Aligning Leadership in the Era of Ransomware

    Rich Daly Jul 28, 2016

    Amid an increasing number of cyberattacks that hold hospitals' data hostage until a ransom is paid, key components of the response by healthcare organizations are a focus on leadership communication and support for budding organizational IT security apparatuses.

    2016 will go down as the year in which the existential threat that healthcare providers face from ransomware became crystal clear.

    But a silver lining of the growing number of highly publicized attacks is that hospital leaders are fully on board with marshaling the necessary resources to respond to the threat.

    For many provider organizations, in fact, effective, ongoing relationships among their senior leaders may represent the line between success and high-profile failure in combating ransomware.

    "This is an issue that has to be understood across the entire C-suite," says Russell Branzell, president and CEO of the College of Healthcare Information Management Executives (CHIME). "It doesn't just have IT or financial ramifications like a lot of background IT functions that might exist. This is really about patient care, daily operations, and for some organizations it could even be an organizational killer."

    “We’re certainly seeing [ransomware] as a real threat to the healthcare sector and not just something that is sensationalized,” says Lee Kim, director of privacy and security, HIMSS North America. (Photo: HIMSS)

    The Scope of the Threat

    A February malware attack at Hollywood Presbyterian Medical Center in Los Angeles was the first of a series of cyber assaults on hospitals this year in which attackers encrypted the hospital's patient data and demanded a ransom to release it.

    Such assaults have become common, according to emerging research. For instance, 52 percent of the 30 midsized U.S. hospitals contacted by researchers from the Health Information Trust Alliance revealed they had been infected with malicious software.

    Hospitals also have been individually reporting an uptick in malware attacks. For instance, Metro Health Hospital in Wyoming, Mich., has seen a noticeable increase in attempted malware attacks over the last 12 months, including one per month since the Hollywood Presbyterian attack, says John Weller, chief information security officer (CISO) at the hospital.

    The assaults led the U.S. Department of Homeland Security's Computer Emergency Readiness Team to issue a ransomware alert, which described the main characteristics and prevalence of such attacks and ways to prevent and mitigate the threat.

    "We're certainly seeing it as a real threat to the healthcare sector and not just something that is sensationalized," says Lee Kim, director of privacy and security for HIMSS North America, a business unit of the Healthcare Information and Management Systems Society.

    Executive Support Needed

    For a healthcare organization to effectively respond to the ransomware threat, Branzell says, executive support is needed on both a programmatic and a behavioral level. That means that in addition to prioritizing scarce hospital resources to bolster information security budgets, hospital executives and boards need to make security a priority throughout the organization.

    "That support needs to be ubiquitous at every level—whether it is patient care, administration, financial billing, or human resources, it needs to be cross-ordered across the entire organization," Branzell says.

    Hospital data security leaders say both the awareness and support of executives and hospitals boards have increased.

    "It's been relatively easy to translate what these threats mean for non-IT people, given what may have happened to them personally as a consumer or what is happening in the news," Myra Davis, senior vice president of information services and CIO at Texas Children's Hospital, says about the recent hospital malware attacks. "That has made it pretty easy for the adoption of behavioral changes that we have instituted. I'm pretty optimistic that while it may be painful, I don't think we will meet a lot of resistance."

    The need for a robust response is apparent across the industry, with 67 percent of healthcare IT leaders stating that these highly publicized data breaches have affected their security practices, according to a Ponemon Institute survey released in May.

    "In years past I would have to try to get people's attention about cybersecurity, and now they are coming to me asking for advice," says Mike Yamamoto, CISO for Beth Israel Deaconess Medical Center, Boston. "The board is asking about cybersecurity and quite focused on it. They want to get to the bottom of what's happening. And it definitely helps having that increased focus."

[Figure: How healthcare organizations are focusing on data security]

    The Impact of Leadership Support

    The support of executives and hospital boards has proven critical to boosting both security resources and rank-and-file compliance with security adjustments in the wake of the malware attacks, according to hospital security leaders.

    "Otherwise people don't take an e-mail from the CIO too seriously," says David Chou, CIO at Children's Mercy Hospital, Kansas City, Mo. "They think the CIO or compliance officer is so risk-averse that that is all they care about and they are ruining our experience utilizing information technology. That has changed and will continue to evolve. It's a lot easier when the organization has your back."

    Organizational support has allowed Chou's office to enlist the help of departments such as education, communication, and marketing in sharing knowledge and spreading information. The practical effect of such cooperation cannot be overstated given the key role of education in preventing individual employee actions from devastating an entire organization.

    Coming from the IT department, such communications may not even be opened by employees. "Whereas, if it is coming from marketing, it may be something fun and they may have a different reaction," Chou says.

    Prioritization has given IT leaders direct access to the board at Texas Children's Hospital, which allowed Sanjeev Sah, director of information security, the opportunity to justify a three-year ramp-up in health IT security spending. His pitch followed a board member's discussion of a news story about IT security spending by healthcare organizations.

    "So that drove the direction of how we wanted to respond," Sah says. "It does allow us to have a pretty rapid response if we're able to get these tools and make the investments we were asking to be made."

    Davis agrees that the board and executives have set the tone for the organizational response at Texas Children's.

    "That doesn't mean that we should abuse that to get everything we need, but we have received the endorsement that's been needed so far to make the right investments and to close the gaps," Davis says.

    The practical impact of that leadership support includes faster acceptance by staff of the changes that some security technologies inject into an organization.

    "The time that it takes to get to an agreement among different departments is nowhere near the time it would take if you didn't have that sense of urgency at the top," Davis says.

    Regular interactions with senior executives about the evolving health IT security threat are key, Kim says, because different executives can bring different insights to addressing cyber risks. But a recent HIMSS Analytics survey of 115 hospital IT and security personnel found many security leaders have only occasional interactions with top-level leadership.

    Kim encourages regular face-to-face meetings with executives or, at least, frequent virtual meetings that allow for interaction.

    "Security leaders need to translate the risks they are seeing from technical lingo to describing the big impact on other areas of the organization," Kim says.

    Relating how the malware threat could impact other departments, such as legal, may not only focus other departmental leaders on the danger but also encourage them to look for vulnerabilities and find solutions.

    “It does allow us to have a pretty rapid response if we’re able to get these tools and make the investments we were asking to be made,” says Sanjeev Sah, director of information security, Texas Children’s Hospital. (Photo: Texas Children’s Hospital)

    Maintaining Focus Over the Long Term

    The threat from ransomware and other IT security challenges is expected only to increase as hospitals become repositories of ever-larger quantities of valuable patient electronic health records. Additionally, the nature of the IT security threat changes so rapidly that ongoing education of hospital leaders is critical.

    "CIOs and CISOs need to be spending time with their boards to make sure they understand the risks and responsibilities and the oversight that's needed at the board level with something like this," Branzell says.

    Hospitals have looked for effective ways to keep their leaders engaged on an issue that, while critical, is not directly focused on the central organizational mission of providing patient care.

    Steven Smith, CIO for NorthShore University HealthSystem in Evanston, Ill., finds the threat of malware can be effectively communicated to executives and board members through the use of data—such as the relative black-market value of electronic health record information compared with a credit card number, or the number of emails his security systems manage (the health system receives about 250,000 e-mails each day and blocks all but about 25,000 for various reasons).

    "Information like that helps them understand what we're doing in this area," Smith says.

    When Sah last updated the Texas Children's board on the malware threat the hospital was facing, he was surprised at the level of detail they wanted. The presentation, which included a simulation of a common way in which such attacks occur, was generally high-level, but the board wanted to know more about the details of the threat. The board's relatively sophisticated knowledge may stem from the inclusion of senior executives from other sectors, whose organizations generally have more advanced IT security systems.

    "They were very familiar with what is going on, so they wanted to know what we were doing about it," Sah says.

    Sidebar: Hospitals’ Anti-Ransomware Steps

    Organizational Structure Changes

    Some organizations have implemented changes to their structure and to the interactions among key leaders to better respond to evolving information security threats.

    Beth Israel Deaconess Medical Center established a board subcommittee to review security issues and another subcommittee on overall compliance and risk, through which the CIO communicates with the board. Such meetings occur "a few times each year or more if needed," Yamamoto says.

    Metro Health Hospital's board recently created a cybersecurity subcommittee, and the hospital's CIO agrees on the need to increase efforts in this area, Weller says.

    "We're an innovation-oriented hospital that tries to leverage technology to benefit patient care," Weller says. "It is sometimes harder for a smaller hospital like ours, and we have to be very strategic with which technology we buy because you can't have everything."

    Among the unanswered questions regarding structural responses to the growing health IT security threat is how a hospital should organize its leadership. Slightly more than 50 percent of hospitals have a full-time CISO, while others assign the security executive's role to another officer, such as a CIO or chief technical officer, according to CHIME.

    "As we move forward," Branzell says, "can a portion of a person maintain enough expertise to keep their organization as secure as they should?"

    Hospitals are split on where the CISO fits in an organizational chart. Many healthcare organizations have the CISO report to the CIO, while in other cases the CISO is a peer of the CIO and reports directly to the CEO or board.

    The organizational question is far from academic. "A CISO with an equal voice may lend a hand to being able to more quickly report what is happening with cybersecurity instead of having another layer in the chain," Kim says.

    Additionally, higher-ranked CISOs can have more autonomy in hiring and technical asset allocations and greater ability to deviate from the typical three-year lifecycle of technology assets if a cyber threat changes.

    But some CISOs say the issue is not so clear-cut. For instance, Sah, who reports to his CIO, says he has independence and receives support for his role and for the information security program from executive leadership at Texas Children's.

    "The support and the structure have resulted in positive outcomes more often than not," he says.

    His CIO, Davis, says Sah has the authority to communicate with leadership directly, including through one-on-one meetings with the CFO and the hospital's general counsel, privacy group, and legal team.

    "I am not in those meetings, and that is intentional," Davis says. "He is a resource to the entire organization. Just like I have the benefit of understanding our risk, it is very important that the rest of the organization has the benefit of understanding that risk."

    Similarly, Yamamoto, who also reports to a CIO, says the structure has worked at Beth Israel Deaconess Medical Center because the organization's security initiatives are strongly aligned with the overall initiatives of the CIO.

    "We haven't run into an issue where there is a complete butting of heads between what security thinks versus what we're trying to do across the board in health IT," Yamamoto says.

    However, he notes that in some industries the common practice is for CISOs to report directly to the CEO or the board.

    "It's an evolution, and health care is where it is in its maturity model in terms of security," Yamamoto says. "You can look to other industries to see, perhaps, how that may go."

    “It is sometimes a lot harder for a smaller hospital like ours, and we have to be very strategic with which technology we buy because you can’t have everything,” says John Weller, chief information security officer, Metro Health Hospital. (Photo: Metro Health)

    Ongoing Struggle for Resources

    Although most say they have positive and productive relationships with their boards, healthcare IT security leaders report ongoing budgetary struggles. Part of the funding challenge is the nature of the demand for IT security, which is not directly related to patient care. Additionally, the growing need for resources in IT security comes amid an industrywide push to reduce healthcare spending and to do more with less.

    "There is always more that I want than we will be able to deliver on, in terms of acceptance throughout the organization," says Weller of Metro Health.

    But the funding challenge is less steep at some organizations than at others.

    For instance, Texas Children's has ramped up its security spending in recent years to 10 percent of the total IT budget. That makes the organization one of the biggest security spenders among providers, according to the HIMSS Analytics survey, which found only 10 percent of provider respondents spent larger shares of their IT budgets on security. Most reported spending between 0 and 3 percent of their budget.

    Davis said the relatively large spending commitment at Texas Children's is a testament to what the issue means to the CEO and the board and how vital it is to patients and the organization.

    "It wasn't a hard sell or a great deal of negotiating; it was just the honest truth of what was needed," Davis says.

    Kim was optimistic that the emerging threats may bolster hospital funding for security.

    "We've seen the security spend at healthcare organizations be generally less than in other sectors—but in the last few years there has been more of a business priority toward cybersecurity, so some organizations are allocating more resources, personnel, and updated technology to address what is going on," Kim says.

[Figure: The frequency of cyberattacks against healthcare organizations]

    Biggest Bang for the Buck

    Part of the challenge of obtaining more funding for the growing IT security threat is the lack of cost-effective and proven investments that will significantly bolster security, according to industry officials.

    Metro Health has focused on procuring a "silver bullet" software package expected to provide 80 to 90 percent of the help the organization needs to prevent malware attacks. The package focuses on so-called end-users, or individual computer users, to prevent them from unknowingly opening malware attachments in an e-mail—the most common way in which such attacks are initiated. Malware also can enter through ads that are clicked or even just viewed while browsing the Internet.

    A separate communication challenge for healthcare IT security leaders is how to learn from hospitals that have been attacked.

    NorthShore's Smith frequently has behind-the-scenes discussions with organizations that have been attacked by malware to learn about the nature of the attacks and effective ways to stop them. However, at times it can be difficult to get information from those publicly identified as under attack, with the affected organizations citing an ongoing investigation or other issues.

"It's been relatively easy to translate what these threats mean for non-IT people, given what may have happened to them personally as a consumer or what is happening in the news. That has made it pretty easy for the adoption of behavioral changes that we have instituted," says Myra Davis, senior vice president of information services and CIO, Texas Children's Hospital. (Photo: Texas Children's Hospital)

    Branzell of CHIME urges hospital security leaders to contact his organization to be put in touch with the IT security leaders of affected hospitals.

    "Obviously that helps when we're talking about organizations of similar complexity trying to learn lessons across the board," Branzell says.

    Smith said an effective step for his organization has entailed spending a full day with IT security leaders of other health systems or vendors to discuss differences in their responses, the latest vulnerabilities, and different ways to prevent attacks. State hospital associations, HIMSS, and security organizations also provide useful feedback.

    Weller of Metro Health obtains security updates from four organizations, including the West Michigan Cyber Security Consortium, which holds quarterly events such as seminars. "Just having that dialogue, that extra conversation, gives you more context about what is going on and what they are spending their money on," Weller says.

    Additionally, Metro Health compares its cybersecurity effort to those of 18 other hospitals in Michigan through the Michigan Healthcare Cybersecurity Council, a public-private partnership between the state government and hospitals. Comparisons include the number of staff on security teams, the number responding to incidents, and details of incident response plans.

    "We know that we are pretty much in alignment, compared to comparable-size institutions," Weller says. "We don't want to have double the security team because that is another person who is not providing patient care."

    Rich Daly is a senior writer/editor for HFMA based in Washington, D.C.

    Interviewed for this article: Russell Branzell, president and CEO, College of Healthcare Information Management Executives.

    John Weller, chief information security officer, Metro Health Hospital, Wyoming, Mich.

Lee Kim, director of privacy and security, HIMSS North America.

    Myra Davis, senior vice president of information services and CIO, Texas Children's Hospital, Houston.

    Mike Yamamoto, chief information security officer, Beth Israel Deaconess Medical Center, Boston.

    David Chou, CIO, Children’s Mercy Hospital, Kansas City, Mo.

    Sanjeev Sah, director of information security, Texas Children's Hospital, Houston.

    Steven Smith, CIO, NorthShore University HealthSystem, Evanston, Ill.