Patients in Colorado Springs and across the United States are exposed to a patchwork of cybersecurity risks in health care, as some providers struggle to keep pace with ever-changing threats.
The U.S. Department of Health and Human Services’ Health Care Industry Cybersecurity Task Force report identified grave cybersecurity gaps, alongside a dramatic escalation of cyber attacks that put “personal privacy, financial security, health care research, and, most troublingly, patient safety” at risk.
The report noted some health care systems have failed to implement protections due to a lack of awareness, financial resources or staff.
“Given the level of interconnectivity and diversity within the sector … and the disparity between organizations’ ability to address cybersecurity issues, health care as a whole will only be as secure as the weakest link,” the report stated.
El Paso County Medical Society CEO Mike Ware said while Colorado Springs health care providers recognize the importance of cybersecurity, there are “two extremes” in the level of protection against cyber threats.
“When we start talking about that boots-on-the-ground aspect of what’s really being done, that’s where the two extremes come in,” he said.
“On the one hand you have organizations that are really investing in [cybersecurity] — they’re taking those steps on the front end and understanding what’s important and what’s necessary.
“There is another half that agree that … they need to be vigilant, but they seem overwhelmed. So they’re almost waiting and sitting back to see what happens and hoping that they don’t get hit.”
Ware said some are derailed by the scale and cost of the task.
“Organizations large and small are grappling with what is truly an appropriate investment and what is … just another vendor looking to take money out of their pockets,” he said.
The task force stated its year-long study “demonstrates the urgency and complexity of the cybersecurity risks facing the health care industry.” At the same time, Symantec’s 2017 Internet Security Threat Report said medical records contain most of what the data hackers want, “making them ideal for one-stop stealing.”
Fernando Pedroza, information security director at UCHealth, said the industry is a target because cybercriminals are interested in both identity theft and health care fraud.
“Every industry is a target, and an organization is only as good as its weakest link,” he said in an email.
“The major difference in health care relates to two items: Health care has both traditional computing devices (PCs, laptops, etc.) and medical devices.
[Medical devices include a wide range of instruments including ventilators, pacemakers, insulin pumps and IV drips.]
“Both demand diligence and information security management, but they are very different in terms of how they are managed. Making sure we assess, identify and mitigate/remediate those weakest links is essential to security.”
Pedroza said UCHealth has a dedicated team of internal and external experts working on cyber threat preparedness, invests in technologies to monitor and detect issues, partners with security vendors to expand in-house capabilities, and participates in public and private collaboration organizations to share and fight cyber threats.
Kris Kistler, chief information security officer for Centura Health, said patients using a variety of health care providers could “absolutely” be exposed to a patchwork of cyber risk exposure.
“There is [a wide spectrum of preparedness] — and a lot of that is health care organizations that have not allocated the correct amount of budget into cybersecurity initiatives or efforts, or … just don’t have the means to afford the same kind of controls that larger organizations are able to implement,” he said.
Centura Health’s data security team monitors vendor alerts, public newsfeeds, websites and paid sources for new security alerts and warnings on a daily basis, Kistler added in an email.
He said Centura’s protective measures include ingress and egress firewalls, URL filtering, next-generation anti-virus, anti-malware, multi-factor authentication, intrusion detection systems, data loss prevention, anti-spam and anti-phishing, targeted attack prevention, email sandboxing, centralized logging and alerting, a robust security incident response program and security awareness training.
The task force noted that innovations for medical devices and health IT are outpacing the development of regulations for those devices.
Kistler and Pedroza both identified that same challenge — increased security for medical devices — as a pressing issue for the health care industry.
“The [Food and Drug Administration] released new guidelines for biomedical systems late last fall, but they’re just guidelines; they’re not enforcing those guidelines,” Kistler said. “That leaves us in a very hard place. We have to implement other mitigating controls because many of those devices don’t meet current standards.”
Kistler said Centura applies a mature risk evaluation process and mature mitigating controls for such devices, and Pedroza said UCHealth includes all medical devices in its overall information security protection plan, with additional targeted strategies for specific devices.
Kistler also emphasized the importance of an organizational framework to create formality and tracking behind security initiatives.
“Security awareness training, while important — and I want to make sure I specify that it is absolutely important — is still never going to buy [an organization] more than 75 percent tactical resistance, if you will,” he said.
“Because they’re always going to have new people coming on board, people going off board, people that just get careless and have a bad day. So security awareness training … although I stress it is absolutely important … is not enough on its own.
“There needs to be other technical measures to catch that next 25 percent that the security awareness training does not catch.”
Kistler pointed to the HITRUST Common Security Framework, which includes controls from more than 25 industry standard security and regulatory frameworks, as one that offers more specificity and controls for health care organizations.
Centura achieved HITRUST CSF certification in 2012 and has maintained it at a level well above the average of other health care systems, he said.