The healthcare industry has long been a prime target of cybercriminals looking to mine patients’ personal information or disrupt facilities’ operations in ransomware attacks. The Covid-19 pandemic has made matters much worse, as the adoption of new technologies to enhance remote care and increased remote work has created a multitude of new potential targets for hackers.
Wall Street Journal news editor Sara Castellanos spoke with Kathy Hughes, chief information security officer at Northwell Health, and Joey Johnson, chief information security officer at Premise Health, at the WSJ Pro Cybersecurity Executive Forum, about the cybersecurity threat and how the industry can protect itself. Edited excerpts of the conversation follow.
WSJ: Kathy, how have cyber threats changed in the healthcare industry over the past 12 months?
MS. HUGHES: There has been a lot of change, and every day there’s more change. Threat actors have gotten increasingly sophisticated in their techniques, and the attacks have become more frequent. So this has really prompted us to, on a continuous basis, take a close look at how we’re protecting our environment and make sure that we have enough adaptability and flexibility to make sure that our systems are protected as best as they can.
WSJ: Joey, since the pandemic began, in what specific ways have cyber threats changed?
MR. JOHNSON: As we went into Covid, one of the things that happened in healthcare, especially in the provider sector, was adoption of new technology—telehealth technology, wearable devices for patient treatment. A lot of new technology came in.
And that leaves a finite team of security professionals to have to be accountable for securing that technology, getting up to speed with what that technology is. And maybe your teams aren’t as up to speed on those new technology frameworks as you’d like.
WSJ: Kathy, how big of a problem is the Internet of Things in telemedicine, the actual security threat?
MS. HUGHES: It’s a challenge because healthcare organizations have really embraced IOT-type technology because of the flexibility it gives, and the fact that you don’t need to be connecting wires everywhere to monitor patients’ vitals. Those devices though, from a cybersecurity point of view, become additional potential threats or entry points onto the network, and give, potentially, threat actors the ability to access medical information about that patient and to get onto the network and into our various systems.
We have been applying similar techniques as we do to traditional IT devices to these new IOT devices to make sure that they’re protected just like any other device on our network would be.
WSJ: Can you talk just a bit about those techniques?
MS. HUGHES: It’s a matter of making sure that the devices are on current supported operating systems, that they have firmware updates that are regularly applied, that there’s patching that’s applied—all those traditional type of controls you would have. And anti-malware protection where you can; a lot of these devices don’t support them. We also try to segment them so that if something does happen, they can’t potentially affect other devices.
WSJ: Kathy, you’ve developed a robust cybersecurity program over the past few years. Tell us what that program looks like.
MS. HUGHES: We based our program on the National Institute of Standards and Technology cybersecurity framework, which means that you need to identify everything that you’re protecting, you need to protect those devices, you need to be able to detect if something occurs on the network that might indicate some type of malicious activity and to respond to those alerts. And lastly you need to move apart from them should any of your devices or systems be affected. One team focuses on IT security tools and technologies. A second group focuses on risk management, because we really need to understand always what the current risks are.
We need to do active threat hunting. We need to be able to scan devices for vulnerabilities and such. I also have a group that focuses on policies as well as governance that oversees my awareness-in-training program. And that’s a key component of any security program.
And then the other team I have is the disaster-recovery team. So when all else fails, if we need to recover systems, whether it’s from an operational event or some kind of cyber event, we need to have the ability to be able to do that quickly.
WSJ: How has that program had to change during the pandemic?
MS. HUGHES: The program itself didn’t change. I think it was really a matter of just being able to adapt to the onslaught of attacks that were coming in. The number of phishing emails, for example, and different types of attacks that we saw really kept us on our toes. There were a couple of technologies that we had to deploy rather quickly in response to current activities, and costs and adjustments that had to be made.
WSJ: Can you briefly explain a couple of technologies that you had to deploy?
MS. HUGHES: The most significant one was, because we had seen such an uptick in phishing emails, we deployed a technology that actually does a live scan of a URL when it’s clicked within an email. The technology that we had before, if a URL had been accessed that was previously determined and rated to be malicious, it would be blocked. But this enabled us to do that in real time.
WSJ: Joey, in general are you combating cyber threats by using more technology? Or do you have a different strategy?
MR. JOHNSON: We implement new technology where we feel like it’s appropriate. But not all solutions to technical cyber problems are solved with technology.
One success story we had was where we didn’t have to spend any money and implement anything new. It was simply, years back, as we started launching our vendor-risk management program, we began to identify redundancies in vendors and in partners, and went back to some of the key stakeholders across clinical operations, procurement, legal, and said, “Hey, we can run risk assessments across all these entities. It’s going to take time. Is that what we want to do? Is that where the business wants to be? Or do we want to have a smaller pool of vendors in specific areas that we can have better purchasing leverage with, build better partnerships with, and establish trust relationships so they can be transparent with us about their risk posture?” And we reduced that pool significantly. And that reduced our threat landscape significantly, because so many breaches do happen, you know, with third parties that you’re affiliated with.
WSJ: In what ways specifically are you educating different departments about cybersecurity threats?
MR. JOHNSON: We have our mandatory, regulatory, required training. But the truth is that most people aren’t really anxious to absorb that.
What people are anxious to absorb is, when we shifted home from the pandemic, they said, “What do we need to worry about?” And so our team did a lot of lunch-and-learns. “Here’s how you set up your social-media networking appropriately. Here are the privacy controls available to you. Here are things you have to be careful about if you’re practicing from home.”
People kind of eat that up, and it helps them to develop instincts around security. So we do a lot of lunch-and-learns that are voluntary. It’s amazing how many people show up.
The other thing we do is I’ll send out a weekly newsletter. It goes to the executives and all the vice presidents, and it just says, “Here’s what happened this week. Here’s how nation-state acting has escalated. Here’s what ransomware really means and what’s happening in that world.” And that rapidly got forwarded to lots of people.
So there’s an appetite for people to want to see the cybersecurity issue kind of demystified. And that really goes a long, long way with very, very little spend, or resource, or anything to kind of get it up and off the ground.
WSJ: What is the biggest cybersecurity challenge that you have?
MR. JOHNSON: In a perfect, ideal world, there would be a direct correlation between how rapidly an organization can shift and change its in-depth architecture in relation to how fast the threat landscape is changing. Most organizations aren’t there. I think when you compound that by saying, “Hey, on top of that, we’re going to continue to drive business initiatives that are technology-reliant, that are data-reliant, and we’re going to need to introduce new technology,” it’s challenging to grow by adding people to that.
Even if my CFO said, “Here’s $50 million. Go hire all the people you want,” it’s very challenging to get those qualified people. So you kind of have a really difficult, perfect-storm situation where existing resources are more stressed out, the threat level is increasing, and it’s hard to resource the problem away.
MS. HUGHES: I would just add that it’s got to be done through a collaboration among all the business units. Collaboration and communication at the highest levels is really, really important because of the extensive innovation and transformation that’s taking place within healthcare. And it’s also a matter of setting priorities, because you can’t do everything at once. And things change every day, so being adaptable and flexible is also extremely important.
Copyright ©2021 Dow Jones & Company, Inc. All Rights Reserved.