Modern Healthcare recently talked with Theresa Meadows, chief information officer for Cook Children’s Health Care System, about the state of cybersecurity in the healthcare industry. She co-chaired the Health Care Industry Cybersecurity Task Force.
On how much progress the industry has made on cybersecurity since the task force’s 2017 report:
Theresa Meadows: I think a significant amount of progress is being made. The issue is just so large that it’s going to take a lot of consistent effort to resolve it.
On how the Health Care Industry Cybersecurity Task Force’s 2017 report changed how the industry deals with cybersecurity issues:
Meadows: The biggest thing that we have is a partnership with federal, state and local government. There are 15 working groups with different activities. … What these groups have done is really put together actionable leading practices that organizations can use to improve their cybersecurity posture.
There’s probably about 40 or so best practice documents that have been developed, readily available for people to either assess their environment, ideas about how to handle medical devices, just different topics, how to handle the workforce, where can you find workforce members and what’s the best way to do that. So I think a lot of progress has been made, but of course there’s always more to do.
On the real-world impact of the partnership between the federal government and the healthcare industry:
Meadows: The communication between the federal government and the private sector—the hospitals and doctor’s offices—that communication has gotten so much better. You probably recall back in November, we actually, for the first time ever, got an alert from the federal government about healthcare being under attack from a cybersecurity perspective. And that really has not occurred in that broad of a scale until then.
On the changing nature of cybersecurity threats:
Meadows: We’ve evolved really over the last couple years where these attacks are really about shutting down our ability to provide healthcare and requiring us to pay money to get that ability back. That’s way different than what we’ve ever prepared for in the past. And I think that the attacks are just more frequent. It’s beginning to be pretty commonplace that people are falling for either malware, ransomware, phishing attacks, and you see that pretty frequently reported in the news.
The reasons for these attacks are way different. A lot of them are to make money. It’s very different than what we traditionally have been taught in IT security in the past.
On the vulnerability of older medical devices:
Meadows: When those things were developed, cybersecurity wasn’t a real issue so they don’t have capacity to do some of the cybersecurity things that need to be done. I think there’s a new frontier now that we’re connecting all these medical devices to our electronic health records or to other entities. That’s a new potential attack vector for someone to hack a medical device and maybe change the IV flow rate or different things.
We’ve been working very hard with the (Food and Drug Administration) on getting guidelines, principles and other things in place to really shore up our medical devices and make sure that we’re protecting not only our EHRs and looking for phishing and ransomware, but also having tools in place so we can tell if the medical devices are acting differently than in the past. So I think those are some of the areas that you’ll see evolve over the next year.
On planning for cybersecurity risk:
Meadows: Cybersecurity is everyone’s job. Get your plans documented because a lot of people think they know what they would do but they’ve never really written it down. So having those plans documented and communicated out to the organization is really important. There are lots of resources out there, so take advantage of those because I think people don’t do that enough and they feel like they have to figure this out on their own.
Gloss