CYBER CORNER
In Philadelphia, Cybersecurity Leaders Parse the Current, Challenging Landscape
On Feb. 8, during the Healthcare Innovation Mid-Atlantic Summit, industry leaders parsed the complex landscape around protecting the security of people and data in this challenging moment
By Mark Hagland
On Thursday, Feb. 8, during day two of the Healthcare Innovation Mid-Atlantic Summit, which was being
held at the Bellevue Hotel in Philadelphia, industry leaders parsed the complex landscape of this moment around cybersecurity in healthcare, looking at the range of threats besieging U.S. patient care organizations right now. Healthcare Innovation Managing Editor Janette Wider moderated a panel that included Julian Mihai, chief information security officer at Penn Medicine (Philadelphia); Daniel Uzupis, CIO and information security officer at Jefferson County Health Center (Fairfield, Ia.); and Richard Staynings, healthcare technology and cybersecurity strategist, affiliated with both cybersecurity firm Cylera and with the University of Denver.

Early on in the discussion, Wider asked
panelists, “How are we preparing for the newer, evolving threats in healthcare? And is this situation of global concern?” Staynings said, “We are not alone. My role takes me all over the world. Nearly every healthcare system around the world is being hit by ransomware attacks. However, unlike other industries, healthcare will typically pay the ransoms, because administrators want to restore their systems quickly. Attacking healthcare has unfortunately become a very lucrative industry in which criminals can easily attack us, and our propensity to pay ransoms fuels a lot of this activity. The Russian invasion of Ukraine did divert some energy away from ransom attacks last year for a short while and that caused a little bit of a dip in the volume of attacks.”

What’s more, Staynings added, “There’s
also been a lot of restructuring of the Russian CIS criminal gangs; but I think we’ll see a ramp-up of some activity moving forward. Whether or not the Kremlin is involved directly is yet to be
determined, but it’s a grey warfare attack against the USA and other NATO countries’ health systems. Providers are fighting a 24/7 battle to try to defend their systems from these highly sophisticated attacks, but it’s a David-and-Goliath battle, and right now, Goliath is winning.”

Uzupis, whose organization is a
critical-access hospital-based system in rural Iowa, testified that “I see everything coming in waves: ransomware, business e-mail compromise; a lot of this comes cyclically. Jefferson County Health Center is located in Fairfield, Iowa, a community of 10,000 people. And people will say, ‘We’re small, who would attack us?’ But what I’m seeing more than anything else is a need to focus on policy. The one thing that has saved people in Iowa is that people are distrustful. It comes down to making strong policies. What you do in cybersecurity has to be the first thought.”

Indeed, Mihai said, “I see increasing
sophistication in the attack tactics. For the first time, we’re seeing where somebody builds a small website around a niche clinical topic as a Watering Hole. They use it to infect visitors with malware. So when clinicians looking for a small niche search are attracted to the fake site, they go in and get infected, and then infect the entire organization. So you can’t think about staff training as fixed, stock training. So my team is constantly working with our partners to determine the emerging types of attacks, and correctly training our employees. And you hear everywhere about the zero-trust concept. And it’s more important than ever for us to realize that no matter where you are, somebody in a large organization is going to click on something. So it’s very important to detect quickly, because that gives you the biggest chance to contain and eliminate the threats.”
hcinnovationgroup.com | MARCH/APRIL 2023 Mark Hagland
Looking at the PATCH Act—the Protecting and Transforming Cyber Health Care (PATCH) Act introduced into the U.S. Senate last year, but which was not included in the appropriations bill funding the Food and Drug Administration (FDA) for another year, that was passed in June (the PATCH Act is working its way through the Senate Health, Education, Labor and Pensions (HELP) Committee at the moment), Staynings noted that “There was legislation that went through Congress last year that addresses some of the problems of medical device security. The biggest issue is that 75 percent of connected devices on hospital networks are medical devices. These devices were designed to do one or two functional clinical things very well over their projected life cycle of many decades. Many were never designed to be connected to the medical network, however. The problem is that medical device manufacturers aren’t very good about releasing security patches to known vulnerabilities. So the PATCH Act requires cybersecurity to be designed into all new medical devices, and for manufacturers to release timely security patches for any CVEs moving forward. It also has some retroactive impact on existing devices, and the FDA can pull the rug from under the worst offenders, though final FDA rules have yet to be published with the exact details.”

Staynings went on to add that “The Act
also protects the sharing of security threat and vulnerability disclosure data and other information without fear of lawsuits from manufacturers. It doesn’t address all of the legacy problems of the countless devices we have in health systems across the world, or the risks these present to the medical network, but does address broad issues and the security of new devices.”

Further, he added, “FDA, CISA, HHS, are now empowered to work together in