Sponsored Post

Understanding the Healthcare Cybersecurity War and How to Defend Against It

David Finn, CHIME Association Executive Healthcare and Information Sector, lead of the cybersecurity pavilion initiatives at ViVE 2023, does not mince words. With ransomware attacks surging to an all-time high this month, Finn said in an interview that security is no longer a defensive posture; we are engaged in a war.

The series of attacks on our healthcare infrastructure, particularly hospitals where ransomware attacks are on the rise, is a worrying trend that puts lives in jeopardy. A ransomware attack could mean the difference between life and death. It means people who are prompted to visit a hospital for an emergency may be forced to drive another 30 minutes away because the provider’s health IT system is paralyzed. In 2021, cybersecurity attacks on healthcare providers reached an all-time high with more than 45 million people affected – a 32 percent increase over 2020, according to a 2022 report by Critical Insight.

“For 36 years I have been talking about healthcare and cybersecurity. In the past 2 years I have been talking about cybersecurity as a war.”

David Finn

Finn describes himself as a recovering Chief Information Officer and Chief Information Security Officer. Prior to CHIME, he served as executive vice president, external affairs, information systems and security at CynergisTek, a firm that specializes in cybersecurity, privacy, and compliance in healthcare.

From Finn’s perspective, this is not a problem that developed overnight. Our health system is playing catch-up on a problem whose origin can be traced back to the health tech provisions that set meaningful use standards, which forced hospitals to rapidly expand and scale health tech capabilities without a clear security component.

All this provides an even more compelling backdrop for the cybersecurity conversation at ViVE 2023, powered by HLTH and CHIME, taking place in Nashville, March 26-29.

Finn highlighted some of the themes of the cybersecurity pavilion at the ViVE conference.

The pavilion will be powered by the Association for Executives in Healthcare Information Security (AEHIS). Among the topics of discussion will be:

  • Backup and Recovery in the Age of Ransomware
  • Where Security Starts: Asset Management
  • Risk Management: It’s Not Your Father’s Risk Assessment

Finn said he’s looking forward to hosting a robust cybersecurity dialogue at ViVE as the war on ransomware continues to expand.

“What really drove my mission for the Cybersecurity Pavilion at ViVE this year is there are lots of ways to address cybersecurity,” Finn added. “You have to look not only at the continuum of care but also the continuum of data.”

Finn also drew some connections between balancing digital transformation and ensuring it is adequately supported with security. Too often, health tech security has been an afterthought when it comes to innovation, but they need to be hand in glove.

“We wrote an interoperability law that has no security requirements underpinned to it. It was part of a grand vision of enabling providers, with patients’ permission, to share electronic medical records for when they are on vacation in another state or region, and have an accident or get sick enough to go to a hospital and to access their own data on demand. Their EMRs could be easily transmitted from one hospital or practice to another.”

We lag in automation that would improve and speed up healthcare, but because all of this information is protected, the security and privacy issues have to be resolved first.

Another part of the security challenge healthcare faces is that, as in many industry sectors, innovation has progressed far faster than security protocols and laws can be written and legislated. Take HIPAA. Its purpose was to help protect patients’ privacy where their medical records are concerned. It was not written for a time in which almost everyone would carry around smartphones as powerful as computers, running apps that contain highly sensitive data.

Finn talked about two sets of data that pose security risks. One set is the data transmitted by fitness apps such as Fitbit. Another is the type that’s of particular interest to hackers and nation states.

What makes wearable app data concerning is that the apps are connected to the operating system, and the operating system sends data to dozens of places. On its own, that data doesn’t necessarily amount to much. But collectively it can be weaponized, because these wearable fitness tracking devices are so pervasive and they encourage users to transmit that data everywhere they go. Some fitness devices are now banned in the Pentagon because two military bases were exposed through Fitbit wearables. Even so, when Fitbit owners who work at the Pentagon left them in their cars, the data points lit up and formed an outline of the Pentagon.

This is connected to another worrying trend about EMR data such as vaccine data, which contains information that nation states can use to find out where military families are being re-located to. EMRs contain the most sensitive data about ourselves: our addresses, driver’s licenses, sexually transmitted diseases, mental health data. Imagine if that data were to fall into the wrong hands – how could that information be weaponized?

“We have connected ourselves to everything out there. We need to take action ourselves as individuals,” Finn emphasized. “We can’t lead with IT and security but we need to understand the value of our data.”

Another component of the security conversation is software updates. The PATCH Act (Protecting and Transforming Cyber Health Care) legislation was introduced by U.S. Rep. Michael Burgess of Texas (R-26) in March last year but did not make it to a floor vote. Instead, a watered-down version of it was included in the Omnibus spending bill passed at the end of 2022. The statute includes a mechanism to ensure that medical device manufacturers flag and address postmarket software vulnerabilities in their products. It is set to go into effect later this year. Device companies must also share with regulators the software components used in their devices.

Carter Groome is the founder and CEO of First Health Advisory, which provides risk assurance and managed security solutions for hospitals, digital health entities, government agencies, and other organizations that deliver health and care. It also works extensively in securing medical and operational devices across the healthcare ecosystem.

Groome admitted he has been disappointed by the lack of cybersecurity legislation in healthcare so far, considering the urgency amidst constant ransomware attacks on our nation’s hospitals, most recently at Tallahassee Memorial Healthcare in Florida and the websites of hospitals in nearly every U.S. state, cutting off access to patient portals and other vital information. He noted there is some cause for optimism, including policy under consideration from U.S. Senator Mark Warner (D-VA), chairman of the Senate Select Committee on Intelligence and co-chair of the cybersecurity caucus. Warner published a report in November 2022, Cybersecurity is Patient Safety, on cybersecurity policy options in healthcare. In addition, Sen. Warner has suggested a cybersecurity leadership role within the Department of Health and Human Services, functioning as a national coordinator for healthcare cybersecurity. Sen. Warner is also exploring baseline security requirements for hospitals to improve cyber hygiene at their institutions.

Groome also speculated that the White House is telegraphing an updated National Cyber Strategy that would have an impact on the healthcare sector’s mostly voluntary standards, possibly taking the form of an executive order. It’s also possible that the federal government will move to an official proactive, offensive approach to thwart bad actors earlier and more aggressively than the more common defensive approaches employed today.

No hospital has figured out how to fully inoculate against ransomware attacks, which, infuriatingly, still begin with simple email compromises in which an unsuspecting user clicks on a malicious link that may ultimately lead to a ransom or extortion event.

“The digitization of healthcare is so prolific. Hospitals are in essence digital companies that provide care. They have become so dependent on technology that they just can’t operate without it.”

Groome also expressed frustration that hospitals have had fewer resources to protect their data than payers have had over the last couple of years, creating further urgency to find incentives and motivation for hospitals to invest in good cyber hygiene and in the cyber health workforce as a whole.

“Hospitals are still just rolling the dice [with ransomware attacks] and deciding, ‘Well, I don’t have the resources to put towards it. And by law, I’m not mandated to do anything about it. As a result, I’m going to just accept the risk.’”

Photo: Traitov, Getty Images