Closer to a crisis

How close do we need to get to a cybersecurity crisis in healthcare before we, as an industry, take deliberate action?
Should we approach cybersecurity in healthcare differently? What approaches will work best? What commonly repeated advice about cybersecurity is actually wrong in healthcare settings? What ideas that would be effective in healthcare cybersecurity are being ignored? What is being missed from discussions about healthcare cybersecurity? What are we too concerned about? What threats do not get enough attention?

These might sound like rhetorical questions, designed to engage the reader before the author knowingly reveals the “answer”. Sadly, these questions are no rhetorical device. No one has definitive answers, and we all desperately need them.

I sit on the Health Care Industry Cybersecurity Task Force and we are currently taking comments on these issues on this blog post. I cannot presume to speak for the Task Force as a whole, and the comments below represent only my personal perspective on the issues involved. Right now the only thing that the Task Force as a whole is comfortable saying is “we are asking for advice”, which is the purpose of the blog post. If you have a reaction to the personal opinions here, please comment on the blog post so that the whole Task Force can hear what you have to say.

Generally, there are two types of issues that we would like advice on:

“What are the best practices and correct strategies to defend healthcare technology from cybersecurity attacks?” and “What is the best way for US government agencies to coordinate with the healthcare industry to respond quickly and effectively to cybersecurity threats?”

As you form your response to these questions consider your audience. All of the people on the Task Force have deep experience with cybersecurity inside the healthcare industry. Unless you feel strongly otherwise, we probably do not need any lectures on the basics of cybersecurity, or on how critically important these issues are. Believe us, we are all aware of how important getting “cybersecurity in healthcare” right is.

We are also reasonably well-informed about current events. We are watching with great concern as security researchers openly use an aggressive stock shorting strategy, rather than collaborating with the St Jude Medical Device company. We have seen the increasing number of ransomware attacks on hospital systems. We are also aware of the larger dramas at play in the cybersecurity world, as apparently even the NSA is not immune to compromise. Even as we do our best to plan, things appear to be getting worse.

I believe that the Task Force specifically, and the healthcare cybersecurity industry generally, need contrarian advice. We need people who are not inside healthcare to talk about methods, ideas and approaches that we have not thought of. We know that all of us are much smarter than some of us. Rhetoric is not terribly useful here. Instead we need clear thinking, even if it is unpopular and counter-intuitive. How can any group attempting to allocate or plan cybersecurity responses at any level ensure that we are not blindsided by something that we should have thought of, but that none of us were clever enough to consider? Very frequently, critical insights like that do not come from the type of people who are typically appointed to government task forces or hospital planning committees. There are certain groups who might have a difficult time getting attention for their issues and ideas, which is why asking for comments on common social media platforms makes so much sense.

What is the perspective on cybersecurity threats from healthcare providers who are under-resourced? Even well-funded and expertly staffed healthcare organizations are struggling to keep up with the gamut of cybersecurity threats. But what about those which cannot afford a CIO, much less a CISO with adequate staff?

What are the cybersecurity threats to the healthcare safety net? Some healthcare organizations must choose between devoting resources to cybersecurity or to patient care. How could a consortium of industry and government best help people making these kinds of difficult decisions? These are all impossible choices between patient care today and patient safety tomorrow. We need to ensure that everyone can avoid that Gordian knot, but how do we do that with the limited resources brought to bear on this?

Congress has given special attention to cybersecurity in healthcare, precisely because they know that breaches, hacks and other cybersecurity incidents do not just impact healthcare service and product providers. If a drug company has its IP stolen, that could mean that a patient may never get a medication that might have made her feel better. If a hospital EHR is held hostage by ransomware, that might mean that a patient’s allergy to penicillin is forgotten at the worst time. If a medical device manufacturer gets DDoSed, that could mean that an implanted device might not function properly for someone whose life depends on it working all the time.

How can we best understand the implications or priorities of the individuals who will suffer the worst as the downstream result of cybersecurity threats to the healthcare ecosystem? If you or a loved one have special insights or specific concerns as a result of a cybersecurity issue, please let us know. If you do not want to use your real name for this, a Reddit or Twitter throw-away account is a great way to get in touch with us while still protecting your identity somewhat (you’ll be “somewhat” protected at least… Reddit/Twitter could be hacked too, but it’s the best anyone can do given the impromptu nature of this request).

I have very intentionally touched on multiple complex topics without even attempting to coherently discuss any of them. You will find that the comments on this blog post are turned off. That is not an accident; it is an attempt to shepherd discussion to a single point, which is found at this blog post. We are also hosting an AMA on Reddit/r/medicine, and we will be listening to tweets tagged with the hashtag #healthcybersecurity. I expect we will also do something on LinkedIn. We are trying to engage the healthcare cybersecurity community fully but also quickly, so please let us know what you think about these issues as quickly as possible.

Thank You,

Fred Trotter



4 replies

  1. Hackers will continue to go after networks and applications that have been misconfigured or are not maintained properly. Good cyber hygiene will become a common phrase to describe how organizations should approach managing the integrity of the enterprise. The healthcare industry needs to concentrate more on preventing cyberattacks. I would like to suggest Opsfolio.com, an online community which is the right guide for me to get healthcare cybersecurity information.

  2. As I said before:
    1. Be VERY wary of mandating massive movements of protected information at the breakneck speed that is policy of CMS/ONC/MACRA/MU. Strangely CMS/ONC/OIG are all working against the providers in this. They want all of us to move tons of information around, and if one kilobyte gets stolen or lost, then they want to fine the hell out of us. Unless CMS/ONC wants to pay for high level security experts for every hospital and provider in the US, be very cautious about mandating TOC, SOC, CCDA, HIE, interop. portals, etc.
    2. We use EHR in our office but we block all external access except one way. And we monitor the hell out of it. It's only for us to get in to see information if we need it remotely. We do NOT allow web access, portals, appt making, patient access to data as it's just too darn dangerous in that jungle. If patients want info/appts etc, they can call us. It's just better that way. Sorry but we decided that hurdle is necessary to protect their information from breach or abuse.
    3. Be wary of mandating more complex security measures on top of the already burdening complex regulations placed on providers. We will go back to paper if more regulatory burdens come out of what you are proposing.
    4. Remember ONC/CMS forced providers into this jungle. All this data, interop, movement, sharing, exposure has been mandated. Do NOT judge, punish nor further pile on the poor providers trying to keep up. As CMS/ONC has found out, we are not good at data entry, nor clicking, nor counting, nor attesting, nor IT security. We are actually busy taking care of patients, which you kind of expect that we should do. If you are expecting us to be certified penetration testers, you have the wrong crew. You do not ask pilots to be sure that the ticketing, website, and plane’s computer systems are secure, they just fly the plane. If the ticketing system gets hacked you do not fine the pilots. The EHR systems that are out there now are beta systems at best, if not alpha. They stink, yet we are asked to use them and fend for ourselves and hope we don’t kill anyone. No other industry would put up with it.

  3. I’m a cranky middle-aged physician and I don’t write code. If software engineers cannot come up with security and safety in the health insurance/pharmacy/EHR realm, my solution is simple (and prepare your Xanax dosage).

    Go back to paper charts. Unhackable, unransomable. Yes, fire or flooding can destroy, as can viruses today with EHRs that cost an arm and a leg. Physicians just don’t have the money to keep throwing at a faulty product that was flung at us and never beta tested. We aren’t even the consumer of cyber health products. Hospitals and government-backed systems are. If security isn’t embedded as policy and as code, we’re done.

  4. A fast immersion into the complexity of this problem can be gleaned by reading the investigation into the 2003-2004 T.J. Maxx, Marshall’s, Home Goods debit card data theft at http://ic3.mit.edu/ResearchSamples/2014-07.pdf. It is from an MIT Master’s thesis presented by a student, Hamid Salim. It is a very deep analysis of this case.

    His number one recommendation is that there needs to be a dedicated executive role in firms that want to responsibly look at cyber-security.

    To become acceptable–I would estimate after reading this story–hospitals and health care facilities are going to have to spend a lot more money on this problem.