Anne Paxton
May 2021—In the best of times, the health care industry has been the one most targeted by cyberattacks in the past decade. The pandemic has made health care an even more inviting mark, increasing the urgency of adopting effective cybersecurity measures. But on that score, informatics experts say, health care has a lot of catching up to do. It is a field that, pre-pandemic, tended to spend three to four percent of its information technology budget on security, according to a 2017 survey by KLAS Research and the College of Healthcare Information Management Executives. Banking, by contrast, devotes about 30 percent of its IT budget to security.
Health care institutions typically have less successful security programs, says Stoddard Manikin, chief information security officer, Children’s Healthcare of Atlanta. “We generally have less sophisticated technology users so people are more likely to click on phishing messages. We have smaller IT budgets, fewer security staff, and a wider variety of types of systems and applications to protect, so it’s harder to do so. We’ve got hundreds of clinical applications that differ by area. And it’s kind of hard for us to standardize because the software the laboratory uses is not going to be the same as the software the pharmacy needs to use.”
Hacking, in the meantime, has become a full-blown, sophisticated industry, Manikin says. “There are organized crime groups that have software and processes. You can rent ransomware as a service where you pay a subscription fee based on how many times it successfully gets deployed. In some cases, you pay a percentage of the ransom you collect back to the writer of the ransomware. And it’s to the point where these ransomware creators even have English-speaking help desks to help you pay your ransom.”
From a cybersecurity perspective, health care “needs to do something we call ‘shifting left,’” Manikin says. “What that means is instead of being all reactive and dealing with incidents after they happen, you try to prevent more incidents.” As with health care itself, “the more things you can prevent, the fewer things you have to treat after the fact from symptoms.”
Cybersecurity should ensure three goals are met, he says: keeping systems in operation, protecting the integrity of the data within those systems, and maintaining the confidentiality of the data. At Children’s, the focus on prevention includes measures to secure protected health information through a number of different technical controls such as encryption and restricted access. But the hospital uses an additional resource: an organization called the Health Information Sharing and Analysis Center, or H-ISAC. “We share data between health care organizations. If we see a particular phishing attack, we report it to them and they distribute it to all the members. We can learn from the first people to get hit with a particular attack so we can minimize the damage they cause when it comes to our doorstep.”
This kind of “threat intelligence” is particularly valuable, says Children’s cybersecurity manager Robert Covington. “If others in the industry saw, for example, they had an intrusion that involves some vulnerability in a particular laboratory device, that would be extraordinarily helpful information. We could immediately take action on that information, and we do this very frequently here at Children’s.”

Another form of protection, Manikin says, stems from the fact that “most of our health care software is what we call ‘on premise,’ meaning it’s hosted here at the Children’s data center, not on the internet. But we still have some applications that are hosted on the internet so we have let our people have access to it.” Their emails are allowed through the firewall, he says, even though accessing email through the internet is what leads to the vast majority of attempts to compromise the hospital’s systems.
The laboratory has unique vulnerabilities, says Alexis Carter, MD, physician informaticist, pathology and laboratory medicine, Children’s Healthcare of Atlanta. “We have the most medical devices of any clinical area in the organization, just because of the numbers of instruments we have and the computers to manage those instruments.” There can also be threats from within the institution’s four walls if a device is picked up and left with information on it. “So, for example, our laboratory is behind key-coded, locked doors because we have so many devices and we only want authorized personnel to have access to them.”
Children’s has also adopted “a very bleeding-edge security process that we have to go through before new software or systems can be installed,” she says. “That includes a rigorous network segmentation process, monitoring, and maintenance that goes into our processes.” If vulnerabilities exist, “we work with the vendor to mitigate those before we purchase any of those devices or systems or software from them. They have to have a process for making updates, for routinely checking their own systems, and for notifying us and giving us a patch if they discover something. And that has been extremely helpful. In some cases we have decided not to move forward with certain vendors that did not meet certain specifications,” says Dr. Carter, vice chair of the CAP Informatics Committee.
Another step the cybersecurity group has taken is sending out emails to staff that resemble phishing messages, to prompt them to identify and report such incidents.
To protect their institutions from data breaches or cyberattacks, Dr. Carter’s advice to pathologists and others running laboratories is to get to know their organizations’ IT teams and particularly the staff handling cybersecurity. “It’s very important for there to be physicians, especially pathologists because of how many devices we have, who are supportive of the cybersecurity practices the organization is trying to implement.”
Covington has found reminding cybersecurity staff to stay vigilant is important as well. “I remind my team constantly that in our business we’re never done. We’ve never arrived across the finish line. If you’re ever feeling good about yourself and you feel like you’ve finally hit the pinnacle, look again, because you’ve got more threats coming.”
Like legions of others, James Alexander Mays, MD, pathologist and fellow in clinical informatics at Massachusetts General Hospital, has been working almost entirely remotely in the past year because of the pandemic. And the surge in remote working, he says, carries some of the blame for the surge in cyberattacks. “There’s been an incredible expansion of people needing to connect with their home devices and security practices not necessarily keeping up with the activities people are doing. When you have to build your systems to allow external connections with people using their home computers, if you don’t do it right, you’ve massively increased your likelihood of an external threat more easily being able to get in.”
Ransomware specialists, of course, are some of the major threat perpetrators. “The ransomware groups have this ‘big game hunting’ attitude of ‘Well, if we can get into a hospital, we can demand a lot of money.’” And they have, says Dr. Mays, a member of the CAP Informatics Committee. “There’s absolutely no reason to think this won’t continue being a problem. However, if you do best practices and you have a good backup of your data and systems, then when they infiltrate and disable access to your files and demand ransom for a decryption key, you can say no, we have everything backed up.”
Unfortunately, these threat actors may still be a step ahead. “They also now say, ‘Oh, and if you don’t pay us, we’re going to release your protected health information into the wild, and then you are going to be susceptible to all sorts of HIPAA fines and bad public press.’ So now, just having a good backup strategy is no longer enough. It’s increasingly risky to not have a good solution for this, and it’s going to be a constant issue going forward.”
There is a way to lessen this vulnerability, Dr. Mays says. “If you have sensitive things that you really don’t want to get out, basic hygiene in cybersecurity is making sure people have access only to things they need to have access to.” Second, “you want to make sure there aren’t obvious gaps in your network and that you’re patching known vulnerabilities in software. Once you do those things, you could keep a backup of your data and systems in a computer that is not tied to the at-risk network. And then it would require a much more severe level of compromise to actually affect that backup.”
As a fellow, Dr. Mays admits he may be somewhat apart from the cybersecurity fray. His research focus in pathology informatics tends to be issues of data standards in digital pathology—for example, DICOM standards for digital imaging—and analysis of laboratory data. But cybersecurity is an important focus during CAP Informatics Committee conversations, which can center on potential regulatory demands relating to security practices, what is tenable or problematic for CAP members, and what is worthy of advocacy. “And then we play a role in educating members on what things are important for us collectively as a specialty to do,” he says.
“I think the biggest issues around cybersecurity tend to be more local, in the sense that it has more to do with your particular hospital, your particular group, treating something as a priority where there is not a huge financial return to treating it as a priority,” Dr. Mays says. “It can be hard to sell increased investment in an area that will never really pay for itself except by avoiding downstream risk of a bad thing happening.”
But there are actions that an operation of any size can take, he adds. “Anybody who is responsible for a computer system can take steps to make sure that users are onboarded and offboarded correctly. Do you turn on two-factor authentication for people? If you’re using a given software product, are you patching the software when the vendor or the manufacturer says, ‘Please update; there is this major security flaw’? These are bread-and-butter types of things.”
A good cybersecurity plan starts with an assessment of the risk from different actors, Dr. Mays says. “Who do you think is going to try to do harm? Some of the most common threat actors are essentially cybercriminals. And then there are people who work at your organization who are either disgruntled or leave in a bad situation but then maintain access to your organization in some way and abuse that access. More common would be people in your organization who just mistakenly do something to expose information. A strategy that focuses on the most likely threats is going to solve more of the problems.”
Interestingly, he notes, in the context of COVID-19 and vaccine development, some academic labs performing cutting-edge research have also been the targets of cyberattacks from other nation states. “They want to know how a lab might be developing a vaccine. If you’re in an academic context, you may need to worry about that kind of attack. But clinical laboratories and hospitals do not, for the most part.”
The total surface area of possible cyberattack, however, is only going to expand in the future, in his view. “As hospitals and health systems put more and more networked devices out into the world—or point-of-care devices in the case of laboratories—that’s where the security ramifications are going to be pretty big, I think.”
Until Dave Summitt came on board six years ago, H. Lee Moffitt Cancer Center & Research Institute in Tampa, Fla., never had a chief information security officer. “There were basically two people running security,” Summitt says. “But many of the senior leaders understood the importance of having a very mature cyber program and gave me free rein to create one. Now there are 15 people on the cyber team.” His job is to assess the threats and risks to the organization and then articulate them to senior leaders for decision-making. “Ransomware is very high on our list of risks,” Summitt says. “What’s made the difference now is the ease with which these attacks can occur.”
“Traditionally, health care systems are here to take care of people. Security has not been their focus.” Laboratories, for example, “are going every single minute of every day in a hospital system and therefore the emphasis is on getting providers the information they need as fast as they can so they can make the right decisions. So there’s not a lot of attention to what happens when those systems can be potentially interrupted or harmed.” When attention was paid, the emphasis tended to be on loss of data, the protected health information extractions, or breaches that could occur. “Now, the threat actors are no longer placing the main emphasis on stealing data to resell data. They’re more into: ‘What can we do to an organization that they’re going to pay us to stop doing to them?’”
That pattern is starting to flip, Summitt says. “But it requires people in my position and quite frankly all of IT to become responsible for security.” Avoiding downtime and interruption in workflow is key but it’s a hard sell too. “Some of the stuff we do doesn’t jibe with existing workflows, but education is needed to show [hospital staff] that if we don’t do it this way, your workflow is going to be really interrupted.” Although estimating the monetary impact of avoiding downtime or disruption that can bring a hospital system to its knees can be subjective, he says, by industry standards the average cost is $3.8 million per event, right out of the gate.
At research-heavy institutions like Moffitt, a massive additional security risk is present when laboratory data are exposed. Says Mandy Flannery O’Leary, MD, MPH, a pathology informaticist at Moffitt and a member of the CAP Informatics Committee: “All the data we collect on the lab side—molecular, anatomic, clinical—ends up going all the way through to the research side to be able to develop new technologies, and other governments and agencies want to get their hands on it as well. So if something like a ransomware attack happens, they’re shutting down not just the clinical side but the research output. And God forbid they corrupt that data set somehow, because then the research data would be forever corrupted or lose data integrity.”
“Our main priority right now,” Summitt says, “is not just to protect the data from being stolen; the emphasis is to protect the systems from being compromised so you can’t use them.” Traditional firewalls can make a start at averting such risks. “Firewalls are probably one of the oldest forms of security out there,” Summitt says. “They look at all data coming in and out of an institution’s network. A firewall is a critical component of security even today.”
Staggering numbers reveal the essential role of firewalls. “Our firewalls processed 47.5 billion events just in the last three months, and we’re considered a medium-sized organization. Every single one of those events has to be looked at to determine if it is legitimate information or potentially malicious information. That’s why we have all these different solutions to help us. Some of our security tools will take care of things automatically, while others are picked up by security teams. They process maybe four, five, or six major events each week.”
When it comes to cybersecurity, he says, there is an order of priority. “Our EHR is our crown jewel. Then our lab systems, and then our radiology systems. Those are the ones we try to put the most controls around.” But, he adds, Moffitt cannot expect providers, nurses, and technicians to be cybersecurity experts; the cybersecurity team has to focus on education. “What we try to do is make them aware of things they might be doing that cause an inherent risk and how to reduce that risk,” Summitt notes.
Pathology and radiology residencies and all other clinical residencies, and even the laboratory medical technology program, are starting to include lab information systems or pathology informatics training, Dr. O’Leary says. “Many of us on the CAP Informatics Committee are boarded or versed in clinical informatics. But most people who go into pathology don’t have the knowledge behind them to understand some of these major vulnerabilities.”
“If I’m going to bring in a new chemistry system, which we just did at Moffitt, it has to talk to the vendor’s outside systems and AI processes in order to do some of the data gathering for QA and maintenance. In the past, we didn’t have a great process for new equipment coming in,” Dr. O’Leary says. “The lab would go buy it and then say, ‘Hey, IT! By the way, we bought this new platform.’ But until you’ve been in the trenches doing what cybersecurity does in conjunction with what the lab has to do to provide patient care, you don’t know all these parts and pieces.”
“As far behind as health care has been in security,” Summitt says, “health care vendors are still lagging even behind that. One of the biggest problems we have with vendor solutions is the remote access back into the system. A lot of the vendors will create their own way to log in to their systems from their facilities. And in our world, you’re going to start hearing more terms like ‘zero trust.’”
“Zero trust architecture” is a hot topic and it refers to not trusting anything coming into an institution’s network from the outside world until a verification check has been done, he explains. Without that, “I will have a new window to my building that’s going to allow a bad actor to come in and exploit that.” All health care organizations need to start creating their own standards of connectivity into their systems, he says. “If they don’t, they’ll have vendor A coming in one way and vendor B coming in another way. And every one of those has to be seen as a potential avenue for a threat actor to get in.”
Fending off ransomware attacks has become easier, depending on how mature the organization is, Summitt says. “An overwhelming majority of ransomware occurs from an email. So if you have a critical system like the labs, that computer should be dedicated to doing only what it’s supposed to do. I don’t want someone else jumping on that computer to get email because that’s my avenue to getting ransomware. That’s where most of the problems are going to come from in health care—from that inside person who did something they didn’t know they shouldn’t have done.”
“In fact, there is a whole paradigm shift in health care starting to occur with the understanding that if you have a machine doing direct patient care, it should not be used for anything else at all. That’s the single biggest protection you could have against having a malware or ransomware come in.”
More difficult to detect is a malicious threat actor who has already infiltrated your network and can go from computer to computer. “That’s hard to see, and inside threats are a bigger threat whether or not the people are doing something intentional,” Summitt says. “It’s something we have to combat daily. It’s just phenomenal.”
Artificial intelligence is increasingly playing a role in preventing incursions at Moffitt. “We did our first ever IT innovation partnership with a startup named ThreatWarrior that uses artificial intelligence to help evaluate threats.” ThreatWarrior employs Network and Supply Chain Threat Detection to identify known threat signatures and anomalies in an enterprise’s software supply chain, Summitt says, including in the enterprise’s other security tools. “We’ve gone through a couple of iterations. AI is the way forward for a lot of these security controls. It’s going to be a game changer in a lot of ways.”
The inevitable downside is that AI is so easy and readily available that “the good guys are not the only ones getting hold of it now. The threat actors are starting to use AI and it could make it easier for them to do their malicious stuff too.”
The attack in 2020 at the University of Vermont (CAP TODAY, April 2021) could have been one of two things, in Summitt’s view. “They could have been looking at trying to steal data to be used elsewhere. But the other type of attack is they could potentially use your network and your assets to carry out attacks. One desktop computer sitting in a threat actor’s office is only going to be able to do so much. If I could distribute my capability by taking over other people’s computers, that’s another thing that could occur.”
Backup systems have been a standard tool for preventing damage to an institution from a cyberattack. But backing up can open vulnerabilities too, unless precautions are taken. At Moffitt, “Pretty much on a daily basis our data is backed up to what we call an ‘air gap system’—which means that the only time you have a connection between our network and the backup is when it’s doing the backup, and then all that data is secured away from us. So if we have an attack, our backups are not impacted. The only problem you could have is if an attack is occurring at the same time that you do your backup. And we have other controls, backups of backups, in place for that.”
“It’s not about data loss,” Summitt says. “It’s about the integrity of your systems. One malicious event can take the integrity of your system down.”
In testimony before Congress last year, Summitt warned of a newer form of cyberattack using robocalls. At Moffitt, a couple of years ago, tens of thousands of robocalls came in suddenly, tying up the phone lines and disrupting communications. As ransomware has evolved, this form of denial of service has occurred at other institutions, followed by a call from a threat actor offering to stop the chaos in exchange for payment.
Another type of attack that is concerning to him is deep fake video and deep fake audio. People may be familiar with the scam in which an email arrives from a sender making a barely plausible demand that a certain amount of money be wired immediately. “What happens when the person who writes checks for the organization gets a phone call from the CFO and the voice is exactly the voice of the CFO saying, ‘I need this done’?” Or a video version could occur with ubiquitous Zoom conferences, he notes. “I could be sitting here talking to you and it may not really be me. But you’ve met me once, you’ve heard my voice. And that’s the deep fake video, and capability to do that exists now. That’s the threat that scares me the most.”
For that reason, Summitt is wary of saying an institution shouldn’t spend too much money on security. “I don’t care what size the organization is, there are basic things every organization can do whether it’s a 50-person clinic or a 50,000-employee hospital. That’s what I try to push out in the cyber-awareness education side of the house. If I can get my users to understand the threats and what to recognize, I’ve got half my battle already done.”
“The threat actors are going to go after you if you have something to offer. But they want something fast and quick. We try to make our security posture as strong as we possibly can and make it difficult for the threat actors to carry out quick attacks. And our security is much better than it was 10 years ago. But the threats are starting to increase, which means we have to put even more emphasis on it daily.”
Anne Paxton is a writer and attorney in Seattle.