In 2015, the Obama administration signed into law the Cybersecurity Act. For the healthcare industry, the move held significant implications — it was the federal government’s way of saying, it’s time to get serious about this issue.
With one piece of legislation, the gauntlet was thrown.
Two years later, the Health Care Industry Cybersecurity Task Force — a diverse group of leaders charged with identifying a list of recommendations to improve cybersecurity practices across the industry — released its report to Congress. Through a series of in-person meetings and calls, representatives from sectors including medical device manufacturing, insurance, and health systems discussed the key challenges in keeping data safe, and what needs to happen going forward.
The key takeaway from having so much experience gathered in one room? For starters, the problem is far more complex than those outside of health IT realize, and it’s going to require a great deal of collaboration, according to Theresa Meadows and David Finn, two members of the 22-person Task Force, who spoke with healthsystemCIO.com about the experience. Secondly — and perhaps even more importantly — the entire approach to cybersecurity must change if we’re going to see positive results. What that means is that security must be viewed as a patient safety issue — not an IT issue.
In this interview, we talked with Meadows, who serves as CIO at Cook Children’s Health Care and has a nursing background, and Finn, a self-proclaimed “recovering CIO” who has been Health IT Officer at Symantec for 8 years, about what they believe to be the most interesting findings from the report, what they learned from serving on the Task Force, and the next steps for CIOs and other leaders.
- Call for “one voice” to represent cybersecurity at HHS
- Action items for CIOs
- No. 1 issue in HHS Wall of Shame
- Beyond HIPAA risk assessments — “That’s a small piece of the bigger security puzzle”
- Lessons learned from the process
- “Everyone sees the importance of protecting patients.”
- Next steps
Finn: There’s always been a lot of confusion in this area — even at the federal level, the FDA sometimes gets ahead of HHS, and vice versa. Now we have the Department of Homeland Security and Information Sharing and Analysis Centers and HCIC and NCIC, and so it’s going to be important that we have one voice at HHS that speaks to this sector. That way, when there are problems that come up, issues that need to be resolved, or ambiguities as to who is responsible, we can go to them and say, ‘What’s the real answer?’
I think that is one of the big issues, and I believe it’s possible. This is certainly not the first call for it. I know both HIMSS and CHIME have called for this role or something similar, so I think this is a doable recommendation. It would really resolve and streamline a lot of the efforts that trickle down in the industry and cause a lot of confusion.
Meadows: I agree. In the discussions I’ve had with Secretary Price, the feedback I’ve gotten is that he feels security is a very high priority. I hope that’s the case and that he’ll take this into consideration, because I believe having someone in that role could be a very big first step in bringing the public and the private sector together. I expect us to have some discussions about this in the near future, because I don’t think this is going to go away. It’s going to continue to bring questions and thoughts about how to move forward.
Gamble: Along those lines, the report identified a number of recommendations that were broken down into various categories, including the federal government and CIOs. What do you feel are the most important action items for CIOs?
Meadows: For me, one of the most important things I can do is ensure I’ve done a good risk assessment of my organization, and I have a strong plan in place to either mitigate problems or address them when they occur, not if, because they probably will occur. The problem is that most people don’t even have a baseline. I think if CIOs spent some time evaluating what the risks are from a security standpoint and putting plans in place — even if they’re only mitigation plans on how to address certain risks — we would be further along than we are today. Hopefully, we will develop a common framework that can be used for those risk assessments, which is one of the things we recommended.
I also think CIOs need to spend a lot of time with their security officer, with their boards, and with their executive leadership focusing on education. Because until everyone is educated and bought into a security strategy, it’ll be very difficult to deliver one. And so from a CIO perspective, that’s where I believe we need to focus.
Finn: I would certainly concur with that. We need to improve our readiness through awareness and education that starts at the lowest levels of the organization, and includes everyone from the CEO to the board. And that education must be done by the CIO and the CISO. That’s number one.
Looking at some of the studies from last year, a third of organizations don’t have a dedicated security person, which was a requirement under the security rule beginning in 2005. That doesn’t even necessarily mean it’s their only job, but it means there is someone who is focused on security. But at the CIO level, that means doing an inventory of your current environment and documenting systems and devices. It’s doing that risk assessment around them; doing the replacements or upgrades that are needed and addressing the issues that can be addressed.
The tricky part is if you have systems running XP and you know they need to be replaced, you probably can’t replace everything in one year. But you need plans for addressing them and hardening the ones that can’t be replaced, and then leveraging what you have within the environment — the network segmentation, isolation of critical devices, hardening — and basically looking at the risks and mitigating the most critical ones, and then prioritizing and working down the line. Like Theresa said, it’s doing the risk assessment that’s been required for many years now. We still find huge gaps; lack of an adequate risk assessment is the number one issue cited on the HHS Wall of Shame.
Meadows: What you find is, if those risk assessments are done, they’re geared toward PHI and HIPAA, and so there’s a huge gap of other security issues that haven’t been looked at or even thought about. That gap has to get closed. People think they’re meeting the intent by doing their HIPAA risk assessment, but that’s just one piece in the bigger security puzzle.
Gamble: Right. I can imagine it was interesting going through this process, as you have more than a dozen people with very different perspectives. What were your overall thoughts on the process, and what did you learn?
Meadows: I learned a lot about a few things. One was about how the federal government works. I think I was pretty naïve about how the decision-making process works and how the different entities within the federal government work. That was a little surprising to me, and so, not having interacted at that level before, I learned a lot.
Secondly, I learned that as much as we like to think everybody’s not passionate about this topic, everybody is. And while we might all have different points of view, at the end of the day we were able to agree that it’s about the patient and ensuring that the patient is protected. So, whether you were a medical device manufacturer, a drug developer, or a security professional at a health plan, everyone saw the importance of protecting the patient.
I think we all learned a lot about each other’s perspectives, and to think about things a little differently. Whereas in the past I would be the first one to complain about the FDA and medical device manufacturers and say, ‘they never do anything to support us,’ now I understand that they have some very large issues they have to address, and it’s not as easy as just sending me a patch. I wish it was, but it’s not. I learned that there’s a process of trying to be a bit more patient but also being more direct in what I need with the people that I partner with. So I think it was very eye-opening from that perspective.
Finn: It sounds like Theresa and I had a very similar experience. I was certainly naive about government operations. But I will add that one of the appealing things of being part of the Task Force was the makeup and the call for the diversity across the healthcare sector. That was one of the reasons I signed up to participate, and as Theresa said, it was very compelling to hear those different perspectives.
To me, the focus on the patient was fascinating, but another interesting thing that emerged is that most of us are from organizations that have the wherewithal to send someone to these meetings and spend the time and effort. We didn’t have a lot of people from small physician practices or critical access hospitals, and yet, everyone on that Task Force recognized that is where most of the care in this country is still happening.
And so you’ll find a lot of references to things we can do for small providers and incentives that can be provided, because they’re the ones who are behind, and for good reason. They don’t have the time, money, or resources. But because we’re all working together now, they represent a risk to the big networks they can connect with, the payers, and the providers. So I was really amazed at the focus on small providers and the recognition that this is still where most of the care in this country happens, and I was very glad to see that.
Meadows: I agree, 100 percent.
Gamble: So the big question many have is, what happens now that the report has been published? What are the next steps?
Finn: It will go to two committees in the House and two in the Senate, and they will digest it, and provide their feedback. What we hope is that the industry, the device makers, and the providers keep moving forward with the recommendations. No one should stop and wait to see what Congress is going to do. Everyone is in a freeze about what’s going to happen with the Affordable Care Act, but the bottom line is that security issues aren’t going to change. No matter how health care is funded, we’ll still need security.
I believe Congress, the Senate, and the House will start to address these issues and make decisions. For instance, one of the things we called for is to complete work on the CISA Act Section 405D. There actually is a 405D work group in place under the Office of the CIO at HHS, and they’re developing a framework to align a healthcare industry cybersecurity approach based on the NIST CSF. So some of this work has already started, and I hope more will be ongoing, but no one should feel compelled to wait for someone else. We all have to do our part in security.
Gamble: Absolutely. The final thing I wanted to ask is, do you feel that the Task Force is on the right track in achieving what it set out to do?
Finn: I believe so. I have to tell you, I’ve been a little surprised at the feedback I’ve gotten from CIOs and CISOs in the industry. I’ve been doing this for about 35 years, and I’ve never seen anything like it. I had a CISO write to me saying, ‘I don’t agree with everything in it, but this is really a good starting point. This is a good way to bring everyone together and start moving in the same direction.’ Not everyone is going to agree with everything in it, but I think everyone agrees we have to improve security in health care. We have not done a good job up to this point, and it’s time to change that approach and make those fixes.
Gamble: Great. Thanks so much for your time, and I look forward to speaking with you both in the future for an update.
Finn: Thank you, Kate.