Voices of HHS
Cyber Safety Is Patient Safety: The importance of Healthcare Cybersecurity
October is National Cyber Security Awareness Month! As we celebrate this 16th annual event, the Health Sector has come together in a variety of important ways to observe and act on the importance of maintaining robust cybersecurity hygiene and controls throughout the healthcare sphere. The Healthcare Sector Coordinating Council includes representatives from direct patient care; medical device security; workforce development; medical device and supply chain security; as well as information sharing and protection of innovation capital from theft. The Health Sector Coordinating Council is partnering with HHS, FDA and other government agencies to develop best practices, recommendations and guidance for all healthcare stakeholders to strengthen cyber defenses against hackers.
In this podcast, your hosts are two leaders in health care cybersecurity: Terry Rice, who is Merck’s Vice President of IT Risk Management and Security and Chief Information Security Officer; and Greg Singleton, who is Director of the HHS Health Sector Cybersecurity Coordination Center (HC3). Listen in as they discuss evolving threats and collaborative mitigations for healthcare cybersecurity. You’ll also hear from a number of healthcare stakeholders interviewed during a recent HHS-hosted meeting on cybersecurity best practices, as they talk about the importance of healthcare cybersecurity and the public-private partnership that is working vigorously to drive improvements in the security and resiliency of the healthcare system and ultimately, patient safety.
Greg Singleton: Hello, and welcome to our podcast, Cyber Safety Is Patient Safety: the importance of healthcare cybersecurity. I'm Greg Singleton from the Health Sector Cybersecurity Coordination Center here at the U.S. Department of Health and Human Services. I'm joined today by Terry Rice with the Healthcare and Public Health Sector Coordinating Council. Welcome, Terry.
Terry Rice: It's great to be with you today. We got Greg in honor of National Cybersecurity Awareness Month.
GS: Well, and happy National Cybersecurity Awareness Month to everyone. National Cybersecurity Awareness Month is a great backdrop for our program today. We're going to be talking about a few things: the importance of cybersecurity within the healthcare sector, and how ultimately cyber safety is patient safety. National Cybersecurity Awareness Month, also known as NCSAM, is a great time of year because it highlights the partnerships that government and industry have together, in terms of improving cybersecurity across the healthcare sector for the benefit of the nation.
TR: I couldn't have said it better, Greg. This podcast and the collaboration between the Healthcare and Public Health Sector Coordinating Council and HHS is a great example of the public-private partnership, and how we have come together to advance cybersecurity for the public health sector. So, Greg, let's jump right in and talk about why we're here.
GS: Sure, sure. On our program today, we thought it'd be helpful to hear from a number of experts on the challenges, opportunities, and really, cybersecurity approaches they are using within the health sector. So, we went and recorded some of their thoughts at a recent 405(d) Joint Industry-Government Cybersecurity Task Group session here in Washington, D.C. So, they're going to share their thoughts on a few issues. Some being, you know, really who has responsibilities to take care of cybersecurity. The importance of planning and preparation. Why are the bad guys targeting the health sector? And really, how the industry has grown, and where folks can get started with things.
TR: So, let's get the discussion started with the problem statements that NCSAM is trying to address from the health and public health sector perspective. First up is Julie Chua, who is the Branch Chief for Risk Management at HHS and the federal lead of the 405(d) program.
Julie Chua (audio clip): So, we are trying to address the ever-evolving threats that are attacking the health sector. And what we mean by that is cybersecurity threats on our devices, equipment, and our information technology that we use for providing care to our patients. And Cybersecurity Awareness Month is just what it says. It's raising the awareness that cybersecurity is a patient safety issue. It's not an I.T. issue solely. But it is certainly an enterprise issue where it impacts business, mission, and ultimately, patient safety and care delivery.
TR: Greg, Julie hit on something important when she stressed how cybersecurity is not just an I.T. concern. When most people think about cyber, they often assume that they don't play a role. But in our sector, that's not the case. Everyone has a responsibility.
GS: Well, absolutely. Every part of a healthcare organization is part of the team caring for the patient, right?
GS: Well, the same team approach matters for cybersecurity, too. So, let's hear from Greg Garcia, the Executive Director for Cybersecurity, Healthcare Sector Coordinating Council, who explains how Cybersecurity Awareness Month is just as important for practitioners as it is for the I.T. professionals.
Greg Garcia (audio clip): Cybersecurity Awareness Month emphasizes that this is a shared challenge, and therefore, it's a shared responsibility. We all have responsibility to take care of our own data. Our own systems. Our desktop. It's often a fallacy that people think that cybersecurity is just the I.T. guys' problem. Whether you're in enterprise or in a hospital, that isn't the case. Sometimes, the lowest common denominator is the frontline health practitioner or clinician who is touching all kinds of data and medical devices and terminals -- and patients.
And that each one of them, each one of us is responsible for ensuring that we protect our data -- using strong passwords, that we don't click on email attachments that we don't recognize, all the way up to a systems administrator and a chief information security officer who are responsible for some of the more complex network security issues.
TR: So, we acknowledge that cybersecurity is everyone's responsibility, and that NCSAM aims to inform and teach everyone within a healthcare organization of their cyber responsibilities. But let's address the question as to why they should pay attention. Just how serious is the threat of cybersecurity attacks in the healthcare sector, Greg?
GS: Well, it is a significant threat. As an example, a very recent report highlighted that there have been at least 491 ransomware attacks on healthcare organizations within the first nine months of this year. That's why it's important for everyone to play their role in securing their organization, and why it's important for our sector to consistently be aware of cybersecurity threats, and implement the best practices to mitigate those threats.
TR: That's pretty scary, and definitely a cause for alarm and why we should be focused on this topic -- not just during October, but also throughout the 11 months of the -- other 11 months of the year.
GS: Definitely. So, let's hear from Erik Decker, Chief Security and Privacy Officer for the University of Chicago Medicine on the reality of cyber-attacks and what they look like on the front lines.
Erik Decker (audio clip): Most people think that, you know, a cyberattack or being a victim of a cyberattack is not going to happen to them because, you know, there's a whole lot of people out there. The reality is that cyber-attacks hit everybody. It's a guarantee that someone will be a victim of a cyber-attack -- or an organization will be a victim of a cyber-attack.
And so, we have to just -- just like fire safety is something that we have to understand, just like having your own personal home emergency plan in the case of a power outage or some sort of natural disasters, these are things that we all just have to really think about, from a cyber perspective, given the fact that we are an incredibly interconnected digital community these days.
TR: So, given the reality of cyberattacks becoming more and more prevalent in our sector, Greg, what are your thoughts as to why this sector is becoming more of a target?
GS: You know, that's a great question. Terry, do you remember who really Willy Sutton was, and what he's famous for?
TR: Of course, but go ahead and explain for our audience who might not know.
GS: Sure, everyone remembers. So, Willy Sutton was a famous bank robber in the 1900s, and he's famous for being asked by a reporter, well, you know, Willy, why do you rob banks? And his simple response to that reporter was, "Because that's where the money is."
And so, the short answer to why the sector is being targeted is because there's money to be made from cyber-crime. Cybersecurity attacks are lucrative for bad actors. A recent FBI report noted that roughly $2 billion was lost to business email compromise every year. And we know that in 2016, the health sector faced $6.2 billion in losses from cyber-crime.
We here at HHS see the impacts of these costs every day, but we'll hear from Erik again on why he feels like cyber criminals are targeting the sector.
ED: Well, there's a number of different factors into why health in particular. The traditional one is related to confidentiality and the information that we have on people -- the Personally Identifiable Information, and then, of course, the protected health information associated to the patients.
First and foremost, you know, we collect pretty much any amount of information necessary to conduct some sort of identity theft or fraud on an individual. So, we have your -- we'll have your name, your social security number, your insurance information, your home address, your maiden name. You know, all of this information, which is needed, you know, to commit certain types of fraud, like IRS fraud for your yearly taxes, you know, that's a very common one to be done.
But you know, so that's the traditional way of thinking about it. That's not new. That's been in place for about 15, 20 years to date. What's really changed on the healthcare side is, you know, related to patient safety. And the issues -- as well as extortion attacks, like ransomware attacks, where criminals are finding new ways of monetizing crime and, you know, that can come in the form of locking up a medical institution and their digital systems so that they can't conduct business.
And since everything is digital these days and everything runs on I.T., if you shut down all the I.T. infrastructure and you don't have the ability to pull in the volumes that your organization is normally used to, that is a very severe revenue impact on the institutions. And it's enough of an impact that it will warrant the conversation around should you pay somebody a ransom for releasing your I.T. infrastructure -- your digital infrastructure back to them. Or do you continue to stay down? And how harmful could that be to the institution?
So, that's a very real and prevalent case. I think WannaCry in 2017 really demonstrated how prevailing of an issue that can be. And then, many other institutions have been hit with it. And in some cases, small practices have actually shut their doors as -- having been the result of a cyber-extortion attack -- like a ransomware attack.
TR: It's very clear how cybersecurity threats are real, and the likelihood and impact of these attacks is increasing -- increasing substantially.
GS: Gosh, do you remember WannaCry?
TR: It's hard not to. And there were so many lessons that came out of that event for the healthcare sector. I think lots of lessons that we've incorporated as a sector into plans and procedures through this public-private partnership. So, let's shift the discussion and look at what the response has been to events like that, and what steps have we taken? And again, let's go back to Erik Decker for some thoughts.
ED: I would say that we're definitely -- we've definitely woken up. Several years ago, maybe about five, seven years ago -- five, 10 years ago, the -- a lot of the healthcare industry was thinking, well, it's going to happen to somebody. It's going to happen to the big guys. You know, they've -- they're really the targets of all of this, and they've got their acts together, and so -- you know, I don't have to worry about it.
Given the fact that the threat actors and the level of sophistication has increased so dramatically over the last several years, it's become such a pervasive attack -- I'm very confident to say that a lot of the health industry has recognized that this is a big problem, to the point where we now have a robust Healthcare Sector Coordinating Council in place, which has representation of many different sectors of the health industry -- of the health sector.
And it's got a lot of task groups that are working underneath the Sector Coordinating Council in partnership with the Government Coordinating Council -- so, this is where industry and government come together. I believe we have upwards -- more than 15 different task groups that are focusing on different elements associated to how to answer aspects of the cyber problem that we have.
GS: Yeah, so, Erik touched on a number of good points. I mean, first of all, just that evolution in the mindset from, you know, I just hope it doesn't happen to me to now recognizing okay, we all need to be prepared and ready to take care of this. But also, how the last several years' worth of collaboration between government and industry has improved and helped make the sector more resilient to cyber-attacks.
TR: Absolutely. Absolutely think that that relationship is key to addressing this problem.
GS: So, let's hear from Kendra Siler, president and CEO of Community Health I.T. on why collaboration is important, and why we as a sector can't combat these threats alone.
Kendra Siler (audio clip): Working alone actually increases an organization's cyber vulnerability. And participating in the Health Sector Coordinating Council allows flexible security partnerships and also a voice with the government to ensure that the organization's input manifests itself into future national strategies and policies. And here -- I think probably Benjamin Franklin said it best: "We must indeed all hang together, or most assuredly, we shall all hang separately."
GS: Terry, what do you think on that? In terms of, you know, I love that observation that working alone can actually increase an organization's vulnerability. Also, she managed to work Ben Franklin, a Founding Father, in there into a discussion of cybersecurity.
TR: I think she did a great job in bringing out the relevant points -- that partnership actually -- that partnership throughout the ecosystem working together definitely enhances the security of the entire ecosystem, and I'd say, even beyond.
GS: Absolutely. And you know, continuing on that thread, we wanted to talk to Mari Savickis as well. She's the V.P. of federal affairs at the College of Healthcare Information Management Executives, and had really poignant things to say on this one.
Mari Savickis (audio clip): It's imperative. It's -- that's really the reason that we've come so far. We are able to hold hands with the federal government, and they are our partners in this effort. And they recognize the importance of this as much as the industry does, and I think that's really -- that's a big testimony to how we've come in the past few years. So, it's been really critical.
TR: I really appreciate Mari's viewpoint. She actually leads one of the task groups that was mentioned, and has really worked hard to pull together that public-private partnership. It's really about individuals standing up and working collaboratively on both sides -- both on the public sector and the private sector to really build this collaboration.
GS: Completely agree.
TR: So, these have been a couple of good points that have been made by our experts, and it's great to hear that members of our sector feel the same way that we do, and are on the same page when it comes to collaborating and working together to combat cyber threats, making sure that everyone understands that cybersecurity is everyone's responsibility.
GS: Sure. So, Terry, before we wrap up today's discussions, let's talk about two last topics. First one is, you know, what resources are available for folks to help improve their cybersecurity? And then, the second is just -- is there a right approach? What's the best way to go about this?
TR: Yeah, I think those are definitely the right questions that we need to ask. Resources are definitely something that the public-private partnership has helped pull together. And why don't we start? Hearing again from Erik Decker about resources available as a result of some of the work that the Sector Coordinating Council did, and one of the task groups that he and Julie led on this collaborative partnership between industry and government.
ED: So, there's several products already out for the providers and clinicians that are out there. We have the Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients. This is a resource that we provided 10 -- well, ultimately, it's five threats that we feel the whole health industry faces, and 10 practices that they can implement to mitigate those threats. And all of that's stratified by if you're a small, medium, or large organization. Because based on the size of your organization and the amount of resources that you have, you're going to approach the how on implementing cyber differently.
So, that's one. We call that HICP -- H-I-C-P. There's the Joint Security Plan that was produced under one of the task groups. And this is a -- specifically the medical devices and medical device manufacturers and the healthcare delivery organizations coming together. And you know, you look at that guide as sort of a framework by which the manufacturers can build good security in their products so that when it comes to the health delivery organizations, we can implement it, you know, according to the right practices.
So, both of those documents -- the JSP and HICP, they actually complement one another. If it hasn't happened yet, or it very well -- it will happen very soon. There is an information sharing guide that's coming out -- also from the Sector Coordinating Council. And I'm sure I've missed something that's already also happened. But just to summate it, you know, the Sector Coordinating Council is very active, and these task groups are working on bringing forth a lot of -- a lot of resources.
TR: I think Erik did a good job summarizing the many resources that have already been produced, and there's many more coming down the pipeline; it's a very active community pulling together best practice guidance. But I also like the fact that he mentions the HICP because it's very practical and pragmatic guidance. It's not lofty, unachievable goals that are in there; it's pretty simple and straightforward.
And then, in the JSP, I think it's an example of also good collaboration -- not just between FDA, HHS, and the private sector, but even within the private sector, having health delivery organizations work closely with medical devices that -- collaborating to ensure patient safety.
GS: So, I want to hone in on that part of you said that practical and pragmatic, really. Because to me, that's what's great within these documents in terms of -- they are calibrated in size to different types of organizations -- different sized organizations. So, if you're a small provider, there's a section of the document that works for you. If you're a large provider, there are components that are relevant for you. And you know, there's something in there for everyone to really help them improve their cybersecurity.
TR: Absolutely. And by having those 10 practices, what we can do is have small groups working on, hey, this is how I'm implementing practice one or practice four. How is somebody else implementing the same practice? And build a community of practice around that, with documentation, best practices guidelines that further elaborate on these areas. So, I think really good opportunity.
GS: So, learning from each other rather than doing it all yourself.
GS: Cool. Well, then building off that, then there's the question of what's the right approach to cybersecurity? And at the end of the day, cybersecurity is an enterprise risk issue, and it should be -- you know, part of an overall risk management plan. So, you know, as part of that, we see there's no one solution that works for everyone. We do not expect any of these practices to become the one requirement set for every organization.
You know, cybersecurity is a dynamic, fast-evolving sector. So, you know, we just don't think that sort of approach would work. But we asked Jeff Bontsas from Ascension Information Services, you know, when do you know if you get it right?
Jeff Bontsas (audio clip): I'm not sure if you ever know you get it right. You really try to create a program or environment where there are multiple layers of protections -- defense in depth where, you know, you have good visibility across your network and you're able to quickly react or you know, isolate an issue once you see something that just isn't right in your environment. I think once you have your process and procedures and technology in place that can do that, you're ahead of the game at this point.
TR: I think Jeff's spot on. Defense in depth is the required mechanism because we just can't anticipate every threat that will manifest in our environments. I also think it aligns very nicely with the NIST Cybersecurity Framework to which we're all accustomed, which highlights the need to first identify your critical assets, then to protect them or prevent bad things from happening. Then, to detect if something goes wrong, quickly respond, and if all else fails, to be able to recover. So, that approach of defense in depth is definitely, I think, the way that most organizations are moving to address the cybersecurity threat.
TR: So, this has been a really good conversation, Greg, and we've covered a lot of ground in a very short period of time. I think we can say at this point that cybersecurity is going to take a collaborative approach, and our efforts to work together have already resulted in progress for the sector.
GS: I agree, Terry. Definitely a lot of progress in the sector. And it's no secret. This is urgent business. But the progress can't be made soon enough, and that's why we're glad to see everyone paying great attention to this issue. So, I think we can close with the point from one of our interviewees. So, we're going to turn to Greg Garcia, with the Health Sector Coordinating Council on ways for folks to get involved, and ways to help support overall sector cybersecurity.
GG: I urge all healthcare providers and health companies to get involved. To lend your expertise, your thought leadership, and ultimately, to take back what the Sector Coordinating Council is developing, in terms of best practices and recommendations so that you can actually implement and operationalize what we are recommending.
Because if we are not actually taking direct action to improve our security and resiliency and really moving the needle on our risk management posture, then everything just becomes shelfware. So, to prevent that, you need to come to the table. You need to add your expertise and thought leadership and your resources and take it back and operationalize it. Go to healthsectorcouncil.org.
TR: The Sector Coordinating Council and the Government Coordinating Council, as Greg points out, have really accomplished a lot so far, given the tremendous dedication of the many volunteers from both organizations. But there's also a lot of work still to be done. And if you're listening to this podcast and you're not involved, I'd encourage you to step up and join the collaboration and participate so we can improve the health sector together.
GS: Absolutely. And you know, with that, we've covered a lot of ground here in this discussion. And I do hope it's been really interesting for folks to hear views from folks out in the sector on how they're dealing with cybersecurity, and what they're doing to address these challenges.
I want to thank Terry Rice from the Healthcare and Public Health Sector Coordinating Council for joining me today on our program, Cybersecurity Is Patient Safety: The importance of healthcare cybersecurity.
TR: And I want to thank you for having me, Greg. It's been a pleasure, and I really am honored to be part of this public-private partnership.
GS: Thank you, Terry. It's -- great discussion today. And we also want to thank all the members of the Health Sector Cybersecurity Council. And those from the 405(d) Initiative for their continued support, and sharing their thoughts with us. We hope that the audience finds this information helpful. For more information and for other updates on our progress, go to: healthsectorcouncil.org or www.phe.gov/405d. And be sure to share the link for this program with your colleagues or anyone you know who could benefit. So, thanks for listening.