Of the myriad challenges Erik Decker has faced in the two decades he has spent in IT (including 12 in information security), perhaps none was more daunting than collaborating with some 150 colleagues to develop a set of best practices for managing cybersecurity threats. Beyond that, the goal was to provide an answer to the often-asked question, “What do we need to be doing?” and tailor it based on the size of the organization. After a year and a half of discussions and “healthy debates,” the group has come to a consensus, which will be detailed in a report due out later this year.
In this interview, Decker, who serves as Chief Security and Privacy Officer at University of Chicago Medicine and is wrapping up a term as AEHIS Board Chair, talks about the “awe-inspiring” experience of being part of 405(d), how the relationship between providers and device manufacturers has evolved, and the key challenges facing CISOs.
- Best practice sharing in cybersecurity – “It’s like an immune system.”
- Threats that “move at machine speed”
- Prioritization challenges: “Do I put the dollar in the security pocket or the patient care pocket?”
- Detection & incident response: “It’s getting in early so you can snuff it out quickly.”
- Categories of threat actors
- Medical device security & the “finger pointing”
Gamble: Hi Erik, thanks so much for joining us today. It’s becoming increasingly important to stay on top of cybersecurity challenges, so we look forward to hearing your thoughts. First, can you tell us a little bit about your organization?
Decker: Sure. University of Chicago Medicine is a multihospital system with several ambulatory sites as well as off-site clinics and physician practices. We’re one of the premier academic medical centers in the country, and we focus quite a bit on the tripartite mission of research, care, and education through training future physicians, innovating and discovering new science, and providing specialized care to our patients.
Gamble: You’ve been with the organization since 2014, but have been in the information security sector for a while longer. Can you talk about the collaboration that goes on among CISOs and other cybersecurity leaders across the industry to help improve cybersecurity?
Decker: Sure. There are specific organizations like ISAC (Information Sharing and Analysis Center) and Information Sharing and Analysis Organizations (ISAO), which provide a forum for cybersecurity professionals to notify each other about malicious activity, and share best practices as well as indicators of compromise (IOC). These are very structured data elements that we can share with one another — if someone sees malicious activity, they can notify others and take proactive measures. It’s like an immune system; the idea is once someone becomes aware of a bad agent at play, they can let the whole body know.
Gamble: How is that type of information usually communicated?
Decker: There are a lot of different ways. There’s a lot of maturity in the space that still needs to happen. A good portion of it happens through standard email or specialized messaging platforms, which is good because it allows security professionals to get to know one another, ask questions, and get answers. It’s not ideal, though, in an era where threats move at machine speed, whereas communication through emails and texting does not.
There are, however, ways to achieve that. There are a few formats out there, like STIX and TAXII, and there’s specialized technology that can ingest threat intelligence information in highly structured manners, but I would definitely say it’s still not at the level where we’re able to just feed the system with confirmed threat data that can then be propagated everywhere and everybody can consume it in real time. It’s a matter of what level of sophistication organizations have reached, and how well can they consume the information.
Gamble: Right. So, at the CHIME Advocacy Summit last month, you talked about detection and response, which often gets lost in the shuffle with cybersecurity conversations. What do you think are the biggest challenges with creating and maintaining an effective incident response strategy?
Decker: If you think about it, there are many different types of players and organizations that make up the healthcare sector, and they come with a varied degree of sophistication and resources. And so, a large system like University of Chicago Medicine, which has provided a lot of resources and support to establish a strategic security program, although we do have our challenges, doesn’t struggle as much as the small critical access hospital in the middle of Idaho, where the margins are thin. For some of these organizations, it’s literally a question of, do I put the dollar in the security pocket or the patient care pocket? How can anyone make that choice?
It’s very difficult for folks who don’t even have dedicated security people to be able to stay up on detection and response. The first thing everyone does is put prevention mechanisms in place, and that’s good — prevention is critical. But once that’s in place, you have to move on to the next thing, whether that’s security, or any other IT needs.
Leaders are forced to make tradeoffs, and so it’s really difficult for folks to invest as much in the detection and response side of the house as they want to. What happens — and I’m speaking about the industry in general — is that those institutions will adapt some type of detection capability. They have a general response of what to do when a cyber incident rises up to the level where it has become a problem and they can respond accordingly, but they’re not necessarily doing proactive work.
To use the immune system analogy, it’s responding to a cold after you’ve already been infected. Instead of taking Tamiflu at the first indication of a sniffle, which can lessen the impact, it’s waiting until you have a full-blown cold and are down for the count. It’s the same thing with cybersecurity — at what point can organizations identify the problem? That’s what the detection and response capability is all about. It’s getting in early so you can snuff it out quickly.
Gamble: I imagine one of the challenges there is staying on top of all the different types of threats that are out there.
Decker: There are so many bad actors, and so many ways in which they can do bad things, and that’s not counting the unintentional incidents. We consider those to be threats as well. And so you have the intent behind these incidents, and the level of sophistication of that intent. We have a model where we group the various threat actors into buckets based on their motivations so we can understand that context as we develop and implement our programs. It ranges from the nefarious single individual who’s trying to make a name, to the group of individuals who are essentially committing a crime of opportunity, to activists who have a very specific purpose in mind. Unfortunately, these groups have gone after health systems, with the most disturbing example being when Boston Children’s Hospital was targeted by Anonymous.
It’s hard to imagine, but it happens — even to a children’s hospital. And then there are higher levels of sophistication, like organized crime, which is focused on economic gains, and terrorism. It’s something that, unfortunately, has to be on our radar because of the direct threat it poses to patient safety. If these groups have the capability, they’ll go after a connected medical device.
Finally, there are nation-state cyberattacks. These are really difficult, because now you’re talking about protecting the organization against a state actor, where the motivations aren’t about shutting down the hospital or causing harm — they’re around espionage. What can we take from health systems that will help those in developing countries have a competitive edge against the United States? This one hasn’t been talked about a lot, at least not yet. I believe it will become a bigger focus in the next five years.
Gamble: It’s pretty daunting.
Decker: It is, for sure. And there are a million different touchpoints inside of a health system, especially a large system. To try to keep your arms around all of these touchpoints, which are organic and fluid — that’s the challenge cybersecurity professionals and IT professionals face.
Gamble: Let’s talk about device security. In a recent CHIME-KLAS survey, a large percentage of health IT executives identified manufacturer-related factors (such as out-of-date operating systems or an inability to patch) as root causes of medical device security issues. Is that consistent with what you’ve seen?
Decker: Absolutely. This is another challenging area, because you can’t just point the finger at one particular party and say, ‘that’s the reason we’re having this problem.’ If it were that easy, the problem would have been fixed a long time ago.
If you think about the lifecycle of a medical device, manufacturers go through exhaustive and extensive testing processes when they develop new products, and those time horizons are years in the making. If, for example, they’re embedding Microsoft Windows into a medical device, during that period of time before it gets cleared by the FDA to be released to the public, you might have already cut off about five years on the effective lifecycle of the operating system.
By the time it actually hits the market, it might have maybe two or three years of effective life according to Microsoft’s patching schedules and OS maintenance. And if you’re talking about CT scanners or a linear accelerator, these devices are incredibly expensive, and so they may have lifecycles inside the organization for periods of 15, 20 or 25 years. So that’s part of it.
You also have consumer technology. You have manufacturers who are bound by Microsoft’s patching cycles, and you have providers who are trying to manage devices in a secure way. And then when these issues arise, people are sharing information in real-time, as I mentioned earlier, and not in ‘machine time.’ That becomes even more complicated in the medical device space, because there’s an entire bureaucracy involved, which can slow things down even more.
To install a patch when the manufacturer has to go through all these quality assurance processes to make sure it’s not going to cause harm really is a big struggle. Now, the FDA has made it evident that there is no expectation for manufacturers to go through clearance for cybersecurity issues after they are initially cleared. Contrary to popular belief, they don’t have to be cleared again before applying a patch. They do, however, have to go through quality assurance.
And that’s the flipside. You want to be able to do a quick patch in order to address the root problem, but the patch might cause issues because these devices are so sensitive.