Healthcare data is incredibly valuable, as it contains extremely sensitive information ranging from Social Security numbers to private medical records. Unfortunately, attackers know this and are targeting the industry, with a recent study finding that healthcare data breaches are at an all-time high, affecting over 26 million people in 2020, an increase of 55% from the previous year.
The reality is that security systems in the healthcare industry are immature and unable to protect valuable patient data. So what does the sector need to do to keep up with rising cybersecurity threats?
To help share more insight, Security spoke to Joey Johnson, Chief Information Security Officer of Premise Health, a direct healthcare provider, who has led the charge in data protection for the organization and the over 2,200 companies it supports.
Security: What is your background, current role and responsibilities?
Johnson: I have over 20 years of experience in IT and started my career building IT networks for Reagan National Airport and Dulles International Airport after getting my degree in network engineering. From there, I pivoted to a career in cybersecurity and healthcare.
Presently, I am the Chief Information Security Officer at Premise Health and have been serving in this capacity for 11 years. Premise Health is the world’s leading direct healthcare provider and one of the largest digital providers in the country, serving over 11 million eligible lives across more than 2,500 of the largest commercial and municipal employers in the U.S. In my role, I am responsible for leading all organizational efforts related to security operations and engineering; information technology and security compliance; identity access management; policy development; security audit; and vendor risk management to meet challenging security and compliance demands. A crucial part of my job is helping businesses understand gaps they have in cybersecurity and how these align to the broader business.
Additionally, I work in an advisory capacity with a number of organizations, including CardinalOps, CyberTheory, CISO Executive Network, Global Cyber Institute, CyberMDX, and the Journal of Law & Cyber Warfare, and also work with several security technology investment groups to help evaluate their portfolio companies and their immersion solutions.
Security: Malicious hackers have been targeting sensitive healthcare data at an increasingly alarming rate. How can healthcare security leaders keep up with rising cybersecurity threats?
Johnson: One major challenge in the healthcare industry is the rapidly evolving cybersecurity threat landscape. In theory, that should mean the defense-in-depth architecture for healthcare organizations is evolving just as rapidly, but that's not the case, leading to blind spots and vulnerability for many.
Thinking about traditional cybercrime, oftentimes it's opportunistic and capitalizes on a lack of security hygiene. Basic hygiene is the best practice in addressing rising cybersecurity threats; when a business doesn’t perform basic hygiene, that is almost always the entry vector.
To mitigate and keep up with these rising threats, healthcare security leaders should establish and implement processes and procedures that are collectively beneficial to the organization’s stakeholders and all facets of the business. This includes evaluating third-party vendors, training employees on phishing and security for the organization, patching properly, and establishing multi-factor authentication protecting email. Ultimately, a major aspect of strong cybersecurity comes down to meeting businesses where they are, and mitigation processes should reflect that.
Security: What are some of the challenges the healthcare industry currently faces when it comes to data protection and why is just being compliant not enough?
Johnson: A major challenge the healthcare provider industry faces is that a great deal of growth has happened through acquisition, which means disparate organizations’ IT architectures are heterogeneous and it’s hard to have a singular cohesive enterprise security posture. When you think about how provider healthcare grows, it’s typically through merger and acquisition activity, so within a hospital group, there may be 30 little independent technology stacks and teams. This results in what I call independent “fiefdoms” that now exist under one system; these independent stacks or fiefdoms make it difficult to have continuity under one group. At Premise Health, we have a certain advantage in that controlling all of our wellness centers under a common team and technology footprint allows us to achieve enterprise-level security.
Looking at the impact COVID-19 has had on the healthcare industry, it’s been a perfect storm of risk. The pandemic forced the rapid adoption of technology, and anytime this acceleration happens, it’s going to come with a degree of risk. Plus, if you think about the emergence of telehealth for example, this wasn’t a new technology that emerged during the pandemic but rather was one that was rapidly adopted across organizations that hadn’t used it before. Additionally, the pandemic shifting workers to a remote environment posed new challenges and introduced a learning curve for the workforce as employees adapted to changing processes and technology in a non-workplace environment. This opened up risk for more personal attacks, like phishing scams, to take place.
Ultimately, today's cyber tornado is not the same as tomorrow's cyber tsunami. The adversarial threat landscape is dynamic, and the rate at which organizations are adopting new technology is too. Solely being security compliant isn’t enough to prepare for new concerns, and only focusing on compliance will lead the healthcare industry to fall behind. It’s also not enough because a lot of the organizations being breached are compliant; in fact, compliance represents the baseline of controls and procedures that need to be in place, but it’s not true proactive risk management. It can take years for risk management practices to make their way into a compliance framework, and by the time it’s in a compliance framework, security-mature organizations have already addressed those concerns and have moved on to pressing risk challenges.
We see this at Premise Health constantly because we work with businesses that are leading their industries and navigating risks where there is no blueprint. Because of this, we are held to the standard these companies set. For example, with highly regulated organizations, like financial services, Premise is held to that standard across our business, ensuring we’re at the forefront of cybersecurity and well ahead of compliance standards.
Security: What are best practices and policies the healthcare industry/security leaders need to adopt in order to protect patient data and mitigate cyber threats?
Johnson: Businesses need to start by understanding the fundamentals of a good security model, beginning with what data is being accessed and who is accessing it. A lot of organizations find this challenging, and in healthcare it gets even more complex because all of the data doesn’t live in one place. To better secure data, all areas of an organization need to be strategically aligned on what they are doing with that data, who needs access to it, and whether it needs to be shared outside of the organization.
Beyond understanding where data exists, many different parts of an organization need to work collectively in adopting practices and policies that protect patient data and mitigate cyber threats. There sometimes is a misconception in the healthcare industry that the response to cyber aggression is cyber-defense tools. While this is part of the solution, training and setting cultural expectations internally are also required to mitigate cyber threats. As organizations engage and expand their technology footprint, security teams must address how quickly they can move at some degree of tolerable risk, as well as identify where the guardrails need to be, and where the places are that they can’t take on that risk.
In a remote work environment, security teams should also examine the work-from-home models and what this looks like. With employees working remotely or in a hybrid environment, it’s important to retrain tools and contemplate what other kinds of security risks remote work poses. For example, when patient providers began working at home, one threat that emerged was Echo or Siri-type devices in the home. This group had to adjust to ensure these devices wouldn’t pick up secure conversations, like telehealth sessions.
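To make the point about knowing "what data is being accessed and who is accessing it" concrete, here is an added example from the editor; it is not code from Premise Health or from the interview. It runs a small audit over constructed EHR access-log lines: it builds an inventory of which users opened which patient records, then flags record views by non-clinical roles, clinical staff opening records outside their own unit, and users opening an unusual number of distinct records within an hour. The log format, the role policy in CLINICAL_ROLES and the MAX_PATIENTS_PER_HOUR threshold are all assumptions chosen for the example, not a real organization's policy.

```python
"""Inventory and anomaly checks over constructed EHR access-log lines (example only)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). Columns, assumed for this example:
# timestamp,user,role,user_unit,patient_id,patient_unit,action
SAMPLE_LOG = """\
2021-03-02T08:01:10,jsmith,nurse,cardiology,P1001,cardiology,view_record
2021-03-02T08:03:44,jsmith,nurse,cardiology,P1002,cardiology,view_record
2021-03-02T08:05:02,bclark,billing,finance,P1003,oncology,view_record
2021-03-02T08:06:30,bclark,billing,finance,P1003,oncology,view_billing
2021-03-02T08:10:00,mlee,physician,oncology,P1003,oncology,view_record
2021-03-02T08:11:15,rdoe,nurse,oncology,P2001,oncology,view_record
2021-03-02T08:12:20,rdoe,nurse,oncology,P2002,oncology,view_record
2021-03-02T08:13:25,rdoe,nurse,oncology,P2003,oncology,view_record
2021-03-02T08:14:30,rdoe,nurse,oncology,P2004,oncology,view_record
2021-03-02T08:15:35,rdoe,nurse,oncology,P2005,oncology,view_record
2021-03-02T08:16:40,rdoe,nurse,oncology,P2006,oncology,view_record
2021-03-02T08:20:00,jsmith,nurse,cardiology,P2001,oncology,view_record
2021-03-02T09:30:00,rdoe,nurse,oncology,P2007,oncology,view_record
"""

# Hypothetical policy for the example: roles with a clinical need for the full
# record, and how many distinct records one user may open per hour before review.
CLINICAL_ROLES = {"nurse", "physician"}
MAX_PATIENTS_PER_HOUR = 5


def parse_log(text):
    """Turn the CSV lines into event dicts with a parsed timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, user, role, unit, patient, patient_unit, action = line.split(",")
        events.append({
            "time": datetime.fromisoformat(ts),
            "user": user, "role": role, "unit": unit,
            "patient": patient, "patient_unit": patient_unit, "action": action,
        })
    return events


def build_inventory(events):
    """Who touched which data: user -> set of patient ids they accessed."""
    inventory = defaultdict(set)
    for e in events:
        inventory[e["user"]].add(e["patient"])
    return dict(inventory)


def find_role_violations(events):
    """Full-record views by roles without a clinical need (billing may view billing, not the chart)."""
    return [(e["user"], e["patient"], e["action"])
            for e in events
            if e["action"] == "view_record" and e["role"] not in CLINICAL_ROLES]


def find_cross_unit_views(events):
    """Clinical staff opening records of patients outside their own unit."""
    return [(e["user"], e["patient"], e["patient_unit"])
            for e in events
            if e["action"] == "view_record"
            and e["role"] in CLINICAL_ROLES
            and e["unit"] != e["patient_unit"]]


def find_high_volume_users(events, window=timedelta(hours=1), limit=MAX_PATIENTS_PER_HOUR):
    """Users who opened more than `limit` distinct records inside any single window.

    Returns user -> peak distinct-record count for users over the limit.
    """
    per_user = defaultdict(list)
    for e in events:
        if e["action"] == "view_record":
            per_user[e["user"]].append(e)
    flagged = {}
    for user, evs in per_user.items():
        evs.sort(key=lambda e: e["time"])
        peak = 0
        for i, start in enumerate(evs):
            # Sliding window anchored on each event; evs is sorted so evs[i:] is not earlier.
            seen = {e["patient"] for e in evs[i:] if e["time"] - start["time"] < window}
            peak = max(peak, len(seen))
        if peak > limit:
            flagged[user] = peak
    return flagged


def audit(text=SAMPLE_LOG):
    """Run all checks and return the findings as one dict."""
    events = parse_log(text)
    return {
        "inventory": build_inventory(events),
        "role_violations": find_role_violations(events),
        "cross_unit_views": find_cross_unit_views(events),
        "high_volume_users": find_high_volume_users(events),
    }


if __name__ == "__main__":
    for name, result in audit().items():
        print(name, result)
```

On the constructed log this flags the billing user who opened a full chart, the cardiology nurse who opened an oncology patient's record, and the nurse who opened six distinct records in under an hour; the inventory alone already answers "who has touched which records", which is the starting point the interview describes.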
Security: Why is healthcare data so valuable, and what can patients do to help security leaders and the health industry ultimately protect their information?
Johnson: From a threat profile perspective, healthcare data is incredibly valuable because it can’t be cancelled or turned off — it’s a social security number or a healthcare record, not a credit card. It’s a permanently viable high value data asset. What’s more, it may exist in various copies across multiple organizations. There is no one single place an individual can go to in order to get their ‘whole health record’. This complex dynamic makes it more valuable monetarily and more vulnerable to attack. Plus, when healthcare data is breached, patients don’t even know where to go and find it, and it can be months or years before someone even knows it’s been stolen.
On an individual level, we are now more responsible for our data than ever before. Take a moment to pause and think about the data you’re entering, where you’re entering it, where it might be going and who has access to it. All data is sensitive, whether it’s healthcare related or otherwise, and patients need to take ownership over it. Patients can take steps to do this by being judicious about who information is being given to and why certain information is being shared. They shouldn’t be afraid to ask a healthcare provider or organization how healthcare information is being used and who besides their provider may have access to it. With a plethora of healthcare devices and apps that many patients are now using, all of which take in sensitive data we care about, it is important to read terms of agreement closely to understand how your data will be collected and with whom it can be shared. Individuals don’t often think of fitness wearable devices as ‘healthcare data devices’, but in reality they’re collecting and often sharing the same sensitive data elements in an unregulated ecosystem.