In this Q&A, David Finn, executive vice president of strategic innovation at CynergisTek, a cybersecurity consulting firm, shares his views on how the dwindling number of insured is affecting cybersecurity efforts in healthcare and how a solution lies in a commonsense approach to cybersecurity for healthcare programs.
This interview has been edited lightly for length and clarity.
What do you see happening with insurance coverage and how does that affect cybersecurity for healthcare programs?
David Finn: [The number of] Americans without health insurance is up about 3.2 million people from 2017. That is concerning because it’s the highest increase since 2008, which actually predated the implementation of Obamacare. Healthcare is about 18% of the economy, which is an unhealthy share for any single industry to consume.
Fewer insured lives mean less reimbursement for providers. At the end of the day there is no free healthcare. Someone is paying for it. Even if someone isn’t covered, either on the marketplaces or they don’t have their own insurance, those costs are going to be passed on or absorbed somehow. So the less money there is for patient care — because the number of patients doesn’t appear to be declining and the aging population is increasing — the less money there’s going to be to do the other work of healthcare, the less important work, the back office work: things like security and IT and interoperability, which would actually improve healthcare if we could spend the money on making the healthcare system more automated, more digitized and more efficient.
How can a successful cybersecurity for healthcare program be built, even with diminishing budgets?
Finn: This is one of the many things that has perplexed me for many years because it isn’t rocket science. There is some technology needed, there are some skill sets needed. But one of the things I see is that a lot of organizations — maybe they’ve just been through their risk assessments, or maybe they’ve had an event and they’ve decided they need to fix that particular issue around technology and the weaknesses they may have or the vulnerabilities they may have — … [decide] they have to fix everything all at once and that isn’t how security gets built. You have to start with a vision of where you want to be. You have to decide what’s important for your organization.
So you have to scale your security program and understand you’re not going to fix everything all at one time. You have to prioritize those risks, determine what is most important to the organization, to the patient care, to the business of healthcare at that organization and then start building it.
I’ve seen organizations spend lots of money on bringing in tools to help them with security and then they realize they don’t have the staff to maintain them or the people they’ve trained to do that have left the organization. You have to match your security program to your technology plan and strategy, and both of those have to be connected to the overall business strategy of the provider. And those are the disconnects I see most often: designing security to support IT and IT to support the business of healthcare.
What is the starting point for building a successful cybersecurity for healthcare program?
Finn: It’s the one part of HIPAA that Congress and HHS got right, and that is starting with a risk assessment. But we tend to approach that as a technical security risk assessment, and that might have been fine when HIPAA was originally written because information technology wasn’t as key to the business of healthcare. You could almost look at it as an IT and security issue. But today, the business runs on the EMR, it runs on your enterprise resource planning projects around inventory and payments and receivables. It runs on the clinical systems for placing orders and fulfilling those orders.
But we haven’t made that adjustment in how we run the business. We don’t think of that EMR as our core business operation, so in a lot of hospitals, a lot of physician practices, they still think of IT as something you do in addition to caring for patients. But these systems are now part of your operation.
So our risk assessment has to change from being, ‘Oh, these ports are open and this system doesn’t have the right password length,’ to ‘What happens when Epic shuts down? What happens when IT can’t order X-rays because the [imaging] system is down?’ So we have to shift that focus on risk assessment to not only security — we still have to do that, we want everything to be secure — but we have to consider it in terms of the impact to patient care, the quality of care and the clinical and business operations of the organization.
What is an example of a personnel-friendly approach to a cybersecurity for healthcare program?
Finn: Everyone has to have a designated security person. But the truth of the matter is you can have a chief information security officer, you can have a fully staffed information security department, you can have a wonderful governance structure — but the technology risks come down to a personal level. People leave their machines logged on, people click on email that they shouldn’t.
Every person in your organization, and not just employees but workforce members — the volunteers, the visiting nurses, the doctors who come in — everyone is part of your security team and has to be built into that, they have to be trained. I’ll be the first to admit security training can be extremely dry and boring, so you have to engage everyone across the organization, and you have to do that in a way that is meaningful to them, that relates to them.
Everything you’re doing in terms of security in your organization applies to them at home, it applies to the mobile devices they use. Sometimes they are using those mobile devices to interact with hospital resources and you don’t control those end points as the security officer at the hospital. So it behooves all of us to make everyone more secure because everything is so interconnected. That’s what I mean by personnel-friendly. And kind of building it in: You don’t want to send people for three hours of security training on their first day. You’re better off doing 15 minutes every month, and that can be web-based or an email or whatever, and it becomes top of mind so you have a personnel-friendly approach to it.
Where organizations use phishing exercises, we’ve seen security actually be enhanced. The hit rate for those phishing exercises dropped way down and very quickly. We’ve seen click-through rates of 60%, 70%, 80% drop very quickly down to 20% or less. And that’s improved security without spending a lot of money or investing a lot of time.
And we could do that with other common attacks, making people aware of the issues, helping them understand it’s not only the patient information they’re protecting, but they’re protecting their own information, they’re protecting the hospital’s information and they’re making themselves more secure.