Why health care cybersecurity is in ‘critical condition’

SAN FRANCISCO—Between the destructive cyberattacks WannaCry and NotPetya, which wreaked havoc across health care and beyond, the U.S. government-sponsored Health Care Industry Cybersecurity Task Force delivered more than 100 recommendations to the Department of Homeland Security to make medical technology more resistant to hackers. But in the 15 months since the report was published, only one recommendation has been adopted, according to two task force members.

Jacki Monson, vice president and chief privacy and information security officer at Sutter Health, and Josh Corman, co-founder of the volunteer cybersecurity organization I Am The Cavalry, said at the Context Conversations event on Thursday, co-sponsored by The Parallax, that the report—which both of them worked on—hasn’t yet sparked much progress, to the detriment of health care organizations and patients alike.

“Almost every month, I have an issue with a vendor who’s suffered a cyberattack,” Monson told the audience.

“It’s almost a miracle that we haven’t had more WannaCrys,” Corman said.

In the report’s conclusion, the 21 health care professionals, clinicians, policy experts, and cybersecurity experts who wrote it signed off on using the word “critical” to describe the condition of health care cybersecurity.

A bipartisan letter from Congress in June signed by Greg Walden (R-Ore.), chairman of the House Energy and Commerce Committee, Lamar Alexander (R-Tenn.), chairman of the Senate Committee on Health, Education, Labor, and Pensions, Frank Pallone, Jr. (D-N.J.), and Patty Murray (D-Wash.), demanded explanations on the status of implementing the task force’s recommendations.

Yet without regulatory pressure to take the situation seriously, Monson and Corman said, their cybersecurity guidance will likely continue to go unheeded.

The task force’s recommendations are designed to heal several sore spots: a shortage of cybersecurity experts working in health care, outdated equipment, incentives to connect medical devices to the Internet without proper security precautions, and an epidemic of unpatched vulnerabilities.

Monson and Corman emphasized that attackers need to exploit only one vulnerability to effectively take down a health care system, as WannaCry did to the United Kingdom’s National Health Service and as a ransomware attack did to Los Angeles’ Hollywood Presbyterian Hospital. Neither attack, Corman said, was aimed at health care; both hit health care systems by accident.

One of the report’s recommendations—that medical devices ship with a published ingredients list of their software components, called a software bill of materials, or SBOM—is well under way, albeit slowly.

In a November 2017 letter, House Energy and Commerce Committee Chairman Greg Walden (R-Ore.) requested a medical SBOM from the Department of Health and Human Services. Ten months later, HHS responded with confirmation that it is working on one. And since then, Allan Friedman, director of cybersecurity initiatives at the U.S. Department of Commerce’s National Telecommunications and Information Administration, has been coordinating stakeholder groups to agree on the right kind of SBOM recipe.
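As an added illustration of what the SBOM recommendation buys a hospital in practice, the following Python is written for this page and is not code from the task force, NTIA, the FDA or any device maker. It assumes a CycloneDX-style JSON layout for the bill of materials; the device names, component names, versions and the two advisories are constructed for the example and describe no real product or vulnerability. Given a vendor SBOM for each device and an advisory naming a vulnerable component and its fixed version, it answers the question WannaCry forced hospitals to answer by hand: which devices on the network carry the affected component, and which cannot be triaged at all because the vendor omitted a version.

```python
"""Triaging a vulnerability advisory against medical-device SBOMs.

Illustrative code written for this article, not a tool from the task force,
NTIA, the FDA or any device maker. The documents follow the shape of a
CycloneDX JSON BOM (bomFormat / specVersion / metadata / components); every
device, component, version and advisory below is constructed for the example.
"""
import json
import re
from typing import Dict, Iterable, List, Tuple

# Constructed SBOMs for two hypothetical devices, as a manufacturer might
# publish them and a hospital's asset inventory might store them.
SBOM_INFUSION_PUMP = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "metadata": {"component": {"type": "device", "name": "example-infusion-pump", "version": "3.2"}},
    "components": [
        {"type": "operating-system", "name": "example-rtos", "version": "5.1.0"},
        {"type": "library", "name": "example-tls", "version": "1.0.2k"},
        {"type": "library", "name": "example-http", "version": "2.4.1"},
    ],
})

SBOM_PATIENT_MONITOR = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "metadata": {"component": {"type": "device", "name": "example-patient-monitor", "version": "7.0"}},
    "components": [
        {"type": "operating-system", "name": "example-rtos", "version": "6.0.2"},
        {"type": "library", "name": "example-tls", "version": "1.0.2l"},
        {"type": "library", "name": "example-http"},  # vendor omitted the version
        {"type": "library", "name": "example-dicom", "version": "3.0"},
    ],
})

# Constructed advisories: vulnerable component, first affected version, and
# first fixed version (exclusive upper bound). None of these are real.
ADVISORIES = [
    {"id": "EX-2018-0001", "component": "example-tls", "introduced": "1.0.0", "fixed": "1.0.2l"},
    {"id": "EX-2018-0002", "component": "example-http", "introduced": "2.4.0", "fixed": "2.4.3"},
]


def version_key(version: str) -> Tuple:
    """Sortable key for dotted versions with optional letter suffixes (1.0.2k).

    Numeric parts compare numerically (2.4.10 > 2.4.9); a version with an extra
    trailing part (1.0.2k) sorts after its bare prefix (1.0.2).
    """
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def match_advisory(component: dict, advisory: dict) -> str:
    """Return "affected", "not_affected" or "unknown" for one component.

    A matching component with no version is "unknown": the SBOM cannot answer
    the question, and quietly treating it as safe is the wrong default.
    """
    if component.get("name") != advisory["component"]:
        return "not_affected"
    version = component.get("version")
    if not version:
        return "unknown"
    v = version_key(version)
    if v < version_key(advisory["introduced"]):
        return "not_affected"
    fixed = advisory.get("fixed")
    if fixed and v >= version_key(fixed):
        return "not_affected"
    return "affected"


def triage_sbom(sbom_json: str, advisories: List[dict]) -> List[dict]:
    """One finding per (advisory, component) pair that is affected or unknown."""
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported BOM format: %r" % sbom.get("bomFormat"))
    device = sbom["metadata"]["component"]["name"]
    findings = []
    for advisory in advisories:
        for component in sbom.get("components", []):
            status = match_advisory(component, advisory)
            if status != "not_affected":
                findings.append({"device": device, "advisory": advisory["id"],
                                 "component": component.get("name"),
                                 "version": component.get("version"), "status": status})
    return findings


def triage_fleet(sboms: Iterable[str], advisories: List[dict]) -> Dict[str, Dict[str, List[str]]]:
    """Map each advisory id to the devices affected and the devices needing manual review."""
    summary = {a["id"]: {"affected": [], "unknown": []} for a in advisories}
    for sbom_json in sboms:
        for finding in triage_sbom(sbom_json, advisories):
            bucket = summary[finding["advisory"]][finding["status"]]
            if finding["device"] not in bucket:
                bucket.append(finding["device"])
    return summary


if __name__ == "__main__":
    print(json.dumps(triage_fleet([SBOM_INFUSION_PUMP, SBOM_PATIENT_MONITOR], ADVISORIES), indent=2))
```

Two points a practitioner should take from it. The answer is only as good as the versions in the SBOM, so a component published without one is reported for manual review rather than passed silently; that is exactly the data-quality question the NTIA stakeholder groups have to settle before an SBOM is useful. And version comparison has to follow the component’s own scheme; the key above handles dotted numerics with a letter suffix, not every vendor’s convention.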

As we noted last week, the Food and Drug Administration has also been taking steps to improve medical-device cybersecurity, including putting together a go-team to rapidly respond to cyberattacks, and implementing premarket cybersecurity guidance for device manufacturers.

Dr. Suzanne Schwartz, associate director of science and strategic partnerships at the FDA, and a participant in discussions that led to the report, says the FDA has been working to implement task force recommendations for medical devices beyond the SBOM.

“We are considering seeking additional authorities,” she told The Parallax, to use an SBOM “to review premarket submissions. There’s information that we evaluate, and may not allow a device based on that.”

It’s not surprising that one of the task force’s recommendations—hiring more cybersecurity professionals in health care—has seen little, if any, traction. Eighty-five percent of American hospitals and clinics do not have a single cybersecurity professional working to protect their computer systems, they said, a symptom of the larger cybersecurity employment crisis: By 2022, experts expect nearly 2 million open cybersecurity positions to languish unfilled.

While Corman said each health care organization needs at least five cybersecurity employees, Monson countered that a smaller team could work with remote assistance, if it had the right kind of training and background. Either way, Monson said, the challenge is getting organizations “to buy into it.”

One key position still unfilled today is head of cybersecurity at HHS. To date, the federal government has yet to establish a consistent, consensus-based, health care-specific cybersecurity framework. There has been no comprehensive effort to secure legacy health care computer systems. (One perceived stumbling block: Microsoft recently announced that organizations, health care providers included, will have to pay for security patches to its legacy Windows 7 operating system once free support ends in January 2020.) There hasn’t even been a concerted government effort to develop internship programs to help small and rural health care organizations acquire cybersecurity personnel.

Monson reiterated on Thursday evening another recommendation from the report: the need for a cybersecurity exemption from the Stark Law, which restricts self-referrals in order to stop doctors from ginning up health care costs. Her argument is that current interpretations of the law prevent larger health care organizations like Sutter Health, which can afford costlier cybersecurity tools, from donating tools to smaller organizations and doctor’s offices that might not otherwise be able to afford them. It would take an act of Congress to carve out such an exemption.

She also said larger health care organizations like Sutter Health could offer more cybersecurity guidance, if not materials, to smaller organizations that have very few cybersecurity resources. (She leads a team of more than 100 people tasked with protecting the systems of 24 hospitals and 36 surgery centers.)

Along with the FDA’s Schwartz, Greg Garcia, the executive director of cybersecurity at the Healthcare and Public Health Sector Coordinating Council Cyber Security Working Group, disagrees with Monson and Corman’s assessment of the response thus far to the task force report. Garcia says his privately funded group, which partners with the government, is working on efforts to implement its recommendations.

“There’s a broad recognition that there’s not enough [cybersecurity] talent. But the biggest threat is the insider threat: doctors, nurses, technicians who are not practicing the best cyber hygiene,” he says. “They never receive any basic cybersecurity training in medical school.”

To that end, Garcia’s organization is working on a curriculum of cybersecurity basics to be taught in a handful of medical schools, as an online, at-home class—similar to many corporate cybersecurity training sessions. “By fall of 2019,” he says, he hopes to have a pilot program of schools trying out this kind of cybersecurity lesson plan, “but medical-school bureaucracy and politics are quite impregnable.”

Garcia also calls his team’s efforts to improve medical devices a success and expects it to release a medical-device security plan “by November.”

“Our successes are not measurable until we get best practices into place. Cybersecurity has really only been a concern for health care in the past five years,” he says. “It’s caught a lot of the health care sector by surprise.”

Under the working group’s medical-device security plan, Garcia says, “vendors will know what hospitals will be expecting of them, [and] hospitals will know what to expect from vendors. Up until now, there has been some level of tension between them.”

Garcia says the plan will also include a statement of commitment laying out what medical-device makers will be held accountable for on their devices, including designing and managing security measures, as well as giving adequate device security guidance to hospitals.

Until accountability is truly enforced, however, “success” might be a rather strong descriptor. Pacemaker manufacturer Medtronic just spent 18 months choosing not to fix a $20,000 problem; it remains unresolved. And Garcia, the first full-time executive director for the working group, concedes that progress toward implementing the task force’s recommendations has been “slow.”

“I don’t think there is ‘low-hanging fruit.’ It’s a sprawling morass of an ecosystem that I’m still learning about. It’s as much a matter of culture shift, investment priorities, and technology,” he says. “A lot of health care organizations still think ‘cyber’ is a distraction.”

Correction on October 6 at 2:30 a.m. PDT: The Healthcare and Public Health Sector Coordinating Council Cyber Security Working Group receives its funding from private organizations.