The health IT industry is approaching a pivotal time with security. Although most leaders seem to understand the ramifications of a data breach, there is still a lack of awareness when it comes to how critical a cybersecurity strategy can be — particularly when most of the work happens behind the scenes. Two people who are trying to change that are CIO Rod Dykehouse and CISO Matt Snyder of Penn State Hershey Medical Center.
In this interview, they talk about the CISO’s role as point person during a crisis, the CIO’s role in communicating the value of cybersecurity initiatives, the difference between compliance and security, and the misconceptions when it comes to federal regulations. As organizations continue to grow, the need to get a better handle on data protection will only increase, according to Dykehouse, who has been with the organization for nearly five years, and Snyder, who was hired in 2014. The two also discuss their strategy in negotiating with vendors to increase device safety.
Q&A With Rodney Dykehouse, CIO, and Matthew Snyder, CISO, Penn State Hershey Medical Center, Part 2
Gamble: Matt, this is your first role in health care. What were your thoughts going in? Can you talk about the learning curve and how different it was compared to other industries?
Snyder: I know Rod’s laughing as you say this, because I look 10 years older from when I started here. In my past experience, I had dealt with HIPAA requirements. I worked at organizations where we had physiological and radiological monitoring, and there was some protected health information. So I had familiarization with the regulatory part of it.
What really surprised me coming out of the federal and state government — where we’ve been dealing with cyber threats a lot longer — is the lack of awareness in healthcare about what the threat is, how to respond, and the widely varying approach that’s being taken to meet requirements. I think people forget that this is a regulated industry. Yes, we’re here to serve patients — that’s our primary mission. But you have to do it within this construct of data protection.
When you look at the approaches being taken by different healthcare systems and hospitals, some of them are taking the straight compliance approach of, ‘I have a checklist and I’m going to do these 10 things, and when we do that, we’ll be HIPAA-compliant, and that’s enough.’ Or, ‘we’ve met PCI compliance and that’s enough.’ They’re taking that approach. And then you have other people who take the auditor approach, which is very closely aligned with compliance, and still others who take more of a risk-based approach. It’s just the wide spectrum of varying maturity levels, varying approaches to security, and a lack of standardization across the industry on what it means to be HIPAA-compliant, or to meet a regulatory framework.
When I look at medical devices, it reminds me of data systems from several years ago like industrial control systems. They weren’t made to be put on networks. They weren’t made to be connected to the Internet. They were meant to be isolated standalone devices. And then one day we put them all in the network, and we’re surprised that they’re vulnerable and being attacked. I would say that’s what caught me off-guard the most, that healthcare is in the development phase, and things are pretty ad hoc, whereas a lot of industries have already gone through the maturity cycle. That’s the challenge.
Dykehouse: To expand on that a little bit, healthcare has always been focused on privacy around PHI and protecting the patient’s information, somewhat because of HIPAA, largely because of the nature of what we do and the importance of that when dealing with the clinical environment. But I think health care has used privacy as a proxy for cybersecurity, and that is a very distinct difference. I think the industry has suffered with the transition that cybersecurity is much broader than privacy. If your systems are not secure, then you’re not going to be able to maintain things as private in that regard. I believe, as Matt said, it’s a matter of maturation, but we have a lot of catching up to do to get to that cyber-secure environment, and being certain that things remain private within our systems and processes is a critical component.
Gamble: Right. One of the things you said during the CHIME TED Talk session at last fall’s forum was, ‘compliance is not security.’ Can you talk about that conception and the misperceptions that are out there?
Dykehouse: I think healthcare largely has focused a lot on policy. ‘This is the policy and people shouldn’t do this, so we claim they’re not doing it.’ In reality, people are people. Just because it’s a policy, doesn’t mean everybody abides by it all the time, and so we can’t just assume that’s the case. We’ve had some very strong and appropriate policies here, and in other places where I’ve been. But cybersecurity goes much further and deeper to provide technology and other protections to be able to audit and verify that the policies, compliance, and so forth are in place.
Snyder: This is one of my favorite topics for discussion, primarily because I used to interact heavily with chief auditing officers and third party assessors. And I always thought it was really interesting when I would have somebody do a cybersecurity audit. They’d come in with a perfectly developed vendor-specific checklist — ‘Do you have a policy? Yes? Okay, great.’ Then they’d go down this list of items: what are your password complexity requirements, etc. And just like we saw at Target and everywhere else, compliance does not translate into effective cybersecurity. Compliance is the bare minimum.
Another thing that’s important — and I know audit folks don’t like to hear this — but sometimes you’re being audited by people that don’t understand cybersecurity. They are not practitioners. They probably don’t have a lot of implementation experience — at least in most cases — and they’re really challenged to understand. They’ll give you a list of things you should be doing, and you’ll say, ‘that might cost us $100 million.’ We don’t have $100 million to spend. We have to make a lot of risk-based decisions and make those types of changes to our organization, but compliance doesn’t accept that. Compliance says, ‘do XYZ.’ It’s black and white. Cybersecurity is not black and white. Cybersecurity is completely gray.
What bothers me is when I see the CISO reporting to the chief compliance officer. Because when that happens, you know the program has been taken to some degree and changed into a checkbox, and it’s, ‘Yes, we’re doing the bare minimum, and we’re 100 percent compliant.’ You look back at those organizations after there’s a breach, and you find that they’re not really doing effective cybersecurity. They’re not out there doing continuous diagnostics and mitigation. They’re not out there doing real-time testing of their security controls. They were just checking the box, and that is a huge challenge, especially when you start to look at HIPAA.
If you look at the majority of HIPAA fines, about 80 percent reference risk management. They always ding a lack of effective risk management process and lack of effective risk documentation, and that’s really what cybersecurity is. It’s a bunch of informed and risk-based decisions that you make based on the best available information you have, and it can go either way. Sometimes it works out; sometimes it doesn’t.
The other issue is that there are a lot of different interpretations even within OCR and the other auditing agencies, because it really depends on the person that’s there. It’s like driving down a road where there are posted speed limits, but there are 10 sheriffs running a radar, and each one has their own interpretation of what too fast is.
Gamble: Right. Another topic I wanted to touch on is the leader’s role in pushing manufacturers and vendors when it comes to things like medical devices and getting the right wording into contracts. I’d like to get your thoughts on that.
Dykehouse: Sure. Just as I think the healthcare industry is maturing in its understanding of cybersecurity needs, demands, and threats, the medical device industry has done the same. The problem we have with medical device manufacturers is that largely to date, they have not designed or built in basic cybersecurity protection. Historically, as buyers of that equipment, we haven’t demanded attestation for cybersecurity in the contracts. And so in that regard, we’re all guilty.
There remains, I believe, a very strong resistance by the medical device manufacturers to the question, ‘why don’t you’ because their answer is, ‘You haven’t demanded it.’ If there are one or two manufacturers of patient monitors and neither one offers it, how do you negotiate that into a contract? So we have a long way to go.
Part of it falls on the FDA. I think there’s a very significant role that the federal government needs to play in terms of mandating, not providing guidance for cybersecurity protections. They need to say that if you’re going to build it, cybersecurity must be built into that. And even if the FDA says that today, the lead time to get these things designed, built, and in the marketplace to replace the unsecure devices is very long.
Over the next two or three years, we’ll be purchasing up to $30 million of patient physiological monitors. We’re going to buy what’s currently available in the marketplace, and they’ll be installed here for six to 10 years, or perhaps longer. And I can’t imagine what the increasing complexity and efficiency of cybersecurity threats will be in 10 years. The obligation to keep it secure falls on us before it gets to those devices, and that’s a problem. This applies to IV pumps, to implantable devices, defibrillators, everything. As an industry and a population, we need to be very sensitive and aware of this challenge and the manufacturers should take it upon themselves to get in front of this. We’re seeing a little bit of that, but there’s still great resistance to it.
Snyder: To expand on what Rod said, as providers, we deeply care about our patients and we are going to eat as much risk as necessary to be able to care for those patients effectively. That’s our entire mission. When medical device manufacturers create devices that come with hard-coded passwords that are vulnerable and not being patched, in essence what they have done is basically indemnify themselves and fully transfer that risk off to the provider, and we have to accept that risk because we need it to treat patients.
To say that’s one-sided is an understatement. We’re not going to say, ‘no, can’t buy this device,’ knowing it can be used in the critical care of a patient. We’re going to buy it. We’re going to accept it even with these vulnerabilities because the benefit outweighs the risk in that scenario. But the way these contracts are being structured is basically, ‘take it or leave it.’
The medical device manufacturers know that cybersecurity is important and the FDA has put out pre and post-market guidance on this, but it’s just that: guidance. Medical devices aren’t like traditional IT systems. IT systems have a five- to seven-year lifecycle where things are being refreshed. Medical devices really run on a 10- to 15-year lifecycle. The process of making devices cyber-safe is going to take a very long time, even if we started today.
I also think contracts are important because there’s a lack of understanding on the roles and responsibilities between providers and manufacturers, and sometimes there’s a lack of transparency. You might get a device that says it’s compliant, but you need to do 50 things and configure it 50 ways to meet requirements, and that’s not always understood upfront.
Gamble: Does this apply to Internet of Things devices as well?
Snyder: Yes. In some instances, Internet of Things (IoT) devices have the same characteristics as medical devices. They’re being built with hard-coded passwords that are the same on all the devices and can’t be changed easily. They’re not being patched or managed as effectively as they could be. I think we’re going to see a natural linkage between these devices.
We also need to remember that something is going to occur with one of these devices; it’s just a matter of time. When that happens, we don’t want to see an erosion of trust between providers and patients. This needs to be addressed, and soon.
Gamble: Any final thoughts for CISOs and CIOs on the importance of staying on top of these issues and staying in communication with each other?
Snyder: The most important thing is you have to communicate all the time. There has to be transparency. You have to talk about where you’re at, how things are going, and how you’re going to work with all these other teams. Cybersecurity can’t be done alone. That’s really important. And education is also a huge factor. You have to educate your workforce; they’re the first line of defense. You have to continue that education. You have to talk about uncomfortable things. There has to be risk-based decision-making that’s occurring.
And you don’t ever want to be the only person that knows all the bad news. You want to make sure there’s transparency and universal understanding. I’m always striving to make sure executive leadership is informed of the risk that we’re facing and the risk that we’re accepting, and making sure that risk is acceptable to them, and allowing them to influence and provide feedback on how I can course-correct. When you’re dealing with an issue as complex as cybersecurity, that communication and trust with them is paramount to build an effective program.
Dykehouse: I would echo that. Matt clearly has the passion you want in a CISO. He’s a great addition to our team and he’s a great leader. We’ve come a lot farther in terms of awareness and understanding with him pushing us.
Gamble: Great. Well this has been really interesting and enlightening, and I really appreciate both of you taking the time to talk. Thanks so much, and best of luck going forward!