Cyber incidents are increasingly a matter of national security, and the Biden administration is now making cybersecurity a top priority as it seeks to boost federal research and funding to mitigate future cyber threats.
While hackers continue to target vulnerable health care providers, these bad actors are expanding well beyond just the health care industry. Recent high-profile attacks have brought the topic of cybersecurity back into the headlines: The world's largest meat producer JBS recently paid $11 million to resolve a ransomware attack; Colonial Pipeline, one of the largest pipeline operators in the United States, had to pay $5 million to get gas lines flowing again; and the IT firm Kaseya was hit with a ransomware attack, impacting between 800 and 1,500 businesses worldwide, including supermarkets and schools.
Here at Advisory Board we've built an extensive cybersecurity resource library highlighting best practices in how to respond to increasing cyber-threats, but we also value having a fresh, external perspective. To learn more about how health care organizations can respond to the rise in cyber-threats, we reached out to Bob Chaput for a virtual Q&A.
Bob is the Founder and Executive Chairman of the Board of Clearwater Compliance, a provider of health care compliance and cyber risk management solutions. As a leading authority and expert witness on HIPAA compliance and enterprise cyber risk management, he has assisted hundreds of health care organizations and their business partners, including Fortune 100 organizations, to improve their risk posture. Bob is also the author of the recently published book, "Stop the Cyber Bleeding: What Healthcare Executives and Board Members Must Know About Enterprise Cyber Risk Management."
Q: Let's start with the most top-of-mind issue of the day: Covid-19. The pandemic brought a variety of challenges to the industry, and we also unfortunately saw a spike in cybersecurity risks. What do you think are some of the biggest pandemic-related lessons learned regarding cybersecurity?
Chaput: The number one lesson is that disruption—in this case, driven by a pandemic—creates opportunities for new threat sources to appear. In this case, disruption set the table for bad actors to exploit a significantly expanded attack surface.
Work-from-home and re-engineered clinical and administrative workflows often used new information assets (for example, home computers, Zoom, remote monitoring devices, etc.). These assets possessed vulnerabilities (for example, unsecured home networks) that old and new threat sources could exploit. Hence, a new set of risks was born. As a reminder, a risk exists when—and only when—an asset, threat, and vulnerability are present.
Most organizations were caught flat-footed. Organizations with a well-developed Enterprise Cyber Risk Management (ECRM) program in place simply pivoted to identify their new information assets and assess their newly identified risks using already solid risk assessment and risk management processes. These organizations were able to respond quickly.
The reality is that disruption can originate from many sources, not just a pandemic, including from socio-political, geopolitical, economic, technological, legal, and environmental factors, all posing scenarios for new risks.
Think of a strong ECRM program as having already deployed the "trains and tracks," making handling new risks just a matter of loading new "cargo" into the boxcars.
Q: Let's talk about the evolution of health care cybersecurity. Over the past few decades, we've had the introduction of HIPAA, the HITECH Act, and now the modern digital age fueled by the internet of things, AI, and other emerging technologies. How has our perception of cyber risk management changed over this time period?
Chaput: The short answer is: it has not changed enough. Our collective health care perception of and reality about cyber risk management is still very immature and a work-in-process. For all intents and purposes, the HIPAA Security Rule, which requires a security management process, including both risk analysis and risk management, was not enforced for eight years (2003-2011).
As of this writing, nine out of 10 organizations subjected to HHS Office for Civil Rights (OCR) enforcement actions have had adverse risk analysis findings. These organizations failed to meet this foundational risk analysis requirement outlined in the HIPAA Security Rule. Eight out of 10 were unable to meet the risk management requirement.
Organizations that limited their treatment of security as a compliance matter failed. Even organizations that realized cyberattacks were a growing security issue failed to address all their unique risks.
I hope that health care organizations that have otherwise been managing risks related to patient safety and professional liability for a long time will understand that cyber risk management is a patient safety and professional liability issue. Further, I hope the C-suite executives and board members address this matter with more urgency and engagement.
The $33 billion EHR implementation "blitz" precipitated by CMS' EHR Incentive Program (now Promoting Interoperability Programs) caused organizations to accrue a vast "ECRM debt," and now health care organizations need to find funding to address this debt. They must also build cybersecurity into new solutions as they adopt new technologies such as quantum computing, edge computing, blockchain, AI and machine learning, virtual and augmented reality, 5G, etc.
Q: The digital health market has been on fire lately, creating a surge in digital data and boosting investment in various technologies, but industry experts now fear that there is a growing disparity between digital adoption and security maturity. How can health care stakeholders balance the pace of digital transformation with the rising threat of bad actors?
Chaput: Absolutely, unequivocally, there is a growing disparity between digital adoption and security maturity. The health care industry, decades behind most other industries in the adoption of information technology, is even further behind in security maturity.
As far back as 2014, the FBI issued a Private Industry Notice (PIN) warning of increased cyber intrusions against health care systems. The alert cited several reasons for the increase, including the transition from paper records to EHRs, a higher financial payout for medical records on the black market, and "lax cybersecurity standards" in the industry.
The alert stated that "the health care industry is not as resilient to cyber intrusions" as other critical infrastructure sectors (for example, energy, financial services, transportation systems, etc.). Further, the health care industry is "poorly protected and ill-equipped to handle new cyber threats exposing patient medical records."
As I look back over the last seven years, I have seen that the weaknesses and concerns cited in the FBI PIN have borne out in an increasing number of successful attacks on health care organizations. The amount of data (notably, electronic protected health information), systems, and devices deployed in health care is exploding. These data, systems, and devices are more voluminous, visible, valuable, and, sadly, more vulnerable than ever.
All that said, health care stakeholders can balance the pace of digital transformation with the rising threat of bad actors and other threats by starting with the premise that cyber risk management is an enterprise risk management and patient safety issue, not an "IT problem."
As a practical step, simply require a risk-based cybersecurity line item in every new project/program/initiative proposed. Do not even start the project without a commitment to security-by-design. The National Institute of Standards and Technology (NIST) suggests that before a new system can be deployed, there should be an "authorization to operate" or an "authorization to use" contingent on the assessment of security and privacy risks.
Q: For most organizations, members of the C-suite and Board will not be security experts. That said, what are some core principles that every leader needs to understand when it comes to cybersecurity?
Chaput: A great resource to help establish core principles and governance is the NACD Director's Handbook on Cyber-Risk Oversight.
In Chapter 11 of my book, I provide over 20 fundamental principles in three categories that I believe every leader needs to understand regarding cybersecurity and cyber risk management.
In a category called "Context," among other points, I emphasize that we must treat these cyber risk issues as matters of patient safety, professional liability, and potentially, personal liability. The latter could result if a patient filed a derivative lawsuit against C-suite executives or board members.
Under "Your Role," I again emphasize that C-suite executives or board members need not become cybersecurity experts. They need to become enablers by adopting and communicating strong governance principles and making ECRM a "team sport" by insisting on cross-functional engagement and accountability.
Finally, I discuss essential "Best Practices" such as insisting on a risk-based approach to ECRM versus a controls-checklist-based approach, requiring an industry-standard methodology (such as NIST), adopting the NIST Cybersecurity Framework, and ensuring that your ECRM program covers every information asset, in every line-of-business, in every facility, in every location.
Q: There is wide variability across health care organizations in terms of resources, staffing, scale, funding, etc. If we assume that many smaller organizations do not have the means to invest heavily in cyber risk management, what are at least some fundamentals they need to address? Are there creative ways for resource-strapped organizations to combat cyber risk?
Chaput: No matter how large or small an organization may be, I recommend that the C-suite, board, and staff agree on three basic "design principles" as they work on some fundamentals:
- We need a short game and a long game no matter how resource-strapped the organization may be. The short game will likely include implementing basic controls or safeguards like intrusion detection, mobile device management, encryption, etc. The long game needs to be about establishing, implementing, and maturing a transformational ECRM program.
- We need to take a risk-based and NOT a controls-checklist-based approach to cyber risk management. While we may source and adopt some basic controls from resources like Center for Internet Security (CIS) Controls, we will not fall for a "one-size-fits-all" controls-checklist approach as a permanent solution to cybersecurity.
- We will not allow the effort to devolve into an "IT project." No matter where we are in the health care supply chain, the quality of our cyber risk management work may become a life-or-death matter.
Many organizations will benefit by considering outsourcing their cyber risk management work. Cyber Risk Management-as-a-Service (CRMaaS) has proven to be an efficient and cost-effective solution for resource-strapped organizations.
Part 2 of this series will be published early next month.