Cybersecurity attacks have become increasingly common — and debilitating — in recent years. And yet when Change Healthcare, a unit of UnitedHealth, was hit by ransomware in late February, it truly rocked the industry, causing disruptions both to patient care and billing information systems nationwide, according to HHS.
The reverberations of the attack are still being felt, and likely will be for some time.
“It was a wake-up call,” said Chris Akeroyd, CIO at Children’s Health, citing the “porous” nature of healthcare and the myriad partnerships required to deliver care across the continuum. The Change event, he noted, “emphasized the impact of business continuity that third party services have within our environment. We have to get down and really understand process and data flows, how we use third parties, and where they operate within our environment,” he said during a panel discussion with Chris Bowen (CISO/Founder, ClearDATA) and Vince Fitzpatrick (Director of Information Security, ChristianaCare).
In fact, Bowen believes “this never would’ve happened had they put multifactor authentication in place,” adding that credentials were compromised, a ransomware variant was then installed, and the intrusion went undetected for nine days. “This could have easily been addressed with proper hygiene.”
For leaders like Akeroyd and Fitzpatrick, the incident serves as a cautionary example of what happens when basic controls are missing. During the discussion, they shared insights on how high-profile incidents can affect cybersecurity strategies, and what their teams are doing to avoid becoming a statistic.
All about “readiness”
While the ultimate goal is to stop any attacks before they happen, the reality is that it’s no longer a matter of if, but when, said Akeroyd. Therefore, the focus should be on reacting as quickly and effectively as possible. That speed, he noted, “comes down to readiness in the organization — how well versed the C-suite and board are on what risks look like and how they can impact business.” At Children’s, “it’s a regular conversation we’re having so that we can make swift decisions. After all, the bad guys only have to be right once.”
On the other hand, the “good guys,” or in this case, IT and cybersecurity leaders, need perfect scores, according to the panelists. During the discussion, they offered best practices on how to take steps toward achieving that goal.
The visibility factor
“A lot of times, there’s just no visibility,” said Bowen, who warned attendees of the dangers of drift, which occurs when security environments unintentionally move away from established standards, putting data at risk.
Preventing such drift, however, isn’t easy, according to Akeroyd. “Sometimes it just happens; there’s a little bit of change in a process that the SOC 2 doesn’t pick up,” he said. “We have to do our due diligence upfront to make sure we know where our data is, how it’s flowing, and what’s the impact to the organization.”
Bowen concurred, adding that knowing where data — especially PHI — exist is critical. “If your data is where it’s supposed to be, it makes all the difference in the world from a timing perspective and a reporting perspective.”
ClearDATA aims to address this through its Managed Health Cloud, which provides continuous monitoring in cloud environments, including PHI discovery capabilities, and its CyberHealth Platform, which provides visibility into how data is being used and identifies non-compliant actions. “Our primary directive is to protect patient data,” said Bowen. “That’s what we live and breathe for.”
Tight controls
One of the most important ways to protect information is by enforcing multifactor authentication — and maintaining tight controls on the network, according to Akeroyd. “We don’t allow any direct network access for our third parties. We manage those accounts closely even when they’re shared,” he said. For example, Epic’s account remains deactivated unless there’s an active support ticket, in which case “we have a conversation to turn those on.”
This type of vigilance is critical, said Bowen, noting that the longer credentials sit unused, the more likely they’re picked up by the dark web. Having a solid managed detection and response team, however, can help deter that. “If we see someone being compromised in a certain way, we’ll throw out automated changes to the group policies to block it from happening to the other customers we have,” he said. “And we do that quickly.”
Red flags
Another key advantage in working with trusted cybersecurity platforms is the ability to spot red flags — such as simultaneous requests to reset both a password and MFA, which Akeroyd’s team won’t allow. The same goes for a lost phone and forgotten password. “From an IT standpoint, we’re going to make you wait to get both taken care of,” he said.
They’ve also altered the process for resetting passwords for remote employees. Now, individuals are asked to hold up their driver’s license while on camera, instead of just sending the information electronically. “We’re starting to validate better,” Akeroyd said.
Fitzpatrick supports the move, noting that the helpdesk is perhaps the most vulnerable area in an organization. “They’re getting attacked constantly,” he noted. “People call trying to impersonate physicians or nurses and reset their accounts. And that authentication piece is very difficult.”
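The check Akeroyd describes, written out as detection logic. This is an added example, not tooling from Children’s Health or from any panelist: it reads constructed helpdesk events (the line format “timestamp user event”, the event names and the 30-minute window are all assumptions) and holds any user whose password reset request lands close to an MFA reset request or a lost-device report, so the helpdesk has to verify identity before either change goes through.

```python
"""Hold helpdesk requests that pair a password reset with an MFA reset or a
lost-device report for the same user inside a short window.

Added example, not tooling from Children's Health or the panel.  The log line
format "<ISO timestamp> <user> <event>" and the event names are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed helpdesk events for the example (not real data).
SAMPLE_LOG = """\
2024-03-04T09:02:11 jdoe password_reset_request
2024-03-04T09:05:40 jdoe mfa_reset_request
2024-03-04T10:15:00 asmith password_reset_request
2024-03-04T13:40:00 asmith mfa_reset_request
2024-03-04T11:00:00 rlee lost_device
2024-03-04T11:03:30 rlee password_reset_request
2024-03-04T14:00:00 mkim mfa_reset_request
"""

# Combinations that should not be granted together without stronger identity
# proofing: together they let one caller take over both factors at once.
RISKY_PAIRS = {
    frozenset({"password_reset_request", "mfa_reset_request"}),
    frozenset({"password_reset_request", "lost_device"}),
}


def parse_log(text):
    """Parse log lines into (timestamp, user, event) tuples, skipping blanks."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event = line.split()
        events.append((datetime.fromisoformat(ts), user, event))
    return events


def flag_reset_combos(text, window=timedelta(minutes=30)):
    """Return {user: sorted risky event pairs} for users whose requests in
    RISKY_PAIRS fall within `window` of each other."""
    by_user = defaultdict(list)
    for ts, user, event in parse_log(text):
        by_user[user].append((ts, event))

    flagged = {}
    for user, evs in by_user.items():
        evs.sort()  # chronological, so the inner loop can stop at the window edge
        hits = set()
        for i, (t1, e1) in enumerate(evs):
            for t2, e2 in evs[i + 1:]:
                if t2 - t1 > window:
                    break
                pair = frozenset({e1, e2})
                if pair in RISKY_PAIRS:
                    hits.add(tuple(sorted(pair)))
        if hits:
            flagged[user] = sorted(hits)
    return flagged


if __name__ == "__main__":
    # jdoe and rlee are held; asmith's two requests are hours apart.
    for user, pairs in flag_reset_combos(SAMPLE_LOG).items():
        print(f"HOLD {user}: verify identity before "
              + ", ".join(" + ".join(p) for p in pairs))
```

The window is the tunable part: too short and an attacker simply spaces the two calls out, too long and legitimate users who really did lose a phone get held for hours. Whatever the value, the hold should route to the stronger verification step Akeroyd describes (the on-camera ID check) rather than to a second helpdesk agent who can be talked into the same reset.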
Password spraying
Unfortunately, it’s only going to get tougher, and without the proper measures in place it is very hard to protect against an attack, whether it targets an individual or a group. Children’s, for example, was recently hit with password spraying, a tactic in which attackers try a single common password against many accounts rather than many passwords against one, so that each account sees only a failure or two and per-account lockout thresholds are slow to trigger. As a result, several accounts in the perioperative department had to be locked, which didn’t go over well.
“It’s not a good experience, because now you’re impacting on-time starts, and revenue is calculated in minutes,” said Akeroyd. “I’m having a conversation about why we’re costing the organization money, but we can’t just unlock the accounts.”
There’s a balance that needs to be struck, said Bowen. “If you have surgeons who are trying to start a procedure and they can’t get into the system, that’s a problem. But on the flip side, if you just unlock the accounts, that could be a huge problem from a security standpoint. It’s something we have to pay attention to every single day.”
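The spray pattern and the lockout dilemma in working code. This is an added example in Python, not Children’s Health tooling: it runs over constructed sign-in failures (the log format, the account names, the thresholds and the RFC 5737 source addresses are all assumptions) and tells a spray, one source touching many accounts with a failure or two each, apart from a brute force against one account. It then plans a response that blocks the source and forces a reset only on the account the attacker actually got into, leaving the merely sprayed perioperative accounts usable.

```python
"""Separate a password spray (one source, many accounts, a failure or two each)
from a brute force against one account, and plan a response that blocks the
source instead of locking every sprayed account.

Added example, not Children's Health tooling.  The sign-in log line format and
all events below are constructed for the example; sources use RFC 5737
documentation addresses.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

SAMPLE_AUTH_LOG = """\
2024-03-05T07:58:01 src=203.0.113.7 user=periop01 result=FAIL
2024-03-05T07:58:04 src=203.0.113.7 user=periop02 result=FAIL
2024-03-05T07:58:07 src=203.0.113.7 user=periop03 result=FAIL
2024-03-05T07:58:10 src=203.0.113.7 user=periop04 result=FAIL
2024-03-05T07:58:13 src=203.0.113.7 user=periop05 result=FAIL
2024-03-05T07:58:16 src=203.0.113.7 user=periop06 result=SUCCESS
2024-03-05T08:10:00 src=198.51.100.20 user=svc_backup result=FAIL
2024-03-05T08:10:01 src=198.51.100.20 user=svc_backup result=FAIL
2024-03-05T08:10:02 src=198.51.100.20 user=svc_backup result=FAIL
2024-03-05T08:10:03 src=198.51.100.20 user=svc_backup result=FAIL
2024-03-05T08:10:04 src=198.51.100.20 user=svc_backup result=FAIL
2024-03-05T08:10:05 src=198.51.100.20 user=svc_backup result=FAIL
2024-03-05T08:30:00 src=192.0.2.15 user=periop01 result=FAIL
2024-03-05T08:30:20 src=192.0.2.15 user=periop01 result=SUCCESS
"""


def parse_auth_log(text):
    """Parse "<ts> src=<ip> user=<name> result=<FAIL|SUCCESS>" lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append({"ts": datetime.fromisoformat(ts), "src": kv["src"],
                       "user": kv["user"], "ok": kv["result"] == "SUCCESS"})
    return events


def classify_sources(events, window=timedelta(minutes=10), min_accounts=5,
                     max_per_account=2, brute_threshold=5):
    """Return {src: {"kind", "accounts", "compromised"}} for attacking sources.

    Spray: within `window`, >= min_accounts distinct users, each failing at
    most max_per_account times (so per-account lockouts never trigger).
    Brute force: one user failing >= brute_threshold times within `window`.
    """
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)

    verdicts = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if not e["ok"]]
        sprayed, bruted = set(), set()
        lo = 0
        for hi in range(len(fails)):  # sliding window over this source's failures
            while fails[hi]["ts"] - fails[lo]["ts"] > window:
                lo += 1
            counts = Counter(e["user"] for e in fails[lo:hi + 1])
            if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
                sprayed.update(counts)
            bruted.update(u for u, n in counts.items() if n >= brute_threshold)
        if sprayed or bruted:
            # Any success from an attacking source is a likely compromised account.
            verdicts[src] = {"kind": "spray" if sprayed else "brute_force",
                             "accounts": sorted(sprayed or bruted),
                             "compromised": sorted({e["user"] for e in evs if e["ok"]})}
    return verdicts


def response_plan(verdicts):
    """Block attacking sources; force resets only where a sign-in succeeded;
    lock a brute-forced account (one user, low impact); leave merely sprayed
    accounts usable, since locking them all is the outage the attacker gets for free."""
    plan = {"block_sources": sorted(verdicts), "force_reset": set(),
            "lock": set(), "monitor_only": set()}
    for v in verdicts.values():
        plan["force_reset"].update(v["compromised"])
        bucket = "lock" if v["kind"] == "brute_force" else "monitor_only"
        plan[bucket].update(a for a in v["accounts"] if a not in v["compromised"])
    return {k: sorted(v) for k, v in plan.items()}


if __name__ == "__main__":
    verdicts = classify_sources(parse_auth_log(SAMPLE_AUTH_LOG))
    for src, v in verdicts.items():
        print(src, v["kind"], "targets:", v["accounts"], "compromised:", v["compromised"])
    print(response_plan(verdicts))
```

The thresholds are starting points, not settled values; a real deployment would pull sign-in events from the identity provider and tune the window and account counts against its own baseline. The design point is the one Bowen and Akeroyd raise: the spray’s signature lives at the source, not the account, so the response that costs the surgeons nothing is to cut off the source and reset only the account it got into.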
“Walk through this”
The key to managing these very tricky situations, according to Akeroyd, is in being transparent and collaborative with those on the frontlines. “As technicians, we’re not qualified to assess clinical impact. That’s where we need to have good partnerships on the clinical side,” he said. “After the dust settles, let’s walk through this and be practical.”
At Children’s, he admitted that “it took some time” to get to the point where they could reach an agreement around downtime procedures that satisfied both parties. “Sometimes technology is going to fail right in the middle of a procedure,” and the organization needs to be prepared.
That means constantly having to ask, “What are we doing on the automation side? What lessons are we learning? And how can we start scripting some of these things to take advantage of what we’re seeing?” he said. “We need to think about how do we shut spray attacks down. We can’t just sit here and let them happen.”
Elevating the discussion
Although having strong relationships with clinicians is certainly advantageous, what’s just as critical is securing buy-in from executive leadership, the panelists stated. “You can’t do this as a CIO or CISO by yourself,” said Fitzpatrick. “You have to have full support from your board and your CEO. You need to be rowing the boat in a way that’s consistent with everyone else.”
It’s not always easy, as healthcare organizations are notorious for being siloed, especially when it comes to risk management. “We have a great working relationship with privacy, but not with finance or other risk departments,” he said. “It would be excellent if we had a rich, overarching risk framework to discuss these issues or concerns.”
That’s where communication with executives on the business side is pivotal, said Fitzpatrick. “It’s letting them know that information security does not have the answer for everything. We’re not going to flip the switch to get everything back up and running. There will be downtime, and they need to be ready for that.”
As the industry picks up the pieces from the latest large-scale breach, that understanding has become more important than ever, said Akeroyd. “We need to really think about business continuity. This is an organization-wide responsibility; not an IT responsibility.” As CIOs, “it’s our job to elevate that discussion and make sure it’s happening appropriately.”
The archive of this webinar, Reexamining Third-Party Risk Management Around Critical Service Providers (sponsored by ClearDATA), is available online.