Todd and Nate sat down to break down the Healthcare Cybersecurity Act in this week’s episode. They discuss how this is new legislation and how it won’t be the last, what it is, and what it means.
Tara Klocke: [00:00:00] Welcome to today’s CIT Tech for Business podcast. Today, we’re sitting down with Todd and Nate to discuss the 2022 Healthcare Cybersecurity Act. Let’s kick it off with you guys introducing yourselves.
Todd Sorg: Sure. Thanks, Tara. Good morning. I am Todd. I am Chief Operations Officer. I’m also our CSO, and...
Nate Schmitt: I’m Nate. I’m our Director of Cybersecurity.
Todd Sorg: Today, as Tara mentioned, we’re going to talk about an act that was introduced back in March. It is referred to as the Healthcare Cybersecurity Act of ’22. As you may or may not know, there’s a lot going on in the world; I’m pretty sure everybody feels it at this point.
The way that the act opens up, and I’m going to read this directly just so you have context for it, is: in light of the threat of Russian cyber attacks, we must take proactive steps to enhance the [00:01:00] cybersecurity of our healthcare and public health entities. This was entered by Senator Rosen and, as is no surprise, the increase in cyber attacks has been significant. It’s just been increasing year over year, and in the context of what we’ve seen just recently, in the last two years, there is a focus on the healthcare industry specifically. So for example, I think they said last year there was a fairly significant increase: about 50 million PII records were disclosed, and they were attributing that directly to the rapid move in the industry to digital. Part of that came as part of the pandemic; there’s just been this move to get more and more digitized. One of the statistics that showed up for last year was that IBM came back and said that each data breach, for the cost in healthcare specifically, is roughly around $9.23 million in ’21, [00:02:00] significantly higher than any other industry. And the reason behind that is probably that the data that’s there is just a lot more valuable than in a lot of other industries. There’s a lot more PII that’s available for the bad guys to take. And of course, when there are attacks, it’s also a lot more pervasive and it can have a much larger impact. And I think Nate had a few things that he wanted to add on the possible impacts of attacks on healthcare in particular.
Nate Schmitt: So as Todd mentioned, the healthcare cost for a data breach has just continued to skyrocket. There are studies out there that will scour the dark web analyzing how much some of this data will actually cost to acquire after the data has been exfiltrated or stolen from the network and is being sold to other threat actors or other nefarious individuals. Healthcare is at [00:03:00] least [inaudible] any other industry per record that’s stolen. This is something that was provided by HHS itself in their study. They said that the healthcare per record, or per capita record, is about 400, or technically it’s $408 per record. The next lowest is financial; that’s $206. So health records are significantly more valuable to a threat actor, simply because of the sensitivity, as Todd had mentioned. One of the really important things that I did want to highlight here, just because so many studies out there discuss how much a data breach costs in the healthcare industry, is that I really do believe that’s completely missing the mark.
The entire intent of healthcare is to protect [00:04:00] individuals and their livelihood. That’s why every healthcare person is in the industry: they’re there to help serve and protect and support others. So the one thing that I did want to mention is there have actually been, over the last couple of years now, a couple of different cases of individuals who didn’t make it, you know, they passed away, directly related to cyber threats. One of the first ones that came out was in June of 2020. There’s kind of a whole lawsuit that’s going on, so it’s not completely founded in a basis quite yet, but it was an Alabama woman that lost an infant. The umbilical cord got wrapped around the child’s neck, and the whole monitoring and alerting system at that hospital was impacted by the cyber incident, so it allegedly didn’t notify the staff in [00:05:00] time to be able to save that child. So that was one of the first ones. And then in September of 2020, there was a woman in Germany who was being rushed to a hospital and then, due to a cyber incident, had to be rerouted about 30 kilometers in the other direction. She didn’t make it either. So that’s where I think the impact of cybersecurity really comes in on healthcare. The finances are really, really important, but as a healthcare facility, and as business leaders and healthcare leaders, we have to take it a step further and say: this actually impacts human lives today.
Todd Sorg: Yeah, I think that’s a great point. It does. I mean, in general, cybersecurity impacts everybody, right? Unfortunately, it has a significant and potentially much greater impact in the healthcare industry. And [00:06:00] as you mentioned, and I think it’s an absolutely fantastic point, the individuals that work there do that for a reason, and there are a lot of intrinsic values and reasons they do that. And so the impact from these kinds of things can be considerably more dramatic. One thing that I kind of wanted to add on here was that this is not necessarily new to healthcare. HIPAA has been around for, I don’t even know; I didn’t look it up and I don’t remember. But HIPAA has been around forever. So the fact that there’s compliance out there is not new. I am going to give you just a quick snippet overview of what’s in this particular act and how they’re trying to move the industry forward. But one of the things that I wanted to highlight in particular is that compliance is here to stay. It’s not going away. While today we’re talking specifically about healthcare, we’re starting to see it everywhere, and I think in a few other podcasts we’ve alluded to it or even talked about it to some degree: it’s coming. There’s a reason for it. Unfortunately, it hasn’t been something that’s been easy to address or [00:07:00] solve on a case-by-case basis, and therefore that’s where you’re seeing the compliance come in.
So really, really briefly, on a super high level, what this particular act is trying to do, in summary: they’re saying that this particular act is designed to address the cybersecurity staffing shortage (I’m going to circle back on this, so Nate and I are going to talk about this a little bit more). The really quick headlines, if you will: require CISA and HHS to collaborate, including by entering into an agreement to improve cybersecurity in the healthcare and public health sectors as defined by CISA; authorize cybersecurity training for the healthcare and public health sectors; and last but not least, require CISA to conduct a study on specific cyber risks facing the healthcare and public health sector.
Backing up, I wanted to go to that very first piece, which is addressing the cybersecurity staffing shortage. [00:08:00] I pulled some statistics before we got on the podcast today, and just running through them really briefly: the shortage in cybersecurity is not going away. I want to say two years ago we were at roughly about 500,000 open reqs; today, looking at it from a report from Bloomberg, it was over 600,000 security roles that were open as of March of this year. Diving a little bit deeper, what does that look like? One of the main certifications that the industry is looking for, to prove that security individuals know what they’re doing and know what they’re talking about, helping move the industry forward, is referred to as CISSP. It is a certification that requires years of experience as well as knowledge. Of those 600,000 openings, over 106 of them are requiring the CISSP certification itself. To give you a little more context on that, there are only [00:09:00] 90,000 CISSP-certified security professionals today. So there are more job openings than there are existing certified individuals.
Nate Schmitt: Yeah. The one other thing, and this is even a challenge for CIT, we find it every single day, is how you also keep security individuals motivated, engaged, and compensated well enough to be able to ensure the success of your organization, right, and help protect to the levels that they need to be protected at. A couple of things, just some basic statistics, because Todd was mentioning this has been in such demand. For those that aren’t familiar with CISSP, it’s the Certified Information Systems Security Professional. It is one of the de facto certs for a security individual, [00:10:00] and it is also one of the most highly compensated certifications out there, because it is specifically tied to a requirement: you need to have so many years of experience in the industry to be able to obtain it and to have authorization for it. Just from a couple of simple numbers, you’re looking at at least a six-figure income for an individual that has the cert.
So the reason why we bring that up is: there are entry-level roles, but you also still do need those industry leaders to be able to help guide and develop the security program within the organization. What that means is the salaries need to be budgeted for, right. And then additionally, because cybersecurity is in such demand right now, there is a lot of competitiveness on the market, so you may even be able to, or may be required to, pay a premium for that individual and for that retention. [00:11:00] In terms of additional retention: continual training, helping security professionals fight a mission, right? So I kind of called this out a little bit earlier about protecting human lives: saying "please just protect the systems and our finances" isn’t enough to retain a security individual. It may be for many of them, but at the core, many security professionals are fighting for a mission. They want to protect something, right? And so you have to align that strategy and vision directly to their roles. And then the other thing would be adapting rapidly to their growth. So if a security professional is growing rapidly, you have to adapt with them. For example, many organizations do annual reviews. That may not be enough to retain that individual. It’s really, really [00:12:00] hard. I’ve seen some people do quarterly reviews; some people even do monthly reviews and adjustments on salary simply to stay competitive in the market. So, just from a straight finance perspective, you have to budget, you have to adapt, you have to train, and you have to provide some type of vision to properly sustain these employees and retain these employees in the area.
Todd Sorg: Yeah, I think you’ve made a lot of really good points there. There’s a lot of stuff going on in that summary: it’s hard to find the individuals, as we kind of talked about, right. It’s also very difficult to train them, retain them, et cetera. With that in mind, there is help to be had. Obviously, this is a little self-serving for me, and I apologize for doing this, but there are organizations like CIT that are doing this already. Right? We’re out there looking for tools. We’re looking for individuals. We’re trying to find a way to force multiply, [00:13:00] because it’s difficult to find them and it’s difficult to pull them away. When the individual finds the right fit, they tend to stick. Nate touched on that a lot and that’s something that we’re trying to instill, but what that means to a lot of the people that we work with is, in a lot of cases, they don’t have the opening, or they’re not large enough to afford that six-figure salary, so they’re going to go, "Hey, how do I get that expertise?" And there are partners out there for you to find that will help you supplement where you need it. The last piece that I wanted to touch on before we move on to the next piece is that the intent of this really is finding and growing talent. There are schools, and there’s been a significant increase in the training of cybersecurity individuals. There are internships that are out there, et cetera. So some of that’s already happening, but the intent of this particular piece of the legislation is to say: it’s a big deal, we really need to address this on a national [00:14:00] scale. So that’s where that’s coming from. What the details look like is to be determined, but it’s coming. It’s great news for the industry and it’s great news for companies, and especially for healthcare.
The next item that was listed on here was: require CISA and HHS to collaborate, including by entering into an agreement to improve cybersecurity in the healthcare and public health sectors. So one of the questions I was going to ask Nate is: the people that are potentially listening to this podcast or watching on YouTube, what can they do now, if anything, to get going on this particular piece? Or should they even worry about it at the moment?
Nate Schmitt: Yeah, it’s a good question. One of the main takeaways, while reading this article, or, you know, bill, was that it’s very high level, right? It’s hard to take that and conceptualize: what does this mean for my day-to-day activities? Because none of us necessarily work directly with HHS, and none of us [00:15:00] are directly working with CISA. So breaking that down a little bit further, in terms of information security collaboration between the federal government and the public sector, and for critical infrastructure for healthcare individuals, there is the H-ISAC, which is the information sharing platform. ISAC is the Information Sharing and Analysis Center. There are many different ISACs out there; there’s ones for financial, public schools, healthcare, right? So the dedicated H-ISAC is where these organizations can be connected to other healthcare facilities. If one healthcare facility has indicators of compromise or some other type of upcoming threat information that may impact other hospitals, they’ll share that information out. [00:16:00] So from a day-to-day perspective, if you’re not already part of the H-ISAC, be connected to it. The other really critical component of that is, if you’re not actively monitoring it, that’s an issue. You have to stay up to date on the latest threats. And then if we’re talking about maturing the security model for that organization, the last component I’d say is: if your organization or your healthcare facility is experiencing some type of threat, share it back to the H-ISAC; protect the other healthcare facilities. We’re all in this together. We don’t operate in a vacuum anymore. We have to work together to protect the entire industry.
Todd Sorg: Right? Yeah. It’s great. One of the things that I wanted to add, I was waiting for you to say "we’re all in it together," because we are. One of the things I wanted to add onto it was that the ISACs, just in general, tend to bring in a [00:17:00] significant amount of information. Are there ways to automate that? Do they exist today? Obviously you and I know the answer, but everybody listening may not. It’s not terribly reasonable for every organization to be able to get that kind of information, digest it, apply it, et cetera. So what should they do in those particular instances?
Nate Schmitt: Yeah. This was one of the requirements; I’m not here to necessarily pitch a product, but one of the requirements of the healthcare industry is that you have a SIEM, which is a security information and event management tool. It’s essentially what’s collecting all of the logs in the network. You have to retain the data for like seven years and everything. With that being said, though, there are ways to ingest the H-ISAC data into that SIEM tool to parse through it, identify if there were any threats discovered from your network logs, and then raise an alert if something [00:18:00] is discovered. That’s one of the quickest ways to be able to do that. Many, many security tools have these integrations today. There are still healthcare facilities out there that do not have a SIEM in place. It is a requirement. And then the other thing is you can integrate that threat feed into it.
Todd Sorg: Yeah. So just to add onto that, I know we talked about it already, but the intent of that integration is that it’s there to automate the process for you. You’re still using that enriched data to help you make decisions and detect things that are threatening to your organization in general. I kind of did this earlier too, but what’s the good news in this? The good news is the healthcare industry is not on its own. We are getting support from the government, which we do need, and so that is going to help push this forward. So in my opinion, while this hasn’t been approved and passed into law or anything, we are really going in the correct direction. So I’m really excited about [00:19:00] that piece.
The next piece that popped up on here was: authorize cybersecurity training to healthcare and public health sector asset owners and operators on cybersecurity risks and ways to mitigate them. Looking at statistics again, and I know I’ve been a little heavy on that in this particular instance, but just to give you that additional context: over the last several years there has been a significant improvement in training, whether that’s tools or the frequency at which it happens. So, looking at stats from 2018, over 55% of organizations had not provided any type of mandatory training; as of last year that is down to 44%. So that’s great, we’re going in the correct direction. However, 44% is just shy of half of organizations nationwide that don’t have any type of training in place. And so, well, I’ll pause; let me expand on [00:20:00] that. Why is it a big deal that the training is in place? What if I’ve got all these other security tools in place, whether it’s the feed from H-ISAC or having a SIEM solution in place? Why do I need to train as well?
Nate Schmitt: I really hate the saying "employees are the weakest link" in security. The reason why I hate that is it almost tells you that no matter what you do, someone’s going to make a mistake. Right? That’s why training is so important, because I truly do believe that your employees can be the greatest strength as well. When the technology fails, the people can still alert and notify you of misconfigurations, of suspicious activity, something that, if the tool misses it, they’re still there. Right. So empower them to have a voice, to even jump straight to the executive; there [00:21:00] should be a direct line of communication. And I know this is a little bit off of the training component, but it does go to, for the business leaders that are listening to this or watching this, right: in addition to the training, make sure that there is direct communication all the way to the top, so that if there’s a security concern, they have a voice. And the reason why I say that is Egress had a survey, the Insider Data Breach Survey, back in 2021. These are some, I would say, pretty somber stats for a security individual and a business: 55% of IT leaders rely on employees to alert them of cybersecurity incidents. So that means, whatever tools or whatever were in place, the employees still were 50% of those notifications. Here’s where it becomes a little bit more somber: 89% of those lead to some type of repercussion. That is appalling. That’s [00:22:00] why I said empower the employees to have the trust that if they do report something, even if they’re mistaken, there’s not necessarily going to be repercussions. It only helps protect in the long term. And again, taking this a little bit further, it’s not just that one incident; it’s maybe all the patient data behind that, or, on the extreme end, a human life tied to that. Right. So it all starts with training the employees to identify different threats. Maybe it’s suspicious pop-ups on their computer. Maybe it’s safe internet browsing practices, using a password manager, right? Don’t use the same password. Again, we could go many, many different directions on what to train on, but the big thing is people can be the greatest strength. And as the industry is still trying to adopt the technology, you still need the people.
Todd Sorg: Yeah, excellent [00:23:00] points. I agree a hundred percent on the management style: if something were to go forward and there was a report, going back and punishing, or being punitive, is not a productive way of helping to continue to get that feedback, because the workforce is a much larger slice than just the IT department. They are the ones that you’re going to look to and say, please help us with this. When it comes to training itself, there are great tools out there. We saw a very significant decrease in in-person training over the pandemic for obvious reasons, but you’ve seen a very good uptick in automated trainings that are out there as well, and they do make a difference. And that includes doing simulated phishing attacks. So, giving you statistics again, and hopefully I’m not boring you today with statistics, I’ll use CIT as an example: when we first started doing cybersecurity training, our failure rate was pretty high. We were over a 60% failure rate, [00:24:00] and over the years we’ve been improving it and refining it, to the point where we do our training and phishing every single week and we are down to less than 1% of people clicking on links, and even less than that actually getting caught by them. And so just that sheer volume of training and repetition has a major impact. So if your employees now know what to look for, they can alert us a lot more quickly, whether we’re in the security field, the IT field, or however your organization is set up.
So it is a big deal. Again, getting the government behind this and pushing it forward, telling you, you need to be doing this, you need to be thinking about this, and we’ll help you get the tools in place: nothing but great news from my perspective. And then the last item that we came up on here was: require CISA to conduct a study to specify security risks facing the healthcare and public health sector specifically. What does that mean to you? Why is it good news? Where does it go from [00:25:00] here? It’s really, really vague at the moment. Again, Nate mentioned a while back that there’s not a lot of meat on the bone on this particular item, but it does give a lot of good going-forward steps. It makes the government say, okay, we’re going to focus on healthcare because it is one of the major issues. As I mentioned at the beginning, we were talking about $9 million breaches or some type of significant incident, and it definitely requires the attention of the security industry, but then kicking it up to the government is great too. So I’ll pause there and I’ll let Nate expand on that if he needs to.
Nate Schmitt: Yeah, I don’t have much, just because it is truly a very vague statement. I do believe a lot of this one is directly tied to more government action, just like: do something about it. If that’s the quickest way I could summarize it: there’s an issue, do something about it. Right. And so [00:26:00] there’s no more turning a blind eye to, hey, you know, that hospital had ransomware, that hospital had ransomware, that one had it too. There’s more of a strategy starting to be put into place. And this really isn’t anything new. If you go take a look at things like HIPAA a long time ago, I think that was actually in the nineties, and then you had HITECH kind of roll around with that, with the whole breach notification and actual penalties tied to that. So it’s a very slow transition. We’re starting to see that rapid acceleration now. This is where, even in the last 10 years, we’ve started to see things like NIST and CISA and IC3, all these government agencies dedicated to helping with the cybersecurity posture of these organizations, start to roll out. This is now just saying: government, go do additional studies to help [00:27:00] feed the pipeline and make those informed decisions. It doesn’t call this out, but what this may indicate is that you might have some agencies that are going to maybe seek some information from the facility and try to say, how are you doing it today? What challenges are you facing? It doesn’t call it out. It might come down the pipeline. But the government typically doesn’t like to call or anything; it’s usually larger studies than that.
Todd Sorg: Cool. Thanks, Nate. Yeah. So wrapping this all up, long story short, from how I kind of started the conversation out: there is legislation out there. There’s new acts coming. We anticipate it continuing. For the most part, we see nothing but good news coming from this. It is really trying to get to the heart of the matter, and it is starting to get to the point where we should see very good guidance. Will there be a little bit of a burden placed on organizations to move? [00:28:00] Yes, there absolutely will, but don’t be intimidated by it. There’s help out there, whether it’s us or somebody else. There’s a lot of really smart people that can help you through the process. It is their job to understand it. It’s our job to make sure that we’re giving you the tools and the guidance you need to move forward.
Tara Klocke: I wanted to say a big thank you to both Todd and Nate today for this discussion, which I think was a really great and valuable way to talk about this act that has been out there. We know that these guys love to talk and they can tangent at times, but it’s always a great discussion. So thanks again. Let us know if you guys have any sort of feedback about these podcasts. You can visit our firstname.lastname@example.org/ podcast, or email info@cit-net.com, and we look forward to chatting with you more next week. Thanks so much.