Agencies are assessing how to bridge the IT, OT, physical and cyber security gaps during a healthcare incident, said government leaders at CyberMed. Pictured: Army Reserve Capt. Tammy Heredia inputs patient vitals into the hospital computer system at Yuma Regional Medical Center in Arizona on Jan. 21, 2021. (Staff Sgt. Cambrin Bassett/Army)

The COVID-19 pandemic confirmed that when a hospital goes down due to a virus or incident, it’s a clear patient-safety and public-health issue, Cybersecurity and Infrastructure Security Agency Deputy Director Nitin Natarajan explained at CyberMed.

The dozens of cyberattacks tied to EHR downtime over the last two years have made risk management all the more critical. As such, CISA, along with the Office of the National Cyber Director, are now building on those lessons to address systemic challenges in a meaningful way.

Specifically, the agencies are assessing how to bridge the IT, OT, physical security and cybersecurity gaps so that when there’s an incident in healthcare, patient safety concerns are at the forefront. In that way, proactive measures then take into account mitigations to reduce patient impacts to maintain care quality and reduce the chance for care diversions.

“When we're talking about cyber preparedness, or preparedness against natural disasters, we're never going to have the money to get there,” said Natarajan. “We're never going to have a large enough bank account in any federal department or agency, or even all of us combined, to fully eliminate and mitigate that risk.” 

“So how do we really bring this down to a local level? How do we understand where communities have already invested money to build upon those investments? And again, slowly raise that bar of resilience,” he added.

As the pandemic focus wanes, Congress, federal agencies and healthcare stakeholders have introduced new legislation and efforts aimed at building stronger resilience and improving threat sharing across the country with an understanding that securing critical infrastructure requires an all-hands-on-deck approach.

“We need to look at this as a joint effort,” Natarajan added. That means, healthcare and government entities must work toward building a comprehensive response outlining the precise measures for protecting patients, staff and the business reputation in an integrated manner because “there’s no longer that clear separation between IT and OT.” 

The role of collaboration in tackling healthcare challenges

The recently passed legislation that would require swift reporting, as well the proposed bill to stand up a collaboration between CISA and the Department of Health and Human Services, could support the needed shift in mindset and priorities within the healthcare space.

Early reporting enables CISA to take that information, combine it with their own data and their partners in the intelligence and law enforcement communities to truly understand the landscape and compromised records, explained Natarajan.

The combined insights and threat intel can inform accurate mitigation steps, which can then be shared with the healthcare entities to determine how to drive impactful guidance to support provider organizations with making these important decisions, based on the current data trends. 

The information-sharing mantra is “how we get the right information to the right people in a timely manner, which results in more informed decision making,” Natarajan explained.

To move that bar, CISA needs to get a feel for what the sector is doing and how it aligns with security leaders across the U.S. to ensure healthcare facilities are connected with the right security bodies.

Some of the past cybersecurity incidents have not always been coordinated in this way, with some people knowing parts of the situation but not other elements, explained Jessica Wilkerson, senior cyber policy advisor for the Office of National Cyber Director.

“In the speed cybersecurity threats are able to manifest and start translating into patient safety harms or healthcare impacts, that [miscommunication] is not good enough,” said Wilkerson. “In figuring out how to coordinate and have a coherent federal response to all of these things, even broader than the news and reporting legislation, we're still working that out.”

“There's room to experiment. There's room to grow here and figure out what works for state, local, tribal, and territorial organizations,” she added. At the end of the day, Office of National Cyber Director is looking to add value to all of its activities and working to improve those much-need coordination efforts.

As seen with the recent ZLoader takedown, it’s these types of government and private-sector partnerships that can begin to chip away at systemic healthcare challenges.

Moving beyond enterprise risk as an IT problem

We sometimes still get into thinking of cybersecurity as an IT problem, said Natarajan. When servers go down or emails cannot be trusted — whatever the issue — it’s tossed off to the CIO to "fix it." Enterprise risk is no longer just an IT term — it’s about risk to the entire organization.

Healthcare must work to identify those risks, including what is deemed an “acceptable level” to then determine what’s needed for mitigation. These processes must then be built on an effective communications strategy that enables clear messaging externally to the public and internally to stakeholders.

Progress has been made on that front in recent years, as an increasing number of people have realized they “just couldn’t do it alone in these isolated packets,” he added.

“As we look at how we address and mitigate risks, how do we look at that across the enterprise, and make sure that we're messaging effectively, not just to technical folks in the cyber arena, but to policy makers as well,” said Natarajan. 

“Speaking both in a technical language and a non-technical language, so we get out of this fight for funding,” he continued. “We all roll the dice… That's not the way to be doing business. We really need to look at this holistically, from an enterprise perspective. And the pandemic has really helped to raise that awareness.”

Although the last two years of the pandemic created a mass amount of strain on all fronts in healthcare, the lessons gleaned from these experiences, including those tied to cybersecurity, have enabled leaders to work toward reducing the potential for cascading impacts and consequences into the community.

At a minimum, the pandemic has highlighted the need for changing ineffective processes, particularly around information and threat sharing, Wilkerson noted. The expectation should not be that small hospitals need to figure out how to improve these challenges on their own.

“As a government, we need to figure out how to make that not the status quo and not leave smaller hospitals and other smaller organizations hung out to dry,” she added.

For instance, the recent proposal to hand software bill of materials (SBOM) to the users. In theory, more information would empower entities to mitigate medical device vulnerabilities. However, Wilkerson echoed concerns expressed by industry stakeholders that “SOMBs are going to mean just inundation of additional information.”

Instead, I-SACs or other security leaders could work on “tool development” that would comb through some of this high-level information to make it meaningful, or contextualized to actually support small to medium providers that may not have the staff or resources to make use of provided intel, she explained.

There’s a need to look at healthcare organizations, as a whole, to get to the next level. Natarajan explained that hackers are indiscriminately targeting all entities, not just large health systems. That means, “it's not about helping one subset of the sector, but helping the sector at large.”

At the end of the day, “we can't keep doing the same thing we've been doing and expect that we're going to get somewhere different,” said Wilkerson. Instead, if federal agencies “change the burden on, not just small organizations but on all organizations, it can make cybersecurity more manageable and responsive.”