Inside Cybersecurity

Former Obama cyber commission head warns of security risks as health sector races to automation

By Rick Weber / March 13, 2018

The former director of the Obama administration's cybersecurity commission is cautioning the health industry against moving too quickly to data-driven innovations and automation without adequate security consideration, advice that comes as the industry faces increased ransomware and other denial-of-service attacks.

“Healthcare is looking for all the ways to automate and create efficiencies as fast as possible, but it's got to be having the security consideration at the same time,” said Kiersten Todt, former executive director of President Obama's Commission on Enhancing National Cybersecurity.

Todt spoke last week at an event hosted by the Wall Street Journal during the Healthcare Information and Management Systems Society annual meeting in Las Vegas, on providing advice for healthcare executives about preparing for and surviving a cyber attack.

“Data breaches are not a demonstration of failure if you've prepared appropriately and you have the right type of infrastructure in place to manage the disruption, block the expansion and impact of the event,” Todt said in an interview with Inside Cybersecurity that recapped her March 7 remarks as part of a panel discussion at HIMSS.

Todt cited the unique challenges faced by the healthcare sector given the large number of “end points” in the use of data, the diversity in size of healthcare organizations, and the “sensitive” nature of the data used by healthcare providers.

“I can't think of another critical sector where you have an individual representing an enterprise,” said Todt in referring to a single-physician practice, and “all the way up to an entire hospital network.” She said this wide variation in size poses a significant security challenge for healthcare providers, where “the smallest operation can be the weakest link along the value chain.”

The sensitive nature of the data used by the health sector also poses a challenge, according to Todt.

“We're approaching a point where critical information is more important than critical infrastructure,” she said, adding “this goes to another level” when talking about the healthcare industry because of the “sensitive information” it handles.

“It's not just personally identifiable information” but information about the most personal aspects of an individual's health, “which is a different level of compromise and privacy vulnerability than in any other sector,” said Todt.

Todt said the move toward automation has to include human intervention because of the “ethical issues” related to automating certain healthcare functions and the fact that individuals are at the “end point” in the use of this data.

“More has to be invested in that understanding” of the role of individuals, Todt said, noting that emails and networks are among the top “vectors” for attacks on the health industry. “We have to be careful about what gets automated.”

She argued that cybersecurity has “got to be a risk management approach,” and pointed to “the ineffectiveness of compliance” with regulations in meeting evolving cyber threats.

She said the industry's requirements under the Health Insurance Portability and Accountability Act -- which governs the privacy and security practices of healthcare providers -- will have to “align with innovation” as the industry becomes more automated, interconnected and reliant on data.

How the industry will “reconcile regulations with use and effectiveness is a challenge,” she said. “Innovation has to be at pace with security, and if innovation runs ahead of security, particularly in health care, we run the risk of breaches, but truly run the risk of physical harm” for patients.

Todt cited the commission's report issued in December 2016 and its recommendations on incentives as advice for the rapidly changing health sector.

The commission recommended “building in incentives for the development of these devices and systems,” she said, while noting that the role of non-profit organizations in health care is different from that in other critical sectors, such as the financial services industry, which is also heavily regulated but driven by profit.

The health industry is “so eager to innovate and the security conversation is not running in parallel,” so there is “not a true understanding how all this innovation is impacting security,” Todt said.

Todt spoke on a panel that included James Routh, chief security officer at Aetna, and Harris Schwartz of NTT Security.

HIMSS officials at the meeting released the group's third annual cybersecurity survey which found that email phishing remained one of the top threats for the industry.

“Most healthcare organizations’ cybersecurity programs have room for improvement,” concludes the annual report. “Significant barriers exist for remediating and mitigating security incidents. Some organizations do not yet have formal insider threat management programs. Risk assessments widely vary from organization to organization,” the survey found. -- Rick Weber (rweber@iwpnews.com)