Bob Chaput
Clearwater Compliance

Healthcare systems are playing major catch-up when it comes to cybercrime. Bob Chaput of Clearwater Compliance explains more

Are hospitals and healthcare systems doing enough to protect against cyber attacks and cyber threats?

The punch line is this: hospitals and healthcare systems are playing major catch-up. Incentive money to digitise healthcare has taken priority. Historically, we have been years behind other industries in the adoption of technology, and when it comes to safeguarding healthcare information, a decade behind. In addition, hospitals traditionally view cyber risk management as an issue for their information technology professionals to manage. What we are seeing is the perfect storm emerging. Patient health is extremely vulnerable. The changing threat environment and the internet of things (IoT) is blurring lines between information security and patient safety and is requiring each discipline to expand its scope.

Healthcare leaders need to gain greater visibility into what’s happening enterprise-wide as it relates to IoT devices and proactively monitor threats across the organisation. It’s not only about the traditional IT assets such as the electronic health record system and the pharmacy and radiology systems, it’s also about biomedical devices that are attached to our patients or implanted in them. We see this as a large and growing business risk management issue, around which healthcare could be doing a whole lot more.

Medical devices today can be used in the home, across networks in hospitals, and embedded in the patient. However, many IoT-enabled medical devices were manufactured without understanding the full implications of cybersecurity. IoT-enabled medical devices can expose people, hospitals, and manufacturers to many significant risks. These risks include possible harm to a patient’s safety and health, loss of Protected Health Information (PHI), disruption of information flow of connected devices, physical interference with equipment, impact on business operations, damage to critical infrastructure, and unauthorised access to devices. Within hospitals, these devices enter through numerous channels. Any threats to the confidentiality, integrity, or availability of information represent threats to patient safety. Identifying and mitigating potential risks in legacy and connected devices is an important challenge for the industry. Many organisations are starting to take action on the cybersecurity and privacy fronts.

Hospital and healthcare systems in particular are playing major catch-up as it relates to cyber attacks, and there are opportunities for improvement. What we’ve had in the US as a result of the Electronic Health Records (EHR) incentive monies that have been awarded by the government through the 2009 American Recovery and Reinvestment Act (ARRA) is a great digitisation of our health care system. This significant investment in digitising healthcare has really taken priority over the matter of safeguarding it.

Is technology moving too fast for health systems to keep up?

There’s no doubt that the evolving pace of technology is moving too fast for the healthcare industry, but traditional approaches to patient safety and healthcare information risk management need to run alongside and evolve to address today’s technology and emerging direct threats to patients.

The fast change of technology opens the door to a wide spectrum of threats, ranging from traditional intrusions designed to steal PHI to more novel attacks, such as tampering with biomedical devices or blocking access to essential records systems. Information security has become an essential component of patient safety. Concurrently, the information needed to provide care resides in more places than ever before, including electronic health records; the smartphones, tablets and laptops carried by physicians and other caregivers; intelligent medical devices such as smart pumps, monitors and implants; patient portals; and mobile health apps, not to mention provider partners, business associates and other members of the patient care ecosystem. Safe, quality care depends on timely access to this information. Therefore, any threats to the confidentiality, integrity or availability of information represent threats to patient safety.

In large hospitals or health systems, departmental heads have a fair amount of autonomy over their selection and deployment of technology, and there are risk consequences. The IT person who is responsible for the networking and computing, applications and infrastructure is often unaware as new devices are attached to his or her networks. It’s a challenging problem for CIOs.

Hospital and Health System CIOs and Chief Information Security Officers (CISOs) must collaborate with peers to integrate their cyber or information risk management (IRM) strategy into their organisation’s overall enterprise risk management/governance, risk management and compliance strategy. Both must become part of day-to-day operations and address the requirement to respond to inevitable cyber incidents and restore normal operations. When hospital leaders adopt an integrated IRM/ERM strategy, there can be greater returns for the organisation in terms of expanded knowledge, informed decision-making and reduced cyber risk. But, when they choose to ignore the strategic importance of IRM, the resulting complaints, breaches, failed audits or cyberattacks can erode the confidence of patients and staff, limiting the organisation’s ability to grow.

With so many areas to protect, how do hospitals and healthcare systems go about understanding cyber exposures?

First and foremost, hospitals need to do a better job of understanding their exposures. Hospitals and healthcare systems should be encouraged to look at the expanded ecosystem of the healthcare organisation and conduct a comprehensive information risk management (IRM) approach that is not a checklist. It’s a fundamental matter of identifying exposures and understanding them better. Understanding cyber exposures is the starting point.

How have hospitals and healthcare systems become big targets for cyber attacks? What threats are they actually facing?

What better place is there for a bad guy to look than in health care—it’s the single biggest hub for data. It’s a veritable library of our personal information and a treasure trove of that information. Not only do we have electronically protected health information, we have other personal identifiable information that includes driver’s licenses, dates of birth and, probably, payment card data.

The types of cyber threats and attacks that organisations are facing include these four categories—adversarial, accidental, structural and environmental. In doing a risk analysis, these are the four categories that are evaluated.

Of those four categories, the cyber attacker falls into adversarial. Organisations have threats in the adversarial category other than foreign nations. It might be a malicious insider, and that individual may be the person who’s siphoning and infiltrating all kinds of data from the organisation.

The accidental cyber threat can be in or outside the organisation. It can be as simple as a backhoe operator digging up a fiber optic cable that could disconnect your hospital from its electronic health record system.

Structural threats are subject to the laws of physics; we’re dealing with electro-mechanical devices there.

Environmental risks have to do with fires, earthquakes, mudslides and hurricanes. Health care can fall victim to these natural disasters.

In your opinion, what is the safest way to safeguard patients’ healthcare?

The first step is to conduct comprehensive risk identification and assessment. The second step is to build a programme—not a once-and-done programme—but to adopt a cyber security framework, formal process and maturity model mentality; establishing, implementing, and maturing a programme.

The only way you can do this is if you understand what your exposures are. The most effective way is at a very operational level, by adopting a comprehensive, accurate risk analysis. This way you will gain a better understanding of your exposures and be able to address important compliance requirements.

Building a programme that adopts a cyber security framework, and adopting a process and maturity model mentality, shows continuous process improvement. This work needs to turn into establishing, implementing and maturing the programme.

Hospitals must be very wary of a “control checklist”. Controls are a guide and source of actions you might take when, and only when, you understand what your exposures are. In the absence of that, you may be overspending or you may be woefully under-protecting your information assets. So you need to be wary of control checklists.

Checklists will tell you to implement encryption, a firewall, data leak protection, a strong malware system and a good training programme, but if you have limited resources, how do you know in what order you should implement those? You will only understand that when you know your exposures.

How can a captive help solve the problem?

It’s about revenue and reputation and regulation … what we are seeing is that privacy/cyber risk is bleeding into professional liability issues.

A captive structure can be the keystone to a healthcare organisation’s risk management strategy. Captives have long been a haven for funds used to finance risk.

But, difficulties in measuring cyber exposures and concerns over the size of the exposure are still holding many captive owners back. Rather than securing funding to address the after-effects of a cyber attack, organisations should understand how a captive can be used to provide grants to the captive owner for reducing cyber risk and improving patient safety through training, periodic risk analyses and compliance assessments.

Do you think there should be more regulation in terms of cyber security for healthcare to make sure these big organisations understand their cyber exposures?

I’m not a fan of more regulation. The issue here is enforcing the regulations that already exist, implementing more accountability.

If anything, I would tweak the regulations around accountability. The mantra of health care is “first, do no harm”. All we need to do is move this newly created matter of creating harm onto the agenda of those people who have, naturally and historically, been risk managers.

The latest interviews from Captive Insurance Times