In 2015, the Obama administration signed into law the Cybersecurity Act. For the healthcare industry, the move held significant implications — it was the federal government’s way of saying, it’s time to get serious about this issue.
With one piece of legislation, the gauntlet was thrown.
Two years later, the Health Care Industry Cybersecurity Task Force — a diverse group of leaders charged with identifying a list of recommendations to improve cybersecurity practices across the industry — released its report to Congress. Through a series of in-person meetings and calls, representatives from sectors including medical device manufacturing, insurance, and health systems discussed the key challenges in keeping data safe, and what needs to happen going forward.
The key takeaway from having so much experience gathered in one room? For starters, the problem is far more complex than those outside of health IT realize, and it’s going to require a great deal of collaboration, according to Theresa Meadows and David Finn, two members of the 22-person Task Force, who spoke with healthsystemCIO.com about the experience. Secondly — and perhaps even more importantly — the entire approach to cybersecurity must change if we’re going to see positive results. What that means is that security must be viewed as a patient safety issue — not an IT issue.
In this interview, we talked with Meadows, who serves as CIO at Cook Children’s Health Care and has a nursing background, and Finn, a self-proclaimed “recovering CIO” who has been Health IT Officer at Symantec for 8 years, about what they believe to be the most interesting findings from the report, what they learned from serving on the Task Force, and the next steps for CIOs and other leaders.
- Key findings from the report
- Complexity of security issues — “It was really eye-opening.”
- “This isn’t an IT or a security issue. It’s a patient safety issue.”
- Challenges with medical devices
- Security as a “strategic function of health care”
- Better education & training for caregivers
- Government incentives for cybersecurity training
Gamble: Two weeks ago, the Cybersecurity Task Force published the highly-anticipated report that was a year in the making. Let’s start by talking about the key findings that came from the report. What stood out most to you?
Meadows: There were a couple of things. Some are probably readily transparent to everybody, but it’s important to point out that there’s a lot of complexity when it comes to security. I’ve gotten a lot of feedback about having 100 recommendations, but what we tried to do is include something for everyone. Because of the complexity of healthcare and how deep and wide security issues can be, we wanted recommendations that could be transferable to anyone. That’s the first thing. For people who are in healthcare, this was common knowledge, but to those who are outside of healthcare and in government, it was really eye-opening to see how complex this issue actually is, and that a single task force is not going to resolve all the different concerns there are around cybersecurity.
The other area where I personally feel we made a lot of headway is the medical device front. There was a lot of excellent work and a lot of hard conversations that occurred around medical devices, and I feel like we might have made some headway with the FDA around some of the recommendations. Initially, I wasn’t sure how that would go. But we made progress as far as understanding and really appreciating what the issues are.
Finn: Absolutely. The recent ransomware attacks began alerting CEOs, CFOs and boards of directors that this was bigger than a technical issue or a security issue. And so I think it’s important that the Task Force report starts out by saying, ‘This is not an IT issue. It’s not a security issue. This is a patient care and a patient safety issue, and we need to address it like that.’ That’s probably the underlying theme. You have a government Task Force saying, ‘Security is wonderful. Privacy is wonderful, but we’re talking about patient lives.’ And I think that will change the momentum now that we’re talking about what it really is, and not trying to throw security under the bus.
That was a big theme to me. Going back to my CIO days, one of the issues we had was that everyone thought we had all the privacy and security rules we needed with HIPAA. But they were very ambiguous. They were very descriptive rather than prescriptive. There were conflicts with state laws. There were conflicts within federal agencies about who did what, who could regulate what, and how it was regulated. And so, to me it’s imperative to define and establish leadership governance and expectations for the industry. If we can reach a common ground and agree that this is a patient safety issue and all start moving in the same direction, that would be a major event.
This was one of the real wake-up calls, as Theresa talked about. While those who are in the provider space certainly understood it, the Task Force members who are from medical device makers or big pharma really had to start to understand that we need to meet organizations wherever they are. Big organizations are much further down the road with security than private physician practices, and this report recognizes that by saying, ‘These are the recommendations. If you’ve done them, great. If you haven’t, here is where you start. But let’s all start moving toward the same goal.’
Gamble: That’s a great point. Theresa, you brought up medical devices. Is there an issue as to where the responsibility falls? What were the key findings?
Meadows: I’m not sure it’s about who is responsible; I think it’s more about where to start. Because if you look at medical devices, there’s a huge legacy issue. These devices aren’t managed on the same type of cycle that you would see with EMR software, or even any other piece of software in any industry. Typically, when you buy a medical device, you’re banking on a 10- to 15-year life, and the investment is quite large. The problem is that when we initially bought these devices, there was no expectation of integration. There was no expectation of connecting to an EHR. And so the issue is twofold: how do we address all the legacy issues that exist in the current market, and how will we address the issue going forward with new devices?
There certainly is a lot of responsibility on new device development that lies with the manufacturers, but how do we solve the problem of the legacy devices, and how do we move that forward? That’s going to require collaboration, because as a CIO, the last thing I want to hear is, ‘We can fix your security issue, but that means you’re going to have to spend 10 million and replace all of your IV pumps.’ That’s not really going to be a fun conversation to have. And so I think the legacy issue is much harder to address than the go-forward stance.
Finn: Theresa just described the biggest issue, and it really is two separate problems. The first is how to fix this going forward — that’s actually relatively straightforward. The report calls on device makers and the government to step up their involvement, and recognizes that providers will have to play a role. But by far the bigger issue is the legacy systems. That, unfortunately, will fall on the device makers in how they encapsulate or close off those devices. And the answer is not, and simply cannot be, ‘We’re going to end-of-life all of the equipment, and hospital providers will have to buy everything new from scratch.’ That is not a viable option.
We all got into this mess together. We recognize that we have to climb out of it and solve these issues together. And that’s one of the appealing things — the diversity of the Task Force. To say it’s just the device makers or the hospitals or big pharma just isn’t going to do it. We’re all going to have to sit down together, whether it’s under government auspices, or just the industry itself saying, ‘Look, we created a mess. It’s time for us to develop a plan to address it.’ But the overwhelming theme is that it’s going to take involvement from everyone.
Gamble: The need for collaboration was definitely a big theme in the recommendations, and I can see why. Another thing that really struck me was the point that some organizations feel they are forced to choose between cybersecurity and other key initiatives because of resource constraints. What can be done to help alleviate this?
Finn: That’s a very good question, and that’s one of the important reasons to frame this as a patient care, quality of care, and patient safety issue. Theresa’s still in that environment and has a nursing background, so she really understands that — not just from a CIO perspective, but from a caregiver perspective, which very few of us have.
That’s exactly the issue. We need to forget about this as an IT problem. IT has to be involved, but it really is a patient issue. And all of a sudden, that shifts the focus for a CEO, CNO, or CFO, because now it’s about the business. At the end of the day, security really is a strategic function of health care. Although it hasn’t historically been viewed that way, now it has to be, because it can shut a hospital down. It can hurt a patient, or in the worst-case scenario, kill a patient. So we’re going to have to look at this differently and change the way we think about data and security. That gets back to some of the other imperatives like the healthcare workforce, and the awareness and education and training for those individuals on the front line who are seeing patients, caring for patients, and delivering the care and the associated services around. This needs to be a long-term effort, and it’s going to be a cultural and societal change as well.
Meadows: To your question about how the government can get more involved, this is the perfect opportunity to create more incentives for people to cultivate security awareness and personnel, much like they did with Meaningful Use, where they developed centers to help small physician offices become compliant in understanding the requirements. I think there’s an opportunity to offer funding or incentives around educating more security personnel.
The reality is, when it comes to security, everyone has to be educated. We can’t just say, ‘Well, the CISO is educated, so I don’t need to know anything.’ That’s not enough. We need across-the-board education to help people really understand all the risks associated with it. And I think incentives can be used to help start to form a workforce that’s highly educated around security.
Gamble: You brought up CISOs, and as we know, a lot of organizations don’t have someone in that role, which leaves a sizeable gap in terms of security expertise.
Meadows: Absolutely. And even if you do, it’s very difficult to retain good security personnel. Having just recently gone through this, my team knows that if you have a strong person, they can get recruited and go somewhere else, and then you’re in an in-between point. Even organizations that are highly evolved reach those points where you need security expertise, and so I think it’s going to be an ongoing struggle to get more visibility into the education and development of security professionals.