Cybersecurity in healthcare: Even with progress, many vulnerabilities remain

In an interview with Chief Healthcare Executive, Lee Kim of HIMSS outlined the current threats, how health systems are responding, and where they need to improve.

Hundreds of healthcare organizations have been breached in cyberattacks in recent years, and experts such as Lee Kim said the health sector remains far too vulnerable to bad actors.

Kim is the senior principal, cybersecurity and privacy at the Healthcare Information and Management Systems Society (HIMSS). Scores of hospitals have been hit with ransomware attacks. CommonSpirit Health, one of America’s largest hospital systems, suffered a ransomware attack this fall, and patient information was accessed. More than 600,000 people were affected by the breach, according to the U.S. Department of Health and Human Services.

“The threat of ransomware hasn't gone away,” Kim told Chief Healthcare Executive.

“Certainly the extortion techniques that are used to try to force hospital systems to pay ransom, that’s certainly in vogue at the current time,” she said. “I think as we look at the past incidents in this past year, obviously, ransomware is among them.”

Hospitals and health systems are vulnerable to other threats, including those aimed at third-party vendors, as well as attacks that prey on individuals who want to help a colleague, manager or another business in a time of need.

Health systems are paying more attention to cybersecurity, but Kim said hospitals and healthcare leaders can still be doing much more to repel attacks or at least minimize risks. In an interview with Chief Healthcare Executive, Kim outlined the threat landscape and where systems must improve to protect patients and avoid costly attacks.

“We do see some organizations that essentially are probably applying a wait-and-see approach because they haven't been breached yet,” Kim said. “And I think it's human nature to be more reactive and wait and see than be proactive.

“Unless, of course, you've actually had an incident.”


Persistent problems

Each year, HIMSS conducts a survey of cybersecurity professionals to gauge what kind of threats they are facing, and what kind of support they are getting from their organizations in improving their defenses. In the HIMSS 2021 survey, two out of three cybersecurity professionals said there were significant security incidents within the previous 12 months. (Here’s a link to the new survey, which is being compiled now.)

While ransomware attacks command significant attention, health systems are often being victimized by “the old tried and true supply chain style of attacks,” Kim said.

Attackers are finding ways to infiltrate vendors to get into health systems and hospitals. And since hospitals rely on hundreds of vendors, Kim said they offer a way to bypass health system defenses.

“They feel as though going through that side door is easier than going through your front door, so to speak,” Kim said.

“They will probe and try to infiltrate your third party partner to get to you. And we've seen that sort of attack since at least January 2014, in the healthcare sector and other critical infrastructure sectors,” Kim said. “So some of the old ways of getting in are not new, they've been with us. But unfortunately, third-party vendor management tends to be a bit of an area where for many organizations, it still needs improvement.”

Healthcare systems must pick up the pace in shoring up vulnerable areas after attacks, Kim said. Too often, hospitals have been hit multiple times because they haven’t addressed weaknesses or deployed up-to-date defenses.

Hospitals and health systems should be monitoring the alerts from the federal government about cyberattackers, ransomware threats and software vulnerabilities.

“If these things aren't adequately addressed, then of course, they will be exploited time and time again, especially if these are ones that are very, rather trivial to exploit, especially if these are ones that are quite, quite common,” Kim said.

“These bad actors are smart,” she said. “They'll use the same tactics, techniques, procedures or very trivial variations of them to try to get in. And why do they, for example, need to invent a new esoteric, obscure way of getting in where they could get in through more or less, the front door.”

Healthcare systems also need to give more thought to threats that could emerge from inside the organization and leave systems vulnerable.

“It's always a risk that we have insider threat, whether it's people that are negligent, or whether people that are malicious, such as disgruntled employees and contractors,” Kim said. “So inside of our healthcare organizations, hopefully, we'll be thinking about maybe putting together formal policies and procedures around that.”

‘It’s all about priority’

HIMSS held a cybersecurity conference in Boston earlier this month, and Kim said she’s hearing some encouraging words about health systems investing more to improve their defenses.

Some are finding it’s “an easier ask” to implement steps such as multi-factor authentication, she said. More healthcare organizations are also putting in more time on staff training, she said.

Still, many systems aren’t spending much on cybersecurity. In the 2021 HIMSS survey, 40% of participants said 6% or less of their information technology budgets were devoted to cybersecurity.

“Just like so many things in life, we have the cybersecurity haves, and we have the cybersecurity have-nots,” she said. “This will always be the case.” Some can invest in next generation technologies, she said, while other systems will be relying on open source and lower-cost solutions.

Many hospitals are also dealing with financial struggles, and more than half of the nation’s hospitals may finish 2022 in negative margins, the American Hospital Association has projected.

While hospitals face some dire finances, Kim said hospitals could pay the price if they don’t invest properly in cybersecurity. Cyberattacks threaten the health of patients, and attacks are costly in terms of recovery and lost revenue, Kim said. The average healthcare breach cost $10.1 million, according to an analysis by IBM Security.

Plus, cyberattacks can damage health systems in ways beyond finances and operations.

“Obviously every organization wants to be out of the headlines,” Kim said. “And I think that we know, based upon the various studies that monitor metrics, such as how much do data breaches cost us, that most of the expenses, most of the costs, are not necessarily even paying ransom, they aren't necessarily even dealing currently with the incident.

“They're just so expensive,” Kim said. “So, so many more expenses involved in terms of the recovery, and also ensuring that the organizations are more resilient. So the long-term impacts, the long-term costs and long-term economics, I think, are much more significant than what's in the short term. And for those of us, I'd say that are acutely aware of the risks to patients and the risks to our businesses, from the administration perspective and the financial perspective, I think those are the organizations where, even though there is less money to go around, it's all about priority.”

Leaders, clinicians must engage

Healthcare organizations that are typically doing better with cybersecurity have strong commitments from CEOs and their boards of directors, Kim said.

When top leaders are involved, information technology teams and cybersecurity professionals generally have an easier time making the case for greater investments in security.

Top healthcare leaders and boards must be involved and engaged, Kim said. Boards should also be getting, or seeking, regular updates on cybersecurity within the organization.

“A cybersecurity program will not function by itself in spite of a wonderful program setup, if it doesn't have support of the organization, of the leaders that are helping to push change,” Kim said.

Clinicians must be involved, particularly to promote cybersecurity as a priority to protect patients, she said. More health systems are getting doctors and nurses involved and taking a cross-disciplinary approach to cybersecurity, Kim said.

Health systems should also consider giving chief medical information officers and chief nursing information officers prominent roles in cybersecurity efforts, Kim said.

“These are the people that are in and out of our emergency rooms, and they have regular clinical duties, but they also work on the informatics side,” Kim said. “So they're very attuned to what's going on in terms of informatics, and as it bridges to IT. And they're such a valuable wealth of information because they do sit between those two worlds.”

“I think that it's now time for the industry to integrate them more into our strategy as it relates to our cybersecurity and frankly, our data privacy programs as well,” she said.