Health system CISOs offer tips for building cybersecurity ‘muscle memory’

By focusing on broader incident response training efforts – which involve medical, operational and other teams – as part of overall emergency preparedness programs, healthcare providers will be better positioned to maintain and deliver patient care when systems are breached and potentially disabled following a cyberattack.

Cyberattacks risk patient care

A recent study by the Ponemon Institute involving more than 640 healthcare IT and security leader participants found that, while most of the provider organizations experienced nearly one attack per week last year, 57% also say these attacks are resulting in adverse impacts on patient care.

Half of respondents cited an increase of complications from medical procedures – and 20% reported an increase in mortality rates.

“This report aligns with the reality that healthcare organizations are facing in terms of the effects to patient safety,” said Anahi Santiago, chief information security officer at Delaware-based ChristianaCare.

She and other healthcare cybersecurity leaders spoke with Healthcare IT News about the connection between cyber hygiene and patient safety, and how to prepare for healthcare cyberattacks. 

“When cyberattacks take place in healthcare, and organizations are forced to either divert services from emergency rooms or have to cancel services because of the unavailability of systems. It does put patients at risk,” she said.

There is always going to be an adversary out there trying to break in, said Erik Decker, CISO for Salt Lake City-based Intermountain Healthcare. 

“The length of time of these outages, you know most people think ‘Well, it’ll just be a day or two,’ but no, these things can last weeks and months,” said Decker.

“You must also put an equal amount of vigilance into response,” said Decker.

“I don’t think organizations do enough to prepare for how to care for patients when systems are not available,” said Santiago, who is also a member of the board of directors for the Health Information Sharing and Analysis Center, or H-ISAC. “Where are your downtime procedures? How do you work across different departments?”

Industry size makes all players a target

Many healthcare organizations have various types of specialized hospital information systems along with thousands of hospital infrastructure and connected medical devices, including smart elevators, smart heating, smart infusion pumps and remote patient monitoring devices.

While larger provider systems may be more complex than small medical groups, “they still have the same kind of risk, as we have [all] leveraged technology to deliver care,” said Decker.

Not only a complex one, healthcare is also a very large industry, said Darren Lacey, vice president and CISO for Johns Hopkins University and Johns Hopkins Medicine.

“We’re 15% of the U.S. economy, maybe 18% of the U.S. economy. We’re a significant portion of the employees. I mean in much of America, the largest organization in that town or that county is the local hospital. It employs everybody,” said Lacey.

“We get hit a lot, but that’s because we are so big.” 

Data breach was the focus of healthcare cybersecurity 10 years ago, so traditionally the concern has been on protecting data. But the rise in prevalence of ransomware is driving rapid change in approaches to cyber preparedness.

“Tabletops went from being kind of marginal to what we do, to being central to what we do, in the space of a very short period of time.”

Darren Lacey, Johns Hopkins Medicine

The sophistication of threat actors has evolved. They have the ability to shut down systems and key critical processes and functions, said Decker, who is also chair of the Healthcare and Public Health Sector Coordinating Council Cyber Security Working Group.

What happened is a shift “from not only the exfiltration and theft of data and monetization of that data, but the monetization of your operational ability and your ability to recognize revenue,” he said. 

“When you disrupt the pipeline of that technology, you disrupt the pipeline of volume and the ability to care in the way that our providers are expecting normal operations to look like,” he said. 

Limit data access with architecture

Because healthcare data assets are high-risk, data management requires a risk-based approach where data managers in the healthcare space must act as “mindful custodians,” said Lacey.

To improve the cybersecurity posture of healthcare, the Department of Health and Human Services recommends enterprise-wide risk analyses and a series of best practices, including maintaining encrypted data backups, vulnerability scans of all systems and devices, regular patching and updating of operating systems and training employees to reduce vulnerability to phishing and other common cyberattacks. 

“Minimum necessary and role-based access are core components of an identity and access management program,” Santiago said.

“So before we even get to the point where we’re training people, it’s important for us to design an architecture that doesn’t allow for access beyond what is necessary for people within an organization to get to information.”

“It’s one of the few environments and industries where the majority of the workforce actually needs access to the private information that is restricted,” added Decker.

Healthcare providers could have hundreds or thousands of ancillary systems, making ecosystems complex. 

And “complexity is the enemy of security,” Lacey added.

Detect malicious activity and vulnerabilities  

Resources from the HHS 405(d) Program, a collaborative effort between industry and the federal government that was launched in 2015 by Congressional mandate, and from other agencies can help increase healthcare cybersecurity, resiliency and cyber hygiene with a number of tools and resources for both small and large providers. 

Regardless of provider organization size, they face the same five cyber threats:

  1. Email phishing attacks.

  2. Ransomware attacks.

  3. Loss or theft of equipment or data.

  4. Internal, accidental or intentional data loss. 

  5. Attacks against connected medical devices.

Most healthcare organizations have service level agreements that offer an implied promise for patching vulnerabilities. But vulnerability management has been the most important part of cybersecurity for the past 20 years, said Lacey.

We chase down vulnerabilities and, in fact, if you had to say what was the biggest change in cybersecurity over the last 10 years along with the ransomware spike would be the number of publicized vulnerabilities,” he said, noting that the number being disclosed is about 10 times what it was five years ago.

The program also identified the following 10 most effective practices to mitigate the most common cyber threats to healthcare: 

  1. Email protection systems.

  2. Endpoint protection systems.

  3. Access management. 

  4. Data protection and loss prevention.

  5. Asset management.

  6. Network management.

  7. Vulnerability management.

  8. Incident response.

  9. Medical device security.

  10. Cybersecurity policies.

Application penetration testing may also pay off over time, according to Coalfire. Systems running programs for three years reduced high-risk findings in web application tests by an average of 25%, according to the company’s fourth annual Penetration Risk Report.

I think it’s important to think of pen tests as not just a glorified vulnerability assessment. You really should use it to test your ability to detect malicious activity,” Lacey said. 

“Having a program that periodically tests your applications is recommended versus doing this only on an ad-hoc basis,” said Decker. 

“The environments change over time, and many elements of a cyber program need to be related to regular processes and periodic review. The more you can formalize it, the better you will be at aligning resources and managing priorities and expectations.”

Explore what the outages can look like 

Santiago said she stresses going beyond efforts to create resilient IT teams by making organizational resiliency a practice.

“Organizational resiliency is ensuring that we’re communicating effectively and that people know how to work when they don’t have systems available,” she said.

Decker advises starting with the structure and contours of planning if you don’t have an incident response plan for your organization: “When an event comes in, how do you escalate it? And if and when it becomes a larger event, who are the first people that you call? What are the things that you’re going to be telling them?”

The potential of impact will lead to further discussion about operational impacts. 

“Then it turns into, who are the operational leaders that need to be involved in the discussion, and how does this work with your emergency management departments and the activation of command?” said Decker.  

All of these stakeholders need to be on board, including clinical leadership and service line leadership, he said.

“People do not actualize how damaging these kinds of attacks can be,” he said. 

When you start explaining what these outages look like, “the appreciation for the problem starts to materialize.” 

The structure of cyber incident response command, how it is activated, who the players are, and what their roles and responsibilities are should be connected to what the organization already knows through its emergency-management channels.

“One of the biggest mistakes is that when people do tabletop exercises, they focus just on the IT area – how to respond to a cyber incident – and less on the resiliency of an organization to be able to conduct patient care in the face of adversity,” said Santiago.

On the medical side, that involves emergency room teams and surgical groups, she said. 

“I think that that’s where organizations should really focus so that when systems are not available, patient care is least affected. So, continuous regular training of their ability to perform their work is integral to our ability to protect organizations.”

Bring everyone to the tabletop 

Conducting tabletop exercises are now an important part of building an effective incident response team and plan, the experts said.

“Tabletops went from being kind of marginal to what we do to being central to what we do in the space of a very short period of time,” said Lacey.

Santiago and Decker both say focusing on disaster recovery exercises is about “muscle memory.” 

Though unpredictable things can happen in an actual ransomware event, incident response security exercises can identify areas between various operational units that are vulnerable and illustrate how things can play out, helping to strengthen the information security triad – confidentiality, availability and integrity.

“If you’re addressing an issue for the very first time, you won’t be able to do it effectively, and so exercising regularly to be able to respond to incidents I think is really important in order to be able to face one when it actually does happen,” stressed Santiago. 

Training brings together emergency management and incident command teams, key leadership, compliance and privacy groups and others. 

Like any good sports team, “any good organization should practice and practice and practice so that it is not a surprise if and when something unfortunately happens,” said Decker.

“And instead, you are dealing with the contexts and circumstances of the issue versus dealing with the mechanics of how you stand up a response, and make sure everyone is involved.” 

“When an event comes in, how do you escalate it? And if and when it becomes a larger event, who are the first people that you call? What are the things that you’re going to be telling them?”

Erik Decker, Intermountain

These exercises focus on ensuring that the security-operations center can detect and stop the spread of malware and that the larger organization can coordinate crisis response across all lines of business.

“Tabletops have not really been a big thing in our field, in what I would say civilian-side or commercial-sector cyberspace, up until about 10 years ago, and they didn’t really become a big deal till the big ransomware spike three years ago,” said Lacey. 

“And that’s when everybody realized, ‘Well, we need to do a lot of tabletopping,’ because ransomware is so disruptive to the business.”

“Our workforce members are our most important assets, so continuous regular training of their ability to perform their work is integral to our ability to protect organizations,” said Santiago. 

“We, for example, do them multiple times a year,” she said, adding that her organization schedules monthly tabletops: twice per year with the executive, legal, vendor, compliance and privacy teams and once per year with operations.

Decker noted that while conducting tabletop exercises annually is a good idea, there is no minimum regulatory requirement.

There are no efficacy studies revealing insights into the frequency of conducting tabletop exercises, Lacey added, but emphasis should be on the actions that result from a session. 

“If it’s a good tabletop, you’re going to give yourself a list of to-do items that’s going to take you several months to work your way through,” he said.

Approach tabletop exercises based on provider needs and resources

In 2007, the Centers for Disease Control used tabletop exercises to drill response to the H5N1 virus, according to the University of Minnesota Center for Infectious Disease Research and Policy. 

CIDRAP shared a 10-step process for “one of the most talked-about ways to challenge and examine pandemic plans.” 

Although no tabletop exercise can convey a realistic picture of an incident, they said, the drills can help executives and planners find gaps, adding that the exercises can “sharpen group problem-solving under pressure and elevate preparedness, provided that they are properly designed, carefully conducted, fully evaluated and actually use results to implement response process improvements.” 

Tabletops are valuable because they spin up gaps, and it’s a cyber hygiene tactic that “probably hits above its weight” said Lacey. 

But in terms of time, organizations should and will spend more time on incident and vulnerability protection, he said. 

“One of the biggest mistakes is that when people do tabletop exercises, they focus just on the IT area – how to respond to a cyber incident – and less on the resiliency of an organization to be able to conduct patient care in the face of adversity.”

Anahi Santiago, ChristianaCare

The recent Coalfire report echoed this need, indicating that, of the more than 3,000 penetration tests conducted across multiple sectors, security misconfigurations were a top vulnerability.  

Santiago noted that larger healthcare systems with mature programs and the capabilities do tabletop exercises on a regular basis and have been doing them for a long time. 

And while many larger provider organizations hire outside consultants to prepare and deliver these incident response drills, several agencies offer guidance and risk assessment tools to support health systems with more limited resources, including the Cybersecurity and Infrastructure Security Agency, which has tabletop exercises specifically designed for healthcare systems and medical groups.

Resources like the Health Sector Council’s Operational Continuity-Cyber Incident (OCCI) checklist, released in May 2022, can also help organizations get started, said Decker. 

For the smaller community hospitals and provider offices that just don’t have the resources, Santiago also suggested leveraging H-ISAC’s resources

“A lot of healthcare organizations don’t have that much money. So having some guidance like [CISA’s] makes a lot of sense,” Lacey added.

Improve IT skillsets

The good news for healthcare cybersecurity is that the skills gap in the field is narrowing. 

“The ceiling isn’t going up that much. But the floor is going up a lot, which is really good for healthcare because we’ve always sat along with municipal governments on the floor in terms of the security maturity of our field,” said Lacey.

“Sometimes as you peel back that onion you find more and more things at the center of the onion that you didn’t think about the first time around,” said Decker. 

“It’s okay for this to be boring,” he added, because if you get to that place, “one would hope you are so exercised in it, you know what to do.”

The goal is to make these things “nonevents,” he said.

Looking at government’s role

Government is called on to intervene in an industry when problems begin to have overwhelming or alarming effects on people and assets. 

But what is the government’s role – whether federal, state, tribal or local – in protecting healthcare systems from cybersecurity attacks?

Lacey said CISA’s suggestions on how to close off technical vulnerability boundaries in healthcare cybersecurity are things providers should be paying “persistent attention” to.

He also said the government is doing a good job of shepherding information by drawing intelligence from multiple sectors and providing guidance and resources.

“I don’t have any complaints on the way the Federal government is going about this,” said Lacey. “I don’t know what more they could do.”

Decker sees the government agencies involved as partners assisting in the protection of critical infrastructure. 

“There are laws that define this relationship, specifically the National Defense Authorization Act. This codifies the critical infrastructure relationship between the Federal government, through a Sector Risk Management Agency and the [critical infrastructure].

“For healthcare, the SRMA is HHS, and the industry is represented by providers, payors/plans, biotech, labs, pharma, mass fatality and others. There is collaboration happening at all levels (all hazards) and cyber-specific collaboration to ensure we are protecting our infrastructure,” Decker shared by email as a follow-up.

Andrea Fox is senior editor of Healthcare IT News.
Email: [email protected]

Healthcare IT News is a HIMSS publication.