CEO Report – Mitigating Cybersecurity Risk
Posted on March 01, 2020
"Computers are useless. They can only give you answers." — Pablo Picasso
What comes to mind when you hear the word “tailgating”? Meeting with friends on a crisp fall afternoon outside the football stadium of your favorite team, firing up the grill, enjoying a few drinks before the big game? Until a few years ago, that is exactly what came to my mind. Unfortunately, “tailgating” has taken on a new meaning for me, and words and phrases like phishing, spear-phishing, smishing, vishing, spyware, malware, ransomware, and social engineering have conspired to keep me up at night. If you are unfamiliar with these terms, you need to get up to speed, and in a hurry.
Cybersecurity has leapt into the public consciousness in a big way, and the terrifying reality is that, according to all the experts, healthcare is now the number one target of cybercriminals across the globe. The average cost of a healthcare-related breach is nearly three times the industry average, as personal health information can be as much as 10 to 50 times more valuable on the black market than credit card information. Beyond the financial risk, reputational harm — jeopardizing the trust of the patients and communities we serve — could be even more expensive.
In Michigan alone, we know all too well that no hospital, health system, physician practice or health insurance company is immune from an attack — and those are just the cases that we know about, which have been reported in the media. It isn’t just patient health and financial data that is a target, but even medical devices. Three years ago, the first documented cyberattack that affected medical device operability occurred; more recently, Medtronic in 2019 recalled certain MiniMed insulin pumps due to cybersecurity risks. To state the obvious, hospitals care for the vulnerable, the sick and the injured. Our need to be open 24/7/365 makes us soft targets for cybercrime, particularly ransomware attacks. The possibility of having to close an emergency department, or the inability to access an electronic medical record, is literally a case of life and death.
The MHA is taking this threat very seriously. My top priority as MHA CEO is the physical and psychological safety of our staff, as well as the safety and confidentiality of the data that we have been entrusted to house. As a result of a comprehensive review of our protocols, including both physical and cyber “penetration testing” by an expert consultant, we have implemented significant new safeguards. All MHA employees now must wear a photo ID badge/swipe card, and entry to our headquarters requires dual-factor authentication (using the physical swipe card, as well as entering a passcode). Visitors can no longer simply gain access to our facilities (and potentially our servers and computers) by walking in the front door, as we now have a state-of-the-art badging process to proceed beyond the lobby. All MHA employees — myself included — are required to complete periodic cybersecurity training. And we routinely test ourselves with phishing schemes generated by our consultants to gauge whether we are recognizing and appropriately dealing with fraudulent and potentially damaging emails. We have deployed a new, more robust Barracuda service that, in the last month alone, successfully prevented 259 real-time phishing attempts against the MHA. Finally, we have implemented dual-factor authentication to gain access to our work PCs and laptops, thereby creating another line of defense should these devices fall into the wrong hands.
I am proud to say that the MHA is also working with our members to address this critical issue. Together with several partners, including Beaumont Health, Michigan Medicine, Munson Healthcare and Cyber Force Q (formerly Sequris), the MHA helped found the Michigan Healthcare Security Operations Center (Mi|HSOC), based in Plymouth. The Mi|HSOC is an advanced cybersecurity capability created for healthcare providers by healthcare providers, with the proven ability to prevent, detect, analyze and respond to cybersecurity events. This entity — the first of its kind in the nation — is operating 24/7/365; has created a shared workspace for the exchange of technologies, practices, processes and lessons learned; and is actively aligning with both state and federal critical infrastructure protections. In addition to tracking a steady stream of metrics, the Mi|HSOC is routinely engaging with authorities such as the Michigan State Police Cyber Division, the FBI and even the Secret Service. For those who are familiar with the MHA Keystone Patient Safety Organization (PSO), you can easily see many parallels here in terms of our approach; for years the PSO has allowed us to collect and analyze patient safety data from our members while also convening experts and caregivers in “safe table” meetings to learn about risks and how to deploy best practices.
MHA Chief Information Security Officer Mike Nowak and MHA Senior Vice President of Corporate Support Services Charlie Johnson have been doing a great job “running point” on these internal and external cybersecurity efforts. We also continue to work with our friends at the American Hospital Association (AHA); the AHA recently hired John Riggi, a former leader of the cybercrime unit at the FBI, to a new, full-time position to facilitate work in this space. In addition, the Healthcare Sector Coordinating Council has released a guide to help healthcare organizations attract and retain skilled cybersecurity talent, while a U.S. Department of Health and Human Services task group has released cybersecurity guidelines for the healthcare field.
Complacency is not an option when it comes to cybersecurity; we must continue to be vigilant and cautious. Doing everything in our power to mitigate this evolving risk is our best option to allow our physicians, nurses and staff to do what they do best: care for our patients. As with other important challenges, please know that the MHA is here to help.
As always, I welcome your thoughts.
Posted in: MHA Rounds