The Hunters team recently connected with Eric Yablonka, former CIO of University of Chicago Medicine and of Stanford Health Care and the Stanford School of Medicine. He has served on boards and advisory boards for health tech companies and is a venture advisor for YL Ventures, a lead investor in Hunters.
Sarah Granger, Head of Content and Editorial at Hunters, sat down with Eric to discuss the biggest security challenges healthcare organizations face today and how best to address them.
Sarah: What can you tell us about the role of a CIO in a healthcare environment when it comes to security, particularly in a larger hospital system like Stanford Health Care or others where you have worked?
Eric: The CIO’s role in healthcare organizations really focuses on leading by leveraging the technology and data assets available or on the horizon. CIOs in some organizations have other roles that could include digital health, supply chain, revenue cycle, biomedical equipment, medical records, or medical informatics. It really depends on the organization. In most organizations I know, the CISO reports to the CIO, but that’s not exclusively true. In some organizations, they may report into the Head of Risk, Privacy, or the General Counsel’s office.
In my experience as a CIO, I’ve had CISOs report to me. And in that role, it’s managing the cyber risk of the enterprise, including secure and safe computing, communications, and medical equipment wherever the organization provides care. What’s different in a health system is that patients’ lives and the caregivers’ ability to provide safe care depend on robust cyber services. The financial services industry may have different imperatives, but of course in hospitals – beyond the normal business imperatives – there’s the issue of safe and effective care for your patients.
Sarah: What are your primary concerns when it comes to security in the healthcare environment?
Eric: Earlier in my career, it used to be in healthcare that your IT systems were pretty narrow – lab systems, registration and billing, that kind of thing. Today, everything is digital. Everything is online. And the organization entirely runs on platforms 24 x 7 x 365 enabling patient care. What’s also changed in healthcare is the Internet of Things (IoT), and in this context medical devices. Cardiac monitors, ventilators, IV pumps, and other medical equipment are all now smart devices. They’re all on the network, so they’re connected, sending data likely to your Electronic Health Record (EHR), which is the other big thing in healthcare that in the last 7-10 years has really changed.
Almost every hospital has an EHR and all those records are online, used in the moment for patient care or patient services. And that moment could be: a patient walks in for an appointment, or they’re on the operating table in the middle of a procedure and someone has to access the system to look at images or to reference laboratory information. And in the Operating Room (OR) in particular, they have systems that integrate all these data feeds, so surgeons have a cockpit to conduct the surgery. And as you know, a lot of surgery is now robotic as well – machines that are networked and connected and streaming data. So everything is digital, and that has changed the game in terms of risks to manage to ensure safe care and continuous organizational operations.
There’s now virtual care: video visits and other things that were really scaled up during the pandemic, so now there is more healthcare at home. Remote monitoring is going to become a big thing – devices in the house watching, listening, or monitoring patient activities or health, feeding that data back to their provider using analytics and other technologies, taking that data and using it for treating the patient. The healthcare ecosystem is 100% digitally driven. People’s lives are dependent upon it working all the time or very well. And safe care is generally the highest priority in healthcare organizations. These new and emerging digital care technologies impact the cyber risk of the organization.
And of course, as it relates to security, business continuity becomes a big issue as well. It’s not just worrying about getting hacked. It’s that you need to run the healthcare organization no matter what. So we’ve seen implications like ransomware attacks at hospitals where their systems weren’t available for days, weeks, or over a month. The hospitals never shut down, but they went to paper processes and were challenged to provide safety for the patients and enable their staff to do their jobs. So maintaining system integrity is critical for a CIO and for a CISO in the hospital system.
Sarah: And what are the current challenges in addressing those concerns?
Eric: Healthcare systems are software package shops, so they’re more implementers and integrators vs. developers. So those third-party vendor relationships – in many ways, there’s a reliance and interdependency on those third-party systems to not be vulnerable, to be up to date, and the relationships with those vendors have to be in such a place that you’re assured they’re meeting security standards and best practices. The whole element of managing risk using third-party vendors is critical, and their ability to play into your security infrastructure is critical. So that integration into your SOC, that ability to use your SIEM, is just very important.
The IoT aspect which I just discussed continues to grow with the proliferation of new medical devices and equipment. All these endpoints are attack vectors, and therefore the game has changed in terms of having to manage those devices. There’s often the story or worry that someone could hack into an IV pump and change the settings and hurt a patient or group of patients. And again, these IoT devices also come from third parties with software.
Also, staffing a leading cyber team is very difficult. It could be that you may want or need to have a third party augment your staff, in terms of either the number of security personnel or expert staff. It is very difficult, and in some markets almost impossible, to hire, afford, or retain top cyber talent. That’s a big challenge. And then you may need some advanced expertise as well, since it is such a rapidly evolving threat landscape.
Not every health system is the same. You can look at large academic medical centers like Cleveland Clinic, Johns Hopkins, Yale, Stanford, Michigan – these are all large places that have a high degree of complexity and a high degree of capabilities – that doesn’t mean that they’re not vulnerable. But they tend to have larger cyber spends. And then you have community hospitals, rural hospitals, or perhaps inner-city hospitals and underserved areas that don’t have the kinds of finances to invest in a super robust security program and scale it as threats change. So the idea of gaining expertise by doing staff augmentation or outsourcing is also very important for healthcare, because it’s hard to recruit and retain security professionals with the kinds of expertise that you need.
In such a rapidly changing environment, just being able to keep up with the threats of the day is very challenging. Healthcare is really ramping up to this. We all know that healthcare organizations are considered a priority target for many criminal organizations. We know that the price for an electronic patient record is much higher than the price for your social security number, driver’s license number, and personal details. Personally Identifiable Information (PII) is a big risk for everyone, but Personal Health Information (PHI) is considered more valuable to criminal organizations, so the attractiveness of breaking into hospitals and health systems has become much higher just in the last couple of years.
Sarah: We know if a healthcare network is attacked, critical information can be lost or temporarily inaccessible. What kinds of attacks are potentially the most damaging?
Eric: Ransomware is one of the most prevalent concerns from a risk perspective for healthcare organizations. Most organizations, when they do their enterprise risk assessment, put cyber as one of their top risks, and in today’s world one of the biggest concerns is ransomware: 1) because it has the potential to shut down all the systems in your organization, and 2) you’re dealing with criminal organizations, and even if you were to comply with their demands, it doesn’t mean that you’ll get your data or your systems back, and even if you got your data back, it doesn’t mean there aren’t copies somewhere else. Healthcare is a pretty ripe environment for criminals and criminal organizations, and criminal activities have really ramped up. So you’ll see a lot of notices from the federal government in healthcare in particular around threat awareness and readiness. The threat level is up, and organizations need to be ready with up-to-date plans and improved defenses.
Sarah: Anything you would rank second to ransomware attacks?
Eric: There are many kinds of attacks that are employed on a regular basis. Denial of Service (DoS) attacks were always very popular back in the day. I haven’t seen as much of those lately, but then again, you don’t always hear about these incidents either in the press or through your networks, because they’re generally considered significant to an organization’s risk situation and therefore not always in the public domain. Obviously, if it’s a significant attack where patients are impacted significantly – appointments get delayed, they can’t access their records, the hospital cancels their surgery – those things tend to be public, but there are a lot of activities that are not. DoS attacks are another thing that you will see, and that could be critically important in a healthcare organization, from the smooth flow of the organization to the supply chain. If you can’t get your orders out or receive your goods, that could affect your patient care and your schedule for your patients.
Any one of these kinds of attacks could cause problems – different levels of a problem or acuity of a problem – but you always have to be prepared. So having modern tooling with the right knowledge, the ability to identify new and emerging attacks or techniques used by hackers, having quick responses to those – whether it’s preventative measures or the need to just monitor – all of these things are really important. Not all healthcare organizations can be at the same level from an investment or expertise perspective, but all healthcare organizations and their boards are concerned about these issues.
Sarah: What can you tell us about security concerns of other healthcare organizations in the ecosystem?
Eric: There are clinics – Fully Qualified Healthcare Corporations (FQHCs) – and there are independent medical practices, physical therapy providers, extended care facilities, rehab facilities… many of the same issues in a hospital also extend to those other parts of the healthcare system, and they tend to be smaller, tighter financially, and have many of the same risks as hospitals. They may have your PII and your PHI (on paper or on systems) in these settings.
You can think of the healthcare industry in a stratified way, where hospitals are one stratum and payers, like the United Healthcares of the world, are another. They also have EHRs – they collect data during billing or utilization management activities. They collect a ton of your personal information. They are also involved with your doctor and in pretty much every aspect of your care. Now payers are also buying physician practices. So you look at Optum – they’re buying physician practices. Look at retail. CVS is deploying clinics that provide patient care. Walmart’s getting into clinics. So there are other non-traditional organizations getting into healthcare provider spaces: retailers, insurers/payers, and others.
Then you have life science companies. Often I think the closest parallel is around clinical trials and clinical trial management. You may be on a cancer trial and the Clinical Research Organization (CRO) has all of your electronic healthcare information as well. One recent example is clinical trials for Covid vaccines. There’s a ton of data that had to be gone through to ensure that the trial goes according to plan, meets standards, and that the data is protected. So in the trials, it could be an academic medical center, a pharmaceutical company in partnership with a healthcare organization, or it could be a CRO. Those are a couple of adjacent kinds of parts of the healthcare ecosystem. So you have pharma, payers, and providers.
The other interesting entrants now are the very large tech companies: Google, Microsoft, Apple. Apple Watches, for example, collect healthcare information. You can integrate your EMR with your watch. Google is doing a lot in healthcare in data and analytics, clinical research, that kind of thing. Hospital systems are moving to the cloud. Amazon, Google, Microsoft, or others are hosting the systems with all that clinical data. So tech companies are another attack vector for those seeking patient information, and it’s obviously very sensitive. So the tech companies are part of that ecosystem, but they’re not necessarily healthcare providers.
Sarah: And there are all of these new business models we’re seeing where you don’t ever have to go into a doctor’s office.
Eric: Right. Virtual care has grown exponentially as an adjunct to in-person visits. This introduces new cyber concerns, as the endpoints or other parts of the technology may not be controlled by the healthcare provider. Also, many organizations aspire to leverage that virtual care data, using algorithms in order to improve care and outcomes. So that’s certainly part of it. And we talked about hospital-at-home or remote monitoring capabilities. That’s going to be a very big part of our healthcare environment over the next ten years. We’re going to see a lot of new medical devices invented to allow that to happen. I’ve also started to see interesting companies that use technology to monitor patients – whether it’s their wheelchair / walker use, or to engage patients with their physical therapy devices, or to check in on recovery from procedures. Think about your Peloton and apply that to physical therapy, and somebody’s looking at your data while you’re exercising, or working with you and your data to improve your therapy outcomes. A lot of these organizations didn’t even exist two or three years ago.
Sarah: So going back to the topic of attacks – when it comes to these more dangerous threats like ransomware, time to detect is a big issue. What can you tell me about that?
Eric: Of course, that can mean everything in terms of incident outcomes. Hospitals are open 24 x 7, 365. They never close. If it’s Saturday at six in the morning and the tech staff are all at home, but they get the signal that there is a possible attack and the mitigation processes are clear, you could prevent the organization from shutting down, or patients from being injured or having their care delayed. Or the organization suffering horrible reputational harm because you had a major ransomware attack and the media makes your situation public, creating issues with your patients or the community. Reputational harm is another thing that can be damaging. Healthcare organizations who have earned their reputations as top-flight organizations, or are critical community resources, could have that reputation severely damaged by a poor response to an attack. Early detection, appropriate escalation, intelligence about those attacks, and as much automation as you can around things (to improve response time or accuracy) are all highly desirable so you don’t get the organization into that position.
Sarah: What else should we be thinking about when it comes to security and healthcare organizations?
Eric: We’ve talked about patient safety, business continuity, the protection of all digital assets, and the enablement of hospital-at-home or remote monitoring through the management of those endpoints. Hospital CISOs understand how hospitals operate. They understand the imperatives around the organization and are able to engage with not only the technical community but the operating staff within the hospital. The operations teams control so much of the attack surface by practice that not having them engaged is really problematic. So the CISO has to understand the organization beyond cyber and IT. They have to be able to engage appropriately to protect the enterprise.
Keep in mind that most people work in healthcare because they believe in the mission; it’s all about the patients and about doing good.