Dozens of lively - and sometimes sobering - discussions sprang up among the cadre of healthcare industry CISOs, legal experts and leaders from government agencies and technology vendors who gathered at Information Security Media Group's Healthcare Security Summit in New York on Tuesday and Wednesday. So what are some of the key takeaways?
For one, an online poll we conducted at the opening of our summit found that 69 percent of respondents rate the state of cybersecurity in healthcare as "failing" or "barely passing." Seventeen percent say the sector is in dire need of regulatory intervention. And only 14 percent say cybersecurity in the healthcare sector isn't any worse than in other sectors. That's not exactly a confidence-building assessment of healthcare's state of cybersecurity.
During the event, details unfolded for why the situation appears so dire to so many. The security threats and risks facing healthcare are evolving - now including ransomware and other malware attacks that might or might not involve extortion, vulnerable medical devices and sneaky insiders, just to name a few. But also, many organizations lack the preparedness and resources to effectively deal with these issues.
An informal show-of-hands poll during a panel discussion about data security action plans found that most attendees do not have such a plan at their organization.
Speaker Iliana Peters, acting deputy director of health information privacy at the Department of Health and Human Services' Office for Civil Rights, which enforces HIPAA, told attendees that reports OCR sees of incidents involving ransomware are surging - not only cases involving a breach of protected health information, but situations that potentially put patients at risk of harm.
"This is real," Peters said about the threats. "We do see a lot of entities hit by ransomware that [as a result] are unable to provide services to patients."
Do No Harm
Speaking of potential harm to patients, the issue of medical device cybersecurity was a passionate concern of many attendees, speakers and panelists. Another online poll during the summit found that about 82 percent of respondents say medical device security is a significant issue that needs to be addressed now.
Suzanne Schwartz, M.D., of the Food and Drug Administration once again tried to dispel what she described as a stubborn "myth" - that adherence to the FDA's cybersecurity guidance for device makers is optional.
The lack of adequate cybersecurity in medical devices, which raises patient safety concerns, could potentially impede FDA market approval for new devices, she noted. Plus, recalls of legacy products due to cybersecurity issues posing patient safety concerns are another possibility. In fact, there has already been one such recent voluntary recall by a device maker, and more are likely to come, Schwartz said.
Other panelists contended, however, that the standards for medical device cybersecurity aren't clearly spelled out for manufacturers. And some attendees expressed a desire to see tougher FDA oversight and mandates.
But doctors and patients aren't exactly demanding better security in medical devices even as awareness of potential risks grows, said Jack Lewin, M.D., chairman of the National Coalition on Health Care, who spoke at the summit.
And panelist David Nathans of Siemens Healthcare described a situation in which one of the largest healthcare provider organizations - outside the U.S. - demanded that authentication requirements be removed from the company's products sold to them so that clinicians would not be inconvenienced.
But it's not just medical device makers that are under scrutiny. Other technology providers, such as some cloud vendors, still refuse to sign business associate agreements that are customized to the specific needs of covered entities. And some CISOs wonder whether HIPAA enforcement, including issues involving the compliance of business associates, could weaken under the anti-regulation Trump administration, perhaps leading to even more lax practices by some healthcare organizations as well as the vendors whose products they use.
Light at End of Tunnel?
But not all was doom and gloom at our summit. There were also glimmers of hope and the sharing of success stories.
For example, Jennings Aske, CISO of New York Presbyterian, described how his organization mandated and implemented multifactor authentication in a matter of weeks despite pushback from many clinicians and others.
Jim Routh, CISO at Aetna, also described how the insurer is moving from passwords to continuous behavioral authentication in the year ahead as part of the company's ongoing strategy to improve cybersecurity.
If you missed joining us at our 2017 healthcare security summit, you can still benefit from the dozens of one-on-one video interviews we conducted with healthcare security leaders, government officials and technology gurus. Those will be posted in the days ahead. Also available soon will be webinars featuring the complete presentations.