Winning cybersecurity warfare is the ultimate millstone for CISOs

Healthcare operates with the understanding that no system is impenetrable, but must improve incident response practices by finding new ways to stay operational after network attacks, says one panelist at the upcoming HIMSS Cybersecurity Forum.
By Andrea Fox
11:10 AM

The healthcare industry is a prime target of organized cyberattacks, as has been shown near daily for the past decade-plus. The urgency of contingency planning has finally been made clear, from the boardroom to the situation room, exam rooms and administrative back rooms. 

Health system chief information security officers are at the forefront of one of the health sector's greatest challenges – to provide patient care in the face of regular attempts at network intrusions and total system shutdowns.

Like the role of the CIO, the CISO's job description has been evolving steadily in recent years – and has changed dramatically as hackers added the ability to monetize business disruptions through ransomware attacks.

"It had started as 'data security' or 'information security,' with a heavy focus on ensuring the confidentiality, accuracy or integrity and availability of the data," explains Erik Decker, CISO at Intermountain Health.

While "data was always the center of the conversation," bad actors have since created marketplaces where data, access and privileges are bought and sold, attracting organized crime to the digital ecosystem – and forcing CISOs to adopt an adversary-focused approach.

In the age of ransomware, negotiation with hackers is akin to combat.

Decker will moderate a panel on personal liability, budgetary pressures and challenging business climates at the upcoming HIMSS 2024 Healthcare Cybersecurity Forum, scheduled for October 31-November 1 in Washington, D.C.

The panel will address how the role of the CISO is evolving as organizations expect to be interrupted by cyberattacks, but must find ways to maintain patient safety and care operations despite disruption.

Reconsidering reaction to intrusions

Smash-and-grab exploits will likely continue to vex healthcare systems, according to Darren Lacey, CISO at Johns Hopkins University and Johns Hopkins Medicine for more than 18 years.

"It's not hard to steal a spreadsheet, and a spreadsheet could have 100,000 names on it," he noted.

Lacey, who will join Decker, Kate Pierce, senior virtual CISO and executive director of government affairs at Fortified Health Security, and Dee Young, CISO at UNC Healthcare, for the discussion, said the greater challenge is system-halting attacks – like the Change Healthcare ransomware attack in February that affected healthcare operations nationwide for months.

The magnitude of that attack attracted the attention of many lawmakers this year, who want to see more effort to prevent debilitating disruption across the critical sector.

"Governments and industry will continue to step up their efforts to thwart these attacks, which hopefully include a stimulus to help the needs-based organizations as well as mandating minimum cybersecurity standards in healthcare," Decker said.

Lacey said he believes that the way healthcare systems react can exacerbate the problem in certain instances.

"I think we have to start rethinking about how we do systems trust," he said.

The typical reaction to system intrusion is that "all chaos" is assumed, explained Lacey. "Assuming breach, we plan as if breach is a tornado." 

However, in that posture, "we don't actually assume breach," the industry veteran said.

What health IT teams assume is that somewhere in the network a computer or an account has been compromised, and so no systems on the network can be trusted and must be shut down.

"So the blast radius, even though the attack may be fairly low, is huge," said Lacey.

"It's understandable because what we've done over the last 20 years is consolidate administrative credentials into a much smaller number that makes them more secure."

"But, we need to come up with ways where our self-imposed blast radius is significantly less harmful and more resilient than the current model."

When health IT teams think about cybersecurity events, incidents and breaches, "we think about them as these extraordinary events – a comet hit us, a tornado," he said. "But the tornadoes flying through the data center are much more common than people allow themselves to believe."

Reducing downstream damage

Lacey suggested that organizations start to tabletop "assuming breach" to reduce "downstream damage."

"It may be how we set up administrative accounts," he said. "It may be how we do logging; it may be a recalibration of our risk analysis and those types of things where we don't have a simple binary trusted system-untrusted system."

His point is that changing how trust is managed may preserve resilience and better assure care continuity.

"We'd devise different strategies if our main goal was to preserve resilience," he said.

"How many systems at Change Healthcare were actually compromised?" Lacey asked rhetorically.

In that attack, which had a seismic effect on healthcare operations nationally, the number of systems affected was not excessive; the damage came from the complex web of dependencies on administrative accounts, he explained.

"It became super difficult to unpack the whole thing and solve it," said Lacey.

If it's impossible to have any idea about how the adversary is behaving at the time of data transactions, then shutting down systems broadly probably makes sense, Lacey acknowledged, but understanding data integrity at the time of an attack could help improve healthcare's resilience. 

What's unclear in an attack is the likelihood that the integrity of the data has been changed – "not that the data's been lost."

Relying on data that may have been stolen does not necessarily put the patient in danger of a bad medical outcome at the time of an encounter, though it may endanger some kind of identity theft later on, said Lacey.

"If you had a better understanding, what [incident response] behaviors might then be appropriate?" 

"It really is the integrity of the data – and it's not difficult to imagine how you could trace back the integrity of the data in such a way that you can feel 99.99% certain that this hasn't been tampered with," he said.

AI's role in healthcare cyber-warfare

Artificial intelligence is a cyber weapon that anyone can now use – cyber adversaries or cyber defenders.

"AI will be used both offensively and defensively; it is yet to be determined which side will have the advantage," said Decker.

The advantage is split between the two sides, Lacey said.

Healthcare cybersecurity teams will be better off than the attackers at what he called "the first level," where there is a cribbed understanding of cybersecurity.

"It gives us more tooling than it gives them because our data will be able to figure out more complicated relationships of data than we would otherwise," he said.

But AI technology means "we're going to be buried in disinformation," he said, putting CISOs in the business of disinformation prevention. Navigating those risks in the current state of cybersecurity is something "we are in no way prepared for," he said.

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.

The panel session, "Panel: Personal Liability, Budgetary Pressures and Challenging Business Climates: A Day in the Life of a Healthcare CISO," is scheduled for 2:45 p.m. on Thursday, October 31, at the HIMSS Healthcare Cybersecurity Forum in Washington, D.C.
