Protecting hospitals to ensure patient safety, data confidentiality and business continuity

In this Help Net Security podcast, we’re joined by Leon Lerman, CEO of Cynerio, and Dr. John Halamka, emergency medicine physician and President of the Mayo Clinic Platform. They illustrate how insecure devices increase the cyber attack surface and pose a significant risk to the operational continuity of hospitals and patient safety.

Here’s a transcript of the podcast for your convenience.

Leon Lerman: So John, thank you very much for joining. It’s great hosting you today on the podcast.

Dr. John Halamka: Well, I’m happy to be here and talk about this experience of COVID and everything that has meant for healthcare.

Leon Lerman: Yes, it’s been really crazy times. What we’ve been seeing is really that, since the start of the COVID pandemic, there was a huge increase of about 300% in targeted cyber-attacks. Obviously, in your role, you’re kind of like at the heart of this crisis and the madness. What are you seeing in terms of shift of priorities in hospitals and in cybersecurity specifically?

Dr. John Halamka: This is of course a very complex question. I’ve always described COVID as five stages. There’s the isolation stage: we all are retreating to flatten the curve. And then there’s the testing stage, and then there’s the pre-vaccine return to work, post-vaccine return to work, and the new normal.

Along all five of those phases, you’re going to see much more Internet of Things activity. So, think about it – even as we move from isolation to testing phase, we’re going to have such things as contact tracing, Bluetooth low energy devices that are looking at proximity and it’s going to require us to give more permissions for more Bluetooth interaction. We’ll see more and more virtual visits.

Just looking at Mayo Clinic and others, they’ve seen their virtual visits go up over a thousand percent in the last eight weeks. So, that means many more remote patient monitoring activities than ever before. As of course we head into that new normal, you’re going to imagine that people are going to now want care at a distance in all kinds of settings. Everything from advanced care in the home, like “why do I need to go to a hospital where I could get COVID?” to eICU.

So, what does all this mean? Remember IoT stands for Internet of Targets. So, if we’re seeing thousand percent gains in our virtual connectivity to healthcare, what that means is the attack surface area is bigger than ever before. And even worse, it’s going to be this interesting combination of, sure, devices provided by an enterprise, but a vast explosion in the use of consumer devices. And of course, again, that’s everything from apps on your phone to the thing you bought on Amazon that measures your blood pressure or pulse.

What we’re seeing of course is a huge increase in fraud, a huge increase in cyberattacks. And so, I think our challenge over this next couple of years, and I say years, will be moving to the new normal of increasingly virtualized healthcare delivery, while at the same time dealing with that expanded attack surface.

Leon Lerman: For sure. And one of the concerning things that we’ve been seeing as well is that the sophistication that is required by attackers, because the healthcare industry is so much underserved from a security perspective, the sophistication level is very low. It’s easy to attack hospitals, especially now that we’re having more and more vulnerable devices, as you mentioned. And it doesn’t have to be this super sophisticated nation-sponsored attack, and that’s really worrying indeed.

You talk a lot in your lectures about adopting machine learning and AI in dealing with a lot of those situations, especially cybersecurity, remote patient monitoring, do you think it will be even more adopted and more common right now in healthcare?

Dr. John Halamka: So here’s a challenge again, as we’ve shifted in literally eight weeks to this highly virtualized care system. What are the rules by which an intrusion can be detected? That’s pretty hard to say, right? I mean, if you’re dealing with thousands of different kinds of devices with all kinds of different signatures and provenance, writing a discrete set of rules and keeping that set of rules updated, I would argue is nearly impossible. You have to look at it as variation. “Oh, we’ve never seen before a phone that has a GPS in San Francisco with an IP address in China!”

It’s looking for the patterns that have to be multifactorial, and I could even argue, are probably beyond the human mind to even detect and comprehend because there’s such subtle variations. I think of machine learning as a statistical technique that enables a computer to do what a computer does best, and that is churn through massive numbers of possibilities and identify variation. And that’s a kind of technique we’re not only going to be using for healthcare delivery, but in cybersecurity.

Leon Lerman: Yeah, for sure. And this aspect of also automating a lot of things, especially where people are, their time span is limited, and they have to focus on so many things. I think that’s a huge benefit for healthcare as well. So, say, in terms of regulations post-COVID, are you seeing any government movement in that direction? Making sure hospitals are better prepared for the day after COVID? Do you see hospitals actually better prepared for the next pandemic following this crisis?

Dr. John Halamka: Here’s the fascinating issue. We have HIPAA, GDPR, CCPA, all the rest of these. I would argue that more potent than all those regulations, is reputation. Recently a very large healthcare system, and I won’t mention which one, said “oh, we’re going to partner with a very large tech company and we’re going to do large transfers of data, and don’t worry, it’s all HIPAA compliant”. And of course, the public responded “wait a minute, I don’t really care about the esoteric of HIPAA. Did you really send patient identified data from a hospital to a tech company?”

You’re going to see all these waivers and rollbacks of regulatory constraints, but at the same time, you’re going to see culture demand privacy and security. So, I would say that CIOs, CTOs, CSOs should look at more reputational loss than necessarily the regulatory variants at the moment.

Leon Lerman: That makes a lot of sense. I guess that with all those, with that impact of COVID people will be terrified of what will happen the next time. You mentioned these virtual hospitals going more virtually and telemedicine obviously being on the rise and being more used. Do you see hospitals staying this way long-term? Do you really see people not going into the hospitals in the next few years? Not coming in?

Dr. John Halamka: Well, let’s say it’ll be mixed, of course, but the American Telemedicine Association, hashtag of the day is “don’t roll back”. Because the assumption is if, you heard me say this before, that we have issues of technology, policy and psychiatry, of which the psychiatry is the hardest one. You could argue that COVID completely changed hospital executives’ perception of care at a distance.

People are now saying “well, gee, I didn’t have to drive and park and all that time loss and expense. I really liked this virtual care stuff. In fact, what I need is not just virtual visits or placing, what was it in person visit with video. I now need in-home diagnostics, in-home remote patient monitoring”.

The patient is going to be pretty frustrated if you say “we can do a virtual visit. Oh, now you need to come into the hospital to get this monitor or this test or whatever”. They’re going to demand more and more care at a distance, and hospitals that are going to survive and thrive are going to need to provide that. Sure, some on-prem stuff will happen again, but the notion of us moving to a very virtual capable hospital is forever.

Leon Lerman: Yeah. That would be almost unthinkable of thinking that a hospital has always been considered such a place you’d go to where you feel bad and it’s a place in the minds of the people. That will be a very interesting change.

What would you say would be your advice for startups who are focused, obviously on innovation of new solutions and digital health? What should they focus on right now and how should they approach hospitals and CIOs in being relevant to them during this time?

Dr. John Halamka: It needs to be a total package. What I mean by that is just saying “I’m going to take what was an on-prem visit and now make it video”. That’s a tiny part of the whole experience. So, sort of ask yourself end to end, what is the suite of services, some of which will be for very complex patients.

Mayo has termed one of its offerings “advanced care in the home”. Cause it’s more than the virtual visit. It’s the telemetry, it’s the diagnostic testing, it’s the supply chain. In fact, what we’ve had to do is partner with a large national firm that is capable of putting all these IoT devices into your home. In fact, we can’t even rely on your home having reasonable wireless. So, they’re even having to put in LTE, 4G, 5G connections in the home. If you start thinking about that, if you’re offering the whole package, then you better wrap that with security capabilities as well. Because this nature of the boundaries of your hospital were the four walls of your address, are gone forever.

Leon Lerman: Fascinating. I think it will be also very interesting to understand from a security standpoint, once we’re getting out of the boundaries of the hospital, then you have all these third-party apps that they’re developing, different software you have, you mentioned all those devices, bring your own devices. Those device vendors will also have to take part in the security of that. So, I guess it will be a shared responsibility of the various parties to really make sure that all this new ecosystem is secure. That will be a main challenge.

Dr. John Halamka: Well, so here’s an example, as you are starting to see work, not just healthcare delivery about work, go more virtual, are we going to see employers getting employer issued highly constrained devices to every single employee in every single setting? Or better, should they be able to outfit their home workspace in a way that works for them ergonomically and productively, but then be able to create a wrapper around that?

So, you can say “even though today I’m talking to you on a Google Pixelbook Go, and it works for me. I like the keyboard”. If I was told “Oh no, no, no, you can’t run a Google Pixelbook Go, you have to go run this Windows-based device or whatever”. Could I? Sure. Do I really want the employer to buy something that I don’t really like? Not really. I would rather be able to say “here are the security constraints and monitors around the device that you’ve brought”. And am I willing to give or cede to the organization the security monitoring of my environment? Sure. That’s okay. But I still am going to have a diversity of devices of my choosing within my work environment.

Leon Lerman: For sure. I think another challenge around that would be, we’ve seen a lot of, obviously as you mentioned, companies like Twitter who just basically said some of the employees, but it’s a big portion, are now allowed to work from home forever. Other companies allowing employees to work, until the end of the year, to work from home.

Do you think that hospitals, especially IT teams, will they be joining this trend as well? From an employee perspective? And do you think they can do that today from a technology standpoint?

Dr. John Halamka: Let me answer this in a couple of ways. First, I think, and I’ve worked in many, many hospitals across the U.S. and of course visited hospitals throughout the world, and do you know that every one of them has a problem with real estate? They have ORs and ICUs and ambulatory clinics. Great! But then as soon as you start saying “I want to have a thousand administrative staff”, those people are now competing for that valuable healthcare delivery real estate. So, this idea that you could decant the hospital and move all these non-direct-patient-care people somewhere else is a huge win. Do I believe that you’re going to see the administrative components of hospitals stay virtual long-term? Absolutely.

Leon Lerman: Interesting. Last question to you, John, and then a personal one in that sense. You published your predictions for 2020 around changes, and digital health, and where the healthcare industry is going. That was before COVID happened. How did your predictions change following what you’ve witnessed in the last couple of months, if at all?

Dr. John Halamka: What a fascinating question! I have been writing in my new role at Mayo all of these strategic and operating plans and it was a 2030. That was the goal. What is the world going to look like in 2030? Do you know what the world is going to look like in 2030? 2021, right? Because COVID has so rapidly moved the healthcare system from a technology and policy and psychiatry perspective into a virtual care delivery. We’re using AI and ML, and remote patient monitoring, and all these new technologies far faster than anyone could have ever predicted. So literally, I did take my 2030 plan and recast it as six quarters.

Leon Lerman: That’s amazing! How a timeline can be accelerated by a virus! That’s unbelievable! John, thank you very much. It’s been a pleasure talking to you. Thank you very much for your time and insights. Hope we can all look at a more optimistic future in the next couple of months, but at least for the economy to start reopening and obviously so all of us can stay healthy and well. Thank you very much.

Dr. John Halamka: Well, thank you. And I would just close by saying what I hope is we use this as an opportunity. As we’ve moved forward to adopt technology faster than ever, thought about security, talk about the patient, that I think we have an opportunity to create a new normal in economies throughout the world that is actually far better than our legacy. So, I’m optimistic!

Leon Lerman: We all are, for sure. Thank you very much John.
