Healthcare chief information security officers and chief information officers have a lot on their plates when it comes to protecting the data and systems that are the lifeblood of provider organizations.
Looking to offer CISOs and CIOs help on a number of fronts, Healthcare IT News sat down with health data security expert Chris Bowen to discuss four subjects:
- The most recent and ongoing updates to the Trusted Exchange Framework and Common Agreement, or TEFCA.
- Impacts of the Log4j vulnerability on the healthcare industry and patient privacy.
- Strained health systems battling cybersecurity threats with limited budgets.
- The challenges of securing data in the cloud.
Bowen, CISO and founder of ClearDATA, a healthcare cloud security company, goes into detail on all four subjects to shine a light on answers to these healthcare security problems.
Q. You closely follow all of the updates to TEFCA. What should healthcare CISOs and CIOs know about the latest with TEFCA?
A. Ask any healthcare CIO about their challenges, and you’ll hear war stories of driving new technologies to better care for patients. You’ll also hear about the difficulties of interoperability and data exchange.
Yes, many think the healthcare industry solved this problem years ago with the advent of health information exchanges. However, the sad reality is that healthcare organizations must join multiple HIEs, and many don’t share data.
The pandemic shined a bright light on the weaknesses of our data sharing models as many healthcare organizations struggled to report data in near real time to the government accurately.
As a result, healthcare organizations spend precious resources building point-to-point interfaces between organizations. The authors of TEFCA hope to reduce duplicative network interfaces and allow healthcare organizations to be more efficient.
TEFCA’s broad objective is to simplify healthcare data exchange at scale. And we’re not talking about your granddad’s idea of scale. We’re talking about zettabytes of data created by the proliferation of health data liquidity, especially catalyzed by the pandemic.
To achieve its rallying cry, TEFCA has three critical goals: Create a unified policy and technical “floor” for nationwide interoperability; simplify connectivity for organizations to improve patient care, enhance the welfare of populations and generate healthcare value; and enable individuals to gather their healthcare information.
As a CISO for a multi-cloud healthcare tech company, my advice to healthcare CISOs and CIOs is to pay particular attention to the QHIN Technical Framework and the nexus of privacy and security requirements.
The technical framework addresses information flows, data exchanged and functions to support technology and exchange. TEFCA encourages QHINs to build from current capabilities, deploy known standards and keep an eye toward future approaches. This approach means that different QHINs will start from various states of maturity.
Know as well that QHINs will need to meet very high security standards. The QHIN must be certified. It must also comply with the Security Rule, conduct annual security assessments, have a CISO, and the most challenging requirement, obtain cyber risk insurance.
QHINs should start budgeting for that now because it’s expensive, and coverage is not guaranteed. Healthcare CIOs should ensure that the QHIN is certified by a reputable third party and that it has enough cyber insurance to support you if a breach occurs. Beyond that, make sure to outline responsibilities in your agreements with the QHINs.
I’d also encourage CIOs to pay attention to the TEFCA FHIR exchange pilots planned for Q3 and Q4 of this year. In an industry where talent is highly demanded, prepare to dedicate some resources to the pilot and think about getting a program manager involved to help you through the added workload.
Q. In a nutshell, what is Log4j? And what has been its impact on the healthcare industry?
A. Log4J is a Java-based logging tool now known to have multiple serious vulnerabilities. One of the vulnerabilities is remote code execution flaws that can provide an attacker with complete control of a system.
Log4j is a widely distributed logging library developed by Apache. Application developers use Log4j to track what happens in their software applications or online services. If an application crashes, the developer accesses Log4J to determine what caused the crash.
In a virtual briefing shortly after the vulnerability was publicly disclosed, CISA Director Jen Easterly called the Log4J vulnerability “one of the most serious” in her 20-year career in cybersecurity.
The vulnerability [CVE-2021-44228], first reported by Alibaba researchers on Nov. 21, 2021, is a remote code execution vulnerability found in Log4J, which application developers use prolifically, including in medical devices. It is also a fundamental component of many cloud services and can be exploited with just 12 characters.
As soon as this vulnerability became public, our ClearDATA team observed an unprecedented volume of events related to reconnaissance and initial exploitation attempts. This stage is where the attacker actively interacts with a target system to gain more information about services, software and potential vulnerabilities to exploit.
As knowledge of the vulnerability spread, the healthcare industry also observed attackers leveraging Log4j to deliver ransomware payloads. ClearDATA successfully blocked attempted attacks, but it kept us busy for weeks and still does. Due to its massive adoption, Log4J will pose issues to developer and security teams for much longer than most expect. I urge our healthcare security and technology leaders not to let their guard down on this one.
Q. It seems like hospitals and health systems are always battling cybersecurity threats with limited budgets to mitigate risk. What do CISOs and CIOs who find themselves in these circumstances be doing?
A. Given the Russian attacks on Ukraine, and the U.S. and NATO ally response, the threat of cyberattack is higher than it has ever been. Russia is committed to using cyber warfare as part of its war playbook, and has been attacking us for years.
In the U.S., we’re preparing. Much of the U.S. critical infrastructure is owned or managed by private sector partners. The Department of Homeland Security, through the Cyber and Infrastructure Security Agency and the FBI, have been working very closely with all critical infrastructure partners.
These agencies are working to ensure information sharing and ensure critical infrastructure partners implement proper cyber operational hygiene.
CIOs and CISOs should look at what they can do now while planning for longer-term solutions.
Short term actions include:
- Put your security and IT operations teams on high alert for any suspicious behavior.
- Examine your networks and update firewall configurations with the latest guidance from CISA, the FBI and your firewall vendor.
- Consult your data maps and fortify systems that transmit, store and process sensitive data.
- Scan your assets and patch vulnerable systems.
- Shut down unnecessary assets that are running.
- Rotate passwords for all users.
- Make sure you implement multi-factor authentication ASAP.
- Make sure your data and your applications are backed up and in a safe location away from your production systems.
- Enhance your operational and security monitoring.
- Share with your workforce how to identify threats, including avoiding phishing attacks and malware.
Longer-term actions include:
- Inventory your technical assets and ensure they are maintained, monitored and managed.
- Eliminate the use of end-of-life systems that no longer have manufacturer support.
- Use hardened compute images devoid of unnecessary open ports, services and software.
- Start a data discovery and mapping project if you don’t know where your data is.
- Hire more cybersecurity talent, or find a great partner to help in this area.
- Alter your data models to reduce the blast radius in case of hacking attempts.
It’s important to understand that there are downstream effects for every successful attack on a healthcare provider. Compromised data affects a patient in dramatic ways.
If a healthcare organization is taken offline because of a ransomware attack, patients don’t get the care they need. Surgeons postpone their surgeries, information necessary to perform a life-saving surgery becomes inaccessible, ambulances face diversion to healthcare facilities miles farther, and patients suffer.
The stakes are high in healthcare. I’m mindful, though, of the CIO or CISO struggling to attract the talent necessary to help mitigate the risks. Cyber talent is expensive and in limited supply. Cloud talent is costly and in limited supply. Combining the two skill sets drives the price even higher. I’m empathetic to their plight.
They know what to do, but their budgets often don’t let them invest where they must. The Health Sector Coordinating Council and the Cyber Workforce Development Initiative published the Health Industry Cybersecurity Workforce Guide to help CISOs and CIOs find and develop cyber talent. I consider it a valuable resource.
I also come back to culture. Suppose a company has a great culture, rewards its employees, and values them by supporting them in their career development. In that case, it’s easier to attract cyber and cloud talent.
Make working for your company fun. Make it rewarding, and drive it all home with a worthy mission. I’m not an organizational coach, but I do know what a good organization feels like. Two of my favorite authors on organizational health are Patrick Lencioni and Jim Collins. I urge leaders in any organization to consider their teachings.
Q. What do you say to healthcare CISOs and CIOs who continue to have concerns about security in the cloud?
A. Healthcare providers have been cautious cloud adopters, but they also understand that the cloud offers strong security measures and attractive “pay as you go” cost models. Yes, providers also know that they have to roll up their sleeves, learn entirely new technologies, and be responsible for data and application security.
Healthcare providers struggle to transform their digital front doors to serve patients better. Still, finding and keeping skilled resources to operationalize cloud workloads is a daunting task. Talent is expensive and increasingly scarce.
I’ve been preaching the value of the cloud since 2011, and I’ve always believed the cloud to be a better solution than an on-premise data center. To the CISO and CIO, I urge you to begin your cloud journey if you haven’t already. Get a partner to show you how, and by all means, insist on transparency in your security, compliance and operational performance indicators.
Ultimately, for providers, it comes down to how best to protect patient data while innovating to better serve and attract patients as demand for highly qualified talent continues to outpace supply.