The healthcare industry is a prime target for organized cyberattacks, as has been demonstrated almost daily for more than a decade. The urgency of contingency planning has finally become clear, from the boardroom to the situation room to the exam room and the back office.
Healthcare chief information security officers are at the forefront of one of the sector’s greatest challenges: ensuring patient care in the face of constant network intrusion attempts and outright system shutdowns.
Like the CIO role, the CISO job description has been evolving constantly in recent years, and it changed dramatically once attackers learned to monetize the business disruption caused by ransomware.
“It started with ‘data security’ or ‘information security,’ with a focus on ensuring the confidentiality, accuracy, integrity and availability of data,” explains Erik Decker, CISO at Intermountain Health.
While “data has always been at the center of the conversation,” today bad actors have built marketplaces where data, access and privileges are bought and sold. That has drawn organized crime into the digital ecosystem and forced CISOs to adopt an adversarial mindset.
In the era of ransomware, negotiating with hackers is itself a fight.
Decker will moderate a panel on personal responsibility, budget pressures and a challenging business climate at the upcoming HIMSS 2024 Healthcare Cybersecurity Forum, scheduled for October 31-November 1 in Washington, DC.
The panel will discuss how the CISO role is evolving as organizations expect to be disrupted by cyberattacks, but must find ways to maintain patient safety and care despite the disruption.
Reconsidering the response to intrusions
Smash-and-grab exploits will likely continue to plague healthcare systems for more than 18 years, according to Darren Lacey, CISO at Johns Hopkins University and Johns Hopkins Medicine.
“It’s not hard to steal a spreadsheet, and a spreadsheet could have 100,000 names on it,” he noted.
Lacey, who will join Decker, Kate Pierce, senior virtual CISO and executive director of government affairs at Fortified Health Security, and Dee Newborn, CISO at UNC Healthcare, for the discussion, said the bigger challenge is system-stopping attacks, such as the Change Healthcare ransomware attack in February, which disrupted healthcare operations across the country for months.
The scale of that attack caught the attention of many lawmakers this year, who want greater efforts made to prevent a devastating disruption of a critical sector.
“Governments and industry will continue to increase efforts to thwart these attacks, which will hopefully include a stimulus to help need-based organizations as well as imposing minimum cybersecurity standards in healthcare,” Decker said.
Lacey said he believes the way health care systems respond could exacerbate the problem in some cases.
“I think we need to start rethinking how we trust systems,” he said.
The typical reaction to a system being hacked is to assume “all chaos,” Lacey explained. “Assuming a breach, we plan as if the breach was a tornado.”
However, in this situation, “we don’t actually assume a breach,” the industry veteran said.
Health IT teams assume that a computer or account somewhere on the network has been compromised, and therefore that no system on the network can be trusted and all must be shut down.
“So the blast radius, even though the attack may be quite small, is huge,” Lacey said.
“That’s understandable, because what we’ve done over the last 20 years is consolidate administrative credentials into much smaller numbers, which makes them more secure.”
“But we need to find a way to make the blast radius we impose much less damaging and more resilient than the current model.”
When health IT teams think about cybersecurity events, incidents and breaches, “we think of them as these extraordinary events – we got hit by a comet, a tornado,” he said. “But tornadoes passing through a data center are much more common than people realize.”
Reducing further damage
Lacey suggested that organizations start working from the top down, “assuming a breach has occurred,” to reduce “damage further down the supply chain.”
“Maybe this is how we set up administrative accounts,” he said. “It could be the way we do recording; it could be a recalibration of our risk analysis and things like that, where we don’t have a simple binary of trusted system and untrusted system.”
His line of thinking is that changing the way trust is managed can preserve resilience and provide better continuity of care.
“We would have developed different strategies if our primary goal was to remain resilient,” he said.
“How many systems at Change Healthcare were actually compromised?” Lacey asked rhetorically.
In that attack, which had a devastating impact on healthcare operations across the country, the number of systems affected was not excessive, he explained; what made recovery so hard was a complicated web of dependencies on administrative accounts.
“It became very difficult to unpack everything and solve it,” Lacey said.
If you have no idea how an adversary is behaving at the time of a data transaction, then shutting systems down probably makes sense in principle, Lacey acknowledged, but understanding the integrity of data at the time of an attack could help make healthcare more resilient.
In an attack, what is unclear is the likelihood that data integrity has been altered, not whether data has been lost.
Relying on data that may have been stolen doesn’t necessarily put a patient at risk of a poor medical outcome at the time of the encounter, although it could put the patient at risk of some form of identity theft later, Lacey said.
“If you understood that better, what [incident response] behavior would then be appropriate?”
“It’s really about data integrity – and it’s not hard to imagine how you can trace the integrity of data in such a way that you can be 99.99% sure that it hasn’t been compromised,” he said.
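One way to make that kind of integrity claim concrete is to tag every record write with a keyed hash under a key the production network never holds, then verify the whole store against those tags once an intrusion is suspected. The example below is added here for illustration; it is not Lacey’s, Johns Hopkins’ or any vendor’s implementation, and it assumes a constructed key (LEDGER_KEY) that would in practice live in an HSM or a separate attestation service outside the blast radius, plus constructed sample patient records. It goes slightly beyond the quote by also flagging deleted, injected and rolled-back records, not only edited ones.

```python
import hashlib
import hmac
import json

# Constructed example key. The scheme only works if this key lives outside the
# blast radius of the clinical network, e.g. in an HSM or a separate attestation
# service, so an intruder who can edit records cannot re-tag them (assumption).
LEDGER_KEY = b"example-ledger-key-held-off-network"


def canonical(record: dict) -> bytes:
    """Canonical JSON so identical content always yields an identical tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def record_tag(key: bytes, record_id: str, version: int, record: dict) -> bytes:
    # Bind the record id and version into the tag so a record cannot be moved
    # to another id or silently rolled back to an earlier, validly tagged version.
    msg = b"\x00".join([record_id.encode(), str(version).encode(), canonical(record)])
    return hmac.new(key, msg, hashlib.sha256).digest()


class IntegrityLedger:
    """Keyed integrity ledger: tag every write, verify the whole store later."""

    def __init__(self, key: bytes):
        self.key = key
        self.latest = {}  # record_id -> (version, tag) for the newest sanctioned write

    def write(self, record_id: str, record: dict) -> int:
        version = self.latest.get(record_id, (0, b""))[0] + 1
        self.latest[record_id] = (version, record_tag(self.key, record_id, version, record))
        return version

    def verify(self, store: dict) -> dict:
        """Return a status per record id: intact, modified, missing or unrecorded."""
        statuses = {}
        for record_id, (version, tag) in self.latest.items():
            if record_id not in store:
                statuses[record_id] = "missing"
                continue
            expected = record_tag(self.key, record_id, version, store[record_id])
            statuses[record_id] = "intact" if hmac.compare_digest(expected, tag) else "modified"
        for record_id in store:
            if record_id not in self.latest:
                statuses[record_id] = "unrecorded"  # present in the DB, never tagged
        return statuses


def demo() -> dict:
    """Constructed scenario: three records written, one legitimately updated,
    then an intrusion edits one record, deletes one and injects one."""
    ledger = IntegrityLedger(LEDGER_KEY)
    store = {
        "pt-1001": {"name": "A. Example", "allergies": ["penicillin"], "blood_type": "O-"},
        "pt-1002": {"name": "B. Example", "allergies": [], "blood_type": "AB+"},
        "pt-1003": {"name": "C. Example", "allergies": ["latex"], "blood_type": "A+"},
    }
    for record_id, record in store.items():
        ledger.write(record_id, record)

    # Legitimate update: a clinician corrects an allergy list and the write is tagged.
    store["pt-1002"]["allergies"] = ["sulfa"]
    ledger.write("pt-1002", store["pt-1002"])

    # Simulated intrusion: no ledger writes happen, because the attacker lacks the key.
    store["pt-1001"]["blood_type"] = "A+"  # clinically dangerous edit
    del store["pt-1003"]
    store["pt-9999"] = {"name": "Injected", "allergies": [], "blood_type": "O+"}
    return ledger.verify(store)


if __name__ == "__main__":
    for record_id, status in sorted(demo().items()):
        print(record_id, status)
```

The output of the constructed scenario is one line per record: pt-1001 modified, pt-1002 intact, pt-1003 missing, pt-9999 unrecorded. The point for incident response is that the "intact" set can keep serving care while only the flagged records are quarantined, rather than treating the entire store as untrusted. The scheme says nothing about confidentiality (stolen copies still verify as intact), and it depends entirely on the ledger key and ledger storage sitting outside the compromised environment.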
The role of artificial intelligence in cyberwar in healthcare
Artificial intelligence is a cyber weapon that can now be used by anyone – cyber criminal or cyber defender.
“Artificial intelligence will be used both offensively and defensively; it is not yet known which side will have the advantage,” Decker said.
Lacey, however, offered a view on which side would have the advantage.
Healthcare cybersecurity teams will be in a better position than attackers at what he called the “first level,” where understanding of cybersecurity is limited.
“It gives us more tools than them because our data will be able to determine more complex relationships between data than they otherwise would,” he said.
However, artificial intelligence also means that “we will become mired in misinformation,” he said, forcing CISOs to take on disinformation prevention. Given the current state of cybersecurity, the ability to deal with these threats is something “we are in no way prepared for,” he said.
The panel session, titled “Panel: Personal Responsibility, Budget Pressures, and a Challenging Business Climate: A Day in the Life of a Healthcare CISO,” is scheduled for 2:45 p.m. on Thursday, October 31, at the HIMSS Healthcare Cybersecurity Forum in Washington.