Cybersecurity in healthcare is at a tipping point, poised to move from the voluntary to the mandatory, although not quite yet. For now, it’s still up to organizations whether or not they want to comply with any specific framework or set of best practices. Of course, demonstrating adherence to 405(d)’s HICP should get some favorable consideration if things go south, and a lack of basic controls will get you laughed out of your cyber-insurance provider’s office, but technically it’s still up to you. And, for now, that will continue with the release of HHS’s HPH-CPGs – a set of essential and advanced best practices that should help organizations cut through the noise and plot a sound cyber course, according to Intermountain Health VP & CISO Erik Decker, who also serves as chairman of the cyber working group of the Health Sector Council. In this interview with healthsystemCIO Founder & Editor-in-Chief Anthony Guerra, Decker discusses why the CPGs are important, how most attacks happen, and what security professionals can do about it.
Anthony: Welcome to healthsystemCIO’s interview with Erik Decker, Vice President and Chief Information Security Officer with Intermountain Health. I’m Anthony Guerra, Founder and Editor-In-Chief. Erik, thanks for joining me.
Erik: Thanks, Anthony.
Anthony: All right, Erik, a little bit about your organization and role, if you want to start off with that.
Erik: Intermountain Health is an integrated delivery network located in the mountain west regions. So we’re primarily based in Utah, Nevada, Colorado, Idaho and, minimally, some other states around that area. An integrated delivery network means that we’ve got both the health plan and the provider side, the healthcare delivery service. So we cover about a million lives under our health plan and quite a few lives on the delivery side of care.
Anthony: All right, very good. I know your main job is only one of the things you do. So if you want to briefly list the most important industry policy-related roles that you’ve taken on.
Erik: Yes. I call it my second job, ironically but no payment, there’s no remuneration that happens there. But now I serve as the chairman of the cyber working group of the Health Sector Council and what that is, is a critical infrastructure policy advisory committee. It’s called CIPAC. There are 16 critical infrastructures that are outlined in the National Defense and Authorization Act which originally came through some executive orders under the Obama era. So those 16 critical infrastructures – some examples are finance, oil and gas, water, transportation, healthcare, agriculture, and so forth. And these are infrastructures and organizations that actually make up our nation’s critical infrastructure but are generally run by private industry. And so, because of that, there’s a national interest in making sure that those are protected from all hazards, cyber being one of those hazards.
The cyber working group has about 425 organizations that are members, about 1,000 people inside representing those 425 organizations. And if you are a critical infrastructure owner and operator, and you’re in healthcare, you should absolutely be participating in this group. We produced 27 publications over the last six years. Three of them are joint release products with Health and Human Services. This is where HICP came from and, if you’ve heard of 405D, that’s one of the task groups inside the Cyber Working Group. HICP was the inaugural product of that which is cyber hygiene, that’s been embedded in law. OCR has been instructed to consider the adoption of HICP during any enforcement action. That’s an avenue of progress on how the industry and the government have come together to try to bolster up our resiliency across the industry.
We do a lot of work with HHS. We do a lot of work with CISA, as well as the Office of National Cybersecurity Director at the White House and the National Security Council at the White House.
Anthony: All right, very good. So, the developments on the policy front: in December, HHS released its introductory strategy for healthcare sector cybersecurity. They’ve got four points in there – establish voluntary cybersecurity performance goals, provide resources to incentivize and implement the practices, implement HHS strategies to support greater enforcement and accountability, and expand and mature the one-stop shop within HHS. So there are things in there that they’re going to work on, and what they’re going to come out with are, and we love acronyms, right? Healthcare and public health sector-specific cyber performance goals, HPH-CPGs. They talk about high-need organizations who will get help implementing measures deemed essential (but not enhanced).
Now, in trying to give the industry some idea of what’s happening, we can say that it should jibe with CISA’s cross-sector CPGs and HICP, which you mentioned. So they’re saying, “here’s where we’re going. We’re going to be working on this stuff. We’re going to take input, but don’t be too scared because there’s stuff out there that anything coming out will jibe with, so you’re not going to get hit out of left field with some crazy stuff.”
Erik: That’s right.
Anthony: That’s my reading of it. You tell me if I’m on the right track.
Erik: That’s exactly correct. And honestly, it’s the relationship and the partnership of the Cyber Working Group and the relationships and partnerships that we’ve had with our federal partners that has gotten us there. The federal government has recognized that hospitals in particular are getting beat through ransomware attacks and other disruptive attacks and more needs to happen. We developed HICP at the end of 2018, when that was published, and HICP is hygiene. It contemplates five threats and 10 practices to mitigate those five threats, and it’s a how-to guide for small, medium, and large-sized organizations; we actually broke it up into a playbook for each of those three designations because everybody’s a little different. How you handle cyber for a small critical access hospital is very different than for a large integrated delivery network like Intermountain. So think of HICP as the how.
The CPGs, the cybersecurity performance goals, which originally came out from CISA for all 16 critical infrastructure – that was, I believe, last year when they released that – those are more outcome-driven statements. So what we’ve done working with HHS – and HHS has been developing the CPGs – is we took some of the outcomes associated to the CPGs and said, “this is what we want to achieve. HICP is the path to doing it.”
And so that’s how those two things come together. You’ll see very prominently that it shows in that way. So the good news is, if you’ve done HICP, you’ve actually done the CPGs, generally speaking. There’ll be some evaluations that you’re going to need to do. It is very specific and very targeted to some very essential things. But I think it’s not going to be out of left field. And hopefully, you’re not going to think, “oh geez, now I’ve got a whole bunch of other stuff to do.” I mean, if you haven’t done these things, then this is really giving you a pathway for exactly what you need to be focused on, minimally, to prevent against some of, and respond to, these disruptive attacks that are hitting us.
Anthony: So I’m thinking it’s not going to be like some of the interoperability stuff they came out with. They came out with some stuff a little while ago about, you had to be able to respond to these requests from anywhere for patient information. And everyone was like, “whoa, that’s a lot of work. We’ve got a lot of stuff to do.” It was a little bit of panic. My guess, and you tell me if I’m wrong, is that if you have a CISO, if you have someone with that title and they’ve been working towards a framework, and you’ve got cyber insurance, which means you must have jumped some hurdles, then when this stuff comes out, you’re probably going to be in very good shape.
Erik: Depending on your organization and what your level of capability is, you certainly will know exactly what those things are. You brought up cyber insurance; you probably will have already discussed it with your underwriters. We looked at those essential, those mandatory things that the cyber insurance underwriters are looking for as well, and conceptualized that in the same model and so forth. It hopefully is incredibly aligned. I mean, the fact of the matter is we did a landscape analysis last year where we studied cybersecurity capability in hospitals; that was actually one of the major inputs into the CPGs. And there are a lot of things that I think people assume are happening, and they’re actually not, in their totality.
So an example is 92 percent of organizations have put multifactor authentication on email, on the email portal, so that sounds like a good number, except for the fact that phishing and credential attack via social engineering is the number one attack that hits organizations. So if you don’t have multifactor authentication on your email system, and all you have is a password protecting your account, it’s going to get hit and people are going to use that account to impersonate you and do more attacks. It could be business email compromise attacks. It could be trying to phish to get to more privileged access. It could be deploying malware. I mean, it can be used for all different types of things. And that delta from 92 percent to 100 percent represents a significant number of hospitals in the United States that haven’t done that.
So that’s a good example of some very, very basic things that just have to be in place in this day and age in order for you to protect against the attacks that are happening. And those are non-sophisticated attacks. It’s actually very easy to conduct that attack.
Anthony: So the high needs organizations will get some financial help implementing the essential measures. What about the timing on this? Should they wait for funding or go ahead? Will they be reimbursed if they go ahead now?
Erik: The first point is when the CPGs are released to note that these are voluntary CPGs, so what comes out in that first bullet point of that concept paper is not a mandatory enforcement requirement. That’s the third bullet point of what HHS is working on.
The second thing I’ll say is when we were conducting the landscape analysis, we interviewed about 20, 25 different hospital systems, including the high-need organizations. And when we asked them a question like, “help us understand the resource constraints and the challenges that you face,” every single one of them said, “just tell us what to do.” Because part of the problem in cybersecurity is it’s so big and there’s a lot of noise; there’s a lot of vendors in the space, a lot of people trying to get your attention and talking about, ‘this is the most important thing to do.’ If you don’t have sophisticated cybersecurity professionals, it’s hard to understand what actually is the most important thing to hit first.
Even HICP is still pretty big. It’s got 10 practices. It gets into some depth, but it doesn’t prescribe, you do these things and then these things and then these things. The CPGs are going to be more clear and more tactical if you want to think about it that way. It’s very directional. I think the higher need organizations will get the gift of focus. One of the considerations that was built into the CPGs was cost. Are these things going to come with a high cost in order to get to the essentials? And we did not want to include things that just were filled with high cost. So the impact to threat mitigation was all part of the calculus that was used. Not to say that there’s not cost inside the CPGs. There are some things that are going to cost, but there’s also plenty of things in the CPGs that are just people time to work on instead of hard license cost or things along those lines. I think that will help.
All of that said, absolutely the high-need organizations need help, from the industry association side, from multiple angles. Through the industry associations, when I go up to the Hill and I talk to both Senate and House folks, I bring this up. I bring up different types of options that could potentially be contemplated. Within the cyber working group, we have provided the federal government a policy recommendations paper that talks about some of the models that could be used for a reimbursement strategy or a granting strategy or something along those lines. I think it’s actually important for folks to know there are grants in place today that you could apply for, that you can get some cyber help with. FEMA actually has a grant active today that’s connected to some networking dollars, and if you apply for it you can use that for some cyber assistance. So that’s an option.
All of that said, there still is more. What I just described is not enough to bolster up an entire industry. HHS is working with Congress right now trying to figure out some new appropriations that could be applied into this space. I don’t have any answers for you on, is that successful, is that not successful? You know our Congress today. We continue to push the ball down the road on the budget, and so it’s hard to get stuff in right now, but the need is understood, and we are having these discussions.
Anthony: So when this came out in December you posted some stuff about this – trying to put a little color around it – and there was a little bit of pushback from some entities. You said the first iteration will be voluntary, but I guess the anticipation is that at some point some of these things will become mandatory. There’s language in the four points about enforcement and accountability that scared some people, and you posted your point of view, which was along the lines of: “hey, this has to be done, it just has to be done.” I wonder if you want to just talk about that a little bit.
Erik: Yes, so first of all, as a collective cyber working group, we understand the balance between voluntary practices and mandates, and we understand the challenges for those who have and those who do not have. So we do believe that there needs to be incentives in place to assist those who don’t have in order to get to mandates. But we also believe and frankly, again, when we were talking and doing these interviews in the landscape analysis and so forth, every one of them, when we ask the question, “would you support a mandate if a mandate was driven?” They said, “as long as there’s funding for this, absolutely.” Because it offers clarity on exactly what needs to be done and in a lot of cases they say, ‘we’re just too busy to spend the time to try to understand the threat landscape and get this perfectly right. If you just tell us what to do, we’ll just go do it.’
In healthcare, there’s a longstanding history of that; of you will put an environment of care in place, standards of practice in place. And these are the rules that you will follow; CEOs get that. And so, I think there actually are folks who are going to welcome that if there are funding, if there’s an incentive to get them there. And I think that’s really the crux of this. I personally do believe that we need to get clearer with this. We’ve been trying voluntary security since HIPAA came out; the security rule came out in 2005. We’re almost 20 years into it and we haven’t been able to stop the flood of ransomware attacks that have hit our industry. It only accelerates year over year. And we do have hygiene. We do have all this clarity. We do have some additional carrots that have been released. HICP, like I said, it’s connected to the enforcement action now with OCR, if you’ve done it and you become a victim of one of these attacks, OCR is instructed to consider your adoption of HICP during enforcement action. That has helped, but has it helped to get the entire industry to move? I think there’s more that’s needed there.
As long as we balance it right and as long as the controls, the CPGs, that we’re applying are informed by the industry and are specific to the threats that we’re facing, and there’s dollars to help those that are in need, I think that this is absolutely the right path.
Anthony: So it’s really interesting, the position that you’re in, and I can tell you want to get this right. This is really important, and you want to get it right. Tell me your thoughts.
Erik: Yes. Perfection is not possible, and when they come out, people are going to look at them. They’re going to beat them up. I’m sure somebody’s going to question, why this and not that? Of course, all of that is going to happen. We live in this industry. What I’ll tell you is this: it was informed by the landscape analysis, and the landscape analysis took an adversarial mindset. How are we getting beat? We studied that. We looked at FBI data. We looked at CISA data, HC3 data, open-source data from our cybersecurity vendors, and we compared that to the stated capabilities of our hospitals. The two major studies were CHIME’s Most Wired survey and the AHA KLAS Censinet survey. And both of those studies essentially looked at the journey that organizations were on to the NIST CSF, the cybersecurity framework, to HICP. The AHA KLAS Censinet survey looked specifically at HICP, and for those organizations that have the capability, so there’s bias there in that you already have to be this high on the ride to do that, but we got an understanding of where they are.
And then we looked at it a different way. The Cyber Working Group came together and said, “here are the practices that we think are important from four tranches of priority.” Of course, HHS, CISA, National Security Council, they took all of this input and then they came back to us again and asked us questions – ‘Does this look right? Does that look right? No, yes, no, yes.’ And we did this round and round and round iteration until the final result was solid.
I think, honestly, if you look at how the attacks are happening, there’s three main ways that organizations are getting beat, or the initial compromise, I should say – it’s social engineering, of course, no surprise there. But let me give a good example of that.
Social engineering that includes social engineering your help desk. Calling up and saying, “I lost my phone. I need to add another multi-factor device.” The help desk comes back and says, “well, just give us the last four of your Social and your date of birth.”
“Oh sure, I’ve got all that.” Because all of that has been breached time and time and time again; that’s all on the dark web. I mean, that is a very bad identity verification process. And so, it’s very easy to bypass it. You don’t even have to hack. You just hack the people, essentially. So that’s one way.
The other way is you’ve got a vulnerability that’s in your DMZ or on your network that’s exposed directly to the internet that gets hit because it’s high criticality. It’s got remote code execution. And CISA actually produces a list of what’s called Known Exploited Vulnerabilities, or KEVs, more acronyms for you. And they have all kinds of intel that show which ones are being exploited right now by people. And so all you have to do is marry the CISA list to your list (of potential vulnerabilities) – and you need to do that now, not seven days from now, like literally right now.
And then the third one is third parties getting hit that have connectivity back to you. So there’s a lot in the third party space. They’ve got our data that can lead to privacy breaches. Yes, the Target breach in 2013 or 2014, that was an HVAC vendor who got compromised. They had connectivity back into Target, backchannel connectivity, and then they rode that and then they got into the network and conducted their attack. That’s a very common attack path, that network connectivity attack.
Those three represent 80 percent of the attacks that are out there. The attacks start with one of those three and then they all go to a privilege escalation attack. They go in and they get your most sensitive credentials inside your organization. It could be active directory, could be any number of different things and then they use that. Because once they have those master keys, essentially, they can then deploy ransomware, or they can then steal data, or they can then steal intellectual property, or do whatever, or persist for a long period of time and wait for something. Everything stems from that. So an adversarial mindset means you look at how that happens. You look at how 80 percent of the attacks are occurring and now apply what controls are the most important. So what are the things that you can get right up front to stop it from the beginning, and what are the things you can do right at the end, right before the bad stuff happens, and you sandwich it – that’s the strategy.
Informally, I have spoken to some CISOs who have unfortunately had these attacks happen to them – it’s a small n here, but it’s 100 percent. I’ve done my own little informal study. I said, “I don’t want you to tell me what happened, because I know it’s already sensitive anyway, but I bet it was one of these three ways that they got in. And the privilege escalation was the last thing that they did before it all went bad.” And to a T, all of them nodded their heads.
So the bad guys, this is their playbook. I mean, it doesn’t matter. It’s their playbook for healthcare. It’s for transportation. It’s for energy. It’s for everybody. Our job is to disrupt that playbook. We need to make this expensive for them to do this attack. We’re not going to stop them from conducting the attacks. There’s always going to be crime. There’s always going to be people who want to do this stuff. They’ve got business models themselves. They’ve got their own efficiency targets that they’re trying to hit and things like that. So, the more that we make it difficult and put friction in place for those attacks to work, the better off we’re going to be.
Anthony: Excellent points. One of the concerns around the CPGs was don’t punish the victim. So I’m just going to leave you with that final question – how do you balance all these things? We don’t want to punish the victim but at some point, you have to have accountability.
Erik: Yes. There’s already a little bit of a line that’s been drawn. HHS won’t say this. I informally say it, or I guess I’m informally saying it on an interview (laughing). We already have a law that states if you’ve implemented these practices or efforts promulgated under 405D, you are doing what is considered a recognized cybersecurity practice and you will be given consideration in a victim situation.
There’s a little bit of a line that’s already been drawn with that. So what does that mean if you haven’t done them? Again, this is where HHS will not say, ‘well, then you’re going to immediately get penalized’; they’re not saying that. But you’re on an upward slope that you have to start arguing. CPGs are adding more clarity to this, and the essentials are essentials. And frankly, if you want cyber insurance now, depending on who you’re using, there are five controls that you absolutely have to have or you’re not even going to get insured, and that’s not the federal government. That’s the industry applying that pressure. And so, it’s a losing argument anymore to say that any attack against you is one you are not responsible for. If you’re doing everything that you’re supposed to be doing, you’re absolutely right that you are a victim in this case and you should not penalize the victim. I completely agree with that statement. If you’ve ignored it and you’ve grossly ignored it, I don’t know, I mean, in this day and age, that’d be like walking outside in negative 5-degree weather in shorts and a T-shirt and getting upset that you got hypothermia.
Anthony: No, it makes perfect sense. I want to thank you so much for your time today, Erik.
Erik: Thanks, Anthony.
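Decker’s second attack path above comes with a concrete instruction: marry CISA’s Known Exploited Vulnerabilities list to your own vulnerability list, right now. The script below is an added example of that cross-reference, not code from the interview, from Intermountain, or from CISA. The record fields it reads (cveID, dueDate, knownRansomwareCampaignUse) follow the public KEV JSON feed at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json, but the KEV records and scanner rows embedded in it are constructed placeholders with made-up CVE numbers, and the "exposure" field is an assumed name for whatever your asset inventory uses to mark internet-facing systems.

```python
"""Cross-reference a vulnerability scan export against CISA's KEV catalog.

Added example, not from the interview. Field names mirror the public KEV feed;
the records below are constructed placeholders, not real CVEs.
"""
import json

# Constructed stand-in for the KEV feed (placeholder CVE IDs, not real ones).
KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVPN", "product": "Gateway",
         "dateAdded": "2024-01-10", "dueDate": "2024-01-31",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleCMS", "product": "Portal",
         "dateAdded": "2024-02-01", "dueDate": "2024-02-22",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed scanner export: one row per (asset, CVE). "exposure" is an assumed
# inventory field distinguishing internet-facing assets from internal ones.
SCAN_FINDINGS = [
    {"asset": "vpn-gw-01", "cve": "cve-0000-0001", "exposure": "internet"},
    {"asset": "intranet-cms", "cve": "CVE-0000-0002", "exposure": "internal"},
    {"asset": "file-srv-07", "cve": "CVE-0000-0099", "exposure": "internal"},
    {"asset": "vpn-gw-02", "cve": "CVE-0000-0001", "exposure": "internet"},
]


def load_kev(kev_json: str) -> dict:
    """Index the KEV feed by upper-cased CVE ID."""
    feed = json.loads(kev_json)
    return {v["cveID"].upper(): v for v in feed["vulnerabilities"]}


def prioritize(kev_json: str, findings: list, today: str) -> list:
    """Return only the findings that appear in KEV, most urgent first.

    Ranking: internet-exposed before internal, ransomware-linked before not,
    then earliest CISA due date. Each entry also records whether the CISA
    due date (ISO yyyy-mm-dd, so string comparison is chronological) has passed.
    """
    kev = load_kev(kev_json)
    hits = []
    for f in findings:
        cve = f["cve"].upper()          # scanners disagree on case; normalise
        entry = kev.get(cve)
        if entry is None:
            continue                    # not known-exploited: normal patch cadence
        hits.append({
            "asset": f["asset"],
            "cve": cve,
            "internet_exposed": f["exposure"] == "internet",
            "ransomware_use": entry["knownRansomwareCampaignUse"] == "Known",
            "due": entry["dueDate"],
            "overdue": today > entry["dueDate"],
        })
    # sort() is stable, so equal-priority hits keep scanner order
    hits.sort(key=lambda h: (not h["internet_exposed"], not h["ransomware_use"], h["due"]))
    return hits


if __name__ == "__main__":
    for h in prioritize(KEV_JSON, SCAN_FINDINGS, "2024-02-10"):
        flag = "OVERDUE" if h["overdue"] else "due " + h["due"]
        print(f'{h["asset"]:14} {h["cve"]}  exposed={h["internet_exposed"]}  {flag}')
```

In practice you would replace KEV_JSON with the downloaded feed and SCAN_FINDINGS with your scanner’s export; the point of the ranking is that an internet-facing asset carrying a KEV entry with known ransomware use is the one to patch or isolate first, regardless of what the scanner’s generic severity score says.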