A Global Perspective on the Growing Cyber Threats Facing Health Care
Cybersecurity is a central part of every nation’s infrastructure – especially when it comes to health care.
The availability and free flow of health information is critical to providing care. Unfortunately, patient information isn’t just valuable to caregivers, it’s also becoming a primary target for criminals across the globe.
In this special episode, Chip Kahn moderates a panel of cybersecurity experts, with significant experience in the health care sector, from around the world.
The discussion, entitled ‘Navigating Today’s Cyber Threats for Tomorrow’s Healthcare,’ was organized by Future of Health, a group made up of thought leaders from hospital systems, academia, policymaking, payers and patient advocacy.
Topics discussed include:
- Current state of cyber defenses today – vulnerabilities, variabilities across the world
- Goals of cybercriminals targeting health care entities – money, data, or mayhem
- Paying ransom – views from different countries
- Political implications – how to react when cyber breaches become geopolitical events
- Proper role of governments in cyber defense and attack mitigation – the role of mandates and the threat of penalties
- Lasting advice – the one thing health care entities must do to protect themselves.
The virtual panel:
- US: Meredith Griffanti, Senior Managing Director, Global Head of Cybersecurity & Data Privacy Communications, FTI Consulting
- UK: Dr. Saif Abed, Director of Cybersecurity Advisory Services, The AbedGraham Group and Cybersecurity Consultant, World Health Organization
- Singapore: Kim Chuan, Group Chief Information Security Officer, SingHealth
- Israel: Alon Rozen, CEO of Elements Group, and former Chief of Staff at the Israeli Ministry of Defense and Director General of the Israeli Homefront Defense Ministry
More:
Established in 2018, Future of Health’s diverse membership represents the foremost health organizations and thought leaders from hospital systems, academia, policymaking, payers, industry, and patient advocacy. Each year, FOH members address, through a process of discussion and research, pivotal issues facing health care across the world. From this process FOH develops insights and recommendations, disseminating its findings through published papers that serve as a blueprint for a common vision for the future of health.
Dr. Saif Abed (00:04):
Cybersecurity is a patient safety issue, cybersecurity is a public health issue. View it through that lens, and plan and prepare from that perspective.
(00:14):
Don’t look at it as a tech issue. And then, you’ll be making the right steps in the right direction.
Speaker 2 (00:24):
Welcome to Hospitals in Focus from the Federation of American Hospitals. Here’s your host, Chip Kahn.
Chip Kahn (00:34):
Welcome to a special episode of Hospitals in Focus. I recently moderated a webinar on one of the most pressing issues facing healthcare today, cybersecurity, and felt that the discussion was so important, that I wanted to include it in our series.
(00:50):
The discussion features experts from around the world, and is entitled Navigating Today’s Cyber Threats for Tomorrow’s Healthcare. The webinar was organized by The Future of Health, a group I co-founded in 2018, and co-chair today.
(01:06):
Our diverse global membership includes thought leaders from hospital systems, academe, policymakers, payers, and patient advocates. Each year, FOH focuses on pivotal issues facing healthcare across the world, through discussion and research.
(01:25):
This webinar was a first for FOH, and on our virtual panel from the United States is Meredith Griffanti, a cyber expert from FTI Consulting; from the UK, Dr. Saif Abed, who is a medical doctor and healthcare cybersecurity leader; Kim Chuan, Group Chief Information Security Officer at SingHealth, in Singapore; and Alon Rozen, CEO of Elements Group, and a former chief of staff of the Israeli Ministry of Defense. I thought it was an eye-opening discussion, so I hope you do too. It starts now.
(02:02):
Cyber is a central part of every nation’s infrastructure, and no one knows that better than those of us in healthcare. The availability and free flow of health information is mission critical to providing care today. Health information exists in our medical records, and between multiple settings.
(02:25):
Many people have, and need, access to it, and that increases exponentially every day. The information is a critical path for both receiving and providing care, but unfortunately, it is also a valuable commodity for bad actors. That makes health information a primary target across the globe.
(02:48):
I recently visited with the COO of one of my largest health systems and was not at all surprised to hear him say that cyber was the number one issue that kept them up at night. I’m happy to be joined today by this esteemed panel of experts from around the world.
(03:06):
In the next 45 minutes, our distinguished panelists are going to tell us about how we can protect the information of what the dangers and threats are, and share their experiences and expertise at the frontline of fighting cyber attacks.
(03:25):
So let’s get started. And I’m going to do a round-robin, and ask Meredith, Saif and Kim, and then Alon, in that order, to answer this question.
(03:35):
So I’ll start with Meredith, with this question for all four of you. Can you describe the worst breach you’ve seen, and what the significance of that breach was to you?
Meredith Griffanti (03:50):
So that’s to me first, right, Chip?
Chip Kahn (03:51):
Right, yes. Meredith first.
Meredith Griffanti (03:55):
I’ll kick this off here. So, as an outside consultant, I think it’s difficult for me to name names when it comes to certain companies. I can tell you that there are a couple of pivotal moments, I feel like, where government and industry really woke up to the need to prepare for these attacks.
(04:18):
It’s not healthcare-related, but it is critical infrastructure-related. I think back to the Colonial Pipeline attack where, for the first time, I feel like in US history, there were truly physical, tangible implications from a cyber attack.
(04:38):
For those of you around the world who are listening, that aren’t familiar with the Colonial Pipeline incident, it was a ransomware attack on a crude oil pipeline that transported gasoline up and down the East Coast of the United States. And because of the need to shut down the pipeline, there was a fuel shortage to hospitals, to airports, to the pump.
(05:05):
So you really saw people running to gas stations and filling up trash bags full of gasoline, very safe. But for me, that was kind of a moment in which government really started paying attention, and I feel like critical infrastructure of all sorts, including the healthcare industry, really thought about, “Wow, how and why, and what are we doing to prepare for these types of incidents?” So I think about that one.
(05:36):
I really think about, we saw a case in particular, in Australia, with Medibank, where there were some blunders, I would say, in the response, in terms of trying to walk the line of being transparent, but getting out ahead of the forensic investigation, and making promises about data impact, saying that certain patient data wasn’t affected, and then, having to walk that back, and getting it wrong.
(06:08):
So I think there have been a number of lessons learned for the healthcare industry over the past few years, and a lot of my job, in particular, is helping with that work stream, and helping around communications, and making sure that when a company is hit by one of these attacks, they are doing everything they can to get to their front lines, to equip them with messaging and talking points to interact with patients, doctors, associates, payers, providers, all of the healthcare ecosystem.
(06:47):
So that’s a little bit about my role, a little bit about what I’ve seen over the past couple of years, and now, looking forward to talking more about this.
Chip Kahn (06:56):
Great. Saif?
Dr. Saif Abed (06:58):
So I have to say, the attack that I would describe is a moment in history. It really set off the whole subject of cybersecurity in healthcare. It’s an old one, but it’s a goody, or a bad one, depending on how you’re going to phrase it.
(07:11):
It’s the WannaCry attack that affected, well, it was opportunistic in the whole world, but it affected the national health system in England. What’s so devastating about it is that remember, I’m a clinician by background, but somehow, I’ve ended up in the dark heart of cybersecurity for the last 12 years. For me, it’s all about patient safety and patient outcomes.
(07:36):
So you had five major emergency departments shut down during that cyber attack. You had ambulances being diverted. Now imagine this, if you were a patient suspected of having had a stroke. And you have a three-hour, three and a half hour window for treatment, and your ambulance gets diverted, that’s half an hour, an hour diversion, then you enter a queue for another hospital?
(07:57):
That could be the difference between making a full recovery, or being paralyzed for the rest of your life. You had cancer appointments canceled at scale. You had operating theaters, not able to do operations, let alone primary care, was completely messed up during that period.
(08:17):
And ever since then, I’ve worked with government agencies all around the world, whether they’re on the defense side, or on the healthcare side, and also at the global government agency level. These are public health crises, and I think, Chip, I was mentioning to you before, I view this the same way the opioid epidemic is being viewed as a public health crisis.
(08:37):
This is how damaging these attacks are. We saw, during COVID, so many cyber attacks on healthcare infrastructure, healthcare organizations. We saw a national level cyber attack against the Irish health system, that shut down five major cancer centers.
(08:51):
Really, I’d say the WannaCry attack was the progenitor for healthcare really being on the hit list for ransomware gangs. And it also meant entering that target, that gray space between the interests of cyber criminals, but also, the interests of entities involved in cyber warfare, as well, and how they could mask their behavior through criminal gangs.
(09:14):
So yeah, I’d really say the WannaCry attack was the seed, and the most significant moment that kicked off unfortunate events for the last decade.
Chip Kahn (09:25):
Kim?
Kim Chuan (09:27):
I got to agree with Dr. Saif. WannaCry was quite a major event. I remember being woken up by my wife at 10:00 p.m. at night, and she said, “There’s a BBC report that you got to see,” and when I read, saw the news, I had to make that dreaded phone call to my boss to wake him up, and tell him that “I think this thing is going to come to us, and we got to get ready.”
(09:52):
And fortunately, we got everyone asked at midnight, and prepared for the wave of attack, which fortunately didn’t arrive. But for me, the cyber attack which is most memorable, is the one that is most personal, and the one that affects the organization, and your customers.
(10:13):
Back in 2018, I was working in a shared IT services organization that supports all the public hospitals in Singapore, including SingHealth, where I am now. And we experienced a relatively obfuscated attack on our EMR systems in 2018.
(10:32):
The threat actor was detected on our network sometime in July of 2018, and by the time we took a few days to confirm it, and closed down the attack, we were just a few days too late. The threat actors were able to exfiltrate over a million patient records from our system. It was a very humbling experience, and it taught us a lot.
(10:59):
Although we didn’t suffer any systems outages or disruption to our services, we took a lot of lessons from the incident, including never to underestimate an adversary who was highly skilled, very patient, specialized, and there were teams of them working together to pull off the attack. It was a hard lesson to learn, and we hope that we never have to go through the same experience to get around.
Alon Rozen (11:30):
So first of all, like Meredith, I have a problem opening up about things that happen on our customer side, but I will talk at a very high level, in general, about things that are already published. So I agree with Dr. Saif regarding the WannaCry. This is one of the craziest attacks ever, in the history of cyber, until now.
(11:59):
When I saw this question, when I heard this question, I debated between the WannaCry, or the Stuxnet attack, because the Stuxnet attack angle created a new area of different attacks in OT areas. In the end, we have a lot of data running into hospitals, running into data centers, and so on, and so on.
(12:31):
But we are leaning on operational technology, cybersecurity infrastructures, from generators to cooling towers, via the electricity, the healthcare equipment, and so on, and so on, everything based on ICSs, on industrial control systems.
(12:53):
And I think that it’s a huge gap, it’s a worldwide gap, you can say, regarding this matter, or issue. And it can be open for different vectors of taking on our most critical and crucial infrastructures worldwide.
(13:14):
I can tell you that one thing that we were part of, in some matters, is the attack against the water infrastructures in Israel in April 2020, when Iran tried war. According to the media, Iran tried to attack different entities dealing with water in different areas in Israel, it’s an OT, by the way, an OT attack, as well, tried to mix some measurements of different materials that go in through the water, in order to clean them, and so on. Those kinds of attacks are extreme terror.
(14:11):
It’s attacks to create a biological terror. This is one of the things that I personally saw, that really frightens me, and by the way, it’s connected directly to the areas of healthcare. The same terror attacks can be held in healthcare facilities, or different companies that deal with drugs, and those kinds of things.
Chip Kahn (14:43):
So I’m going to address this to Saif and Kim. So from your experiences with these events, did they change behavior on the ground, in terms of what the facilities, the institutions, those working in the institutions do? Was there a sufficient sort of response in terms of, and here, I’m not talking about the mitigation, but in terms of moving forward, did it change behavior? Or did the vulnerabilities continue?
Dr. Saif Abed (15:16):
I’m happy to take it.
Chip Kahn (15:18):
Yeah, Saif? Why don’t you start, and then, Kim, make some comments?
Dr. Saif Abed (15:22):
For a national health system, definitely, there was a huge investment that came after that horse had bolted, if you will. You would see the equivalent of the team responsible for cybersecurity, from my understanding, within a few months grew from six to 60, the levels of investment that were involved, the development of a national cybersecurity operations center, perimeter security investments.
(15:48):
Really, from a standing start, really huge investments went in. Does that mean that the UK, or any other country in the world, for that matter, that has experienced these kinds of cyber attacks, are at the level of cyber maturity that they should be? The answer is no. Because healthcare is complex. Each individual hospital, clinic, arm’s-length body that’s involved in healthcare, or public health facility, it’s so difficult for most of them just to understand what assets they have in their environments, let alone to identify the vulnerabilities and the threats.
(16:22):
It’s really difficult. So yes, again, these events were a catalyst, have things kept pace as much as they should? Is it easy to forget? I think it is easy to forget, once a little bit of time has evolved. It’s human nature, unfortunately. So you really need strong regulators, strong government to stay on top of this.
(16:45):
And you really need executive leadership in healthcare organizations, to not just buy in, but to buy in through action. And we can get to the supply chain, I’m sure, at a later part of this conversation.
(16:57):
So yes, some change is being driven, not necessarily enough. I’ll just add one point. I think, in healthcare, there’s an obsession with digital transformation. We’re excited about new technologies, and often, we adopt new technology without any safeguards, whatsoever. And that’s what makes healthcare so attractive to attack.
Chip Kahn (17:17):
Great. Kim?
Kim Chuan (17:20):
Well, no question, after that incident, we had to rethink our entire security posture. We ramped up the awareness across the whole, not just in SingHealth, of course, but across the whole country, all the public healthcare institutions. Internet access was severely curtailed, at that time, to help us take stock of where attacks came in, and where we needed to strengthen. And life has been quite different for the clinician colleagues of mine.
(17:57):
For many people in the public healthcare institutions in Singapore, access to the internet was a lot more complicated than previously, as you would expect, because that’s where the main route of attack was. And we needed some time to shore up our defenses.
(18:16):
In the five years since, we have gradually reviewed some of the security measures. And we have, in some cases, where we think the risk tradeoffs are sufficient, we have gradually loosened up the security to, I wouldn’t say loosened up, we adjusted the security measures a little bit. But all that was necessary, because we didn’t want to have another cyber attack again.
Chip Kahn (18:45):
Alon, what do you consider the state of the art here? I mean, obviously, Saif has made the point that this is a 24-7 ongoing issue. It evolves over time.
(19:01):
Unfortunately, it involves human beings, as well as technology. So what is the state of the art of cyber defense today?
Alon Rozen (19:11):
It’s a tough question, because I think there is no state of the art. The cyber is like the technology, it’s evolving all the time, meaning that all the time, things are being changed dramatically. Take, for example, AI. It’s a black hole, it’s a huge black hole that nobody knows how to take care of.
(19:32):
But okay, mix AI with cyber. Do you have, today, state of the art, or different tools, that you can implement in some organization, in order to protect you? I’m not sure, because the AI is providing different arenas and mixing different arenas from different vectors, and those kind of things. So it’s a little bit problematic, to put and say, there is something that is state of the art.
(20:06):
There is a lot of advanced things and the cyber defense is extremely advanced every and each year on every team of attackers. There is 100 million teams that create defense for those kind of attacks, and thinking out of the box, how to create the next level of defense, from out of bend level, or level zero, as you can say, until the highest level of packet of information.
(20:39):
But I think that we need to remember three main things. First of all, there is no foolproof. There is no 100% ability to defend ourself. The second thing is the technology’s creating more and more challenges all the time, moving forward. And as Dr. Saif said, we are bricks of bringing into the healthcare systems, bring new technology, innovation, new systems, new softwares that can be created, huge gaps in our systems.
(21:24):
And we talked about AI, see the issue with the different municipalities globally, with the area of smart city. The smart city creates a lot of options for legacy systems to be hit by hackers. So I think the best one is to think that there are a lot of different components in order to create defense, but it’s defense. It doesn’t give us the full capability, or 100% ability, to control or to eliminate events.
(22:08):
And this is why, basically, you must have a kind of mitigation plan, in order to tackle those events, and to know how to recover from them. I think this is the best way, if you do tabletop exercises, or technology exercises on one side, and on the other side, put a very tight and lean mitigation plan, and on top of it, of course, put a lot of technologies, in order to protect yourself, at different levels, you will receive the state of the art for today.
Chip Kahn (22:46):
Meredith, Alon, in his intro, mentioned a terrorism motivation for the attack that he referred to. Obviously, the Change Healthcare attack on United that just occurred, probably had to do mostly with money, but a little bit with mayhem, and a little bit, we’ll find out eventually, with use of the data that was stolen.
(23:14):
What are the implications of these motivations, in terms of how facilities and institutions should think about preparing themselves for attacks? And, in a sense, also, Alon’s last point, thinking about how they would mitigate, assuming that you can’t stop everything?
Meredith Griffanti (23:36):
Sure. It’s a great question. Let me start by talking about motivations. What we tend to see with ransomware threat actor groups is, they’re primarily financially motivated.
(23:50):
Their end goal is to secure a payment, usually as large of a payment as possible. In the old days, we saw straight encryption of systems, then extortion of organizations for AT, to unlock those systems.
(24:09):
And then, we sort of moved into double extortion, which is encryption of systems, which causes the disruption and mayhem, and then, stealing data as a second form of extortion. So now, the threat actor has two legs to stand on when it comes to extorting, both for the key, and for the return of data.
(24:31):
Now what we’re seeing is, because fewer organizations, I would say, over the past year or so have really been paying, they’re trying to make the disruption and the extortion process as crazy as possible and as painful as possible, whether that’s also sending harassment e-mails to employees, or calling executives’ phones directly, or using AI to distort images of executives, and sending those around to employees, death threats. We’ve really seen it all, in terms of the desperation, with these attackers trying to secure payment.
(25:16):
But I would say the overall motivation is financial. And then, of course, if they can’t monetize the attack itself, and they don’t secure a payment, oftentimes we’ll see them turn to the dark web, for trying to sell the data for some sort of financial gain, or publicly embarrass the company to make sure that their next victims are more inclined to pay. So, as big of a show as they can put on, the better.
(25:48):
Now, of course, that motivation, that modus operandi, pretty much changes when we’re talking about a nation state, or a country, in particular. For various nation states, obviously, the motivation is more on the intelligence gathering side. “What can we learn about this company from an IP standpoint? What can we learn about their customers, the data that they manage?” So that’s a real shift.
(26:18):
It’s less about publicly embarrassing the company. It’s more about, “Can we steal their source code, their IP? Or can we learn something from the data that they manage or process?”
(26:31):
In terms of mitigating these attacks, I think the best form of mitigation is truly preparedness. It’s not what shiny tool or technology can you put in place. It is, how complete, how comprehensive, are your preparedness plans? And I’m not talking about putting templates, and media holding statements down on paper, that are fill in the blank. It’s really about roles and responsibilities, and who’s going to be in charge of what, who the ultimate decision maker is.
(27:09):
How organized are work streams in an incident response scenario? And how does information flow back and forth between work streams, so everyone’s on the same page? I think the biggest disruption we tend to see, and the biggest pain point for organizations, is around their communications.
(27:28):
And when you think about healthcare systems, let’s take hospital systems in general, you’ve got local hospitals to communicate with. You’ve got frontline doctors, patients, you’ve got big vendors that provide services to you, that may or may not disconnect from your network. You’ve got insurers to deal with.
(27:48):
That’s a lot at regulators’ media. It’s just a lot of influx that you have to triage. So the more that you can put a plan down on paper for how you’re going to proactively manage that set of communications and practice it, drill, tabletop, simulate, the better off you may be in the end, when it comes to responding and mitigating.
Chip Kahn (28:13):
Let me go around, and we mentioned ransom. Should you pay, or shouldn’t you pay?
(28:20):
Obviously, there’s always a context, but what are the views? Alon, Saif, Kim, whoever.
Dr. Saif Abed (28:31):
So I think it’s then … You want me to start? Yeah. No, go ahead.
Chip Kahn (28:36):
Yeah, why don’t you start?
Dr. Saif Abed (28:36):
Go, go for it.
Chip Kahn (28:37):
Go, go for it.
Dr. Saif Abed (28:38):
Okay. I think you have to look at the facts of the situation.
(28:43):
This has been happening long enough that we know, that the majority of occasions, if you pay, you’re not going to get your data or system access back, in a lot of situations. I think the last study that I saw, was something around 55 to 45% chance whether you’d get your system access or [inaudible 00:29:05] access back, number one.
(29:06):
Number two, if you pay a ransom, there’s no guarantee that they haven’t incentivized the other ransomware group not to come after you and say, “Hey look guys, we’ll sell you the data. You can go and try and extort them again.” So it’s not protecting you in any way, shape or form, in that regard. And the third, I would say, the payment of ransoms has encouraged the attacks on healthcare generally.
(29:30):
Now, I’m going to be a clinician. Now I’m going to be a medical doctor. If I was chief medical officer in a hospital, and you told me, “We can’t get access to our IoT system that we’re using in the intensive care lab, or the cardiac cath lab, or in the operating room, because we don’t want to pay these bad guys over here,” me as a clinician, I’m just thinking, “Do whatever it takes, so I can look after my patients, who are at risk right now.”
(29:58):
So there is this challenge in the boardroom, to understand their environment, and as Meredith said, to have preparedness addressed in such a way, that the clinicians don’t feel that pressure and dependency on their technology. They know what systems to move to.
(30:15):
Whether that’s pen and paper, or other communications systems, they have a well drilled, well-planned way of addressing the risk, to maintain patient safety, so that they don’t feel that pressure that makes the boardroom then say, “Do we need to pay the strength somewhere?”
(30:28):
But that’s the challenge. I say, don’t pay, but you really need to be prepared, that you don’t face that pressure in the first place.
Chip Kahn (30:36):
Kim, and then I’ll go to Alon. Alon, Alon.
Alon Rozen (30:38):
All right, sorry, Chip.
Chip Kahn (30:40):
No, Go ahead. Go ahead, Alon.
Alon Rozen (30:41):
So I totally agree with Dr. Saif. I think it’s a $1 million question, literally, and it’s very complex, because I think you need to put on the scale a lot of different angles.
(31:00):
Because first of all, you need to ask yourself a lot of questions. For example, can you recover without paying the ransom? This is one question.
(31:15):
The other question is whether the attacker will come back and attack you again, if you pay him. What would be the part, or whether he will fulfill his part of the agreement after you pay him, that he will give you what you expected to get. Of course, it’s a legal issue in different countries. It’s illegal to pay different attackers. The biggest question, I think, is, who is attacking you? Is it an independent hacker? Is it a group of hackers that works for themselves, works for competition, works for a government?
(32:05):
If it’s a government entity, I think it’s a huge question mark. You need to put all the time above your head in order to find the right decision, if you’re paying or not. This is why you cannot say yes or no to paying. It’s a lot of different dependencies.
(32:27):
And I think that, in the end, you cannot create guidelines to put a clear answer. You need to put different questions that you need to ask yourself. Of course, it’s connecting directly to the preparedness matter.
(32:47):
If you will put under the light of the nails above my head, I will put the right questions when attack will happen, I will know to ask myself those questions, and give myself the answer.
Chip Kahn (33:03):
Kim?
Kim Chuan (33:04):
Hi. In Singapore, we have a national policy not to negotiate with the cyber threat actors. So, no ransoms to be paid, and our strategy is not to assume that they will give in, and give us the key back now. So we’ll just have to prepare accordingly.
Chip Kahn (33:25):
Let me ask, I guess Alon might be the, I’ll ask you, we had an audience question about, how good is quantum encryption? Do you have a view on that, or …
Alon Rozen (33:37):
Not a clear view?
Dr. Saif Abed (33:38):
I have a view.
Chip Kahn (33:42):
Anybody else? Saif?
Dr. Saif Abed (33:43):
Yeah, I have a view. Okay, so homomorphic encryption, quantum computing, all of this, sounds very exciting, unbreakable encryption. Let’s just put it this way. Social engineering is the way to break any encryption. So if I can call you or send you a spreadsheet and say, “Hey look, here’s the nursing rota for the next week. Click on it and open it.” Or, “Here’s your pay slip for your last medical shift,” and you click on that, doesn’t matter how good your encryption is, we’re into the system.
(34:12):
So I think, let’s not get, again, excited by the bright and shiny technology, when there are so many easy ways to get around it. That would just be a really important point to raise on that.
Chip Kahn (34:25):
So the dilemma that I’m hearing is, and really, Saif, you just referred to it, which is, the chain is, each link in a chain is only as strong as the weakest link. And the problem here is, regardless of the technology, we have the humans involved.
(34:42):
And so, as we’ve said, I think, bad things are going to happen, no matter how good the walls are that you build. That being recognized, let me ask Meredith, what is generally happening with the data when it gets out there? How is it being used when it is stolen, generally? Or is there a generalization here?
Meredith Griffanti (35:13):
I think it’s hard to say, in terms of a generalization. We see a number of things happen. We see threat actors post massive amounts of files to their shame sites. Then you see other groups try to download it, sift through it, and glean if there are any personal details that could be used for identity theft.
(35:41):
We also see threat actors try to monetize data they’ve stolen by selling it on the dark web, if the company doesn’t pay to get it back. So, a number of things could happen, it’s really tough to kind of have a blanket statement on what they do with it. Not sure if any of the other panelists have different views, from a technical point of view there.
Chip Kahn (36:04):
Does anyone else have a view of … Well, because I think part of what you need to worry about is, if your data is going to get out there. I mean, is there anything you can do to prepare with it?
(36:17):
Or what is the worst case that you’re going to have to think about, if you’re handling data that you have to handle, to provide healthcare services and also do the financing side of healthcare? Anyone else have a view? This is a tough one.
Alon Rozen (36:31):
I think, the combination between data that has been stolen, to implementation. I think that in the end, when somebody has my data, and with AI today, it can do an avatar that talks like me, that looks like me, that has all my data, it starts to be a problematic situation.
(36:59):
I think this is the worst nightmare that we can go through, using data that have been stolen, in cyber. This is why I told you earlier that AI, it’s a huge, huge, huge black hole regarding cybersecurity.
Chip Kahn (37:18):
What do you think the proper role is, and I’ll throw it out to whoever wants to grab, for government in this case? Obviously, we’re dealing with various sizes of nation states here represented around our table.
(37:35):
But the United States has the NSA, and FBI and other entities, that are supposedly having their own walls. What should government be doing, or can we depend on it?
(37:49):
Now, obviously, with NHS, they’re synonymous, but in a sense, the institutions are still somewhat separate from the government itself.
Dr. Saif Abed (37:58):
So if I can pick up on that? Yes, so having advised a lot of government agencies, I’m going to say the same thing that all of them can do, from the smallest nation state, to the largest nation states in the world, I think there needs to be an acceptance that the IT supply chain is broken.
(38:18):
We haven’t touched on this, but I really want to. We have some of the biggest IT suppliers in the world operating in healthcare environments, and they’re doing the absolute minimum they can to tick cybersecurity check boxes, just to get through procurement. And then they hope no one ever checks on them again.
(38:35):
They might have an ISO 27001 certificate, and they just hope they can breeze on by with that. No one’s auditing them or anything like that, let alone the tens of thousands of startups that are in healthcare environments, without any cyber checklists. So government has a really critical role in regulating the suppliers that are essentially operators of essential services now. They’re part of the national critical infrastructure.
(38:59):
We need to regulate them. We need to make sure they are checked on constantly, they are audited, and we need to make sure that the executives of healthcare organizations understand that they have a responsibility to make sure that not only at procurement are the checks happening, but throughout the life cycle of technology being in your environment, that patients are dependent on, and clinicians are dependent on, that the same suppliers, doesn’t matter how big they are, or how small they are, they’re being checked on, and there are appropriate penalties for non-compliance with what is protecting public health. So I have a very strong [inaudible 00:39:32].
Alon Rozen (39:33):
Healthcare, in my point of view of health, and again, I agree with Dr. Saif, healthcare is a strategic and national, or even federal, sometimes, asset. This is why, basically, the different governments need to put, first of all, regulation.
(39:52):
I think that, more than regulation, they need to take a role in creating intelligence capabilities for the public sector, or the critical infrastructure sector. The third thing that they need to do is to create the IR teams in order to help manage attacks that have been hitting those kind of, let’s say, critical assets, or national or federal assets that are privately owned. And we have those kind of things. Healthcare is one of the symbols in this case.
(40:29):
And two more things that I think that, all the time, we miss. One thing is to create awareness. Government needs to create awareness for the population, for the citizens. And this is one thing.
(40:45):
The other thing is the most important one, and we need to put the light on that. We need to educate. We need to educate our next generation, how to understand the threat, how to tackle this threat, how to manage our life, that depends today on a lot of different technology things, how to manage and shrink dramatically our exposure to those kind of threats.
(41:19):
So this is in my point of view, and I served in the government a few days, this is the role of the government worldwide, especially in Israel, by the way. This is my two shekels, as we say in Israel, on these points.
Chip Kahn (41:39):
Other views? Anybody else? Kim?
Kim Chuan (41:42):
Yeah, I think government has a big role to play in cyber, because cyber is a global issue. And then, no single country, no single company can deal with it on its own. And government agencies are the best at international cooperation and coordination. So in the areas where government can help and reach, the Cyber Security Agency in Singapore is doing quite well. We get funding for special areas, innovation, AI research, threat intelligence, coordination, skilling, upsizing of the cybersecurity manpower, workforce in the country.
(42:21):
And then, of course, the regulation to enhance and strengthen areas, which are a little bit deficient, and specific sectors that need more help than others, yeah. So, a big role, as far as I’m concerned. I think it’s indispensable, actually.
Chip Kahn (42:38):
Meredith, do you have any other comments about …
Meredith Griffanti (42:42):
No, I don’t think so. I think the team has covered it quite well.
Chip Kahn (42:46):
I’d like to drill down on something, Saif, that was implied by your comments. Let’s take the Change Healthcare, and for those that don’t know, Change Healthcare is a huge clearinghouse, that much of the financial traffic going between providers and insurers in the United States, about 40 or 50% of it, went through this clearinghouse.
(43:09):
It seems to me, it points to a problem, and you implied it, in talking about government role is, if you’re a hospital system, or even a physician or physician’s office in the United States, you have all these third parties you have to deal with, and you’re dependent on the certifications that they come to you and say, “Well, we’re certified, don’t worry about us.”
(43:34):
Well, let me ask two questions. One, how good are those certifications right now? And it was implied that maybe they’re not good enough.
(43:43):
And second, if you’re a provider and have to deal with third parties, what do you need to know about the third party? And how should you think about how you send your information around, which you have to do?
Dr. Saif Abed (43:58):
Yeah, so let me give you two ends of the spectrum here. The one that everyone knows, ISO 27001 and 27002, classic for cybersecurity assurance and risk management. But then we have, just this December, ISO 42001, risk management for AI, which came out.
(44:16):
And that’s going to be, trust me, that’s going to be the big thing. We’re doing a lot of work there. The challenge here is, it’s become a checkbox for procurement, in my opinion, ISO is good, ISO is really good. And in the moment when you get audited, and a real auditor steps in and goes, “We’ve checked everything, and it’s legit,” that’s fantastic.
(44:36):
What happens in the two- or three-year intervening period between audits, if other audits happen at all? And let’s say, a huge roster, let’s say, a physician’s office, is still dependent on 15, 20, 50, 100 different suppliers of IT systems. That physician’s office does not have the capability to review all the audits and request all the audits. So there’s a real challenge here.
(45:00):
And that’s where having a strong regulator that’s asking for, “Okay, give us your annual audit, or give us your biannual, your six monthly audit. We’re going to review it, we’re going to check it, and then we’re going to report to all your customers that everything is still assured to a level that it should be, based on these international standards that we use, or based on these national standards that we used.”
(45:21):
Is that a get out of jail free card? Does that mean you’re not going to experience cyber attacks through these suppliers? No, but you’re in a plausible position today. We’ve attempted to assure ourselves and our customers who are patients and other partners, that we take the security of our supply chain, and therefore, patient data and clinical systems seriously. But we really need strong regulators. Maybe, like Alon suggested, a collaborative entity between the healthcare agencies and the intelligence agencies, to come together and form its own regulatory body, or assurance body, that just deals with the supply chain.
(45:55):
But for me, it’s really quite a big step that needs to be taken, and very few nations have taken that step. Maybe it’s just because it’s a maybe slightly controversial way to end the session, maybe there is some lobbying that happens from some of these suppliers, that makes it difficult to reach that kind of equitable position. But I think it’s good for everyone if the supply chain works, and it’s secure, and we can provide [inaudible 00:46:22]. It really is.
Chip Kahn (46:22):
So we’re getting to the end of the hour, and why don’t I go around again? And I’ll do it in reverse of where I started, and just said.
(46:33):
Considering all the discussion we’ve had, what for our audience is the main takeaway that you think they should have, regarding protecting themselves? And I’ll start with Alon, and then, go to Kim and Saif, and Meredith to close out. Alon?
Alon Rozen (46:52):
That cyber attack, it’s not a matter of if, it’s a matter of when. And you need to prepare yourself, not less than you need to protect yourself with different systems.
Chip Kahn (47:05):
Kim?
Kim Chuan (47:06):
I think it’s important to remind ourselves that no one can ever prevent or guarantee that a cyber attack won’t happen. We need to be ready, we need to do all that we can to make it as difficult as possible, and we need to have a certain mindset that when it does happen, or when it happens, we know how to respond, and as quickly as we can.
Chip Kahn (47:34):
Saif?
Dr. Saif Abed (47:36):
Yeah. So, a cyber attack, whether it’s against a healthcare facility, or a chemical, biological, radio, nuclear facility, or at a utility like water, like Alon mentioned before, cybersecurity is a patient safety issue. Cybersecurity is a public health issue.
(47:52):
View it through that lens, and plan and prepare from that perspective. Don’t look at it as a tech issue, and then you’ll be making the right steps in the right direction.
Chip Kahn (48:02):
Great. Meredith?
Meredith Griffanti (48:04):
I think it’s a little bit of a reiteration, what I said before on preparedness planning, and really putting value and importance on communications in that preparedness planning. Responding to a breach is difficult, but if it’s handled correctly, that’s what people really remember about an incident, is the way in which you responded and communicated to all of your stakeholder groups. So I would just encourage the audience to really place emphasis on that, and think through it, as you’re hearing.
Chip Kahn (48:43):
What an insightful discussion. So appreciate the experts taking the time to share their thoughts and experiences. Hearing perspectives from around the world clearly shows that cyber vulnerability in healthcare doesn’t stop at the border of any one country.
(49:00):
This is going to be an issue we unfortunately will all have to grapple with, far into the future. Thanks for taking the time to join us today for this special episode.
Speaker 2 (49:15):
Thanks for listening to Hospitals in Focus, from the Federation of American Hospitals. Learn more at fah.org. Follow the Federation on social media at FAH Hospitals, and follow Chip @chipkahn.
(49:29):
Please rate, review, and subscribe to Hospitals in Focus. Join us next time for more in-depth conversations with healthcare leaders.