Participants:
- Art Layne, executive vice president at Cognetyx
- Feisal Nanji, executive director at Techumen
- David Finn, health IT officer at Symantec
- Santosh Varughese, president at Cognetyx
- Warren Brennan, co-founder of New Health Analytics
- Jeff Byers, associate editor, Healthcare Dive (moderator)
This transcript has been lightly edited for clarity.
Healthcare Dive: Most hospitals know that cybersecurity and breaches are important. Knowing this is a daily threat, what's the next step for prevention?
David Finn: Healthcare should be doing what every other regulated industry has been doing for decades. It starts with asking the right questions, which the industry has not done yet. When healthcare leaders outside of IT talk about cybersecurity today, the question is usually, “How do we protect ourselves and comply with all these regulations, and how do we keep from being the next headline?” The question should be, “How can we make good, rational decisions (business and clinical) given the risks we face?” You will always get the wrong answer if you ask the wrong question, and the results have borne that out, consistently and repeatedly. Far too often security is relegated to the IT department rather than making it a strategic function of the business.
The five key principles of compliance and security are governance; secure information access; information protection; infrastructure management; and infrastructure security and protection.
Don’t get me wrong, there are a lot of tools, training, and workflows as you look across these areas but it all starts with governance, in this case, information governance. Like any other critical asset (people, capital, or inventory), information is a strategic asset that requires high-level oversight in order to be able to use it effectively for decision-making, for performance improvement, for cost management, and for risk management. Strong information governance will shift the focus from technology solutions to the people and policies that generate, use, and manage the data and information required for care and the related process. This means making information security not only a technology issue but a business issue. You will always need security tools around the data but the business must assess and manage risk with technical guidance from not only IT but all stakeholders in the data/information.
Feisal Nanji: We have to change the notion of governance. If we think about who the security officer reported to, typically it's the CIO. The CIO is also responsible for operations and if you saddle them with the IT monitoring function, which is what security is, then you in essence have the fox around the henhouse. The operational demands on a CIO in a hospital are insanely huge. So what needs to be done? There needs to be a dotted line toward general counsel because you need to have this healthy tension between IT operations and IT security and if you don't do that, you're going to fail.
Santosh Varughese: A key consideration needs to be on understanding what the problem is. Over the last several decades, the solution for data breaches has been focused on the network and that obviously has not worked very well and I believe that there's a transition that's going on today that is focused on the protection of the data because in the last few years an idea has emerged called "breach acceptance." In other words, all of the technology and solutions that have been deployed to protect the network which is sort of the outside wall -- what's thought to be the only way to protect against breaches -- have not worked very well. So over the last few years, the idea has developed going into the future as the amount of data is accelerating that we have to understand this kind of situation where data breaches occur. The focus needs to also be on the actual data and how we're going to be protecting the actual data once a breach occurs, which they will. The only way you can apply solutions to that is by looking at new technology.
Healthcare Dive: Hospitals have a slow culture change; CIOs and CMIOs -- in terms of data and cybersecurity -- note budgets don't always allow for robust prevention solutions. What can be done from their end?
Feisal: If you really think about what a hospital is, it's a very open environment and the fundamental purpose for a hospital is to provide excellent care to make sure patients are safe. When you take a look at what needs to go on, CIOs need to take a step back and understand what their business is and realize that based on the business, there are certain things that can change and some that cannot. A hospital is composed of a couple of major elements. For one, clinical delivery. This is fundamentally important because clinicians are very stressed out and you cannot upset clinical workflows so if you're thinking about any kind of security or service effort, it's fundamental not to upset any kind of clinical workflow. This is one of the reasons it's been slow to move the shift in the right direction. You also have this notion of clinical management. Clinical management is how you actually manage the vast teams of nurses and doctors and therapists providing these services. A lot of security issues come from insider threats. A third piece is this notion of clinical research. That is a fundamental problem especially in academic medical centers where it's very loosey-goosey on how people handle data because they want to use data to figure out how best to provide new care protocols in the future or to test pharmaceuticals.
It's a monstrously complex system. The revenue cycle includes discharge and transfers information you have to extract. Then you have to code and if you use external coders, you have to sanitize your coding submissions because the CMS -- which pays for much of this -- will really strangle you with fines and so forth. Then you have procurement and HR so when you think about all the clinical preparation and the business processes in a very open environment, you have to make sure that fundamentally you're not upsetting patient care or impeding clinical workflow. That is fundamental for what a CIO has to do so whatever tools and solutions you might want to adopt, you have to realize this is a fundamental problem that CIOs very much struggle with. Your problem is the massive free flow of information that occurs in thousands of databases. It's not easy.
Warren Brennan: I think there has been a profound change in the workforce skills and attitudes. I think this is a generational shift. The personnel that are in place today and the issues of import to them do not include protection of data or such security. They are struggling to use the tools they have -- many of which are antiquated -- and their own personal skills are quite antiquated. I think one of the profound issues is going to be a very long learning curve in the 12 to 17 million people that are employed in healthcare.
Santosh: You're absolutely right. I believe healthcare is in a way disconnected. So far within the last couple of decades, we've been racing ahead going from paper to digital. However, a fundamental idea was missed: The data is part and parcel of healthcare delivery. It has been an afterthought. That's why the disconnect has occurred between delivery and the data required to support that activity. A fundamental thinking we need to change is healthcare delivery must include the protection of the data that is required to deliver that healthcare. Either the data that are presented to the healthcare system before the delivery and the data that is created during the delivery. That kind of thinking was and still is not here. It will take a generational shift to understand the importance of that because data for health organizations is a strategic asset but I don't think it's considered as one.
Feisal: I actually disagree with you on that. Maybe so five years ago but now in any hospital environment -- with more than 10 beds especially -- everyone knows that data privacy is fundamentally paramount. They are terrified of fines. They recognize this so this has occurred in the last two or three years. I think there has been a seismic shift. The question is what do we do about it. The notion of using data to provide better care protocols is a massive undertaking and it's just started, spurred on by the ACA, a new business model. You have all these quality measures that will require vast volumes of data and they still don't know how to protect it as well as they should.
Santosh: No, I agree with you on that one. I'm not talking about the privacy aspect. I know that's all becoming very clear. I'm talking about the fundamental asset of the data to be used in many different ways, not just protection of data. I agree with you but I'm talking about the use of data or consideration of data as a strategic asset just like other assets: Buildings, equipment, things like that. There was a disconnect over the last couple of decades and it is now only occurring in the minds of leadership to realize that data is a part and parcel of healthcare delivery and it has to continue in that way. I believe there are still a lot of people in leadership that do not look at data as a strategic asset. But you're right. Maybe instead of a seismic shift there's a bunch of little tremors here and there and that seismic shift is still a long ways to go before it has any major impact. But I agree with you in terms of privacy.
Feisal: What you're saying is two different things. One is that people aren't aware of security. I think that's not true but what I think you said correctly is that information as a strategic asset is only just being recognized at hospitals and I agree with that.
Healthcare Dive: What do providers need to know about implications of future data-sharing among healthcare professionals?
Warren: The reciprocal question is where are they going to learn what they need to know? This is an industry at the leadership level that is partially clinical and increasingly so at the executive level and the managerial schools and education -- I don't mean to demean them -- but I would assert that very few if any of them have the educational content in that curriculum to be preparing such people today.
Santosh: I totally agree with this.
Warren: The industry is probably where they're going to get their education. A vendor community will probably be the source where most of these people come from in the first meaningful generation of having security officers.
Art Layne: There is a need for more education about the current state of data security and the magnitude of breaches occurring in healthcare. From the perspective of a hospital CEO, a data breach is one of the worst things to deal with. It's not like many other companies where customers are simply account numbers. When hospital PHI is stolen, it will include medical records for virtually every employee, physician, board member and local leaders as well as all of their families. It's not like shutting down a credit card. PHI data can be used to create complete identities, forge passports, steal health services and blackmail patients for years. At some point, patients will hold healthcare providers accountable for these breaches and no longer accept monitoring services as sufficient for what can be years of consequences. Providers will then have to make some hard decisions about the resources needed to deal with a problem that is getting worse every year.
Healthcare Dive: What types of technology, new or old, have been working for data protection?
Feisal: You've got to have a wide range of access. You can't simply say “These are my applications.” The internet is blowing that apart. There are lots of ways in which data can get lost and there are new avenues for data use especially through the web and cloud based applications so you can say a lot of tools don't work. Most hospitals don't realize a lot of people probably have data privilege that they shouldn't be having so privilege management -- who has the keys to the kingdom -- shouldn’t exceed more than a handful of people. Instead, we find thousands of people have keys to the kingdom and you got to use tools that allow you to manage this properly. Some tools that haven't worked that have been hyped are security information event management systems because they're clunky to operate and very complicated. They need to be simplified. Another area is cloud applications. Most hospitals don't even know which people are using which cloud applications so they're dumping tons of data onto the cloud without recognizing they might not have a BAA with that cloud vendor. And that's a problem because every department wants a specialized web application which is now a cloud-based application. A lot of these haven't been vetted or analyzed so there isn't really a process -- forget about tools -- for the hospitals to identify who’s using which cloud application and when. We finally have emerging tools called cloud access security brokers which are touching on this. But there is still a huge problem in providing too much access to too many people to too much data. How that's going to get solved is a little more complicated and it requires both a process understanding and limiting interactions with people who should not have data.
Healthcare Dive: Have you dealt with a breach? What did you learn?
Warren: I can make an external statement. This is a public case. A large multi-hospital system in Maryland found itself with ransomware in six or seven of its hospitals. Completely shut down its EMRs and communications and they tried to go back to paper operations in the interim. The problem was that the only people that remembered the paper system were over the age of 45. Utter striking chaos.
Feisal: I was doing work at a hospital system and they had a very simple breach. It was a shared point site that was incorrectly administered and you had lost very minor data but it was a lot of patients. What happened immediately was a whole flurry of losses. It's very important to have a prepared plan. Make sure you know that your marketing and communications teams have templates ready to go. The response is particularly important. You want to take responsibility right up front and explain fully what's going on and be transparent. I think that's important that you don't lose any patient confidence because once you start losing patient confidence, you start losing your customers.
Healthcare Dive: Do patients actually notice these breaches and how is confidence actually affected?
Warren: In the specific case I was referencing in Maryland, there was a significant concern. Many patients came back saying "I want to opt out of the system. I don't want my data stored." Whole new problems arise.
Art: I agree with Warren. Three months ago, there was a data breach of about 7.3 million records from a large health system and the records that were breached, the patients received a notification that they were going to provide a monitoring service but they didn't think any data had actually been stolen. Within a week, my daughter told me multiple applications had been submitted to credit cards using all her record information. She made it clear to me she would not go back to that health system. I have no doubt there are going to be many patients that will be blackmailed with the information that was stolen and there will be lots of stolen IDs. I have not talked to anyone in this large community that has not been affected by that breach that does not have concern and does not have questions about whether or not they are going to go back to their health system.
Warren: From the operating side. I'm a vendor in the healthcare industry from the data analytics side. We all sign BAAs with some skill and precision and historically the indemnification clause has typically been at the order of two times for professional services. So if I perform $20,000 worth of work for you, I got a $40,000 risk. I'm getting significant evidence across the industry here the parent organizations -- health systems -- are demanding the indemnification clause start at $5 million for any vendor anywhere in the system because the cost of the breach is in excess of $4 million and that is going to change potentially significant relations between vendors and providers.
Healthcare Dive: How long do you think it will take to meaningfully reduce the hacks that seem to occur daily?
David: Well, that’s a trick question, in my book, but a good one. The hacks and attacks will not abate in the foreseeable future. Can we reduce the number of successful data breaches and ransomware attacks, for example? Yes, and we could do that fairly quickly with some training of end-users, with some additional tools and/or services at the organization level and with appropriate staffing and training of the security and risk management functions in healthcare. That will take Board-level and Senior Management engagement and sponsorship. I can tell you that we’ve seen success in both these areas with minimal investment. It just takes the focus and organizational will to make the change. And then you have to begin to design and implement security as a strategy driven by the business needs -- that is probably a 3- to 5-year effort. But that is when you’ll see real change. When IT and information management become strategic functions of the business. No one lets their buildings go unmaintained and yet the data is just as important an asset as the facility. I’d say that it is more important. The data actually represents the patient and no one leaves patients unattended or unprotected in their hospital or clinic. Why would you not protect their information to the same degree?