HIStalk Interviews Steve Cagle, CEO, Clearwater
Steve Cagle, MBA, is CEO of Clearwater of Nashville, TN.
Tell me about yourself and the company.
I’m the CEO of Clearwater Security and Compliance. We are a national, healthcare-focused cybersecurity compliance and privacy services and software company. We work with healthcare organizations – hospitals, health systems, physician practice management groups, and digital health companies. Really any type of organization that serves healthcare. I’ve been CEO for five years. I have a 20-year background in healthcare.
How do you distinguish between security and compliance?
Compliance and security are very much intertwined, especially in healthcare. Certain regulations, including HIPAA, require organizations to meet certain specifications and standards in order to adhere to those regulations. Some of those of course involve security and privacy. We have other standards and frameworks that we use in those domains to build and execute programs that protect the organization — its data, its patient data, or third-party data — to ensure that it is kept private and secure.
There is some overlap. In healthcare today, compliance is extremely important. But from a security and privacy perspective, we need to go beyond what we see in some of those regulations, and most importantly, build programs that are ensuring that we are taking the appropriate actions that are relevant for the specific organization based on its size and complexity and its contractual agreements with third parties based on other requirements it may have from insurance providers and so on. Most importantly, based on its level of risk and its risk tolerance.
We see organizations getting better at understanding risk, although not always going as far as they should — understanding risk, evaluating that risk, and then making decisions that are risk-based to secure and protect private information and to protect their organization’s operations from a cyber incident or other type of security incident.
Is ransomware still the predominant risk for providers?
It certainly is a top concern. We see in the headlines repeated ransomware attacks against healthcare. According to the FBI, healthcare is the most targeted industry out of all critical infrastructure industries for ransomware attacks. This year alone, there have been at least 19 attacks on hospitals versus 25 ransomware attacks in all of last year.
Ransomware is extremely disruptive and dangerous when it comes to healthcare. Organizations aren’t able to deliver services at the same level of quality. It may be that backup systems are ensuring that patient care is of high quality, but we know there’s an impact when you can’t get test results, you have to reschedule procedures, or you have to wait longer to get care.
A good amount of data has come out recently that unfortunately shows that outcomes were impacted and the mortality rate increased following a ransomware attack. Even hospitals that are adjacent to a hospital that was affected by an attack have had overflow, increased wait times, and increased morbidity. There’s real data out there that shows that it is not only an extreme business risk, but also a patient safety risk. It’s a business risk because revenue is impacted. For smaller organizations, a ransomware attack can cause the loss of up to 30% of their total revenue. So from both a patient safety perspective and a business perspective, ransomware is a top concern.
Is email the primary vector of ransomware attacks?
I would clarify that a bit and say that people are the top vector. That could be email business compromise or other types of social engineering attacks. A lot of those attacks are coming through text messaging. Also phone calls, where the person on the other end purports to be somebody that they are not to try to get someone to give them information to further infiltrate the organization. Phishing and other types of social engineering are top concerns.
We have to continue to make sure that people are aware of all those tactics and techniques. We also want to have other types of security controls that limit the impact of a breach. If somebody were to be able to get those credentials, what can they do with them? Do we have controls in place, such as multi-factor authentication? Do we have controls in place that limit the amount of access that individual can get? We want to have environments that provide for a zero trust approach, where they have to have repeated authentication to access certain applications even if they are able to get through to a certain point. There has been a lot of focus on that area.
That’s not the only vector. We’ve seen a lot of attacks, especially over the past couple of months, involving zero-day vulnerabilities or other vulnerabilities that have been exploited by bad actors. We have also seen that with third-party breaches, such as the recent MOVEit vulnerability. That has been a huge source of breaches for the healthcare industry over the past couple of months.
Will AI be better for hackers to launch cyberattacks, or will it be of greater benefit for defending organizations from them?
The AI wars have really begun. Artificial intelligence is not necessarily a new thing when it comes to security tools and techniques. There have been advances in applications being able to use those in a security operations center to assist an analyst in diagnosing or responding to an attack, certainly in identifying some sort of incident or potential incident that should be investigated.
But it’s being now used by bad actors to do all sorts of things, such as crafting more convincing email messages to learn about an organization’s defenses and to adjust the way that it is executing those attacks. From a social engineering perspective, it also allows creating deep fakes using video, photographs, and voice to trick people into giving credentials. The ability to detect an attack is getting better, but being able to execute those attacks is also getting more sophisticated. There will be continued advances and an ongoing battle in the world of AI and security.
How well do health systems evaluate the risks that are introduced by their business associates and vendors?
A lot of organizations are aware of the risk. There is more risk in third parties since we are using more third-party applications in healthcare, especially with digital transformation. We’re moving more to the cloud in healthcare. We are sharing information with more third parties, and it’s not just third parties — it’s fourth parties, fifth parties. It’s the whole supply chain. Understanding risk begins with understanding where your data is and where it’s going. Who are your business associates contracting with and how good are their security programs? How good are they assessing risk?
Healthcare is getting better, but the risk and the sophistication are growing also. We are probably not catching up as fast as we want to consistently across the industry. Many organizations are assessing by sending out a spreadsheet or a questionnaire. Are they asking the right questions? Are they asking those questions at the right level of depth when they are assessing the impact that particular business associate could have? How frequently are they doing it? What are they doing with those responses and how are they tracking?
That’s hard for a lot of organizations. They don’t have the time, resources, or money to do all those things. Some of the clients we’ve worked with get better at it when we help to build better programs that optimize the resources. That’s a lot of what risk management is about, especially in healthcare, where there aren’t endless budgets. How do you become more effective at deploying those resources in a way that gives you the most bang for your buck? There’s definitely opportunity there, and those challenges can be improved or solved by being a bit more optimal in how you assess risk.
Do you see the Federal Trade Commission becoming more aggressive in the non-HIPAA security and privacy aspects of healthcare given its recent activities in consumer privacy and application practices?
Absolutely. The FTC has recently come down with settlements or resolution agreements with healthcare companies that have shared sensitive personal information in violation of FTC regulations. They have also been focused on the health breach notification requirement. They have been very clear that they are looking closely at health apps that might not fall under HIPAA regulations, but certainly could fall potentially under multiple FTC and other privacy regulations. Several fines have been executed this year. They have also asked for comments on updating some of the rules that are in place already.
Recently there was the joint notice that was sent out to about 130 hospitals between the HHS Office for Civil Rights and FTC, warning those hospitals and also telehealth providers about privacy and security risks from online tracking technologies. Office for Civil Rights had also issued guidance in December. There’s a lot of attention on how information is being shared through the pixel and other tracking technologies with organizations like Google, Facebook, and other advertisers and marketers, how that information is being used internally, and to ensure that it isn’t being used in an inappropriate way. I think we are likely to see additional action taking place from FTC and potentially from OCR as well.
What are the challenges for health systems in recruiting or retaining cybersecurity expertise?
It’s definitely a challenge, and has been for a long time. There are only so many people qualified for these roles, and healthcare has been challenged with having the resources and the dollars available to be competitive in many cases. Some organizations are in areas where there just isn’t that talent available at all to begin with.
Healthcare is also unusual in terms of the environment that we are working with from a security perspective. It requires a good understanding of a clinical environment and the technologies, compliance, regulations, and the business of healthcare. It is different when you’re working with patients. A lot of unusual attributes go into making somebody successful in that role. That’s probably why we are seeing a lot of healthcare organizations outsource services that don’t make sense to do directly.
We hope to see more support from the federal government in providing some of the resources that are needed to train professionals in cybersecurity. There has certainly been some talk about that in the national cybersecurity strategy and some of the legislation that was recently proposed, specifically for rural hospitals. But it’s a huge challenge, and the need for security professionals is only growing. We will continue to see some gaps over the next decade, even as we hopefully begin to bring more talent into cybersecurity.
What will be important in the company’s strategy over the next few years?
Our vision has been to be a market leader in healthcare, cybersecurity, and compliance. For us to continue to do that, going back to the talent question, we have to have the best possible people. We also have to have a good understanding of what the needs are for our clients going into the future. Being a partner and continuing to innovate.
We always want to be thinking ahead about what our clients are going to need going forward. We spend a lot of time there, developing people, retaining people, and giving back to the industry. We hope that through our work, we can continue to provide insight, information, and a sense of community that can help healthcare to work together to solve its cybersecurity challenges.