This audio is auto-generated. Please let us know if you have feedback.
Cyber leaders at a panel hosted by Google Cloud on Tuesday said supply chain vulnerabilities are top of mind for healthcare organizations after the attack on technology firm and claims processor Change Healthcare earlier this year, which disrupted the healthcare sector for weeks.
Chief information security officers from Novant Health, Highmark Health, Northwell Health and ChristianaCare joined the event to discuss increasing cyber threats against the industry, including among health systems’ chief suppliers.
Although cyber criminals have hit hospitals directly, health systems are also vulnerable if their vendors experience a cyberattack, and outages at some suppliers could directly impact patient care, said Greg Barnes, CISO at Pittsburgh-based Highmark.
The CISOs argued that healthcare organizations need to share information to tackle cyber threats, especially with small and low-resource health systems that struggle to invest in cybersecurity.
“This is not something that an individual company can solve,” Barnes said. “It’s not something that the government can solve by itself. But it’s something we need to very rapidly understand and begin to collectively respond to.”
Mitigating risk with hospital vendors
The healthcare industry has become a ripe target for cybercriminals, panelists said. The sector has a wealth of valuable patient data that cybercriminals know is key to hospital operations.
Health systems also rely on plenty of third parties, from cloud service providers to electronic health record vendors and lab services companies. In one example, a blood center that serves hundreds of hospitals in the southeastern U.S. was targeted by a ransomware attack this summer, impacting patient care and pushing some hospitals to use blood conservation protocols.
Many health systems want use fewer vendors to simplify their operations, said Sanjeev Sah, CISO at Winston-Salem, North Carolina-based Novant. But having back-ups could be beneficial if a cyberattack affects one of their key suppliers.
“We are learning that we need to employ complementary services from multiple partners in case one is disrupted,” he said. “It’s about, essentially, business continuity.”
Hospitals should have their cyber teams at the table when partnering with vendors, said Kathy Hughes, CISO at New York’s Northwell Health. Cyber experts can help ensure contracts with suppliers have provisions about cyber preparedness as well as disaster and recovery plans in case of an attack.
Health systems can do a risk evaluation based on the vendor’s role, Sah said. For example, will vendors be responsible for handling protected health information? Will they be working with sensitive systems?
Partners are often willing to work with health systems to find fixes for security gaps, he said. But if they can’t, systems may need to look at other options.
“We cannot, given all of the risks that we have experienced in the recent months and years, create a gap in security for our organization,” Sah said. “A single failure can translate into a massive impact.”
Sharing information to boost limited cyber funds, personnel
Having a robust and competent cybersecurity team is a major factor for improving healthcare organizations’ defense against attack, panelists said. But attracting that talent to the healthcare sector is easier said than done, especially since the cybersecurity workforce is already experiencing a global shortage.
Health systems tend to operate at lower margins, which makes it even harder to hire and retain top cybersecurity personnel, Barnes said.
“I think this problem is even more greatly magnified when we’re talking about those that live below what some of us refer to as the cybersecurity poverty line,” he said. “Organizations like small and rural and even inner city hospitals. It’s difficult enough to attract and retain when you have the means, and healthcare arguably sits at the bottom of that escalator.”
Joining the Health Information Sharing and Analysis Center, or Health-ISAC, could be one step to help smaller healthcare organizations band together with others to share resources and threat intelligence, panelists said.
The Health Sector Coordinating Council, an advisory group that includes healthcare organizations, industry groups and government agencies, is a helpful resource too, said Anahi Santiago, CISO at Wilmington, Delaware-based ChristianaCare.
The group has created guidance on how to build cyber defenses, create industry response plans and model contract language for third parties.
“What I think has come out of the Change Healthcare incident is a recognition by our organization that just having a cybersecurity program inside the organization isn’t enough to protect us,” Santiago said. “It really is an ecosystem, and we have to truly partner with our clinical and business leaders to understand the organizational risks of cybersecurity as a whole.”
Paul Schmeltzer 
Rebecca Pifer