Interviewer:
|
Welcome. I'm
here with Richard Staynings, Security Principal and global leader of
cybersecurity for the Healthcare Industry at Cisco. Richard is a respected
thought-leader in healthcare security and is here at HIMSS with us today.
|
|
Richard, I know that you're on a journey talking with healthcare
executives and their boards about cybersecurity risks, threats and security
best practices, but how receptive, and how aware is the industry to your
message? What level of awareness and understanding are you finding when
meeting with healthcare leaders?
|
Richard:
|
I think healthcare executive and Board understanding of
cybersecurity has evolved quite radically from where it was,
say as little a five years ago. Most of this evolution has occurred quite
recently in fact.
I think there's been a late awakening amongst Boards of
Directors of healthcare providers, payers, and pharmaceutical organizations;
a realization of the cyber security threat, and the way that that impacts not
only their current business, but also their future business. If we talk about
intellectual property loss within the pharmaceutical industry for example, it's
a huge concern. The next generation of genomics-based medications is
already assumed to have been stolen, largely by foreign nation states, in order to
bolster their own pharma sector. All this, largely because of ineffective
security across the industry to protect its intellectual property.
|
|
At the same time, we're seeing a large amount of media attention
generated with regard to cyber breaches of our healthcare systems - patient
health information being stolen and exposed, or patient information being encrypted and
held to ransom, as has been the case at several hospital systems over the
past month. Or malware infestations on hospital networks that have resulted
in the hospital having to revert to paper, or even
worse, to unplug their network core so that they could deal with the outbreak.
Boards are now aware of some of these issues, many of
them have a good understanding of the enterprise risk and potential impact to their business of cyber
security, which I think is something that historically wasn't the case. Security
and the Board to a large degree speak different languages and its taken a new breed of security leadership to bridge
that gap and to translate. By and large, that language barrier caused some
historic rifts, and didn't go far in engendering trust towards what security
leaders were telling their Boards and executive leaders.
|
|
I think there's been a growing realization that in order
to communicate to boards, you need to use appropriate language. You need to
talk in terms that board members will understand: profit and loss, balance sheets,
the cost of action versus the cost of inaction, for
example. I think there's a greater risk in healthcare however, because it's
not just a question of fines, penalties, restitution costs, or even loss of
reputation, it's the fact that there could be physical damage caused to
patients, where cyber attacks could compromise patient safety. Protecting
patient safety has been the holy grail of healthcare risk management for as
long as I have been working in the industry, and now we are seeing a
convergence of cyber risks and patient safety concerns.
Cyber attacks can now be leveled against the actual
delivery of care to patients in hospitals. Many medical devices are easily
compromised to the extent that it's not inconceivable that patients could
soon be assassinated in our hospitals. Its relatively easy to compromise the medical
devices that patients are attached to, and which maybe keeping them alive, or
surgical devices being used in an operating theater. This is something I think boards of
directors are beginning to recognize, though from what I've seen, most have
yet to fully comprehend the magnitude of the threat.
|
Interviewer:
|
Do you think that once they understand the risks, that leaders
have the ability to react quickly? Is it something that they have to go back
to their foundation to fix, or is it something that they could put a task
force on it and get remediation fairly rapidly?
|
Richard:
|
The healthcare industry is a juggernaut. It's quite conservative. It takes
a lot of effort to stop, and doesn't change direction quickly. Security has
largely been an afterthought in the healthcare space. The focus has always
been on patient care. Security across the healthcare industry has been massively
underfunded and understaffed compared to other industries. Healthcare is probably
10 years behind financial services in most areas of security, and even more so in
the formation of high caliber security teams for example. Healthcare is not seen
as a glamorous destination for many security professionals. Most transfers into
the industry recognize that they will be fighting an uphill battle just to
play catch-up to where they were in their previous organizations.
With the right Board and executive sponsorship,
reinforced by effective governance and security leadership, and of course funding,
the security gap could be narrowed quickly, through more effective adoption
of expert managed security services. This would allow the small number of
experienced professionals that work in security to focus on higher value tasks.
More importantly, I think there are some more
fundamental and structural problems in the way that security is viewed within
most healthcare organizations today. Security needs to be elevated in terms
of priority at the executive and board level. Security leaders need a seat at
the table in Board meetings, so that Boards can effectively discuss, and be
made aware of cyber risks and issues that may accompany new service
offerings, new business ventures, mergers and acquisitions, etc. The Board
needs to be fully informed to make the right decisions and that's not going
to happen if the security message is being relayed through the CIO, or
someone else with direct access to the Board.
|
|
|
Interviewer:
|
Given Board understanding of the risks, and the desire
and funding to secure their organizations, what should security leaders focus
on first?
|
Richard:
|
Healthcare security leaders would love an unlimited
budget to go out and secure their environments. They have years of
under-investment to catch up on, but we need to recognize that Rome wasn't built
in a day, and healthcare doesn't have unlimited funds. If anything funds are
getting tighter, which means dollars allocated to security need to come from
elsewhere, IT, charitable patient care, etc.
Realistically, and to answer your question, I think that
comes down to fully understanding the risks that are being born by the
organization, and the potential impact to the organization's ability to
function. That means understanding how the organization works, where there
are opportunities to make significant improvements to the risk/reward
balance, and to target scarce resources most effectively.
One of the most effective ways of understanding risk is
to conduct a risk assessment but then to prioritize the remediation of risks and
control gaps based upon the reduction in enterprise risk. What level of risk
can I reduce with the least amount of money? Can I tackle remediation of
these really big risks over the course of many years? (Because hospitals have
very limited budgets and that situation is not getting any better.) There's
an increasing squeeze on healthcare provider budgets especially, because of
reduced reimbursement rates from insurance companies and government, and that
is really compounding the difficulty for CISOs to block gaps in their
overall infrastructure, through the implementation of new more effective security
controls.
|
|
I think there's also been a historic problem with what I
call the "shiny object effect."
"There's a new tool out there that looks to be a panacea
to many of the security problems that I have. It's very expensive; the cost
to implement is not really fully understood; the time to implement is not
really fully understood, and it may be many years before the new tool is able
to effectively reduce risk from the time its purchased."
There's been a temptation by CISOs to go after that
shiny object, rather than to look at what is the most effective use of the
scarce resources at their disposal. There are many opportunities for CISOs to
reduce risks very quickly without the outlay of large sums of money, however
these opportunities are often missed because security leaders fail to look at
security through the conceptual lens of enterprise risk management and risk
reduction.
|
|
One particular concern in healthcare has to do with the
growing security resource shortage. The whole of security is suffering from a
massive shortage of qualified, experienced, security professionals and this
was reflected in the 2015 Cisco Mid-Year Security Report which found that
there's a 12x demand over supply for security professionals. Healthcare
doesn't pay as well as financial services and many other industries, and
therefore, it's lower down the stack, in terms of its ability to attract and
retain top cyber security talent; skilled resources needed to help defend
against the attacks that are being leveled at the industry.
I think there's a growing recognition across the
healthcare industry, of the need to look at optimizing the scarce security
resources that it's able to attract and retain, and to focus the attention of
those professionals, at the areas of greatest need in healthcare security. Areas
like security architecture and security awareness training for example.
Healthcare is a very labor-intensive industry, and users have largely disparate
levels of computer literacy and security awareness. I think
we do that by looking at what can we accomplish more effectively; by procuring
services from service providers, that can provide expert services that we
could never justify staffing ourselves; and to do that cheaper, better,
faster, than if we were to build those capabilities internally.
|
Interviewer:
|
You've dealt with high-level executives and boards, can
you compare and contrast the ones that 'get it' versus the ones that don't
get it? What's contributing to that?
|
Richard:
|
I think there's been a change in the makeup of
healthcare boards over the past few years.
I've been presenting to boards of directors for probably 15 years or more. I
think historically, healthcare boards were made up almost exclusively of
clinicians or those sponsoring health services, - nuns for example in the
Catholic Health System, retired and active physicians, line of business
owners, as well as the CEO and his team of direct reports.
More recently I've seen a diversification of typical board
membership, and the skills and backgrounds of members. This is a big
differentiator to those boards that 'get it' and those that have a hard time
understanding cybersecurity. It's
not universal across all organizations by any means, but there is a growing
trend towards diversification.
I'm seeing expertise brought in from other industries,
from banking and finance, and some retired military. Also, some people from
government and defense backgrounds, that are on the
boards of larger healthcare organizations, and are able to bring experience
of how other industries 'do security', and an understanding of the cyber
risks that they've seen during their active career, or in their full time jobs. They're
able to share those experiences and contribute to a much richer board decision-making
process.
|
|
|
Interviewer:
|
I hear a lot of times that the biggest risk factor for
security is just workforces themselves. How do you believe companies are
dealing with that issue - that the workforce may be the weakest link in
security?
|
Richard:
|
Well, your people are your greatest asset, and also your
biggest risk. This is particularly so in healthcare. You have at one extreme,
some of the brightest, smartest people on the planet -
physicians. Very computer literate, many of these physicians are extremely
capable at working their way around rudimentary security controls that IT may
have put in place over the years. At the other end, you have scrub nurses,
food services, and janitorial staff that may almost be computer illiterate.
It creates an interesting challenge when it comes to the question of, "How
do we take a security message out to our entire workforce?" Whether
they're contractors – (most physicians for example), or whether they're
employees – (nursing, admin and billing staff), or whether they're contract
service providers for janitorial services, maintenance or food services.
|
|
How do we take a message out so that all of our people
are working together towards a common goal of securing the network, securing
the hospital, and protecting patients? I think we have to do that via a quite
elaborate security awareness program, and it can't be a just one-off program
where all users sit down in front of the same computer and answer a few questions at the
end of a video. It also can't be something they do once a year, as part of a staff
or contractor attestation that they will follow security and privacy policy.
It needs to be an ongoing process, and it needs to be
differentiated and targeted to different types of users. Physicians should see
one type of training program, executives see another type; those people who
work in IT and may have elevated permissions see yet a different type of
program, and those people that are on the cutting edge of delivery out at the
nursing stations, should be provided a different type of awareness program
that's more privacy focused, and more targeted towards the types of phishing
attacks and social engineering that they may experience while fulfilling
their jobs. They are in a very different situation to IT, admin or senior executives
who, by and large, work most of their days behind closed doors, or at sites
where they don't see the public at all.
|
|
On that note, where I've seen the most effective
security awareness program is where there's a rich and diverse multimedia
approach. Where there are a variety of web-based delivery systems, classroom based lectures,
and brown-bag seminars / group lunch discussions, and where users are required to
participate. Most importantly, where there are constant reminders to awareness themes
throughout the workplace, so its not forgotten.
One particular health system I do a lot of work with,
has little cartoon characters on their elevators and at doorways. It's to
remind the staff subtlety not to talk about patients in public areas because
they could be overheard. Most patients that walk through the hospital
probably just think it's a cute little animal for the kids, and have no idea
of the value it's also providing to staff privacy and security awareness. The
value that these animals provide is immeasurable in terms of making the staff
aware and making them think, "Hey,
I'm in a public area. I can't discuss patient issues here".
|
Interviewer:
|
Healthcare rightly or wrongly is seen as an increasingly
highly regulated industry. Have you found that these governing organizations are
helping to advance security?
|
Richard:
|
I think compliance in the healthcare space was the
initial spark that really led towards improved security and privacy across
the industry. I don't think it's necessarily as effective as it could be
however.
In the United States, we have the HIPAA regulations.
They were written in 1996 when most of us didn't even have modems attached to
our home computers, and many of us were running Windows 95. We didn't have web 2.0 social media
technologies. We didn't post to Facebook, Instagram, or SnapChat every 10 minutes, as my kids tend
to. We didn't have instant message, or many of the technologies many of us live on
today – especially the younger ones!
Hospitals were largely paper-based
back in 1996 when the HIPAA regulations were created. HIPAA was a political
compromise in order to put something in place to protect the privacy,
initially, and later security of healthcare. It's been enhanced with the
HITECH Act and Omnibus changes, but it's still a high-level advisory type
regulation, and is widely open to interpretation. It's not a prescriptive rule
set in the way that we have in other industries, like PCI DSS that says,
"You shall do this, this way, and this way only, and if you don't do it exactly
as written, you're non-compliant."
|
|
HHS OCR, the Health and Human Services, Office of Civil
Rights, has come in with its audit protocol and looked at HIPAA compliance
from a very different paradigm. OCR looks at it from an audit compliance
perspective, more so than the checkbox mentality that the healthcare industry
itself has tended to follow. OCR assessors look for the effectiveness of controls
in the same way that a financial auditor would, and they look for evidence
that a control has been tested for its effectiveness and that this has been
documented. That's beginning to change things across the industry.
In other jurisdictions, we have new regulations that are
slowly being implemented or enhanced: Singapore Privacy Act, Caldicott, Australian Privacy Act, European Privacy
Directive, etc. These tend to be more privacy focused, but increasingly cover
many aspects of traditional security – cyber attack and breach notification for example, or use of patient
data in research. And we've got other regulations in the process of being
revised or expanded in other countries, as well.
|
|
I think compliance was the initial spark that led to
awareness of the need for security in healthcare, but I think that's now
minor compared to other risks, particularly around cyber attacks and breaches
of PHI, which seem, almost every other week, to be all over the papers and TV
news channels. We're seeing a growth in targeted attacks against healthcare;
ransomware, for example, the encryption of medical records, and then holding
them to ransom for tens of thousands or dollars, or even larger sums of money
in some circumstances. That's just the beginning in my opinion. Where I see
things going, is towards not so much the ransom of information, or the theft
of PHI, but towards open extortion and ransoming of patient lives, where
hackers may have gained control of entire parts of our hospitals and be able to
inflict real life-threatening damage.
|
|
I don't think we are far-off before we're going to see
ransom attempts leveled at hospitals to say, "If you don't pay a thousand
BitCoin, I'm going to start killing babies in NICU"
or, "I'm going to start assassinating people on life support in your ICU,
or undergoing surgery in your operating theaters."
One massive attack vector that very few hospitals have
considered is their ICS or Industrial Controls Systems. Systems that manage HVAC for example, which are critical in healthcare for disease control and
for clean rooms like operating theaters. As a hacker, if I own your HVAC
systems, I can mess with the airflow, temperature and humidity levels, and
render whole parts of the hospital useless – and lock everyone else out
of the system at the same time.
If I've gained control of your elevator systems, I can
prevent you from transporting patients between floors – maybe on their
way to or from the operating theater.
If I own your water management or electrical management
systems, even for a short time, I can wreak havoc. Many of these ICS systems
are totally automated in our hospitals today, and are remotely managed over
the Internet by a service provider.
All of these are very feasible attack vectors against
healthcare, and most of the people running these attacks live tens of thousands
of miles away, in other countries, out of the reach of law enforcement.
There's recent evidence to suggest that many of the perpetrators of some of
the recent ransomware attacks against healthcare, are in fact, employees of state cyber
espionage units, moonlighting after hours.
I think some more forward thinking boards of directors
are slowly becoming aware of the real risks to their organizations and
patients, and are beginning to look at ways that stronger controls can be put
in place, to manage the very broad range of threats that could be leveled
against healthcare.
|
Interviewer:
|
That's amazing stuff. It's almost like a controlled outbreak ...
|
Richard:
|
You imagine a man made Hurricane Katrina. During Hurricane
Katrina, the New Orleans hospitals were rendered useless because the water,
sewer, power, air circulation, all eventually came to an end. Back up
generators ran out of fuel. Fuel trucks couldn't get to those hospitals. Flooding
rendered large parts of the hospitals inaccessible, and very quickly full of
mold, such that patients could no longer stay inside for their own health and
safety. Patients were carried out (where they could be carried out) and placed
on flood debris in many cases, which was on dry ground to get them out of the hospitals
that were filling up with airborne mold spores. Many patients were
too heavy to carry down flights of stairs. Elevators didn't work because
there was no power, so they died in their beds.
|
|
Imagine if I were a rogue nation state or a well-organized
and skilled terrorist group conducting a cyber war against the United States.
I would most likely first go after power generation and distribution systems,
water management and other critical infrastructure to disable the domestic
systems the military and modern Americans have come to rely upon – running water, regular
power, etc.
After critical infrastructure, I would attack hospital
systems, because that's where the weakest and most vulnerable people in American
society would be found – those unable to look after themselves. I could
tie up thousands of National Guard troops forcing them to care for, or
rescue, the most needy in society, divert them from defending against other
attacks, and weaken a speedy counter-attack by the military. These are
all feasible, albeit unpleasant, scenarios and many people have written and
published in this area.
|
Interviewer:
|
Wow!
|
Richard:
|
Oh, it's scary alright!
|
Interviewer:
|
What's the biggest leap forward that you've seen within
the last year with regard to security?
|
Richard:
|
Security is always developing and there are a lot of
cool new capabilities every few months so it seems. However,
given the kinds of attacks we are seeing against healthcare, I would have to say Real Time Threat Analytics. Understanding where threats are coming from, and
recognizing an attack almost immediately; the ability we have now, to
identify anomalous user and system behavior, and to light up our networks so
we can use the network as a sensor and as an enforcer of the security policy
that the board approves, and is enforced by the CISO or security leader.
Recognizing when an attack is underway is incredibly
valuable so we can block it, and thwart the attack before data is stolen or
compromised. Historically, we've looked at things forensically and 'after-the-fact', when damage has already been done. We bring in forensics teams to
investigate the integrity of file systems that may have been compromised; we
bring in forensic investigators to work with law enforcement and to preserve evidence for prosecution. But in
healthcare a breach is a breach and I'm already in a world of hurt!
In most hospitals we're not being active in terms of
saying,
"There's an attack coming in. There's some malware that's just
been added to my network. I've got suspicious behavioral activities, and new communications
out to the Internet, that are out of the ordinary.
They don't fit the usual pattern of activity on my network. I'm under
attack,"
and be able to pull the plug or to block that attack; to put
defensive measures in place to thwart that attack before the damage is done;
before my files are encrypted; before I need to notify patients that their
records were compromised; before I need to contact the OCR and let them know
that there's been a breach, and my reputation is tarnished, because I'm now on
the HSS OCR 'Wall of Shame'.
|
|
|
Interviewer:
|
I like the predicative nature of that. What do you think differentiates
successful attacks on some healthcare providers from those that fail?
|
Richard:
|
Let me start by saying that across healthcare delivery,
the vast majority of attacks go totally unnoticed. Healthcare simply doesn't
have the resources to monitor what's happening on all of its systems, and its
rapidly expanding network of partners, suppliers and HIEs. There's no single
regulatory body to identify a common point of information disclosure for
identity theft, or medical insurance fraud, etc. like there is in the payment
card industry for example. And information stolen from healthcare, by and
large doesn't expire, in the way that a credit card number does after a
certain period of time. I can use or sell that stolen information whenever I
like.
With the exception of the very largest providers, most
organizations lack a security operations center, or have staff viewing event
management systems 24 by 7. Those that have invested in a SIEM have a hard
time getting usable, high-fidelity information from
alerts. 'False-positives' keep security operations staff chasing their tails,
rather than quickly being able to identify real attacks and risks, and to
remediate them. SIEM alerts need to be validated before the truth is known.
This can be very time-intensive, and will ultimately delay response to an
attack.
The critical differentiator between successful attacks
and unsuccessful attacks is the ability of the organization to quickly
recognize when an attack in underway, such that the attack can be blocked
before damage is done. Before PII, PHI or IP can be exfiltrated from the
healthcare network. Speed is key today. Attackers are in and out in a matter
of a few hours in most cases.
Once you're looking at things forensically and
after-the-fact, then the damage has already been done. You've already lost
patient information, your IP is gone, and it's out on the Internet. Once an
attack is underway against a patient, then that patient could have already
been harmed.
|
|
|
Interviewer:
|
Is healthcare under attack more than other industries do you think?
|
Richard:
|
Healthcare by and large provides easy pickings for cyber
criminals. They've been after banks and credit card companies for a number of
years and that water fountain is drying up. What I see is a concerted attacked against healthcare. Big payer breaches, big provider breaches, and pharma networks
are largely owned by foreign states, and their well-funded cyber espionage
units. This is not going to stop anytime soon. We need to put in place
effective security controls wherever possible, wherever feasible, and to do
it quickly before more damage can be done, and we suffer a widespread loss of
confidence from patients. Before hospitals are forced to close, because they can't afford to pay the fines, penalties, identity theft monitoring, and other standard restitution expenses. Before they get hit with a billion dollar class action suit from patients, that is going to force them out of business!
|
|
|
Interviewer:
|
How has the digital era changed the way we're facing
security?
|
|
|
Richard:
|
The digitalization of healthcare has brought around a
large number of changes in healthcare delivery particularly. We now have the
capability to provide all kinds of new services to patients, and most
patients are very eager to consume those services, but they introduce new
risks to our healthcare organizations. I refer particularly to the meaningful
exchange of health information, to and from the proliferation of other
service providers out there.
I'm no longer tied to a single service provider
and can shop around to get the best deal. I no longer need to go to the hospital to get my X-Ray,
and pay $1,000 for that X-Ray. Most of us are now on High Deductible Health
Plans, which means we now pay for service rather than insurance. I can go to
a simple imaging center and pay $300 for the exact same thing, with probably
half the wait.
I can go to a web portal that my provider has put up
that allows me to communicate with my physician or my specialist. I can look
at my images from my X-Ray or my cat scans, and I can read the diagnosis
online, rather than have to book an appointment, drive across town, come into
see a specialist, consume his time and my time, to basically reiterate
something that's already been written down, that I could read myself. In
order to provide these types of services, we need security around them
however.
|
|
I'm seeing a growth in a large number of opportunities
for increased Digitalization, Telehealth,
Telemedicine, all types of new services that are more cost effective in the
delivery of healthcare services to patients, but again, we need security in
order to facilitate that. I need to be able to authenticate legitimate users,
and to communicate with them securely, I need to be able to store information
securely, and I need effective security controls so that I don't introduce
new risks as a result of the new services I am providing to patients.
|
|
I think payers and providers are now recognizing the
fact that Connected Care, and increased Digitalization, will provide
opportunities for huge cost savings and new avenues for revenue generation,
while simplifying and improving patient experience with their care team.
However there's a huge cost to this if its not done right. You need to apply
appropriate security controls, before you can provide these services to
patients.
|
|
|
Interviewer:
|
How is healthcare going to cope with this new
reality? What trends are you
seeing?
|
Richard:
|
I'm seeing a consolidation within the healthcare
delivery industry, particularly in the US where we've had a multitude of
different standalone small hospitals and health systems. Its driven by cost pressures and the need to spread
meaningful use costs, and the need for improved security over a greater
number of beds and patients.
The same is true in the payer space.
Organizations are coming together under one umbrella, and building shared
services organizations to better leverage scarce resources, and this is
saving healthcare money, and at the same time improving technology, security
and other services.
I've seen a recent increase in the adoption of
cloud-based services, and wider use of mobility as payers and providers become
more comfortable with these things. This is all helping to drive growth. I've
seen a syndication of technology services to smaller hospitals. Larger
hospital systems that have the money to invest in new clinical technologies,
in expensive, state of the art systems and applications, are able to recoup
some of that investment by providing IT or application services for example, to smaller hospitals that
can't afford the investment needed for those types of things. Of course
wherever systems are being shared you need to segment and secure, to prevent
a whole host of possible issues down the road. It's a decent revenue
generator for a lot of health systems, and I see that trend continuing.
|
|
|
Interviewer:
|
Thank you very much Richard for your insights. I'm
hoping that some of your predictions don't come true, but recognize that
awareness across the industry may help to avert some of these security risks and
threats.
|
Richard:
|
Let's hope so!
|
|
|
