Healthcare under attack: What are the next steps?
The recent Anthem breach impacted almost 80 million people and promptly put cybersecurity in healthcare on the front burner. Lisa Gallagher, HIMSS vice president of technology solutions, spoke with Clinical Innovation + Technology about next steps for the industry.
Q: Were you surprised by the Anthem breach?
LG: I had heard that there had previously been similar attacks. This is not the first time we’ve seen nation-state hacktivists and since it’s not the first time, there are probably folks like that still targeting us. From that point of view alone, there will be attempts on a very serious scale with very serious skilled hackers.
Q: The federal Health IT Policy Committee spent a good deal of time during their last meeting discussing the privacy and security aspects of the draft national health IT strategic plan. There was some discussion that perhaps it would be best to focus on reducing harm rather than preventing cyberattacks since that is virtually impossible. Do you agree?
LG: The discussion at the HITPC was not just related to breaches, but rather it was largely related to patient consent. Under current law, in order to access data outside of TPO, we have to have either consent or use de-identified data. The discussion was that if we keep focusing on how we get the science of de-identification to the point where it’s completely error-proof and non re-identifiable, we will not succeed. That’s extremely difficult.
Therefore, we may want to look at some benefit/harm analysis. What is unsolvable down one path may be solvable down another. For example, if a patient was willing to opt in to a certain kind of research with de-identified data, knowing that with some changes it could be re-identified, but also knowing that it could be housed in a “walled off” dataset and not used for anything else, then perhaps this is an approach that works for the patient and the researcher.
So, the theme of the discussion was that we’re not going to solve every problem by de-identification so we need to think about what else we can do.
Q: What can the healthcare sector learn from the Anthem attack?
LG: Given the nature of the attack, we know it was nation-state actors executing an advanced, persistent threat (APT). In other words, they’re going to keep banging at the door until they succeed. We know this is happening. That realization really is coming to the sector. It’s not just breaches of privacy and hobbyist hackers—it’s serious attacks that are persisting. That takes it to this level where we not only worry about what individual organizations are doing but perhaps apply additional resources to the sector. There are some bills in Congress related to this and the president has been speaking about threat data sharing. We know that we have a pretty serious issue. We’re talking about ways to support the sector, not that we wouldn’t focus on individual organizations and trying to continue support of those, but we can do both. That’s the realization I’ve seen from the breach.
Q: What can and should healthcare delivery organizations be doing about this issue?
LG: The healthcare sector is very diverse. There are organizations of lots of different sizes, abilities, staffing levels and resources. Large systems with CIOs and CSO/CISOs are all working on this problem and doing a lot. But it’s a broad sector we’re looking at that includes many smaller organizations. It’s hard to generalize, but I think organizations are really working hard on this and they’re all doing so in accordance with their own level of expertise, sophistication and resources.
That doesn’t mean we don’t have a long way to go. We can’t talk about these issues anymore solely in the context of individual organizations and what they are and aren’t doing. This is a critical infrastructure being attacked externally so that’s not an entirely productive approach. It’s part of the conversation, but it’s not the only symptom. We need a lot of support on the threat data side of things. You can’t fight something you don’t know about, but there is no one consolidated place to find actionable threat information. We have bills in Congress and the president’s executive order but we are really recognizing that one thing we can do is focus on resources and infrastructure for gathering, consolidating and making available actionable threat data specific to the sector.
Q: Is there an ideal end-state for privacy and security in the healthcare sector?
LG: It’s always going to be a work in progress. I get asked by CIOs and CISOs where they can go for threat data. If the answer I have to give is 5-10 different places you can see how that wouldn’t work. Creating another source is not going to work. One source of consolidated threat information that’s actionable would be a big improvement.
Healthcare is one of the critical infrastructures for the nation, which is a definition that comes from the Department of Homeland Security (DHS). DHS works with each sector and a sector-specific agency, which for healthcare is the Department of Health and Human Services (HHS). They work together to support the critical infrastructure of healthcare and that’s where I think support at the federal level should come from. They need to figure out the best way to do that.
One suggestion is a consolidated threat source but there are probably other things they could do also. We at HIMSS focus on providing tools, resources and education at the organization level but inasmuch as this is a threat to a critical infrastructure, there is probably a lot more that could be done to support the sector as a whole.
A health sector coordinating council has been convened by DHS and one of the outputs is supposed to be an Information Sharing and Resource Center (ISAC). I think its funding and functionality are fairly limited at this point, but it already exists and could be expanded and better funded.
There are a lot of things going on. When you have a sector under attack, it comes to a new level. People need to come together more. We may not need additional mechanisms but more focus and more cross-effort coordination and maybe more funding and resources so we can understand the threat level and respond accordingly.
Q: What would you like to see happen on the privacy and security front this year?
LG: I would like to see the Office of Civil Rights give us a plan for HIPAA audits. HIMSS is going to give additional input on the ONC Interoperability Roadmap. I look forward to the evolution of that roadmap as a plan to deal with interoperability, privacy, security, etc. There will be a lot of hearings on the Hill--some around cybersecurity. Those won’t necessarily be focused on the healthcare sector, but we do need to understand what we need to do as a nation to protect our critical infrastructure. Our efforts need to be accelerated, mature and deep, and this year would be a good year to do that. If we continue to just discuss and debate and at the same time expect individual organizations to fight a battle against external threats, that’s not a good scenario.
If Congress passes a bill with funding for cybersecurity, we want to get the money where it needs to go as quickly as possible. In some sense, we’re dealing with things we knew we were going to have to deal with as we share information. Cyberthreats are adding a new level of complexity. It’s a really changing environment right now.
The ONC Interoperability Roadmap also raises lots of questions around privacy and security from the policy side when it comes to information sharing. The laws, regulations and program requirements at the state level all become challenging when sharing information. We at HIMSS are giving significant input on the interoperability roadmap. With interoperability as a goal, all of these other challenges become potential barriers. We want to make sure we’re working on the right things in order to be able to share information as we need to. It’s really evolving to a new paradigm where we all understand the rules of the road for sharing and at the same time protect the patient’s data.
Q: This will most likely be a huge topic during the upcoming HIMSS convention. Are you ready?
LG: We’re standing up on the show floor a new area called the “HIMSS Cybersecurity Command Center” which will consolidate information and resources around the topic. There will be lots of vendors, consultants and other resources. We’re going to have security challenges and do an interactive exercise with a specific threat. We’re trying to make sure we have a place attendees can go to talk specifically about cybersecurity. This is the first year we’re doing this but it has gotten a tremendous response.