicians and other practitioners don’t have to be experts, but they do have to pay attention and know the risks.”
There are many resources available to support healthcare organizations in their cybersecurity efforts, the panel noted. For instance, BlueOrange has a free ebook that addresses the impact of cyberattacks in the healthcare arena, hacker tools and tactics, and cybersecurity best practices. Additionally, LeadingAge offers a Cybersecurity White Paper. Cybersecurity is everyone’s problem, DiMaggio and other panelists observed; however, there are many sources of information and support to keep healthcare organizations, practitioners, and others informed, up-to-date, and empowered to do their part to successfully address cybersecurity.