The Health Care Industry Cybersecurity Task Force released its long-awaited improvement report June 5, detailing more than 100 recommendations and action items to enhance poor security practices in the industry.
The 21-member task force — which HHS established in response to the Cybersecurity Act of 2015 — held public meetings and consulted with experts about the state of cybersecurity in the healthcare industry. One of the members, David Ting, co-founder and chief technology officer of healthcare IT security company Imprivata, spoke with Becker's Hospital Review about the report and its key takeaways.
Editor's note: This interview has been edited for length and clarity.
Question: What is the core takeaway you hope hospitals draw from this report?
David Ting: The best takeaway, for me, was that cybersecurity is about patient safety. If your system fails, then you are potentially compromising patient safety. To me, that's the start and that's the way that hospitals should look at cybersecurity.
This cybersecurity framework focuses on how a hospital builds an infrastructure. It really focuses on cyber-resiliency. Not how do you make it safe from being attacked, but how do you detect when something bad has happened so you can respond and recover from it. If you look at an attack like WannaCry, it was an attempt to shut down your hospital's ability to function. So, what you really want to focus on at that point is, "OK, an attack took place. How quickly can we get back to a normal state where every system is trusted? To a degree that allows the hospital to continue to function?"
Q: What would you say is the biggest cyberthreat hospitals should look out for today?
DT: The landscape of cybersecurity keeps changing. Best practices used to include detection, perimeter security, a firewall to isolate you from the network, end-point anti-virus — but those are known to fail. Why? Because there are people involved.
We know the threats keep morphing. To think that there is one magic bullet, that is a concern.
The best [approach would be to] make sure our staff in the hospital are educated around security, that we have the right approach segmenting and that if the system were to be attacked we could limit its damage. The kinds of threats we have seen are not only the theft of private patient health information … but also the kinds of threats that will take away the hospital's ability to function. The more malicious ones will be the alteration of patient data or the alteration of the way clinicians are providing care. Nothing is off the table these days.
Q: From your perspective as CTO of a health IT security company, how do you suggest hospitals lay the foundation for effective information security?
DT: The things we recommend really go back to the cybersecurity framework, and ... building a cyber-resilient system. There are really five main categories within that.
One, identify all those assets that are vulnerable. It could be data, it could be systems, it could be infrastructure — it could be all of those.
Two, create a strategy for how you would protect it. Protective control comes into that. How do you manage the control of the access of those systems? Do you have strong policy around password changes?
Three, detection, which is to understand when your system is operating normally and understand when … things are not running correctly.
Four, the ability to respond and contain an attack.
The final part of the strategy is: How do you recover? How do you get back to when everything is really trustworthy? You want everything in your system to be trusted.
Q: A core piece of technology in hospitals is the EHR. What is the No. 1 vulnerability EHRs face in today's cyber environment?
DT: To me, the most important thing about an EHR: data integrity. The EHR is your core data and patient financial information system, it is the basis by which clinicians make decisions about patient care, and it is the record of all their medical history — maintaining the integrity of that system is the most important thing when it comes to creating a safe environment for treating patients.
So, like any other application with a large associated database, what you really want to worry about is who has access, how did they get access, how do you back up the data, how do you ensure the security of the data. If [the data is] compromised [or] if it's been altered, you should have a means to detect that it's been altered and be able to recover from it.
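As an added illustration of the detect-and-recover point above (this is example code written for this page, not Imprivata's or any EHR vendor's implementation), the following seals each record with an HMAC-SHA256 tag, flags records whose contents no longer match their tag, and restores them only from a backup copy that itself verifies. The key, record schema and sample values are constructed for the demo.

```python
import copy
import hashlib
import hmac
import json

# Constructed demo key: in production it lives in an HSM or key vault, never beside the data.
INTEGRITY_KEY = b"demo-key-not-for-production"

def _tag(body):
    """HMAC-SHA256 over a canonical (sorted, compact) JSON form of the record."""
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(INTEGRITY_KEY, data, hashlib.sha256).hexdigest()

def seal(record):
    """Return a copy of the record with an integrity tag attached."""
    body = {k: v for k, v in record.items() if k != "tag"}
    return {**body, "tag": _tag(body)}

def verify(record):
    """True only if the tag still matches the record's current contents."""
    body = {k: v for k, v in record.items() if k != "tag"}
    return hmac.compare_digest(_tag(body), record.get("tag", ""))

def audit(live, backup):
    """Find altered live records and restore them from a verified backup copy.
    Returns (altered_ids, recovered_ids, unrecoverable_ids)."""
    altered, recovered, unrecoverable = [], [], []
    by_id = {r["patient_id"]: r for r in backup}
    for i, rec in enumerate(live):
        if verify(rec):
            continue
        pid = rec["patient_id"]
        altered.append(pid)
        good = by_id.get(pid)
        if good is not None and verify(good):   # never restore from a tampered backup
            live[i] = copy.deepcopy(good)
            recovered.append(pid)
        else:
            unrecoverable.append(pid)
    return altered, recovered, unrecoverable

# Constructed sample records, sealed, with a backup taken at seal time.
RECORDS = [seal({"patient_id": "P001", "allergy": "penicillin", "dose_mg": 500}),
           seal({"patient_id": "P002", "allergy": "none", "dose_mg": 250})]
BACKUP = copy.deepcopy(RECORDS)

def demo():
    """Simulate an unauthorized dosage change, then detect and recover it."""
    live = copy.deepcopy(RECORDS)
    live[0]["dose_mg"] = 5000
    return audit(live, BACKUP), live[0]["dose_mg"]
```

The tag only proves the record is unchanged since it was sealed by a key holder, so key custody and write access to the sealing path are what the control ultimately rests on.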
Q: Any closing thoughts on the Health Care Industry Cybersecurity Task Force?
DT: If you look at how fast healthcare has evolved, [primarily] within the last five to seven years, we've gone from paper to electronics. In that time, we've accelerated the pace with which we can move information, but we've also made it easier for that data to be stolen.
Healthcare is extremely difficult to mature. It has a hyper-connected environment of multiple medical devices. It has multiple external applications as well as internal applications. It has legacy applications which are still running on [Windows] XP. It has the need to interconnect to other researchers, other hospitals. It has created a lot of challenges, simply because the need to take care of patients has expanded beyond the borders of your hospital. It's a challenging space and hopefully we're doing our piece by controlling access to and the policies of the systems.