Being one of the largest pediatric care systems in the U.S. means that the cybersecurity challenges come just as big. Theresa Meadows sees it all as senior vice president and chief information officer at Cook Children’s Medical Center in Fort Worth, Texas, where she’s in charge of the organization’s IT infrastructure, including security.
Meadows co-chaired a public and private sector task force on how health care cybersecurity needs to improve, and she says it is yielding tangible progress. She describes what exactly makes cybersecurity in the health care industry so unique — including the complex regulatory environment and the fact that it’s ultimately about protecting the patient. Having to deal with medical devices adds complications, and Meadows explains what might need to happen in order for organizations to keep them secure in the long term.
CyberScoop: Cybersecurity obviously is a very prevalent issue across industries that deal with sensitive data. What challenges do you think the health care community uniquely faces in cybersecurity?
Theresa Meadows: The unique challenge in health care is just the different types of organizations that would be included under the health care umbrella. For example, health plans, hospitals, doctors’ offices, laboratories, pharmaceutical companies. So the vastness of issues is very different. But we’re all connected so we’re all relying on each other. And so with any one of those components, if security is not in the right state, others are impacted. The second is just our overall regulatory environment. We have a very sophisticated regulatory environment that we are held accountable to. The third thing is that we have the patient component, which really drives a lot of our thinking in health care, which is: “How do we protect the patient?” And because we have technology that is so close to patient care, cybersecurity could really impact the care of or the livelihood of a patient. I think that makes us different than other industries. You know, if my credit card gets compromised, yeah, I’m upset and there’s issues, but that’s a lot different than if, you know, the IV pump that’s delivering medication to a patient gets compromised. I think that adds a level of complexity to our security infrastructures that most industries don’t have to be concerned with.
CS: One thing that I hear and read often about health care networks is that the CIOs or the CISOs in charge of securing the networks are just overrun. There are just too many devices and systems to keep an eye on. What do you think needs to be done to fix the problem of the overwhelmed security chief or security staff?
TM: I think there’s a couple things that overall need to happen. One is we need to have a mechanism to train more people. I think if we had security controls built into those devices when they’re purchased, then that would save us a lot of time and energy. Today, most of those devices don’t have appropriate security controls built in, so we have to do workarounds to protect ourselves.
I also think it’s an opportunity for us to look at shared services models where we maybe outsource the labor to companies that can actually help us do it, versus us trying to employ everyone. I don’t think it’s realistic to assume that every health care organization is going to be able to employ all of their security resources. I think we’re going to have to use some of those shared services, application service providers to do some of that.
CS: Medical technology is constantly changing, but I get the impression that there’s so much legacy tech that people in health care settings are struggling to keep secure. Do you think it’s possible to reach a point where devices are secure by design and stay secure for years into their use?
TM: I do. I think we’ve gotten great response from the device manufacturers about working to make new products that go in the market and be secure. But it’s not a fast fix, unfortunately, because some devices within the organization we may not replace for 15 or 20 years. So I think it’s going to be a while before we can go buy something off the shelf and then put it in practice. One of the things we’ve been working with the device manufacturers on is how can we work to secure the legacy devices knowing that every organization can’t go out and replace all of their IV pumps at once, or they can’t go out and replace their MRI machine because it’s built into a room that has to be redesigned. There’s lots of factors that impact that.
CS: Is there significant action that you think lawmakers and policymakers need to take for health care security?
TM: There’s a couple things that we’re working on. One is related to Stark regulations, which is the anti-kickback statute — if we provide services to a physician, we have to ensure that we’re not getting referrals from providing that service. They did some exceptions back when electronic medical records came out and that could be an acceptable exception to be able to extend our electronic medical records out to physician practices. We’re working currently on a letter that will ask for exceptions for security personnel, security services and security hardware and software, so that if our hospital is connected to a very small physician practice who cannot afford security technology, that through that exception I could provide that service to them because it helps him and it helps us if we’re connected together.
The second is that we would like to see physicians receive incentives through CMS and Medicare reporting. If they do cybersecurity activities, doctors’ offices and doctors would receive incentives for being good stewards and doing cybersecurity activity. So we’re working closely and submitting comment letters to possibly have those two things changed so that we can start to get things out to the smaller practices or hospitals or places that don’t have a ton of money. So maybe the government can incentivize them through one of those programs that’s already out there or through an exception where bigger providers could provide that service to them.
CS: You co-chaired the Health Care Industry Cybersecurity Task Force and it laid out a lot of challenges for Congress last year. Has there been significant progress since then?
TM: There actually has. Probably, to the average person you wouldn’t recognize it, but what actually ended up happening is that the Sector Coordinating Council took on the recommendations from the report and they have a working group that’s working on each recommendation. This year, we have started doing report-outs on progress or where we are in moving the industry forward towards some of the recommendations that were made in the report.
Each team is starting to have good progress and legwork happening in each of those meetings. There are several subgroups that are meeting to try to address issues and make recommendations to the appropriate party. It could be a recommendation to the government, it could be a recommendation to the hospitals themselves, or it could be a recommendation to software or hardware providers who provide to the industry. Those groups are working really hard to begin to push some of those things out and I think it’s getting real traction. So I would suspect in the next year or 18 months you’ll start seeing communications from the group.
The policy working group — which is the one that I’m on — we’re the ones that are addressing some of those things with the federal government: answering those comment letters and those types of things to begin to get traction and some of the federal programs that are out there. But there’s groups working on everything. It’s pretty exciting to see the groups working and actually taking the recommendations seriously and trying to find ways now to implement them.