Playing Cyber Defense in the Age of Digital Innovation

Digital innovation in artificial intelligence, machine learning and other spaces is becoming more present in health care. With these advancements also come threats from cybercriminals. Through June of 2023, 48 million individuals were impacted by 250 data breaches as reported to the HHS Office of Civil Rights, and about a quarter of those breaches were high-impact ransomware attacks. In this conversation, Troy Ament, chief information security officer at Fortinet, discusses the conversations health care needs to be having to balance digital innovation with cybercrime defenses. Fortinet is an AHA Preferred Cybersecurity Provider.

00:00:00:23 - 00:00:37:27
Tom Haederle
The good news is digital innovation - in the form of artificial intelligence, machine learning and other methods - is alive and well in the field of health care. The bad news: cyber criminals show every sign of keeping pace with and taking advantage of these advances. Welcome to Advancing Health, a podcast from the American Hospital Association. I'm Tom Haederle with AHA Communications.

00:00:38:00 - 00:01:02:10
Tom Haederle
There are some records you hope are never broken, but it happens anyway. During the first six months of 2023, the number of cyber theft breaches exceeded that of the entire previous year. 48 million individuals were impacted by 250 data breaches as reported to the HHS Office of Civil Rights through June of this year. About a quarter of them were high impact ransomware attacks.

00:01:02:12 - 00:01:21:26
Tom Haederle
So the question is how should the conversation around digital innovation and health care evolve in the face of so much cybercrime? In this podcast, hosted by John Riggi, AHA's National Advisor for Cybersecurity and Risk, we explore some answers. This was recorded live at this year's AHA Leadership Summit.

00:01:21:28 - 00:01:50:16
John Riggi
Hey, everybody. John Riggi, your national advisor for Cybersecurity and Risk at the AHA and with me today is Troy Ament, Healthcare CSO of Fortinet. Fortinet is an AHA preferred cybersecurity provider. Troy is joining us today to discuss how imperative it is that health care organizations prioritize cybersecurity defenses while exploring digital innovation. Troy, thanks for joining the podcast today.

00:01:50:18 - 00:01:52:23
Troy Ament
Hey, thanks for having me, John. It's a pleasure to be here.

00:01:52:24 - 00:02:23:14
John Riggi
Always great to have a conversation with you, Troy. So, Troy, you watch the news, you respond to the attacks as I do, and you're probably well aware that this year is the most significant year in terms of cyber data theft breaches. I track the data thefts and the data breaches very, very closely. And unfortunately here we are halfway through the year and we have already smashed through last year's record number of hacks and record number of individuals impacted.

00:02:23:16 - 00:03:06:03
John Riggi
As of June, the number of data breaches as reported to HHS Office of Civil Rights stands at about 250, impacting 48 million individuals. And very concerning is the fact that about 25% of those breaches reported are high impact ransomware attacks, which continue to disrupt and delay health care delivery and risk patient safety. Geopolitics is contributing to cyber risks that allow and create a permissive environment for these foreign-based groups to launch these high impact ransomware attacks against the West.

00:03:06:05 - 00:03:16:12
John Riggi
Troy, given our current cybersecurity landscape, how should conversations around digital innovation evolve for hospitals and health systems?

00:03:16:15 - 00:03:40:06
Troy Ament
Yeah, well, that's a great question and I couldn't agree more with the stats that you show, and I often share those same stats from the OCR. I think they give a great summary of the threat landscape. And you know, I think the advice after spending a decade, almost two decades in the provider space, protecting hospitals as an organization, really embedding cybersecurity governance into their operational needs, right?

00:03:40:06 - 00:04:03:09
Troy Ament
So if we're looking at digital transformation, mergers and acquisitions or next generation technologies, you know, in 2023, as we sit here, and some of the next generation things that are happening. The advice I give health systems is really to embed security governance into everything they do. What does that mean? That can mean mergers and acquisitions, right? As you know, my former role...

00:04:03:09 - 00:04:36:12
Troy Ament
anytime we did an acquisition, I did 23 acquisitions over the course of a decade. We doubled the size, tripled the size of our organization, and each time we did a major acquisition, it changed the portfolio or the security posture of our organization. So I think embedding that into that governance program, some of the latest technologies that we're seeing that organizations need to think about is AI and machine learning and how are they using that to better understand what do we need to be thinking about from a cyber perspective so that we don't end up being another statistic that the OCR produces.

00:04:36:13 - 00:05:02:12
John Riggi
On the OCR wall of shame. Unfortunately, it is. I make some commentary, as I always do in these podcasts, that ultimately these hospitals are victims. They're victims of cyber attacks. Not only are they victims, the patients they care for are victims as their health care is disrupted. But the entire community that is serviced by that hospital that depends on that emergency room to be available is also a victim.

00:05:02:14 - 00:05:43:05
John Riggi
When that emergency room gets shut down by a Russian based ransomware attack. So you touched on a couple of issues here, and we'll just go into a little bit. Governance, governance, right? Cyber risk must be the largest health care breaches and some of the ransomware attacks, high impact attacks start as a result of the bad guys understanding where the seams are when these mergers and acquisitions occur, when one less secure system is attempted to be merged or given access to a more secure system. The bad guys

00:05:43:05 - 00:06:15:12
John Riggi
always find those seams and exploit them. AI, I mean, we can't stop talking about AI. It's everywhere. My concern is, I'm sure yours is, we have to stop, pause and really pay attention. When the innovators and developers of AI are saying we need to stop and we need government regulation. Given all this that's going on, where AI is being touted and attempted to be embedded in every digital transformation project, what would you consider some of the higher risk digital projects?

00:06:15:15 - 00:06:43:04
Troy Ament
Yeah, so we talked about a big digital project that isn't fancy, but it's a merger and acquisition, right? It's combining those electronic medical records. It's combining those payroll systems. Another one, though, is a lot of organizations are moving to cloud or they're moving to third party SaaS. And if I go back to earlier in my career when I was in financial services 15, 20 years ago, we did significant third party risk assessments of anybody that we did business with.

00:06:43:04 - 00:07:09:19
Troy Ament
Those were boots on the ground audits, assessing the data flows, assessing data centers, those types of things. And we're not quite there yet in health care. I think we need to be a little bit more mature and proactive on those cloud initiatives, thinking about what are our core operations within our organization that we've moved to a SaaS-based application just because an organization is based in the cloud and they're doing it for.

00:07:09:19 - 00:07:11:02
John Riggi
You mean they're not 100% secure.

00:07:11:02 - 00:07:24:06
Troy Ament
They're not 100% secure all the time. And sometimes our teams are doing it as well or better within the health system. So never assuming. Right. You know, I think, you know, trust but verify. Right. So something that I always advocate for as well.

00:07:24:13 - 00:07:56:00
John Riggi
That's a great point. I think a very timely point here. Speaking of cloud vulnerabilities from some of the best known brands. Microsoft recently announced their Microsoft Exchange Server vulnerability that they had cloud based. And once again, CISA, the Cybersecurity and Infrastructure Security Agency, FBI, all warning that basic cloud procedures, security controls need to be in place. All entities need to understand what their business associate agreement is with that third party provider when it comes to cloud services.

00:07:56:03 - 00:08:21:00
John Riggi
So given all this, how can health care organizations really invest in embedding security into these transformational initiatives which are really needed to improve patient outcomes? That's job one. We have to improve patient outcomes and we have to save money. These digital transformation initiatives do produce clinical and business efficiencies. So given all that, how do we handle security?

00:08:21:01 - 00:08:42:18
Troy Ament
Yeah, so when I was in health care before I got into cyber, I led all of our Epic EMR initiatives, oversaw device integration and the smiles that we would see on nurses' faces when we connected those connected medical devices and they no longer had to have a notepad or Post-it note and take the vitals from the patient's bedside and then go to the nurse's station and enter them.

00:08:42:20 - 00:09:21:28
Troy Ament
How much time we relieved them of by automating that; they're able to accept the vitals right at the patient's bedside. It was obvious it was safer. The data was more real and it was quicker. Right. Those have been all great things and we continue to do significant digital transformation there. However, we need to look at embedding security into all those workflows of when we implement those technologies at the time we implement them, because it's so much more difficult to bolt on that security after the fact. When I look at a lot of health care organizations, when I talk to CSOs within the provider space, it's about 7% of operations that IT spends on digital transformation.

00:09:22:00 - 00:09:50:22
Troy Ament
That might not sound like a lot, but those are some very significant projects. The biggest thing, the biggest takeaway that I have is on average, if you look at studies, only 6% of that IT 7% is cybersecurity. For an organization, so very small within the provider space. However, if you look over at financial services, three times the number, almost 20%. 6% versus almost 20% in financial services, that's one of the reasons they're staying one step ahead.

00:09:50:22 - 00:09:59:13
Troy Ament
They've got more resources. They're working harder, deeper into the security, maturity scale, and they do a lot more consolidation and convergence.

00:09:59:16 - 00:10:25:11
John Riggi
Totally agree. Just for background, in the sense that health care did not fall behind on security issues, digital transformation on their own. The reality is we didn't even have the mandate to digitize healthcare records until 2009, 2010. So financial services certainly far more mature with deep pockets, but they've been handling security since 1972, when the first computer went into a bank.

00:10:25:14 - 00:10:52:18
John Riggi
And I think you mentioned another great point in terms of planning for security at the outset of the project. Far too often, as you said, there's bolt-on security. What we need, and I advocate for this very loudly and publicly, is that our third party technology must be secure by design and secure by default. We are really in a situation where we've become accustomed to the idea that all technology provided to us is insecure by default.

00:10:52:20 - 00:11:05:23
John Riggi
That's why we patch all the time. All the time. So look, Troy, again, given all that, how can simplification and consolidation of projects within IT benefit an organization's security posture? How do we do that?

00:11:05:23 - 00:11:36:02
Troy Ament
Yeah. So as a CSO, one of my biggest friends was our chief application officer and his mission was to simplify. And if he's simplifying all the applications and consolidating all the applications that we have within our environment, that reduces that threat landscape that I have to defend. So if I'm a health system that's done a lot of acquisitions or growing through acquisitions and I've got six or seven EMRs, I haven't totally turned those down and I've got millions of patient records duplicated throughout multiple EMRs

00:11:36:04 - 00:12:06:09
Troy Ament
that's a bigger challenge to defend new vulnerabilities, systems that are getting stale and not being used. So if you can consolidate those, that is a big benefit for the organization that follow suit, not just within applications like payroll systems, but it's also networks, security platforms, that type of thing. So keeping it simple and keeping it easy is sometimes not the sexiest thing or the sexiest project to do, but it's definitely, in my opinion, one of the most beneficial for an organization.

00:12:06:13 - 00:12:33:21
John Riggi
Fundamentally reducing cyber risk by consolidation and consistency of technology, provisioning of old technology, centralizing all your data, really mapping your data is not one of those stats. I look at very frequently on the Office of Civil Rights. I understand. I look at where was the data actually stolen from. And when you look at it really in a strategic way, very, very few data breach thefts are actually reported as occurring from the electronic medical record.

00:12:33:27 - 00:12:46:07
John Riggi
Yeah, the data is everywhere in our networks. And so in the last hour or so they said only 8%, 8% of all these millions and millions of health care records are being stolen from the electronic medical record.

00:12:46:13 - 00:13:07:09
Troy Ament
You're absolutely right. So as the CSO being in the space, running security operation center teams and now my former guard labs team, well, we do investigations. You say 8%, I would totally agree with that. The percentage might even be less. Usually when we see that, that's an insider threat, maybe somebody looking at patient records of a family member or something inappropriate of that type.

00:13:07:12 - 00:13:20:15
Troy Ament
But we don't see the ransomware actors going after the records in that situation. We see them going after underlying infrastructure, trying to shut down domains so that they can make the health system become non-operational.

00:13:20:19 - 00:13:46:11
John Riggi
All right. The trend, as I'm sure you're aware, is that the latest ransomware actors engage in the double extortion method, deploying malware ransomware that encrypts networks, forces the shutdown, but also stealing data and then holding that for ransom. Then basically telling the victim that did some of this, you could restore independently from backup. They then extort the victim for non-publication of the stolen records.

00:13:46:11 - 00:14:04:20
John Riggi
It's like the bad guys' cyber insurance: you can restore. We still have your records. So you talked a little bit about AI in all of this digital transformation, cloud migration. Looking ahead, what security implications should hospitals and health systems consider as they adopt new technology?

00:14:04:23 - 00:14:27:05
Troy Ament
Yeah, so kind of just doubling down on the investment of being proactive, right? Building that governance into all of your changes within the organization so that you're not having to do it after. You know, one example of that is within AI right now, a simple physician finding, okay, it's really easy to build a patient letter within ChatGPT.

00:14:27:08 - 00:14:43:24
Troy Ament
They're better at it than I am, but they're just doing the right thing by the patient. They want to get them the data, but they might not be thinking, Oh, I just sent that patient encounter to the cloud. Do we have a business associate agreement with them? Is that information available to someone it wouldn't be appropriate for?

00:14:43:24 - 00:14:52:23
Troy Ament
So some of it's education and that's just getting a little bit ahead of it from a security perspective, appropriately before we begin to use it within our daily workflows.

00:14:52:25 - 00:15:14:28
John Riggi
Again, totally agreed. The advent of AI, we don't even know what questions to ask, right? Like, where are they pulling the data? How are they arriving, generative AI in particular, at their conclusions? Where's the audit trail? Where does the data go? Just as you said, are we creating new risks, new exposures as we progress and adopt this technology? Personally, I believe a pause is well warranted.

00:15:15:00 - 00:15:32:27
John Riggi
And I'm certainly not alone in that crowd. When the heads of Google, Amazon and Apple, Microsoft, they're all voicing for a moratorium on the advancement of AI. Well, great to be here with you today, Troy. Thanks for joining us today at the 2023 Leadership Summit. Thanks for listening.