New Approaches to Health System Cybersecurity
In May 2017, the WannaCry ransomware cryptoworm began attacking computers around the world, encrypting data and demanding ransom payments. In a matter of hours, WannaCry encrypted hundreds of thousands of computers in more than 150 countries, knocking hospitals, government systems, railway networks and private companies offline.
For many cybersecurity professionals, WannaCry marked a turning point. “This event changed our strategy and operations for how to protect our network infrastructure,” said Darren Vianueva, vice president of shared services operations and technology sourcing at Trinity Health. “It erased all the lines drawn between departments and led to a shift in thinking that cybersecurity and protecting the environment was everyone’s responsibility. It changed the way enterprise security, supply chain and clinical engineering work together.”
Like Trinity Health, a number of healthcare organizations are approaching cybersecurity from an enterprise standpoint, but there’s still work to be done. “In the digital age, with so many connected devices across the hospital, an enterprise data security strategy is essential for all healthcare organizations,” says Kent Petty, CHCIO, chief information officer at HealthTrust. “A number of healthcare organizations don’t have an enterprise strategy, and this leads to security issues.”
The Case for an Enterprise Data Security Strategy
The WannaCry ransomware attack proved to professionals across healthcare systems that cybersecurity is crucial. When the attack shut down appointment schedules and health systems worldwide, the affected hospitals had to turn away all patients except emergency cases. It helped frontline workers see firsthand that cybersecurity is important well beyond the IT department.
The possibility of shutting down operations isn’t the only reason that staff across an organization should be aware and alert. There’s also an increasing need to protect employee and patient information. “Healthcare data continues to be very valuable on the black market,” Petty says.
In fact, stealing medical records has become a multibillion-dollar underground business, with such records estimated to be up to 20 times more valuable than a credit card number, according to the InfoSec Institute. Because cybercriminals can sell patient healthcare data at a premium, hospitals remain key targets for cyberattacks. With stolen records, hackers can make phony insurance claims, order prescription drugs or buy equipment to resell on the black market—the options are as endless as they are profitable.
Finally, the concept of the Internet of Things (IoT)—the interconnection of computing devices into physical devices and everyday objects—means there are exponentially more access points for cybercriminals to penetrate a hospital’s network. As healthcare facilities adopt more connected medical devices and equipment, and as more healthcare workers use mobile devices to access the network remotely, the risks increase. For example, some smart watches offer electrocardiogram monitoring, and increasing numbers of handheld devices are being used at the bedside to monitor patients and retrieve patient data. Even Amazon, Google, Apple, Microsoft and other companies are getting in the game with artificially intelligent voice assistants that allow patients to check medication and receive medical advice while at home.
“Think of healthcare as a big circle; in the middle is a core network but outside circle after outside circle represents all the connected devices,” Petty says. “Mobile devices and other connected devices create a lot of exposure, which creates vulnerability. We depend on those devices for health diagnostics, so we need them. But the large amount of data and large number of devices create immense risks.”
Building a Plan That Works
Protecting patient health information, employee data and facility assets from cyber terrorists requires a detailed enterprise cybersecurity plan. Petty recommends three components:
HealthTrust Supplier Initiatives Strengthen Medical Device Security
The sheer number of connected medical devices in use at hospitals adds a significant cybersecurity risk. With so many open entries to hospital networks, blocking cybercriminals “is like trying to keep termites out of your house,” says Kent Petty, CHCIO, chief information officer at HealthTrust. “You plug one hole, and they can easily find another.”
To avoid compromising security, it’s vital to ensure that all
connected devices are protected. For all medical devices under contract with HealthTrust, the GPO provides due diligence to ensure cybersecurity. “Our main goal is to provide valuable information to help members make informed business decisions about the products they purchase,” says Terry Moon, assistant vice president of strategic sourcing, IT and cybersecurity at HealthTrust.
At the point of contracting with a service provider, HealthTrust conducts a formal security risk assessment on medical devices and supplies. “If they’re doing everything right, there are parts of the contract on which we’ll allow more flexibility and freedom,” says Marc Sammons, director of security sourcing at HealthTrust. “If there are some ways they could make their products more secure, we’ll make the contract stricter.”
Each HealthTrust contract includes a robust information security agreement detailing security expectations for every connected medical device. Once a contract is in place, the HealthTrust team keeps track of any vulnerabilities in the devices and notifies members immediately of any potential issues. “Suppliers who find a vulnerability in their products are contractually obligated to notify us before it becomes public,” Sammons says.
HealthTrust’s cybersecurity team partners with suppliers to improve security on contracted devices. For instance, the team recently met with Medtronic representatives to discuss product vulnerabilities and how to mitigate them.
Looking ahead, HealthTrust leaders plan to build a platform that would allow members to automatically collect all available cybersecurity information about every product in the GPO catalog. “We’d like to be able to get information to members without any delays,” Moon says. “Our Security Board is helping us work toward developing an automated platform that could do that more effectively, helping share information quickly so members can make their own determinations for their own business models.”
1. Asset management plan. An asset management plan ensures that facility leaders have governance on all of their technology, including the network, medical devices and electronic health records (EHR). If a problem occurs, they have a complete inventory, including all IV pumps, heart monitors and other devices.
An asset management plan should also include details for patching and upgrading each device, as well as rules for controlling access. For instance, if an employee resigns or is terminated, his access to the network or devices should be removed immediately.
At Trinity Health, four teams— Enterprise Information Systems, Clinical Engineering, Information Systems and Supply Chain Management—created a single approach focused on protecting the system’s digital environment. The collaboration developed a new, comprehensive asset management plan that has helped improve response to adverse events. “At one point, it took us a week to locate and remove an infected device across our multistate health system,” Vianueva says. “Today, we can isolate a device and have it contained and off network in an hour.”
In addition, Trinity Health’s Clinical Engineering team is cross-trained in IT networking skills and has a dedicated sub-team to assess medical device vulnerabilities. These individuals are a part of the event response team and have the ability to deploy patches when a threat to the infrastructure occurs and enact mitigation appliance deployment.
2. Employee training plan. Once an enterprise cybersecurity plan is in place, it’s vital to train employees on a regular basis. Even in an age of sophisticated malware, email remains the area of greatest vulnerability, Petty says. An employee plugging a compromised cell phone into a hospital-issued computer can provide back-door entry for malware into the enterprise network. Employees must be educated consistently and appropriately about using network access and computers as well as how to recognize warning signs and threats.
Trinity Health often offers practical exercises to help employees recognize and respond to potential cybersecurity threats. “Overall, our 137,000 colleagues are much more informed than in the past,” Vianueva reports.
3. Business continuity and disaster recovery plan. Despite the best planning, “sometimes bad things happen,” Petty says. For that reason, every healthcare organization needs a plan for business continuity and disaster recovery.
To ensure those plans are workable, Petty recommends testing them regularly. “Tell employees, ‘Today, payroll is down; what are you going to do?’ ” he says. “Or, ‘The EHR is down; what is your plan?’ Conduct tabletop tests to make sure you could recover in the event of an actual emergency.”
Trinity Health has used the U.S. National Institute of Standards and Technology (NIST) cybersecurity framework to redesign its procurement process, technology and security assessments, supplier evaluations, supplier business reviews, and supplier quality performance team responsibilities. The system uses a five-point maturity scale to measure each of the 23 capabilities within the NIST cybersecurity framework, and a vice president-level employee has ownership and accountability for each sub-category included in the NIST framework.
“As a result of increased malware events and vulnerability identification and notification, we have changed our work processes to ensure these are remediated or mitigated,” Vianueva says. “As suppliers and manufacturers continue to ramp up their efforts and capabilities, this will result in more information to assess and act upon. As the malware environment continues to grow at a rapid rate, those who do not have a strategy supported by people, process and technology will become the more vulnerable targets.”
Understanding Supply Chain’s Role in Cybersecurity
In this environment of increased risk, the entire healthcare organization must take ownership for cybersecurity, but supply chain professionals have a particularly crucial role. At Trinity Health, the system’s supplier and manufacturer base represents one of its biggest cybersecurity challenges, Vianueva says.
“Many of our suppliers originally invested in protecting their systems; however, there was not an approach for keeping their manufactured devices and applications up-to-date through patch deployment, or for upgrading paths for obsolete software in the providers’ environment,” he says.
Supply chain professionals should be aware of the NIST cybersecurity framework standards, Vianueva recommends. In March 2018, NIST upgraded the cybersecurity framework from Version 1.0 to Version 1.1. One of the largest changes with the update was the addition of new supply chain standards (SC-1 through SC-5), which provide guidance on how to perform self-assessments, develop supply chain risk management methods and interact with supply chain stakeholders.
Using these standards, organizations can identify, establish and assess supply chain cybersecurity risk management processes and routinely assess suppliers and third-party partners using tests and audits. The standards also encourage organizations to develop contracts with suppliers and third-party partners to address risk management goals as well as identify untrustworthy partnerships in the supply chain, which may be revealed through poor manufacturing, tampering or malicious code.
“Supply chain plays an important role in cybersecurity, including determining terms and conditions, conducting business reviews, prioritizing suppliers that represent the highest risk, and ensuring good business continuity planning,” Vianueva explains. To perform that role successfully, he recommends engaging with your group purchasing organization and leveraging their contracting capabilities, participating on subcommittees, and sharing best practices and new findings.
For instance, HealthTrust helps members understand the security backgrounds of the products they’re buying, such as connected heart monitors, pacemakers, MRIs and other medical devices, Petty says. “Members rely on HealthTrust and our partners to understand what they’re buying and to make sure it’s secure and doesn’t possess vulnerabilities.”
As interconnectivity increases among medical devices and health information continues to demand high prices on the black market, cybersecurity risks will continue to develop—and supply chain professionals will need to be increasingly vigilant. “There are many bad actors working every day to break down our barriers,” Vianueva says. “The importance of sharing information across the GPO customer base has never been as important as now. Cybersecurity as a supply chain responsibility is our new normal; it’s not going away. Not engaging puts your organization and patients at risk.”Share Email