Malicious actors are not going to disappear anytime soon, meaning that healthcare organizations must remain vigilant in improving their data security measures.
Collaboration and information sharing will play critical roles in strengthening healthcare cybersecurity, according to Kaleida Health CIO Cletis Earle.
Based in western New York, Kaleida Health is a multi-hospital system with a collection of different facilities throughout the area, Earle explained. It is also one of the largest hospital systems in the western New York area and the northwest Pennsylvania region.
In addition to being Kaleida CIO, Earle is the chair-elect for CHIME, meaning next year he takes on the CHIME chairmanship role.
CHIME and Association for Executives in Healthcare Information Security (AEHIS) members convened in Washington, D.C. earlier this month to discuss the current state of healthcare cybersecurity. Healthcare Industry Cybersecurity Task Force action items were also discussed, and members reviewed policies on numerous topics, such as medical device cybersecurity, Earle explained.
“Some of the areas of concern have to do with safe harbor, as well as tort reform and the possibility that at any time our business entities, or our vendor partners, may unintentionally expose the hospital industry to a breach,” he stated. “Then there is also the possibility of organizations being held liable for each incident. We support Congress to pursue legislation that harmonizes other privacy, security and information risk management requirements to eliminate the complex patchwork of regulations across industries and state lines.”
There are various facets of health security and numerous components that must be considered.
Earle discussed the importance of collaboration at the meeting, and the organization's experience with a breach.
A Think Tank was implemented in the western New York area, Earle continued. This allowed all of Kaleida’s partners to come together and understand how to collaborate more intimately when it comes to potential breaches occurring.
“Whether it's ours, or affiliated partners that had a breach, we thought it was important to share the lessons learned and some of the challenges as far as resources,” he said. “One of the things that we are taking into consideration, rather than waiting around for our next breach to occur, is that we're putting collaboration plans in place to ensure that we mitigate those risks as much as possible.”
“All of the hospitals' CIOs and CISOs, as well as other sector IT professionals, came in and got involved,” he continued. “It also included academic institutions, such as the University of Buffalo. There were other partners participating, such as banks, payers, and the city of Buffalo. We had all of our security people getting together and trying to figure out, ‘How do we collaborate more effectively?’”
The Think Tank allowed a plan for best practices to be created, Earle said. In these cases it is also critical for best practices to be applicable across numerous verticals.
“We do understand that once something occurs it doesn't necessarily matter if it's a healthcare vertical,” he pointed out. “It may impact municipal or education or even the financial institutions the same way.”
This is also why participating in information sharing organizations, such as NH-ISAC, can be essential for a true partnership. Entities need to be able to work together if potential collaboration opportunities are to succeed, he said.
“More importantly, we need to pool our resources together and see how we can have a resource incident response team, regardless of your particular vertical, working together to have some type of response pool,” Earle stressed. “The pool should consist of people so that, in the event something occurs, we will all be able to collectively tap into it.”
The discussion also included industry stakeholder feedback, and there were several questions on what it takes to get to that higher level of collaboration, he explained. There were also questions about the legal feasibility of collaboration and information sharing.
“It was very clear that this is still a work in progress,” Earle stated. “In essence we've had the difficult discussions of getting together now or moving forward.”
How the Task Force report is impacting the industry
The meeting also discussed the Health Care Cybersecurity Task Force, which had underlined the importance of information sharing and collaboration – especially between existing federal agencies.
The Task Force report was a good example of the federal government getting involved with OCR, Earle posited. The report discussed healthcare challenges in great detail and provided examples of what must be overcome in terms of cybersecurity issues.
“Our top priority is for Congress and the Department of Health and Human Services (HHS) to encourage investment in good cyber hygiene through positive incentives for providers.”
There must be a more dynamic discussion with HHS and FDA as well, especially as medical device cybersecurity is an increasingly pressing healthcare issue.
“There needs to be a clearer path towards sharing information or giving the hospitals or provider organizations the ability to protect themselves when it comes to medical devices,” he said.
NotPetya and WannaCry ransomware were perfect examples of how those types of attacks can impact organizations, healthcare provider organizations in particular. Healthcare cannot wait for a similar incident because it could adversely impact patient care, Earle stressed.
“We should get a more assertive approach from the federal government to ask for greater accountability, particularly to help us support legacy devices,” he said.
The future of healthcare cybersecurity greatly depends on the federal government helping healthcare identify challenges, Earle reiterated. Similar to the Think Tank established in Buffalo, there must be more collaboration without the fear of punishment for having shared that information.
“There are the challenges associated with sharing information without actually being punished,” he said. “OCR is an agency that encourages sharing, but in essence if you share, you may now be held accountable for the sharing of that data. Essentially, it discourages it.”
“I hope to see that the federal government continues to look at legislation, and how the rules apply to us in healthcare security,” Earle continued. “We should be able to express our concerns and challenges without fear of reprisal.”
Task Force Chair Theresa Meadows explained in a separate interview with HealthITSecurity.com that organizations being able to understand their own security posture is critical. Entities must create awareness and education throughout their organization, from the board level down to staff members who are directly involved with patient care.
Everyone needs to be a security expert, she explained. “Expert” is a bit of a loose term, but every employee needs to have some knowledge of security and how that impacts his or her daily activities, Meadows stressed.
“The best place to start is through a risk assessment and an awareness campaign,” said Meadows, who is also Cook Children's Health Care System CIO and senior vice president. “Until you do those things and until you understand where you are, it’s really hard to make improvement. That was one of the imperatives that we really pushed forward [in the report].”
The report also called for a cybersecurity leader within HHS, Meadows added. That role would help drive standardization and create a healthcare-specific cybersecurity framework.
“That individual would really do work harmonizing all the existing laws and regulations around privacy and security because there are a lot of things right now that are still contradictory,” she explained. “As a healthcare organization, I’m expected to live in both worlds.”
For example, there might be certain medical devices that fall under FDA regulation. HIPAA regulations still exist though. Those two things do not equate to the same level of regulation or guidance, Meadows noted.
“If there was someone dedicated to that process, that could move forward faster, hopefully, versus just trying to coordinate between all the different agencies within HHS,” she said.
Overcoming the healthcare information sharing fear
Healthcare information sharing is especially tricky, Meadows pointed out. Organizations that have experienced security breaches, whether a ransomware attack or a different issue, do not want to talk about them.
It might be for fear that it would generate a fresh OCR audit, she posited. Or, it might be for concerns over further reputational damage. Customers or patients might not trust an entity if there are known security issues.
“We’ve been promoting that the only way to improve cybersecurity is that we have to start sharing these issues and we have to start sharing them in a way that won’t be punitive to us as an organization and as an industry as a whole,” Meadows explained.
One Task Force recommendation was to create, and to fully leverage, information sharing organizations, since many entities do not participate in the ones that already exist.
“The reason they don't is because the information is too technically difficult to understand,” she said. “You would have to be a security expert in some instances to really understand what the impact of a particular security issue is. We need to find a way to translate the difficult security problem into language that people will understand and what they need to do to mitigate it.”
It’s also important to develop materials and education that can be provided to people in real time, so that they know what to do if that issue occurs at their organization.
Overall, healthcare organizations have to be prepared for the potential that some type of data security incident will happen.
“Just when you think you're safe, a new thing happens,” she said. “We just have to be in a constant state of awareness, have our mitigation plans and recovery plans in place, and know what to do if or when something happens.”