“The reality is that we are dangerously insecure,” reads the introduction to the report released earlier this year from the bipartisan national Cyberspace Solarium Commission. “Your entire life – your paycheck, your healthcare, your electricity – increasingly relies on networks of digital devices that store, process, and analyze data. These networks are vulnerable, if not already compromised.”
Those of us in healthcare, the most targeted industry, already know that, of course. But nationwide, the stakes are even higher.
“Our country has lost hundreds of billions of dollars to nation-state-sponsored intellectual property theft using cyber espionage,” according to the report. “A major cyberattack on the nation’s critical infrastructure and economic system would create chaos and lasting damage exceeding that wreaked by fires in California, floods in the Midwest, and hurricanes in the Southeast.”
At the HIMSS Healthcare Security Forum on Tuesday, Senator Angus King, I-Me., who co-chaired the Cyberspace Solarium Commission (which issued a 200-page report offering more than 80 recommendations toward a multi-layered national cyber defense strategy), said the federal government has to do much more.
But that doesn’t absolve healthcare organizations in the private sector from their own responsibilities as phishing campaigns proliferate, ransomware attacks reach a fever pitch and nation state actors take aim at the COVID-19 vaccine supply chain, he said.
“The pandemic has taught us two important lessons in the healthcare field,” said Senator King in his keynote.
The first is that “the unthinkable can happen,” he said. “A year ago, none of us would have been talking about wearing masks, social distancing, and hundreds of thousands of people dying. I mean, it was literally unthinkable to have this tragedy occur. Well, a cyberattack is unthinkable, too, but the pandemic taught us that the unthinkable can happen.
“The other thing this has taught us is how important telehealth is,” said King. “In the first weeks after the onset of the pandemic, telehealth visits went from 12,000 a week to a million a week across the country.”
That’s great for enabling care delivery in the midst of a pandemic, but that raises new issues, he said.
“Who thought before that a home router was a security risk, was something that we needed to worry about, because a lot of the telehealth is not from remote facilities to the hospital, but from the home to the hospital or the healthcare provider. All of a sudden, the connection into the home and the router in the home, and all of the infrastructure is also at risk.”
(As an aside, King said that one of the “number one priorities coming out of this, in terms of the economy and infrastructure, is broadband. It’s got to be ubiquitous and it’s got to be affordable.”)
When it comes to cybersecurity, in the healthcare sector and beyond, “unlike many other national security threats – terrorism, for example – this is not a strictly government function,” said the senator. “In fact, it’s not even a majority government function: 85% of the target space for cyberattacks are in the private sector. That’s where we’re vulnerable.”
So there has to be a much closer connection between the private sector and the government, he said.
“And that means reporting. That means sharing information. That means developing relationships of trust. You have to trust that when you report to CISA, you’ve got to be able to have confidence that that will be acted upon and that the information you share will help to protect others.”
The government can “write laws, set up joint reporting systems and all of those kinds of things – which we have recommended in our Solarium Commission report,” he said. “But it’s also got to be more intangible in terms of trust and confidence and sometimes unaccustomed close relationship between the private sector and the public sector, because that’s the only way we’re going to be able to defend ourselves.”
As the government gears up to develop a more comprehensive strategy, the healthcare industry has some steps it can take on its own, said King:
- Go to the cloud. “In our report we recommend cloud-based systems because it’s a lot easier to have a really strong and important security at one place in the cloud, rather than rely upon the security arrangements of hundreds or thousands of different individuals. If you’re on the cloud, you have less of a risk for ransomware attack because you can download your data that otherwise would be held for ransom by an attacker. So the judicious use of the cloud, I think, is one of the important things that we can do.”
- Always patch. “It seems pretty basic. But I’m sure many of you … sometimes pull out your hair when the patching doesn’t happen on a timely basis. You’ve got to go and make that happen.”
- Share information. “If your entity is being attacked, chances are someone else already has been or will be in the future. And to the extent we can share information through CISA, through other government organizations, through your national organizations, that could be very helpful. It can help you, but it also can help prevent serious attacks to your colleagues at some later date.”
- Prioritize basic cyber hygiene. “I can’t remember the exact figure we were given during our deliberations in this area, but some huge number – 85 to 90 percent of malicious cyberattacks – can be prevented by good ol’ cyber hygiene: educating your workforce not to click on phishing emails; checking on the background of people that you don’t know that are trying to penetrate your system; being very careful about opening attachments.”
Meanwhile, on a larger scale, the U.S. government absolutely has a responsibility to develop a better overall national cyber strategy, he said.
“Part of the failure of our strategy thus far has been a lack of a real deterrent, a lack of something that our adversaries feel is something they have to worry about. I want a group of people sitting around in the Kremlin saying, ‘Well, maybe we shouldn’t attack the next American election because we know they’re going to respond. We know it’s going to cost us something.’ Historically, there hasn’t been much of a cost paid by our adversaries.”
Cyberattacks are inexpensive for foreign bad actors to perpetrate, he pointed out.
“I once did a calculation that Putin can hire 8,000 hackers for the price of one jet fighter,” said King. “There’s got to be a cost imposed in terms of a response. And we’ve got to have a deterrent capability. That’s one of the major recommendations of our Solarium report. That’s what we’ve got to do in order to protect you on the national level.”
No question, this is a fraught new era.
“It is an incredibly serious and dangerous risk to the United States and to your critical and important and essential institutions throughout the country,” said King. “You have an important role in protecting your institutions. The government has a role to assist you in that. And if we all work together, we can minimize this risk.”
Taking Stock of Progress and Looking Ahead
This December, we look back at a challenging year – and forward to what we hope is a better, stronger, more connected and resilient healthcare ecosystem.