HHS Cyber Task Force Member Discusses Top Recommendations
Interview: David Finn Describes Need for a Healthcare Framework, Other Key Steps
In an in-depth interview, David Finn, a member of a task force that advised the Department of Health and Human Services on cybersecurity challenges, describes its recommendations, including the need for a healthcare sector-specific cybersecurity framework.
"We have to change our approach to security, to privacy and to compliance from one of just checking boxes ... to addressing the impacts on the care providers themselves - and that whole interconnected healthcare chain," he says. "And that's a big change for the industry."
The cybersecurity task force that developed the HHS Cyber Security Report was made up of a diverse group of healthcare, security and technology experts. The creation of the task force and the report were called for under the Cybersecurity Information Sharing Act of 2015.
In the interview (see edited transcript below), Finn discusses:
- The task force's recommendation for the creation of a healthcare-specific version of the National Institute of Standards and Technology's cybersecurity framework;
- Why smaller healthcare entities should "share" a CISO;
- Ransomware and other threats to medical devices.
Finn is health IT officer at security vendor Symantec. Previously, he was CIO and vice president of information services for Texas Children's Hospital, where he also served as the privacy and security officer. He also spent seven years as a healthcare consultant with Healthlink - formerly IMG - and PricewaterhouseCoopers. He has more than 30 years of experience in the planning, management and control of IT and business processes.
Marianne Kolbasuk McGee: What were some of the biggest cyber challenges that the task force found that were new in terms of what the healthcare sector is facing?
David Finn: What we've seen over the last five years is really a big change in the threat landscape and the fact that healthcare is more targeted than it's ever been. So what we've discovered ... is a disconnect in healthcare, where we were thinking of security as a ... technical issue. [But] because of the nature of the attacks, the aggressiveness of the attacks and what happens when a hospital or a care provider is attacked and may be shut down, is that this is really a patient care issue now. This isn't just about your IT department.
And so we have to change our approach to security, to privacy, and to compliance from one of just checking boxes and making sure IT has antivirus on the systems to addressing the impacts on the care providers themselves and that whole interconnected healthcare chain. And that's a big change for the industry.
Call for Healthcare-Specific Framework
McGee: The cyber task force was also asked to look at other industries, to see what healthcare could learn from other sectors. What were the key lessons that the task force thought were useful?
Finn: I think the main issue for healthcare is, on the clinical side, they talk about interoperability and being able to share information in meaningful ways. And it's a similar issue on the security side. We have to have standards for assessing and evaluating security, so as we begin to interconnect and share data with other providers, with medical device makers, with medical equipment, durable medical equipment manufacturers or suppliers, that we have standards for understanding what we're doing with security.
One of the big [tasks] ... is adopting in the NIST [National Institute of Standards and Technology] cybersecurity framework and literally developing a healthcare-specific version of that framework, so we can all talk the same language, we're using the same taxonomy, we understand when someone says, "I'm doing this or I've got this in my hospital. What are you doing on your side?" And we can begin to share and understand the risks we're entering into or what we need to do to reduce those risks as we begin to share, not only the patient information, but the cybersecurity information.
McGee: In terms of a healthcare-specific cybersecurity framework, were there any suggestions about who would be responsible for developing that?
Finn: A working group has actually now been established within HHS and its goal is to align healthcare industry cybersecurity approaches. So this will be built on the NIST model, but it will be specific to the healthcare industry, starting actually with smaller organizations - the ones who are probably further behind, who don't have the resources, or the expertise in-house. So HHS, under the office of the CIO, has already started this effort. ...
McGee: The report makes more than 100 recommendations that fall under six main imperatives. Based on the discussions of the task force and what you see in the healthcare sector, which of those imperatives are most urgent and why?
Finn: One of the [strengths] of this task force was its diverse composition. We had healthcare CIOs and we had medical device makers and we had privacy and compliance people, and we had security experts. ... To pick a single priority is going to be [dependent] on your perspective and where you are. And that was one of the things that the task force wanted to do. We knew we needed to meet the industry where they were. Some organizations are quite far advanced and some haven't really done much in terms of security, and so this is a collection of recommendations and action items that, depending on where you are, you're going to pick different ones from.
But from my perspective, I think one that is critical is ... to create a cybersecurity leader role within the department of HHS.
There are numerous reasons for this, but there's a lot of conflicts, there's a lot of ambiguity, there's a lot of blank spaces in filling things in. And I think it's important to have someone who's going to work across HHS and work with the FDA and with the Department of Homeland Security, and with the National Institute of Standards and Technology to begin to get more comprehensive and more conclusive answers, because that will help everyone downstream. We have to start at the top and get those questions answered so we know what level of encryption is required and what we mean by access management and what's preferred and what you might be able to do.
Right now, that's kind of all open to interpretation, and we need to get stronger guidance and a better understanding of what the federal regulators, what the industry needs to do [in] order to protect themselves. I would choose that as my number one item.
McGee: The healthcare sector is made up of diverse providers, ranging from smaller physician practices to large medical centers. What's your advice to healthcare entities in terms of sorting through all these recommendations to assess which ones should be their top priorities for their particular organizations right now?
Finn: I think that comes back to ... developing the healthcare workforce and the capacity necessary to prioritize cybersecurity. And again, it's not accidental that the first recommendation in there is that every organization has to identify a cybersecurity leader. And this was really the intent of the HIPAA Security Rule, which went into effect in 2005, that said you should have a security representative who's responsible for this. And what we found as late as last year in doing surveys with HIMSS Analytics, is there's still about a third of providers that don't have a designated security representative or security officer. Now the term is chief information security officer or information security officer.
But every organization, and it really is regardless of size, needs to have someone focused on cybersecurity. And if you're a small physician practice, the task force understood that this was going to be hard. You're running a business; you're seeing patients; you're doing everything.
And we talk about some different models, where maybe there's a shared CISO - five or six physician practices get together and have the right expertise brought in to look at their individual practice and if they can share the burden of that expense and come up with some common rules. That's going to benefit the entire industry as we begin to move everyone in the same direction and we start to move the industry forward. So it's going to be an issue of focus.
And we understand that there have been issues, particularly with smaller providers. When we look at the workforce and how we bring that up, and how we begin to prioritize, we have to have that expertise in-house. And it isn't just the technical expertise; it's someone who understands healthcare or who can explain the technical expertise to this small practice owner who's going to have to make decisions about what he uses to secure things.
The task force report talks about the cloud being an option for small providers. And while it's a great opportunity from a cost perspective, you do have to make sure that cloud providers are in compliance with the requirements, not only of HIPAA, but other regulations. ... So we're going to have to get more focused on security and more creative about how we solve the issues.
McGee: The healthcare sector and other sectors were recently hit with WannaCry ransomware attacks. Some organizations could still be dealing with that. Is there anything in particular that stands out from the report that you think would be useful for healthcare entities to keep in mind the next time a fast-spreading ransomware hits?
Finn: One of the things we talk about ... is increasing security and resilience of medical devices, which was the initial focus. But it really became a bigger issue. It's all of health IT. It's your EMR, it's your other clinical systems that support and feed into that EMR.
So it comes down to an issue, and we heard it a lot around WannaCry, of what people in the industry call "cyber hygiene." It's issues around patching, which we certainly heard with ransomware. It's keeping machines up to date. We find legacy biomedical devices that are literally over a decade old, some approaching two decades, and those are devices that were probably never intended to go on a network, and now we've put them on a network and ... they were never developed to be protected from what's out there. And while the device itself may not be a target of the attack, the attack may have impacts that caused operational delays or caused errors in the device readings and other things that can impact care and operations in a provider setting.
So we talk a great deal about cyber hygiene and how that's done. And one of the imperatives ... is about increasing readiness and training and education for our healthcare workforce - whether they're involved directly in cybersecurity or not. And so this is another big area because whether they're a security officer or a nurse, they become the front line of defense for a provider or organization ... Doctors and nurses go to medical school or nursing school, but in the world we live in, they're going to have to understand these [cybersecurity] tools, just like they understand there are tools for a clinical diagnosis and intervention. ... They're going to have to understand enough to use those appropriately and securely to protect their patient.
And that was also one of the big findings of the task force report - that this industry is so interconnected in terms of pharmacies and healthcare providers and payers and durable medical equipment makers. And it's so highly distributed on the patient end. We've got doctors and nurses working remotely. We have patients who want 24-by-7 access. And so we're going to have to bring everyone together to help solve these issues around privacy and security.
McGee: The task force is now disbanded. So what comes next?
Finn: The report was released to Congress and I suspect they will begin reviewing it. ... While there's certainly a role for government in this, we recognize that the industry is going to have to step up and lead and take ownership as well. Not everything in the task force report is ... a recommendation to the Congress or the federal government; it's guidance around what the industry should be doing and how government can help the industry or how government can be used to convene multiple industry sectors to start making these decisions - to start pushing things forward. ... Healthcare is more than doctors and nurses; we're all going to have to ... work together, maybe under the guidance of a government agency, maybe under an association such as HIMSS to the American Hospital Association or our National Health Information Sharing and Analysis Center, where we start to convene these stakeholders.
But we're all going to have to work together. And some of that will be governmental, and some of that will be industry-led. But hand-in-hand, we're going to have to move the industry forward and in the same direction to improve security and our cyber posture. And we need to share not only the clinical information, which is certainly the goal, but share the cyber information so we can all protect ourselves appropriately and protect all of our patients.