cybersecurity...two years after the ransomware wannacry wreaked havoc, the threat to hospitals from...



Post on 28-May-2020


Page 1: CYBERSECURITY...Two years after the ransomware WannaCry wreaked havoc, the threat to hospitals from worm attacks has not diminished. The BlueKeep vulnerability is the latest to raise

+ Understanding worm attacks
+ The risk between chair and keyboard
+ Anatomy of a breach - A virtual war room, transparent response and maintaining trust

CYBERSECURITY: Fighting worms and other threats

8.1 | SEPTEMBER 2019


Preventive mindset needed

There is a dirty little secret in medicine. Every doctor knows that a majority of illnesses can be prevented or at least considerably mitigated by an array of well-known preventive measures. But healthcare systems continue to struggle with implementing prevention. This is largely because taking prevention out of the equation makes healthcare economics easier to calculate, and also because pay-per-service models fit better to modern-day preconceptions with consumerism.

Healthcare has difficulties with prevention in another field, too, and this is cybersecurity. Modern hospitals have to be able to react properly to cyberattacks, of course. They need strategies for dealing with cyber-attacks. They need disaster-recovery plans, and they have to have communication concepts in place to minimize the damage once problems kick in.

This is what everybody talks about. But what should really be on the agenda and what fewer people think about is how to prevent a cyber-attack from happening in the first place. Like heart attacks, cyber-attacks normally don’t come out of the blue. Most originate within the medical institution in one way or the other. They happen because an individual wasn’t careful enough, or because the administration wanted to save money, or both.

If we are really serious about making digital healthcare cyber-safer, we need a new mindset on all levels. Providers will have to think about security at every stage of product or software development. Doctors and nurses will have to understand that convenience is not all that counts. And hospital administrations will have to accept that money for cyber-prevention is an investment into better quality of care. In the end, it will be the patient who suffers from a lack of prevention.

Enjoy reading!

Philipp Grätzel von Grätz
Editorial Director HIMSS INSIGHTS

2 | HIMSS INSIGHTS 8.1 | SEPTEMBER 2019 | CYBERSECURITY

WELCOME

CONTENTS

Welcome: Preventive mindset needed

The Briefing: Expect your crisis

Perspectives: What are the biggest cybersecurity challenges globally?

Strategy: Understanding worm attacks; Dealing with an internet of medical threats

Technology Update: The risk between chair and keyboard; Changing the cybersecurity culture

Global Trends: Anatomy of a breach – A virtual war room, transparent response and maintaining trust

Leaders of Change: Pushing healthcare to new boundaries; What leaders know about cybersecurity

Community: Working together to transform healthcare through information and technology; an update

Upcoming Events: Your chance to network, connect and innovate

THE BRIEFING

EXPECT YOUR CRISIS

Navigating a cybersecurity incident as a hospital is not a matter of luck. To a certain degree, it is a matter of skill. Mostly, though, it is about having a plan and being prepared.

Primary Prevention

• Have a communication plan and templates in place: Who should be informed, when should they know and what is the process?

• Put departments in the lead for assessing worst case scenarios and emergencies.

Crisis Management

• Launch communication plan. Use templates. Define a single spokesperson.

• Set up a war room and a chain of command.

• Activate emergency plans on department level. Focus on critically ill patients.

• Inform vendors, partners, and referring institutions and organizations.

• Switch off. Isolate the problem. Put recovery plan into action.

Does it matter?

• 4 in 5 US physicians have experienced some form of a cybersecurity attack.

• 4 – 7% of total IT budgets of healthcare organizations spent on cybersecurity.

• $2.2m is the average cost of a data breach for a healthcare organization.

Sources:

Workshop: Cybersecurity, A Collaborative Challenge; HIMSS Europe Conference 2019; Helsinki

Department of Health & Human Services / Healthcare & Public Sector Coordinating Councils. Health Industry Cybersecurity Practices.

THE PERSPECTIVES

Q. What are the biggest cybersecurity challenges globally?

Working together to improve cybersecurity

We must ensure all stakeholders work together to prevent major disasters such as WannaCry recurring, says Paul Timmers, visiting research fellow cybersecurity and digital transformation, Oxford University, UK.

Prioritize the security of healthcare devices

The integrity of health information data, the availability of health information systems and the security of devices are the issues that should be prioritized, says Richard Staynings, chief security strategist, Cylera, US.

Medical devices are ripe for cyber-attacks

The Medtronic insulin pump hack has reinforced the cybersecurity issues of medical devices, says Dr. Alex Graham, founding partner at AbedGraham, and providers must work on the safety of devices in their estate.


STRATEGY

By Tammy Lovell

UNDERSTANDING WORM ATTACKS


Two years after the ransomware WannaCry wreaked havoc, the threat to hospitals from worm attacks has not diminished. The BlueKeep vulnerability is the latest to raise cybersecurity fears, but is healthcare doing enough to protect itself?


Cybersecurity experts have recently warned that the CVE-2019-0708 vulnerability, dubbed BlueKeep, is a ticking timebomb that could turn into an entrance door for worm attacks.

The flaw in the remote desktop protocol (RDP) present in Windows 7, Windows XP, Server 2003 and Server 2008 could allow a hacker to connect to a server and execute arbitrary code without user interaction.

Microsoft has warned that nearly one million computers connected to the internet are at risk and urged customers to update immediately to ensure a patch is in place.

“It only takes one vulnerable computer connected to the internet to provide a potential gateway into these corporate networks, where advanced malware could spread, infecting computers across the enterprise,” Microsoft wrote in a security notice to customers.

Axel Wirth, distinguished healthcare architect at US software firm Symantec Corporation, tells HIMSS Insights that although BlueKeep hasn’t been maliciously exploited yet, that shouldn’t put anyone at ease.

“This type of vulnerability, as we’ve seen with WannaCry, has the potential to do a lot of damage - mainly because of its potential to impact care delivery and shut down health services,” he warns.

ATTRACTIVE TARGET

The complexity of infrastructure and number of different devices on the network make healthcare particularly susceptible to high impact cyber-attacks, Wirth explains.

“I don’t think there is another industry with so many devices running different operating systems of varying maturity and age, integrated into one whole system. It’s a great challenge to maintain that and keep that secure,” he says.

Cybersecurity is a clinical-risk problem

Saif Abed, MD, founding partner of AbedGraham Healthcare Strategies, says all stakeholders, including government agencies and suppliers, need to help ensure that cybersecurity is taken seriously and acknowledge potential risks to outcomes.

This challenge is amplified by complex organizational structures, which impact quick decision-making over security issues, and the need to integrate with external health networks.

The richness of patient data available, which adversaries can use and monetize for many purposes, is a big driver for attackers. Patient safety concerns put health institutions under pressure to restore operations and have in some cases led to a willingness to pay hackers.

Last year, the Indianapolis health network, Hancock Health, paid a $55,000 ransom to regain access to computer systems after attackers injected malware and encrypted more than 1,400 files at the height of the flu season.

LESSONS LEARNED?

So, with these risks in mind, why are health institutions still slow to carry out essential security tasks like patching?

A study by cybersecurity firm Armis found that around 40% of healthcare delivery organizations have experienced at least one WannaCry attack in the past six months, despite patches being issued for the vulnerability.

The report attributes the problem to “old and unmanaged devices, which are difficult to patch due to operational complexities.” In healthcare organizations, medical devices are often based on outdated Windows versions, and cannot be updated without complete remodeling.


“Patching is an important component of any good security program, but there are many systems that can’t be patched easily, for example they may not be supported by the manufacturer,” says Wirth.

“Furthermore, you may have to synchronize your update schedule with clinical care delivery, especially if it is a complex and time-consuming process, requiring the upgrade of multiple devices at once or requiring retesting of the device.”

The NHS was particularly hard-hit by WannaCry, with the Department of Health and Social Care (DOHS) estimating it cost around $115m (£92m) and caused more than 19,000 appointments to be cancelled. Yet, a recent report by Imperial College London’s Institute of Global Health Innovation concluded the NHS still remains vulnerable to cyber-attack, and must take urgent steps to defend against threats.

NHS Digital told HIMSS Insights it has triaged BlueKeep as a high severity threat and distributed guidance across the health and care sector, but there is no guarantee that the advice will be implemented.

URGENT MEASURES

In addition to patching, Wirth says health institutions should consider their network security and architecture.

“Networks should be kept separate as much as possible, so that if one segment gets infected, it doesn’t spread and the impact is contained,” he says. It is especially important to keep business and clinical systems separate. External connections should also be minimized.

In addition, Wirth recommends addressing the “human side” of the problem. All staff should be well-trained in how to use systems, so “they’re not doing something they’re not supposed to do and also they’re able to recognize a security incident should it occur,” he says.


By Philipp Grätzel von Grätz

DEALING WITH AN INTERNET OF MEDICAL THREATS


In an age of increasingly interconnected medical devices, cybersecurity reaches the level of CT scanners, ventilators, patient monitors, and subcutaneous or IV pumps. New approaches are needed to tackle the risks – and a collaborative spirit in which both industry and healthcare providers acknowledge their responsibility and act accordingly.

Let’s face it, healthcare IT is no longer about having a bunch of clearly defined information systems communicating smoothly with each other. Today, CT and MRI machines, patient monitors, IV and subcutaneous pumps, ventilators, and even implants, are becoming computers, and are increasingly being connected to an ever more complex IT infrastructure. This ‘internet of medical things’ or IoMT, as it is sometimes called, has many merits, but it comes at a price. In the old days, cybersecurity was about monitoring a number of clearly defined ports and interfaces, and IT devices could be protected by installing security umbrellas that consisted of anti-virus software and a firewall.

This is much more difficult with the IoMT. One reason is that medical devices often don’t feature up-to-date operating systems, but older ones like Windows XP or Windows 95. Many of them use communication protocols that cannot be called modern anymore either. Furthermore, certified medical devices cannot simply be “upgraded” by a hospital with, say, anti-virus software, because this could interfere with their clinical function and with regulatory approval.

MANUFACTURERS HAVE TO TAKE RESPONSIBILITY

As always with cybersecurity, there is not one solution to tackle the problem of cyber threats in an internet-of-medical-things age. There is an obvious responsibility on the manufacturer, of course. This was illustrated this summer, when Medtronic announced that a number of its insulin pumps feature software problems that make them vulnerable to cyber-attacks. Among the affected pumps were several Minimed™ pumps with older software versions that are used by ‘loopers’, i.e. type I diabetics who connect insulin pumps and blood sugar monitoring devices to open source dosing algorithms in a do-it-yourself fashion in order to build semi-autonomous insulin delivery systems.

In principle, the weaknesses could have led to a situation in which a hacker reprogrammed the insulin pump – a potentially life-threatening event. Nothing like this has occurred, or at least it hasn’t become known. But Medtronic nevertheless recommended replacing the pumps with newer ones. Interestingly enough, this recommendation was only issued in the US. In Europe, the approach was different. In Germany, for example, patients were advised to not pass the serial number of their pump on to others and to not connect the device to third-party software solutions.

What does that teach us? It teaches us that medical technology providers are willing to take responsibility in case of cyber-threats related to medicinal products. But it also shows that ‘risk for the patient’ is not the only criterion that determines how a company reacts. Local regulatory aspects seem to play a role too. Or is the risk for a diabetic patient in the US bigger than the risk for a diabetic patient in Europe? Presumably not.

THE CASE OF THE FAKE LUNG NODES

With the insulin pumps, there is a clear responsibility on the manufacturer. There is also a certain responsibility on the side of the patient – as is illustrated by Medtronic’s recommendations to users. In other cases, the medical institution is in the driving seat in terms of responsibility to avoid cyber-attacks. Again, there is a good recent example. Israeli security expert Yisroel Mirsky from Ben Gurion University in Beer-Sheva showed early this year that he was able to use artificial intelligence algorithms to modify CT scans of the lung in real-time.

Mirsky went into the CT room of a radiology department and installed a Wi-Fi port that grabbed the CT datasets on their way from the scanner to the digital picture archive. The “hacker”, i.e. researcher, with his computer was sitting in the hospital lobby, and the algorithm that was installed on the computer added or deleted lung metastases to the CT datasets within seconds, before any radiologist had a chance to even take a look at the pictures.

So who is responsible in this case? One possibility to avoid this type of attack is encrypting the data on their way from scanner to picture archive. This encryption is offered by many medical technology companies, but it is rarely used by customers because it takes time and makes radiological workflows more inconvenient. In this case, the responsibility seems to be with the hospital. It could have used encryption but decided to not use it.

PATIENT SAFETY IS ABOUT MORE THAN CYBERSECURITY

There is a different angle to this latter story though. How realistic is the threat posed by a hacker installing a Wi-Fi port in the CT room? Is the likelihood of this happening high enough to justify a measure that interferes with diagnostic workflows or makes them slower? This question was asked by the German Zentralverband Elektroindustrie (ZVEI), a national industry association of the electronic industry. It issued a position paper in June in response to the recent cybersecurity discussions around imaging equipment, including the Mirsky publication.

In this paper, ZVEI argues that patient safety has many dimensions, with cybersecurity being only one of them. A gain in cybersecurity can be outweighed by a loss in clinical patient safety if the cybersecurity measure interferes too much with critical processes or slows them down too severely. In other words, risks and benefits of individual cybersecurity measures have to be analyzed rigorously before implementing any measure. In the case of the fake lung nodes on CT scans, a proper identity and access management that makes sure only authorized persons can enter the CT room might do the job. It would prevent a hacker from installing a Wi-Fi port without having to activate encryption for short-distance data transport between device and digital archive.

The connection between interoperability and cybersecurity

Julian M. Goldman, medical director of biomedical engineering at Partners HealthCare System, explains the challenges of creating medical device interoperability and how hospitals and health organizations can pre-plan for cybersecurity attacks.

TOWARDS PLATFORMS AND STRATEGIES

On a higher level, there are also platform-based solutions that address the issue of connected medical device cybersecurity. Several innovative companies are developing solutions that act as institution-wide early warning systems for cyber-threats related to medical devices. The buzz word for these kinds of tools is security information and event management (SIEM), which is about analyzing event data in real-time for early detection of cyber-attacks.

This approach is taken by some of the ‘big players’ in information and security technology, but also by specialized startups that focus explicitly on the IoMT and on medical providers. An example is Manhattan-based Cynerio that offers a dedicated network-based solution for healthcare providers. It analyzes all communication that is getting in and out of connected medical devices in order to understand what the individual device does at any given moment and to detect anomalies.

In summary, what is true for cybersecurity in general is also true for IoMT cybersecurity. Being aware of potential problems is the first step and implementing a proper cybersecurity strategy is the second one. In a recent web essay on InsideDigitalHealth, Jon Rabinowitz from CyberMDX recommended assembling cross-functional teams of healthcare and IT professionals to raise awareness for IoMT threats and for security best practices. After having prepared a complete inventory of connected medical devices and their individual risk levels, this team should draw on security professionals to profile normal network traffic activity and to implement controls to detect and prevent threats. Most importantly, every medical institution needs to be aware that cybersecurity in an age of connected medical devices is not a goal that can be reached, but a process that has to run on an ongoing basis.
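The inventory-then-baseline procedure described above, sketched as an added example; it is not code from the magazine or from any vendor it names. The device names, hosts, ports and flow records are constructed, and the simple "set of known peers and ports" profile is an assumption standing in for whatever traffic model a real deployment uses.

```python
from collections import defaultdict

# Constructed inventory of connected medical devices and their risk levels.
INVENTORY = {
    "ct-01": {"type": "CT scanner", "risk": "high"},
    "pump-07": {"type": "infusion pump", "risk": "high"},
    "mon-12": {"type": "patient monitor", "risk": "medium"},
}

# Constructed flow records (device, peer, destination port) from a learning
# window in which traffic is assumed to be normal.
BASELINE_FLOWS = [
    ("ct-01", "pacs.hospital.example", 104),
    ("ct-01", "pacs.hospital.example", 104),
    ("pump-07", "pumpserver.hospital.example", 443),
    ("mon-12", "central-station.hospital.example", 2575),
]

# Constructed flow records observed after the learning window.
LIVE_FLOWS = [
    ("ct-01", "pacs.hospital.example", 104),              # matches the profile
    ("ct-01", "192.0.2.50", 104),                         # peer never seen before
    ("ct-01", "192.0.2.50", 104),                         # repeat, reported once
    ("pump-07", "pumpserver.hospital.example", 3389),     # known peer, new port
    ("mon-12", "central-station.hospital.example", 2575), # matches the profile
    ("mon-12", "198.51.100.7", 443),                      # peer never seen before
    ("cam-99", "203.0.113.9", 80),                        # device not inventoried
]


def build_profile(flows):
    """Learn the set of (peer, port) pairs each device normally talks to."""
    profile = defaultdict(set)
    for device, peer, port in flows:
        profile[device].add((peer, port))
    return dict(profile)


def detect_anomalies(inventory, profile, flows):
    """Return one alert per distinct flow that deviates from the profile.

    Severity is taken from the inventory risk level; traffic from a device
    that is missing from the inventory is always rated high, because nobody
    has assessed it.
    """
    alerts = []
    reported = set()
    for device, peer, port in flows:
        key = (device, peer, port)
        if key in reported:
            continue
        if device not in inventory:
            reason, severity = "unknown-device", "high"
        else:
            known = profile.get(device, set())
            if (peer, port) in known:
                continue
            known_peers = {p for p, _ in known}
            reason = "new-port" if peer in known_peers else "new-peer"
            severity = inventory[device]["risk"]
        reported.add(key)
        alerts.append({"device": device, "peer": peer, "port": port,
                       "reason": reason, "severity": severity})
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(INVENTORY, build_profile(BASELINE_FLOWS), LIVE_FLOWS):
        print(alert)
```
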


TECHNOLOGY UPDATE

By Philipp Grätzel von Grätz

THE RISK BETWEEN CHAIR AND KEYBOARD


Patients and citizens are increasingly worried about cyber-attacks on medical institutions and medical data repositories. And they are very aware that professional users are among the main risk factors. After all, cybersecurity is at least as much about behavior as it is about technology.


A recent survey on healthcare cybersecurity that PricewaterhouseCoopers performed in Germany chose an interesting approach. Usually this type of survey is directed at hospital CEOs or at healthcare IT professionals. But this time, PwC decided to ask the public. One thousand people were surveyed, and nearly one in three said that, in the case of a hospital visit, they would be deeply worried that IT systems might break down as a result of a cyber-attack. Every second German said they were convinced that hospitals are unprepared for cyber-attacks.

TWO OUT OF THREE WANT MANDATORY CYBERSECURITY EDUCATION FOR MEDICAL STAFF

These figures are high but not totally surprising. More remarkable was the “risk analysis” of the survey participants. When asked about the type of measures that might improve data security in hospitals, what came out first was neither penetration tests, nor surveillance, nor introducing a standardized security concept. All this was mentioned, for sure, but what appeared at the top of the list with a staggering 87% of participants mentioning it was better education of staff.

In fact, 67% of Germans said that hospitals should be forced by law to train their staff on cybersecurity and proper behavior. Citizens, it seems, are acutely aware of where healthcare-related cybersecurity risks lie. Technology is an issue, but more important is the risk factor ‘between the chair and the keyboard’, in other words the professional user.

HIMSS CYBERSECURITY SURVEY: PHISHING NOT TAKEN SERIOUSLY?

There is myriad data suggesting that this is true. In the recent 2019 edition of the HIMSS Cybersecurity Survey, for example, 59% of hospital representatives and healthcare IT professionals in the US said that email was the most common point of information compromise. This indicates that phishing emails continue to be a significant security threat for healthcare organizations – despite the fact that this type of malware shuttle has been around for many years now.


Avoiding phishing-related incidents is clearly a matter of staff education, and thus the US survey corroborates the “gut feeling” of the German public that there might be a problem with staff education in hospitals when it comes to cybersecurity. Surveillance, too, should help to avoid phishing-related incidents. But surveillance, again, doesn’t seem to be taken seriously by hospital staff everywhere. In the HIMSS survey, 36% of non-acute care organization representatives claimed that their organization did not conduct phishing tests. The “risk between chair and keyboard”, it seems, is not only about doctors and nurses.

HOW TO ADDRESS THE RISK FACTOR THAT IS THE HUMAN BEING?

Why is it that supposedly intelligent adults too often end up paving the way for disaster? At the HIMSS and Health 2.0 European Conference in Helsinki, these questions were addressed in a cybersecurity workshop that brought together experts and hospital representatives from all over Europe.

Workshop participants identified several factors as being responsible for making staff members become a security risk in healthcare organizations. In line with the surveys above, a lack of basic education came up. At least some medical professionals still put too much trust into IT systems, and many aren’t aware enough of which type of behavior poses which type of risks.

Usability issues were also mentioned frequently. Doctors, one hospital representative said, wanted to cure patients, not deal with IT systems. If there are too many passwords or too complex workflows for storing or transferring data or for communication with patients or colleagues, the result will be “creative” evasion strategies that will in turn put patient data or hospital IT systems at risk.

Security tool in place (Source: HIMSS; date of data: January 2018 – July 2019, Europe)

• Anti-virus malware tools: 98%

• Intrusion detection & prevention system: 71%

• Security risk assessments: 70%

TALK ABOUT PATIENTS. AND INVOLVE THEM.

Workshop participants agreed that there was not a single measure that will reliably eliminate the risk between the chair and keyboard. An important aspect, many said, was improving usability through security by design. Implementing voice recognition or face recognition, for example, could help to get rid of passwords, and thus eliminate a security-relevant process that is highly susceptible to misuse and also to “creative” (and risky) evasion strategies like pimping monitors with password stickers.

Talking differently about cybersecurity and cyber-attacks could also help. Healthcare was about patients, a workshop participant said, and thus education about cybersecurity should also be about patients. Instead of lecturing about technology, security education should be about telling stories about patients that illustrate the risks that cyber-attacks pose for them.

Patients could in fact take an active responsibility when it comes to reducing the risk of cyber-attacks on healthcare organizations. There is an example from a related field, medical hygiene. Like with cybersecurity, there are clear and evidence-based behavioral measures that can be taken to reduce risks posed by a lack of hygiene, most prominently handwashing and disinfection. Some years ago, it was shown that among the most effective measures to improve staff hygiene behavior was asking patients to remind their doctor or nurse to clean their hands when entering the room. What would happen if a patient asked his doctors after an encounter: ‘Have you logged out properly?’, or ‘Have you closed my file?’

Formalized policies (Source: HIMSS; date of data: January 2018 – July 2019, Europe)

• Acceptable Use Policy: 92%

• Physical Access Policy: 84%

• Data Destruction Policy: 71%

• IT Security Training: 81%

• Policy related to BYOD: 67%

By Piers Ford

CHANGING THE CYBERSECURITY CULTURE


Ransomware and Denial of Service attacks make the headlines when it comes to hospital cybersecurity, but internal cultural and technological vulnerabilities are often more to blame for an ongoing cycle of healthcare data breaches. Three leading cybersecurity experts have some fundamental suggestions for a more proactive approach to managing this constant threat.


Ransomware and malware attacks continue to plague hospitals and institutions, scoring frequent and disruptive hits. Internal data breaches are commonplace.

Risk-laden network links with external agencies and partners abound. Security weak-spots are discovered in legacy systems and new applications alike. Clinicians working around medical device security protocols expose chinks of vulnerability in the IoMT.

Anyone building a picture of the state of cybersecurity in healthcare globally would struggle to find encouragement for the beleaguered hospital CIO, with many organizations apparently unable to break out of a reactive cycle and shift to more proactive defence strategies.

Bald statistics do little to improve the anecdotal picture. In April, the US Department of Health and Human Services reported 44 healthcare data breaches for the month, a record. The fact that the number of individuals affected fell by 29% from 963,794 to 686,953 compared with March was not exactly grounds for optimism, given the potential scale of the impact.

Cyber risk and privacy management specialist IT Governance publishes a monthly blog of data breaches reported worldwide. The healthcare sector is well represented and while these lists are a litany of phishing, ransomware and DDoS attacks, they are also peppered with more banal cybersecurity failures that hint at the cultural challenge of managing risk in many institutions. These range from unauthorized employees accessing patient records to coding errors that unwittingly expose records.

The June post referenced the accidental sharing of 37 patients’ email addresses in an invitation to a support group distributed by NHS Highland. Meanwhile in New York State, a member of the Independent Health Insurance company was emailed documents containing personal information on more than 7,600 fellow members. And a web advertising company helping law firms to sign up possible clients exposed 150,000 records from an unsecure database, containing personal details of accidents, injuries and illnesses.

Verizon’s 2019 Data Breach Investigations Report underlines the extent to which, when it comes to managing cybersecurity risk, internal processes and policy enforcement failures (59%) are more likely than external threats (42%) to leak data. Despite this, leading cybersecurity experts suggest there is cause for cautious optimism in the way some hospitals are building more proactive strategies despite their complex cultural and technological legacies.

SIGNS OF PROGRESS

Dave Kennedy, founder and senior principal security consultant at TrustedSec, says a number of his healthcare clients have made significant cultural adaptations and now do a very good job of cybersecurity management. But this is not something that can be solved overnight by throwing more people and resources at it.

“Being more proactive means having the ability to fix issues as they are identified over time,” he says. “The biggest challenge for a hospital CIO is being able to communicate the likelihood and impact of a breach and introduce whatever is necessary to prevent it. And describing possible impact to a board is difficult.”

Kennedy advocates recruiting people specifically to build sustainable programs that will help an institution move away from an infrastructure riddled with missing patches and misconfigurations. A more frequent patch management program for applications and systems is a core recommendation, alongside enhanced – and enforced – multifunctional password management.

He says it is also vital for IT leaders to have high visibility into their infrastructure, with comprehensive log management. The window of risk is often greatest between an attacker’s initial breach of an administrative system and their subsequent passage into clinical and patient record systems – the point at which it becomes a major issue.

“On average it takes two hours to respond to a breach,” he says. “You can’t prevent everything but you can try to respond to and remove the threat faster than the attacker can break through to other systems.”

APPLICATION WEAKNESS

Elliott Frantz, CEO of Virtue Security, has previously spoken of the cybersecurity weaknesses caused by hospitals running unnecessary IT services and in particular, the vulnerability of applications in their runtime state. He agrees that system visibility is crucial to seeing and understanding the risk level at any given time. Proactively aiming to reduce the hospital’s overall risk and exposure is, he says, a more effective strategy than what has often seemed the default setting – an ongoing game of “crushing ants”!

“These are such highly connected environments,” he says. “A lot of employees need access to a lot of systems – and this creates inherent risks. Traditionally, a hospital has wrapped technology around its business, leading to multiple segregated pieces. Instead, they need to use technology to solve security by design. The positive sign is that a lot of new network and virtualization technology is helping to create less exposed infrastructures.”

Compromised data in healthcare

Medical: 72%
Personal: 34%
Credentials: 25%

Threat actors in healthcare

Internal: 59%
External: 42%
Partner: 4%
Multiple Parties: 3%

Source: Verizon


He would like to see more being done to improve application security. “We have seen a lot more hospitals taking a bigger interest in tackling application security problems, and that’s a good thing,” he says. “But the picture has not improved substantially.”

For Jason Gillam, CIO at Secure Ideas, the main issues to be addressed are often more cultural than technological. He points out that low-level attacks and breaches are particularly successful – and do not necessarily require sophisticated high-tech solutions.

SOFT TARGET

The threats themselves remain relatively unchanged, and healthcare is a soft target made softer by the nature of ‘businesses’ that have never considered themselves to be technology companies. This often leads to lax technical competence when it comes to cybersecurity. Where a breach occurs because of a misconfigured server or database, it is generally because somebody did something at a relatively basic level without understanding the consequences for security.

“In healthcare security, we’re taught above all else that life and limb are important,” he says. “So data and personal information are not always the top priority, and this drives what happens. A lot of activity that might be considered suspicious in any other industry is overlooked. We need to make a cultural shift from cybersecurity as a compliance check-box to doctors treating the protection of their patients’ personal data as a priority.”

While Gillam has noted some examples of this happening, the sea-change is nowhere near enough. Healthcare faces a major challenge in invoking such a huge cultural shift across its often massively dispersed environments – and as the statistics suggest, progress continues to be at shuffle pace. Cybersecurity is not about to relinquish its status as the biggest thorn in the CIO’s side any time soon.


GLOBAL TRENDS

By Lynne Minion

ANATOMY OF A BREACH – A virtual war room, transparent response and maintaining trust

When one of Australia’s most prestigious and critical health services suffered a major data breach three years ago, it sent shockwaves through the sector. But now the Australian Red Cross Blood Service is acting as a leader in the field and sharing cybersecurity lessons learned.

“It was something that we didn’t expect. It came from nowhere,” the organization’s chief privacy officer and general counsel Marion Hemphill told HIMSS Insights.

It was 26 October 2016 when the national blood service was notified by the Australian government’s cyber emergency response team that information on its donors was available online. What followed was an urgent effort to discover the source of the breach and shut it down.

“We were approached by a third party, AusCERT, who’d been approached by a blogger who had come across the private information,” Hemphill said.

With members of the executive dispersed around the country on that Wednesday morning, a remote response team was rapidly convened.

“We had to really quickly get a virtual war room together and get on top of the facts to try and figure out how we could move forward, how we could mitigate it and what we needed to do to respond. The first 48 hours were very intense.”

What they quickly determined was that 1.28 million records – including names, contact details, genders, dates and countries of birth, blood types and whether people had engaged in high-risk sexual behaviors – had been exposed. An employee at a third party contractor had inadvertently saved a 1.74GB file containing the details of 550,000 people who had booked appointments on the Donate Blood website between 2010 and 2016 to a public-facing server. The data had been accessible online for 50 days.

IMPLEMENTING A DATA BREACH PLAN

Once the Blood Service was aware that data was at risk, its breach policy plan proved crucial, according to Hemphill.

“You are running to keep up during that time because the event’s happened, the clock’s ticking and you want to minimize it as much as possible.”

The executive team joined the virtual war room, with the next layer of management standing by. “You don’t want to do something that is going to impact the rest of the business in a negative way, that’s going to create another problem. For example, we are a 365 day year business so we’re going to make sure that, particularly on the IT side of things, you could shut down a particular part of your IT infrastructure but if you do that you might shut down something that is critical for other reasons. So you have to have the right heads in the room.”

The Blood Service’s response was so effective that the Office of the Australian Information Commissioner, which investigated what was the country’s biggest ever data breach, chose not to fine the organization.

“Data breaches can still happen in the best organizations, and I think Australians can be assured by how the Red Cross Blood Service responded to this event,” the then commissioner Tim Pilgrim said in 2017.

“They have been honest with the public, upfront with my office, and have taken full responsibility at every step of this process.”

The Blood Service collects 1.4 million blood donations each year and supplies blood and plasma, as well as organ and bone marrow products, to healthcare providers nationally.


Such a vital service – one that relies on volunteer blood donors and government funds – needs to be trusted, which is why the breach response prioritized transparency.

“We felt that by being very transparent with stakeholders – the donors and also with government and the Information Commissioner – that we would make sure people were comfortable that we were doing everything possible to make sure any impact was mitigated. We really didn’t want to lose public trust as the nature of what we do relies very heavily on that,” Hemphill said.

Rather than retreating into silence following the breach, as many other organizations do, the Blood Service also chose to share insights with health providers into how they could deal with cyber-emergencies and prevent them.

“We’re very happy to share because we’re interested in other stakeholders and the Australian public in general having their information protected as much as possible.”

Those insights include engaging cyber experts to help plug weaknesses and avoid threats.

[Figure: Sources of breaches, top five sectors from 1 April 2018 to 31 March 2019, from the Notifiable Data Breaches Scheme 12-month Insights Report. Sectors shown: Health service providers; Finance; Legal, accounting & management services; Education; Personal services. Breach sources shown: Human error; Malicious or criminal attack; System fault.]

Healthcare tops the list of breaches by sector, according to the Federal Government's Office of the Australian Information Commissioner.

Source: Office of the Australian Information Commissioner


“The world is changing, practices change and we have to make sure that we keep up.

“So we made sure that we got appropriate expertise to guide us and to make sure that we had appropriate procedures and practices in place. And that will never finish, we’ll keep testing that and make sure that we keep our advice up-to-date and make sure that we’ve got people who can help us with modern trends in terms of risks in the system.”

‘CYBERSECURITY IS EVERYBODY’S RESPONSIBILITY’

As part of its contractor sourcing strategy, the Blood Service also demands confirmation from third parties on their data, privacy and cybersecurity practices, with requirements built into contracts. Audits are then conducted to ensure ongoing compliance.

In addition to that, all levels of the organization are involved in ensuring cyber hygiene.

“Good practices for data and privacy have to be embedded right the way across the organization and that starts at the board and then all the way down through to every level,” Hemphill said.

“Many years ago it would have been seen as something that the IT department or the legal department, when it came to privacy, would have looked after. But now, like safety, it’s everybody’s responsibility.

“[Donors] were kind enough to give us their blood, and they need to give us their information for safety reasons along with that. And so we, as the steward or the custodian of both the blood and the information, have to make sure we have safe practices around both.”


LEADERS OF CHANGE

Pushing healthcare to new boundaries

All over the globe, innovative thinkers and doers are working to reform health and care through IT and technology. Get to know some of them.

FarmaTrust using blockchain to improve security, transparency of data (UK)

FarmaTrust CEO Raja Sharif says blockchain ensures greater data integrity in areas such as AI, analytics and regulatory reporting, which can increase public confidence in the use of data.

DoD details cybersecurity priorities with MHS Genesis EHR deployment (US)

The Department of Defence in the US is deploying a new network built with cybersecurity in mind, using a risk management framework, and undergoing regular white hat assessments, says Program Executive Officer Stacy Cummings.


Protecting healthcare organizations from cybersecurity risks (US)

Deep Dive: In Part 1 of a four-part series, healthcare cybersecurity veterans discuss the major risks facing healthcare organizations, and why protecting sensitive data and systems is a must for providing care.

How to build trust when dealing with patient data (Finland)

Transparency with fair data usage is being explored in Finland, while the country’s general outlook is that data should be shared and used to improve services where possible, says Jaana Sinipuro, project director at Sitra.

HIMSS TV features programming from major HIMSS events and many of the industry's thought leaders.


By Rod Piechowski

WHAT LEADERS KNOW ABOUT CYBERSECURITY


Leaders know that the IT department alone cannot secure an organization. A holistic security program involves the entire organization, and requires a culture of participation from top to bottom. Yes, there is a large technology component to securing digital data but leaders also know that the easiest path to breach the best technical defenses is through an organization’s people.

People want to get things done, so they take shortcuts, engineer workarounds, and use weak passwords. On the other hand, they also want to help, so employees answer questions, make connections, and try to keep the customers happy. Leaders know that attackers will leverage this tendency to be helpful in order to learn about the organization, and to identify potential weak points.

DATA IS NOT THE ONLY PROTECTED ASSET

Leaders know that the good old days of merely protecting customer data from exposure are long gone. The word “data” sounds benign, passive, and harmless, but leaders know that it is the digital representation of both tangible and intangible assets. These include an organization’s reputation, market position, intellectual property, processes, lights, power, cooling, heating, financial stability, payroll, and much, much more. Leaders know that today, data is everywhere; it enables everything, including the ability to remain operational. Protecting data confidentiality is just one piece of this intricate puzzle. Increasingly, attackers target the integrity and availability of the data. Leaders know that without data integrity, trust disappears.

THE JOB IS NEVER DONE

Leaders know that security is an ongoing, never-ending discipline. A secure environment involves a long-term investment in people, processes, and technology, all of which change over time. People come and go, and must be trained into the culture. Processes will always continue to evolve in the search for efficiencies and better patient outcomes. Technology is continuously changing. All of these need ongoing maintenance and attention. What worked last year may be irrelevant this year. Because of this, leaders also know that security is an integral part of both strategic and financial planning.

COMPLIANT DOES NOT EQUAL SECURE

Leaders know that compliance is the floor. Compliance supplies a basic list of tools that should be in a proper toolbox, but it says little about how an organization uses those tools. A holistic approach goes beyond mere compliance and builds a security program designed for a specific organization’s needs. Security is not, as leaders know, a one-size-fits-all solution, and they guide the organization to identify the right balance of acceptable risk. Of course, leaders know there will always be some risk: it cannot be completely eliminated.

LEAD BY EXAMPLE

Leaders know that everyone plays a part in making an organization more secure. If the CEO’s password is “12345” the organization is wide open for attack. If the CEO believes the company has nothing an attacker would want, then the company is an “open book,” and the organization is wide open for attack. When the CEO believes that proper security protocol is too disruptive or inconvenient, and insists that while security is fine for everyone else, the CEO is a policy exception, the company is in big trouble. Leaders know that in these cases, word gets around the company fast. Credibility and respect are lost. Attackers know this, and thus, the battle is lost.


Platform expansion to increase knowledge-sharing

The Communities team is preparing to expand their platforms for more regions to share knowledge and best practice, helping to tackle some of the most pressing issues that industry is dealing with.

Following the creation of the European HIMSS Nursing Informatics Community earlier this year, the HIMSS Nursing Informatics & Midwifery (England) network will meet at the HETT show, taking place in London at the beginning of October. The aim is to shine a light on the amount of untapped digital leadership within the nursing and midwifery networks in England.

More than a dozen local networks will convene to discuss the future digital nursing and midwifery workforce, examining their pivotal role in enhancing the patient journey across primary, secondary and social care sectors with the ambition to move care from the hospital to the community. The interactive workshop based program includes presentations by leading informatics and digital health experts, as well as opportunities for attendees to contribute their solutions in the creation of new ‘digital workplace’ for the future ‘digital nursing and midwifery workforce’. Nurses and midwives in attendance will receive complimentary HIMSS individual membership, which will provide them with resources for continued learning throughout the year.

In October, HIMSS chief executive Hal Wolf will be speaking at the 2019 Open Innovations Forum in Moscow, Russia, about the impact of smart technologies on healthcare and wellbeing globally, following the accession of the Skolkovo Foundation, Russia’s biggest technological city and home to more than 2,000 start-ups, to the HIMSS Partner Innovation Exchange family.

The D-A-CH Community will have the opportunity to join leading HIMSS experts and Germany’s Ministry of Health executives to discuss the roadmap to digital excellence of German healthcare during the annual European Data Summit organized by the Konrad Adenauer Foundation, taking place in October, in Berlin.

UPCOMING EVENTS

Your chance to network, connect and innovate

Join our EMEA events to meet the people who matter in health IT

HIMSS @ HETT
1-2 October 2019, London, UK

HIMSS has partnered with HETT (Healthcare Excellence Through Technology), a leading UK event attracting over 3,000 healthcare attendees, 130 speakers and 120 exhibitors. HIMSS will be contributing to shaping educational sessions in a HIMSS@HETT theatre on the topic of digital maturity, as well as providing HIMSS TV coverage and footage.

2020 HIMSS Global Conference & Exhibition
9-13 March 2020, Orlando, Florida, US

The 2020 HIMSS Global Conference & Exhibition, 9-13 March, 2020 in Orlando, is the leading health information and technology conference, bringing together nearly 45,000 professionals from 90+ countries for the professional development, innovation and collaboration they need to transform health around the world, all at one time, all in one place. Choose from 300+ education sessions, 1,300+ vendors, hundreds of special programs and endless networking events.

HEALTH – The Digital Leaders
5-6 November 2019, Berlin, Germany

‘HEALTH – The Digital Leaders’ is the annual innovations meeting of executives and decision makers in German healthcare. HIMSS has teamed up with Handelsblatt to bring together the people that can truly drive the digital transformation of the country’s health system. HEALTH focuses on the value of digitization and innovation for providers, society, the economy and patients; it creates a unique platform for healthcare’s leaders to share, learn and network with an impact.


CONTRIBUTORS


Vice President for International Programming and Content: Pascal Lardier

Editorial Director: Philipp Grätzel von Grätz

Managing Editor: Dillan Yogendra

Art Director: Anna Winker

Managing Director, Executive Vice President for International: Bruce Steinberg

Advertising and Sponsorship: Ivana Stojanoska

Lynne Minion [Australia] is an author and journalist who has worked for Fairfax Media and ABC, and was founding editor of Healthcare IT News Australia. In 2019, she was a finalist for ‘Best Technology Issues Journalist’ in Australia’s Samsung IT Journalism Awards.

Philipp Grätzel von Grätz (Germany) specializes in medicine, health policy and, in particular, eHealth and IT in healthcare. He is one of Europe’s leading journalists in the field and author of the German book Connected Health.

Tammy Lovell (UK) is a freelance journalist and former BMA feature writer, specializing in health policy. Her work was commended in the Guild of Health Writer Awards 2016 online category.

Piers Ford (UK) has been an IT journalist since 1988, unravelling the mysteries of technology for professional readerships in the healthcare, commercial and financial sectors.

Rod Piechowski [US] is Vice President, Thought Advisory at HIMSS, and has a wide variety of interests at the intersection of technology and health, including leadership, ethics, artificial intelligence, cybersecurity, and the practice of strategic foresight.

PREVIEW

8.2: DECEMBER 2019

CONNECT IT TILL YOU MAKE IT

Digital connected care scenarios are high on the agenda in many countries. And this means that both interoperability and cost-effectiveness questions have to be addressed and answered. In this issue of HIMSS Insights, we will take a close look at different innovative connected care solutions – with a double focus on interoperability and on money.

8.3: MARCH 2020

WEAR IT!

Artificial intelligence and machine learning solutions are entering the consumer health sphere, and many of them rely heavily on wearable sensors and measuring devices. What good can these tools do? What kind of care or prevention scenarios do they make possible that have been unthinkable until recently? Based on existing tools and projects, we will try to answer these questions, and we will also discuss the limits of measuring and quantifying. When exactly does more data equal more quality? And when doesn’t it?