Steve Cagle, MBA is CEO of Clearwater of Nashville, TN.
Tell me about yourself and the company.
I’ve been with Clearwater for about three and a half years. My background is all healthcare, over 20 years working in a number of healthcare-related firms building businesses. At Clearwater, our mission is to help our healthcare customers protect their patients and their data to help them be compliant and to develop capabilities that allow them to be more effective and efficient at the business of cybersecurity, which is becoming extremely difficult in today’s age.
We talk about pandemic fatigue. Are we experiencing cybersecurity fatigue?
We as an industry had to pivot quickly to work-from-home for employees and in patient care and patient delivery. That involved a lot of new technologies and deploying those quickly. At the same time, threat actors recognized the enormous opportunity to target the healthcare industry. The data is so valuable, and the historic underinvestment in cybersecurity, more so through the pandemic, made it a juicy target.
There may be a bit of fatigue with regard to what we’re seeing with ransomware, unfortunately. We will have to continue to understand that, because we are probably still at the beginning of where we need to be from a maturity perspective in healthcare.
Has the cybersecurity significance of employee behavior changed, especially with regard to ransomware?
It’s very significant. Cybersecurity is not just about the tools that we have in place. It’s really about the people and the organization. It’s about establishing a culture where everybody in the organization understands they have a role in keeping their information safe and being vigilant. We have to continue to remind people through training and not just rely on tools. Security processes become important as well.
The top healthcare cyberattack threats remain centered around ransomware and email phishing. That’s an important part of how we need to deal with the problem.
What is the maturity level of tools that can prevent that single employee click from bringing down the enterprise?
Unfortunately, there is no silver bullet. There are some important controls that all organizations should put in place from a baseline perspective. We hear a lot about multi-factor authentication, encryption, having good protection on endpoints, and identity access management. A number of security practices should be employed. But every organization needs to have a thorough assessment and analysis of their specific risks.
When we talk about risks, we’re talking about vulnerabilities based on the specific information systems that they use in their organization and threats and the threat actors that could exploit those vulnerabilities. We have to assess the effectiveness of those tools and other types of controls, administrative controls, physical controls. How effective are those controls in preventing that threat from exploiting that vulnerability?
We also have to think about not only the likelihood of an event being successful, but also what the impact would be to our organization. That’s a risk discussion, because when you think about what you’re going to do in your organization to optimize security, it’s about your risk tolerance. Everybody’s risk tolerance is going to be a little bit different. There’s no way that we are ever going to eliminate risk completely, but we can make better decisions about where we’re spending our limited resources and our limited time by understanding, through a risk analysis, where those risks are and what we can do about them.
Health systems have recently reported some huge costs from ransomware attacks. How do they tailor what they can afford versus the possibility of huge losses due to downtime?
University of Vermont is a great example, and Scripps Health incurred about $112 million in lost revenue and other expenses. What stood out there was that their insurance only covered a fraction of that. That was the same for University of Vermont, if I’m not mistaken. There was a time where we would hear, “We have insurance and we can cover that if we need to.” But it’s not just about the financial aspects — it’s about patient safety, it’s about brand and reputation, it’s about mission to provide safe and effective care. When you hear about health systems diverting ambulances to other hospitals, you’re talking about precious minutes where those patients who need emergent care aren’t getting that care as quickly as they could be.
There is a cost perspective. Those costs are getting to be more expensive. Insurance premiums are going up – we are hearing more than 50%. We are hearing from CFOs about limits on what will actually be covered in terms of their insurance policies and needing potentially to buy multiple insurance policies. Insurers are becoming more prescriptive when it comes to specific security controls that are in place, and the security questionnaires are getting to be more extensive.
Certainly we need to look at all those implications. For many healthcare organizations, there has been historically an under-investment relative to what we see in other industries. At the same time, healthcare is going through this digital transformation. We are deploying all these new technologies. We will need the appropriate amount of investment in security as well to ensure that we can keep our applications secure and keep patients and patient data safe.
What can health systems do about the risk introduced by their business associates and vendors?
Through the first half of the year, somewhere around 40-plus percent of healthcare breaches resulted from business associates, third-party vendors, or other third parties that have electronic protected health information that was entrusted to them by a covered entity, a provider or a payer. Healthcare is shifting to cloud, using third-party service providers, generating a lot more data, and sharing and accessing that data from many more endpoints. As we continue on that journey, the threat landscape and the vulnerabilities that are created through that type of model are going to increase.
Every covered entity under HIPAA needs to ensure that they have a business associate agreement with their third parties, but that’s really not enough. We are seeing healthcare providers and healthcare payers turn up the dial in terms of what they expect from third parties, from their vendors, and from anybody that wants to do business with them who is going to receive that electronic protected health information or other sensitive data. It is still the covered entity’s responsibility to ensure that data is being protected.
What role will the federal government play in health system cybersecurity?
There have been some good efforts, public and private partnerships. The Cybersecurity Act of 2015 resulted in the establishment of the 405(d), the cybersecurity working group and task force. They recently came out with a good best practices guide that has, for small, medium and large organizations, the top 10 cybersecurity practices that can be used as a baseline. That’s been a great effort that is supported by 150 or 200 members. In January of this past year, there was legislation H.R. 7898, which basically said that healthcare organizations that are implementing or have implemented best practices — which include the NIST Cybersecurity Framework or 405(d) best practices — should not necessarily have a safe harbor, but should be looked at a little bit differently from regulators when it comes to audits or potential fines and penalties after a breach.
We have had some good momentum coming into the year. We’ve seen some good activity from the Biden Administration to work with private industry, and some communication that we’ve seen suggests that there will be more support. The recent executive order that required additional security practices and controls to be in place from government contractors hopefully will also transcend to the healthcare industry. Obviously there are a lot of technology providers out there that support the VA, for example.
There’s some good movement there. We would like to see more. The healthcare industry just lacks resources, dollars, and people. Those are things that the government can do to support healthcare, as a critical infrastructure industry, to respond to the challenge.
What developments will we see in healthcare cybersecurity over the next few years?
The challenge of cybersecurity will continue to be more complex. That’s a result of the increased adoption of new technology and the vulnerabilities that come along with that. For the future, organizations have to develop core competencies in cybersecurity and in risk management in particular as part of cybersecurity. They have to get good at identifying, prioritizing, and responding to risk, and doing that in a methodical way and a programmatic way.
We are already seeing a lot of movement at the board and leadership levels, conversations that weren’t there before, when cybersecurity was considered to be an IT problem. It’s not an IT problem, it’s a business problem, and it could potentially be one of the largest risks to the overall organization.