Healthcare Leaders React to New Cybersecurity Concerns

The Ohio State University Wexner Medical Center hasn’t seen an uptick in cyberattacks as a result of the Russian invasion of Ukraine just yet, but that and other threats are keeping security experts on their toes these days

The Russian invasion of Ukraine has heightened concerns about cyberattacks worldwide, including in the US, where the Cybersecurity & Infrastructure Security Agency issued a Shields Up warning to the private sector, including healthcare organizations.

In this conversation with HealthLeaders, Phyllis Teater, chief information officer at The Ohio State University Wexner Medical Center, discusses best practices and steps that healthcare organizations can take to strengthen their cybersecurity strategies. This interview has been edited lightly for clarity and brevity.

HealthLeaders: What's your assessment of the mood of cybersecurity officers such as yourself, given that we're more than two months into the war and everyone remains on edge about maybe there's a bigger cyber threat just around the corner?

Phyllis Teater: I think that's certainly something that's concerning. We watch. We're fortunate. I'm the CIO here, not the CISO, but our IT security group watches a lot of markers to try to understand if we're seeing more threats, such as, do we see a significant uptake in the number of spam or denial of service attacks? Are we seeing phishing? It's [things] like that, that we are currently blocking. But of course, things can get through. And we have not seen a significant difference in the number of things that are trying to get in. But we are trying to be diligent.

Phyllis Teater, chief information officer at The Ohio State University Wexner Medical Center. Photo courtesy The Ohio State University Wexner Medical Center.

Healthcare has been such a big target through the pandemic. We made a lot of investments to try to really continue to address our risks, knowing that there is no perfect protection. I feel like this is just another thing that is continuing to increase the risk. We've had so many scares and media attention about the attacks on healthcare, particularly because we have been pretty busy the last two years with our business. And folks are distracted and tired, and so their proclivity to fall for an attack of some kind through our user base has certainly been higher. We've continued to be diligent and know that many of the changes in the world mean that the attacks could get more and more, but we have not seen any indication of a major uptick in the threats, in particular, from anywhere.

HL: To what extent do you think the government ought to strengthen security requirements for critical infrastructure such as hospitals and healthcare?

Teater: My opinion of this is probably biased as a CIO who has to oversee all of the investments. I think that the limitation is not the requirements or the regulations we should be following. It is all about resources, both people and monetary resources, to invest in all of the things that we should be doing. I mean, I could have a security department that [comprises] 100 people. I don't. You can invest a limitless amount of money, and you still may have a breach, because there is no perfect protection. I don't know that strengthening the requirements will do anything but feel like an unfunded mandate for any of the critical infrastructure industries.

HealthLeaders: Should the federal government give more cybersecurity support to enterprises such as yourself? For things like training? Should there be a government tax credit?

Teater: I think that that would certainly help. The most important defense is training and helping [employees]. At OSU we call it the human firewall. To be able to make sure that they understand the risks, the linkages between the things that they do, and keeping our organization safe. We think about the hierarchy of technology to be protect -- keeping the bad actors out, of course, detect -- that's making sure that you have mechanisms to understand if they did get a foothold somewhere, contain -- that's making sure if a bad actor should get in that you have protections for them being able to spread and then restore -- when you do have something that's been compromised, how fast can you turn around getting that back in a secure way?

We look at that four-part hierarchy in terms of our security posture and the initiatives that we have. Protect is so important for our humans that work here to help us with, to make sure that they are cognizant about the risks that can approach them, and how their actions can affect the institution. So I do think investing in training and being able to do some of those things and be able to have some help for organizations to build strong training for programs is really important. But of course, a tax credit doesn't help us at all, because we're not for profit.

HL: The other issue you keep hearing about is these breaches where security updates were not applied in a timely fashion. Do you think that that remains one of the big vulnerabilities, just unpatched systems?

Teater: I think so. And again, that comes back to the resources issue and having the resources to do that. [With] most IT departments, and I'll just talk about ours at the medical center, our primary focus is supporting the business of our organization. And when we think about the literally thousands of patch notices and updates, everything from critical to low, that we get every day, it's a pretty formidable thing for any organization of any size. But especially frankly, [with] large organizations, we have thousands and thousands of servers, as does every organization of any size. All different operating systems, different levels, different manufacturers, and frankly, for any organization, to feel like they're keeping up super well is a huge challenge, because of the resources it takes.

And when you think about the work that we need to do, to make our organization secure, and you think about zero trust, those kinds of things, we have to balance our ability to do business and our ability for us to take care of patients in a timely fashion. We could do all sorts of things to make our environment more secure. That would make it difficult for us to take care of patients or to do the business side of our work. There is always a balance between making your environment more secure to reduce risk, and impacting your users in such a way that it makes their job harder. Those almost never go in the same direction.

Now there are some technology advancements that have kind of made it there. Two-factor authentication, which is such a huge piece of any defense against cyberattacks, is now pretty standard. And pretty darn easy to use. When I log into our, say, HR system, every time I log in, I can have my notices go right to my Apple Watch, right? And it buzzes on my wrist. And I say approve and I'm in. And that is a big piece of our protection. So I do think there's opportunity for technology advancements that can help our security posture and not be too intrusive with our users. But that is not everything.

And we have a lot of security mechanisms at the medical center that they do not require at the university here at OSU. And that is because of our patient information and the HIPAA requirements that we have. And we hear from users regularly, why is it so hard over here at the medical center? And because we have much stronger controls that we've had to put in place.

HL: How important are the principles of zero trust, to improving enterprise security and healthcare?

Teater: It provides a very valuable framework to be thinking about, not a utopia, but a vision for how we could operate, knowing again that absolute zero trust would mean, nobody's logging onto your system. So you're sure they're fine. So it comes back to the impact to the users for zero trust environment. Has the technology advanced enough, that we can really do a full zero trust without driving our users crazy?

HL: How is the cyber insurance industry doing? Some say it's just facilitating ransomware payouts.

Teater: I think it's a relative mystery. I'm not sure that the people that need to buy the insurance or the people that are offering insurance have really figured it out. That's my sort of personal opinion. It is helpful to have the insurance if you have a major breach. Not every breach is ransomware. There are other types of breaches that still happen all the time. But I think the ransomware world is very unique, and of course, very prevalent. Many organizations have significant deductibles on their cyber insurance. Thinking about how that plays into it also within the insurance is in many situations, but not all.

HL: The security climate also makes IT leaders consider cloud alternatives to on-premises data centers more than you may have in the past.

Teater: The way I think about it, and encourage our organization to think about it, is simply a different set of security issues, some better and some not better. If you have an application that's in the cloud, that provider can have a security issue or a breach. And if they do, the capability of the organization that is using that service, to impact the restore process is very limited, and you are dependent on somebody else's best practices. You try to do due diligence, of course, when you are obtaining that cloud service and understand the process, but it is just a different set of security issues. And I think it's still quite an impact to any organization, because it's about the business continuity. It's about not having access to that system. And it can happen with a cloud provider the same way it can happen with something on prem.

HL: Are there other best practices that have come to the forefront this year, as you further try to respond to this threat?

Teater: Continuing to up your game with training, which we already talked about, and really having a program to train your organization, a regular ongoing program, about how you do self-phishing to try to identify those users that are perhaps high risk and give them additional training. And so lots of innovation, I think in that space, although that's not really technological.

It's more about social engineering innovation to be able to really hone your practices for the areas that are the highest risks. Many organizations are investing in EDRs - endpoint detection and remediation. And, and I do think that that endpoint protection and detection is so important, because that is often the way that many, many vectors can get in. They're starting to really, I think, advance and mature and be able to help organizations really contain as well as protect their assets.

HL: Any other concerns?

Teater: It is a huge challenge for all industries in their technology space to have the talent, the amount of talent we really need working on these problems. And so, hoping for advancements in degrees that are offered in cybersecurity and protections and in training programs, to be able to really build that talent base, is going to be so important to our future.