The State of Health Care Cybersecurity

In 2024, an estimated 186 million health care records were breached across the U.S. Jen Waltz and Rob Courtney, both cybersecurity experts, share an update on the state of health care cybersecurity, outline actions being taken by regulators and providers, and offer tips to help protect private health information.

Guests: 
Rob Courtney, Healthcare CTO, Carahsoft
Jennifer Waltz, Chief Cybersecurity Officer, IMAJENATIVE

Host/Producer: Carol Vassar

TRANSCRIPT:

Announcer:

Welcome to Well Beyond Medicine, the world’s top-ranked children’s health podcast, produced by Nemours Children’s Health. Subscribe on any platform at nemourswellbeyond.org, or find us on YouTube.

Carol Vassar, host/producer:

Each week we’ll be joined by innovators and experts from around the world, exploring anything and everything related to the 85% of child health impacts that occur outside the doctor’s office. I’m your host, Carol Vassar. And now that you are here, let’s go.

MUSIC:

Let’s go, oh, oh.

Well Beyond Medicine.

Carol Vassar, host/producer:

In 2024, 186 million healthcare records were reported breached by healthcare and public health entities and their business associates here in the U.S. That startling statistic comes to us from the U.S. Health and Human Services Office for Civil Rights, which is responsible for enforcing HIPAA privacy and security rules and is currently looking to modify and strengthen cybersecurity protections for Electronic Protected Health Information, ePHI. All of which got us thinking, what is the state of healthcare cybersecurity in the U.S. right now? How is AI being applied to healthcare cybersecurity? And are children’s health records of particular interest to bad actors? And if so, why? Here to discuss these topics and more are two seasoned healthcare cybersecurity leaders. Jen Waltz is the Chief Cybersecurity Officer for the cybersecurity consulting firm Imajenative. And Rob Courtney, who is the Chief Technology Officer, CTO, for Carahsoft, which provides public sector IT solutions in the healthcare and education spaces. It’s Rob who gets us started with his take on the overall fitness of healthcare cybersecurity right now.

Rob Courtney, Carahsoft:

I would have to say, it’s not in total disarray. But it is very far from where it needs to be. When COVID hit, all the IT people took their eye off the ball on cybersecurity. And the bad guys figured out that the data within the providers is extremely valuable. When I mean valuable, I mean they can get ransom from it. And so that’s when it started to attack. Now the attacks come every day. There’s not one CIO or CISO that I talk to that ever talks about, “If I get attacked, what will I do?” It is, “When it happens, what are we going to do? How do we deal with it? How do we prevent it in the first place? But when it does happen and when the bad guys get in, what do we do?”

I wanted to bring a couple of statistics that are going to blow your mind. The cybercrime industry is now $10 trillion a year. It’s the third-biggest economy, second only to the USA and China. Now, that’s not healthcare-only data, but healthcare is one of the lucrative industries for cybercrime right now. Jen probably has a couple of thoughts as well.

Jennifer Waltz, Imajenative:

Well, thank you so much, Carol. I really appreciate you having Rob, who is a legend in this industry, and myself here just to share some updates. And so what I would add to that is, when you think about it, this healthcare sector is going to continue to face significant cybersecurity challenges, not just this year and beyond. And despite the investments that entities need to make, like Rob was mentioning, this industry is still particularly vulnerable due to legacy systems with inherent security weaknesses that can’t easily be replaced due to cost and operational constraints. And then you’ve got all these complex technical environments with thousands of connected medical devices. And then there’s this chronic under-staffing of cybersecurity roles. Like Rob was mentioning, how in COVID entities didn’t invest the way that they needed to, to stay ahead of things. And so right now there’s an estimated 30 to 40% shortage industry-wide, specifically for these cybersecurity roles. And then there’s this increasing attack surface with telehealth expansion and remote work infrastructure.

And so then what Rob was mentioning, the value of healthcare data on dark markets, it’s commanding 10 to 20 X higher than credit card information. As Rob was so eloquently stating, healthcare organizations are making progress, but the implementation remains uneven across the sector, with smaller providers and rural hospitals particularly vulnerable.

Carol Vassar, host/producer:

There’s money to be had.

Jennifer Waltz, Imajenative:

By bad actors, for sure.

Carol Vassar, host/producer:

By bad actors. That’s a very good point. Jen, who are these bad actors? Do we know who they are and why they’re trying to get this data, other than hold it for ransom, which sounds like the big draw?

Jennifer Waltz, Imajenative:

Yes. When you think about threat actors and how they’re specifically targeting healthcare data, you’ve got all these multiple adversaries, like nation-state actors, particularly Russia, China, and North Korea, and Iran, seeking intellectual property and strategic intelligence. You also have financially motivated criminal groups who are deploying ransomware and using this data extortion attack. And then now you’ve got insider threats, both malicious but more often negligent. And so, that’s why training is super important. And then you’ve got hacktivists that are targeting organizations because of ideological reasons. And so, when you think about their motivation, the motivation is number one: money from ransomware and selling patient data. Then they’re gathering intelligence on high-value individuals. And so, Carol, people need to understand why children’s hospitals are being attacked even more so. And then you’ve got medical research that identifies healthcare specifically, and then these synthetic identities using these comprehensive medical records in fraud schemes. Rob, I want to kick this back over to you because I know you talk about this every day. What are your ideas on, and your thoughts on threat actors targeting healthcare data?

Rob Courtney, Carahsoft:

Well, like I said, they’ve uncovered, and it’s now all over the dark web, how valuable the information is. Some of the worst attacks, I know one of the ones about four years ago was on Scripps Healthcare in San Diego. And they were down for months, and I mean months, where they couldn’t get to their data. I don’t recall if they actually paid a ransom, but I do know that the cost to them in terms of lost patient revenue and other things, like some of their data got actually out. They actually got the privatized data, the EPHI, and so $500 million and counting as of about two years ago. It was a significant threat. Now, that news was all over the place. And so the bad guys said, “What did these guys know that we don’t know?” You’ll see these nation-state bad actors from around the world attacking what they call U.S. infrastructure, and the healthcare system is a huge part of our infrastructure. Because people need patient care, and hospitals have to be up-to-date with their patient data 24/7.

Now, it’s not the only infrastructure they’re targeting. I think the power infrastructure is probably as big a target for those nation-state actors as healthcare is. But if they can bring a healthcare system down, that affects our economy, it affects the livelihood of those hospitals and the caregivers. And that’s exactly what those nation-state actors are trying to do. It’s a real challenge. I think the other thing that attracts the nation state actors is that the federal government regulates what healthcare systems must do in terms of digitizing data, protecting data, keeping a backup copy. There’s just so much data there. And the other thing that healthcare providers don’t do a good job of is getting rid of data. They’ll have data for 10 years, 15 years, 20 years. They have to keep it for, I think, seven to 10 years. They must keep it for that long by state regulation.

And the number of systems that now have access to some kind of patient information continues to grow by leaps and bounds. The other challenge for the healthcare providers is understanding the threat landscape and understanding the platform where all the bad guys can get in.

Carol Vassar, host/producer:

Well, Rob, I’m glad you brought up the federal regulations, and I’m sure there are state regulations, that framework around cybersecurity, but we’re at a state right now where things are changing very quickly on the federal level in particular. How does that affect national oversight of our medical records?

Rob Courtney, Carahsoft:

That’s a great question, because the feds through HHS have, it’s not a paper with their recommendations for new cybersecurity rules that was released to the public on December 27th, 2024. It was sent out for a 60-day comment period where all providers and vendors were allowed to comment back and give their inputs back to the HIPAA board before those regulations get finalized and put into law. I actually sent a note to DOGE, the Department of Government Efficiency, saying that some of these are egregious and I think overreach. And the reason I said that and gave that input is because the cost to implement this, if they go with all those regulations, is somewhere around $9 billion. And the problem with that is going to be, who is going to fund that? Where is the money going to come from?

And so there are … I’ll just highlight two or three things that are important and probably need to be addressed. One of them is resiliency, and they use the word resiliency as opposed to data protection. Data protection is now an outdated term. They don’t want them only to protect their data and back it up. They want them to be resilient. And they put a 72-hour timeline in for the provider to be able to get their data back up so that the systems can access the data so they can do their transactions and treat patients using real patient data. I’ve actually run two focus groups where I had between 11 and 15 CIO-type level people in the room. And I asked them to raise their hand, if you can currently get up in 72 hours or less today, not one out of 25 raised their hand, not one.

Another one is network segmentation. It’s not called that as network segmentation. But the challenge that healthcare has is there are so many devices, whether they’re medical devices or in-hospital devices or people using their mobile phones or iPads to get in. All those now have access points, and the bad guys can get in. I’ll tell you a story of one of the CTOs of a large customer of ours. This was a few years back. They found a dormant ransomware file in their data, in their patient data, and they found it before it exploded, which was total luck, total luck. And they were able to get rid of it, and they didn’t have an incident. Now, that came from a firmware upgrade on a medical device in one of their hospitals or one of their clinics. And so, the number of places that these bad guys can get in and launch an attack from is growing exponentially, especially in the advent of telehealth back in the COVID days. And telehealth is still big today.

There are more guidelines coming, and I’m not saying they’re needed. A lot of them are around process, but some of them are technology. Everyone wants to go to the next shiny object. I think of people, process, and technology. And so, these new HIPAA guidelines talk a lot about process, and they talk a lot about things that technology can help you solve, but they don’t talk about people. Jen was talking about training or internal bad actors. One of the guys at HIMSS told me that there was a phishing email sent, and it looked like it was sent from the CEO. Please click on this link and do this, and the link would take them and let a bad guy in. And so, training of people to understand and be vigilant is incredibly important in today’s world.

Carol Vassar, host/producer:

Jen, expand on that idea of training people. We’ve talked about process, we’ve talked about regulation, what needs to happen in terms of training people, not just in IT departments, but users right at the bedside?

Jennifer Waltz, Imajenative:

Oh, yes, absolutely. Let’s just start, number one, with using, everyone is talking about all these different technologies. But here is where AI could help. Again, training of your staff, it’s, how do you make sure you can define intelligently something in email, making sure that people are very vigilant about these things? And it can’t just be one action. I think all of us that work in a corporate environment, we know once a year we have to take an ethical training. We have to agree to certain laws that we’re going to adhere to so that we don’t compromise ourselves and the company that we’re honored to work for. And so, I feel instead of doing it once a year, it has to be exercises at least, maybe bi-weekly. I used to do this with one of my teams. And I partnered with our cybersecurity division so that they would send out test emails to see who on my team would be susceptible and vulnerable to possibly opening it.

And so, I didn’t tell my team this exercise was happening, and so we got three people on my team, I had 16 people on my team, and so then they were like, “Oh, okay. That’s how security has to link up with everyone, every division in the company.” It’s not just an IT issue, it’s a human issue. And so you have to continue to have a training program, and that needs to be evergreen, and you really have to publish out to the company when they’re testing to see who might be vulnerable, statistics, and what they should be avoiding. And it’s really just common knowledge and just consistent training, Carol.

Carol Vassar, host/producer:

Cybersecurity and quality are the responsibility of every employee, every associate at the healthcare system. Jen, you mentioned AI, so I’m going to bring AI into the conversation a little bit more fully. Are the bad guys using AI to get at those vulnerabilities that you have been talking about, and all those little monitors and all those cell phones that are being used?

Jennifer Waltz, Imajenative:

Absolutely. And so, here’s the thing. AI has been around over 20 years, it’s just been in a different form. Just to take it back just very quickly, it’s why we had intelligent routing in our networks. That was AI. It was machine learning. And so, if you can understand how you can network and segmentize traffic, then you have an understanding of how AI works; it works on demand. And so, your question about how threat actors are leveraging AI, number one, they’re using the same things that we’re doing, machine learning algorithms to identify patterns so that they can detect vulnerabilities. And they’re using quantum computing so that they can assess those numbers very, very quickly. Also, natural language processing. It is enabling more sophisticated social engineering attacks. Carol, like you mentioned, we all do this on social media. It’ll say, “Hey, take a picture of yourself to see what you look like when you were 16 or what you would look like when you’re old.”

Okay, let me tell you what they’re doing with that. They’re building a model on you so they could replicate your identity based on what you might have looked like if you had a child or when you get older. Then they’re also using this automated vulnerability scanning. Again, using very high-end quantum computing to size this at this unprecedented scale. GenAI is creating this convincing phishing communication, and it’s specifically tailored to healthcare contacts. And then people are using AI-based password cracking, and that’s basically using predictive analytics and modeling. Rob, I mean, I’m sure you’ve got some other things, but when you’re thinking about how you can protect and defend when you’re talking to partners that are coming through Carahsoft, what are some other things that you’re seeing?

Rob Courtney, Carahsoft:

There’s no question that AI has been around for a while. I used to work at HP, and we partnered with some of the larger healthcare institutions like Stanford and Ohio State to use predictive analytics to improve patient care and patient outcomes. AI is a big buzzword today, but it’s because the power of the compute is now available can really do a lot more than it used to be able to do. Being able to process massive amounts of data in a very short period of time makes AI applicability in healthcare even better. I’m going to shift, though, from the bad guys using AI, because they definitely use it, to what can the providers do for AI? And so, the providers don’t want AI for the sake of AI. They want AI embedded into solutions they already have, and cyber defense is an excellent use of AI.

As an example, Palo Alto Networks, who has networking and firewalls, uses AI embedded in their technology to detect an anomaly in the network. And so, it can get that detection and raise it to an IT person so they can shut it down or turn that node off, or really discover is that really an anomaly or not. There’s another partner of ours called Elisity that does network segmentation, and they do micro segmentation. And they can detect from any individual point on the network that there’s an anomaly using their AI technology that’s embedded, and coordinate it off so it can’t get out of that person’s device and into the network. I used to work for a company called Veritas, and they’re now owned by Cohesity. One of the things they’ve been doing for four or five years is that they acquired a company and they’ve embedded the technology into their data protection that can detect anomalies in the data.

And so they can detect that somebody’s logged in that has never logged in before, or they keep logging back in several times, or they can detect. Like that example of that ransomware file that got into that provider through a medical device. The CTO asked me very specifically, “What would have happened if we had Veritas technology when that happened?” And so the answer to that was, “We would have detected an anomaly and gotten that anomaly detection to your IT folks immediately.” Rather than you running across it by luck, all of a sudden, you would know the day it happens. Because that creates an anomaly in the system. It’s a file that got in there that doesn’t belong there. And so, AI can be used to detect those anomalies.

I think that with the healthcare providers, they can’t use AI to put that stuff out themselves. They need to have the vendors embed AI technology into their solutions to help with their cyber defenses. When I talk to CIOs about AI, they say, “We want to use AI for three or four things, and that’s it. The most important is saving lives.” And so that’s where predictive analytics can come in. Improving patient care. Cyber defense is a big one, right? And those three are probably top of mind for them. But embed technology that can help them with those great things, or save money. There’s no question that AI can, over time, allow them to reduce costs, which is a big issue in healthcare today, too. And when that attack hit that provider and they caught it, all of a sudden, it became a board-level issue.

Guess what? They got the funding they needed to improve their cyber resiliency, but the HIPAA rules, and I use the word resiliency a lot. Resiliency means to me the ability to get back up and not lose data, and get back up quickly. Resiliency is what you need to be able to meet that 72-hour requirement. And I can’t believe that healthcare providers don’t already want to have that. When you’re down for seven days or a month and you’re doing things on paper, it’s expensive, the care isn’t high quality, and then you’ve got to go back and re-input that data in the system, because you must store it electronically. There’s a lot of manual effort, so it’s very costly when the system goes down.

Carol Vassar, host/producer:

Jen, you and I spoke about the value of children’s health records on the dark web. Is that A, a fact, and B, is that the reason we’re seeing attacks on children’s healthcare systems?

Jennifer Waltz, Imajenative:

Okay, so why would children’s hospitals across the country be attacked when there’s no credit card information for them? The only thing that they could really find out is date of birth, healthcare provider, and they can find out how vulnerable they are to certain things. And so, number one, as we discussed, you’ve got social security information. Now, back in the days you didn’t have to have a Social Security number for your child. Everything was under your parents’ name when you were insured. Now, in order to receive any benefits, every member has to have a Social Security number. While most people aren’t putting their children’s social security numbers in LifeLock or making sure that with all of the credit bureaus that the credit is locked for that child. Because the child won’t really need credit until they’re getting ready to go to college and applying for loans and things of that nature.

And so, bad actors are getting this information, and guess what they’re doing? They’re applying a credit profile for these people. In addition, on the dark web, we know some of the most bad actors, and I use that because I can’t use the term in terms of strength, but some of the worst people are on that dark web. And guess what they’re looking for? They’re looking for vulnerable members of society that have their home address. They now know what’s wrong with them. They have their name. And maybe a bit of a profile about the children, so imagine that information in the wrong person’s hands. And we all know that these bad people aren’t just people in IT. There are other segments of society that prey on vulnerable individuals.

Now you’ve got this whole conflux of number one, is someone looking for my child on social media? Are they cruising the neighborhood knowing that my child might have some type of physical ailment or something like that? Those two things are very scary. And something that we need to make sure of is that children’s hospitals, or anyone that cares for children, protect their data. We’ve all gotten so desensitized as adults to having our information breached through some credit bureau or going to a retail store or something. And think about that, we’ve gotten desensitized to it. It’s still a danger, and so especially with our younger family members that we love, we really need to be more protective of making sure their information doesn’t fall into the wrong hands.

Carol Vassar, host/producer:

It’s a matter of protecting their future and their physical well-being.

Jennifer Waltz, Imajenative:

Absolutely, and these children’s hospitals, they face these unique cybersecurity challenges, specifically because they’re often maintaining, like Rob was saying, longer-term data and more comprehensive patient records from birth through adolescence. And then, depending on the diagnosis, their systems are frequently connecting with these research institutions, which further expands the attack surface. And children’s hospitals, they’re using these highly specialized medical devices with unique security requirements. And they typically serve as regional centers connecting with some of the smaller providers that are out there. And because of the extreme sensitivity of pediatric services, it creates this perfect environment for additional pressure to pay a ransom. And so, all of these things show that children’s hospitals are increasingly targeted precisely because disruption creates immediate public concern, and then the pressure to resolve incidents quickly.

Carol Vassar, host/producer:

One final question. I’m going to take it out of the healthcare realm and the bad guy realm and bring it to the patients, the families, and the general public. What can I do? What can my children, my adult children, do? What can my adult children do with my granddaughter to protect their digital health data?

Jennifer Waltz, Imajenative:

That’s a great question. I want everyone to know that there are 10 steps that they could do from my perspective to protect their health data. Number one, review your medical records regularly to identify potential inaccuracies. I would also say, use the online patient portals with strong, unique passwords and multifactor authentication. When you’re logging in, make sure your passwords are strong. Make sure you have several ways that they can vet you, either through your cell phone or through your email, that you are who you are when you’re accessing your patient records.

Carol Vassar, host/producer:

And you’re talking about things like MyChart, for example.

Jennifer Waltz, Imajenative:

100%, MyChart, yes. Also, be very cautious about using health-related apps, specifically those that are not covered by HIPAA. You want to make sure that you’re not putting information out there that isn’t federally protected. Also, asking providers that you’re going to about their security practices, especially smaller providers. It’s a normal conversation. Then we were talking about social media earlier. Be very careful and selective about sharing any health information on social media. We have gotten so used to being, “Oh, Billy’s sick. This is happening. He had to stay home from school.” We have to be very vigilant, especially with our children, to not put that information out there. Not even just for them, but even for ourselves. But then, understanding that like we’ve just heard recently about 23andMe, these genetic testing companies, they might not be HIPAA-covered entities, and that’s also something to be very wary of. Use credit freezes and monitor accounts for medical identity theft. You can do that now. It is free to do that with these credit agencies. And so, definitely I would say that not only do that from themselves as adults, but also their children.

I would also request accounting disclosures from healthcare providers. And then opt out of data sharing, especially when you’re going through a health information exchange, and then making sure you use one email for all of your healthcare. That way, you don’t have disparate information just in case something happens.

Carol Vassar, host/producer:

Jen Waltz is the Chief Cybersecurity Officer for the cybersecurity consulting firm, Imajenative. We also heard from Rob Courtney, the Chief Technology Officer for Carahsoft.

MUSIC:

Well Beyond Medicine.

Carol Vassar, host/producer:

Thanks to both Jen and Rob for joining us on this episode of the Nemours Well Beyond Medicine Podcast. Cybersecurity and the privacy of children’s health records: just one of the many concerns outside the doctor’s office affecting kids and their health that we talk about on the podcast. Have an idea for the podcast? Email us at [email protected] or visit our website, nemourswellbeyond.org. Leave us a voicemail there. You can also visit the website to take a moment to subscribe to the podcast. Subscribe to our new monthly E-newsletter, or catch up on episodes you may have missed. Again, that’s nemourswellbeyond.org. Our team working on this episode includes Lauren Teta, Cheryl Munn, and Susan Masucci, and we thank them as well. Join us next time as we celebrate Nurses Week with Dr. Margo Minissian, a nurse innovator, leader, researcher, and scientist at Cedars-Sinai Hospital in Los Angeles. I’m Carol Vassar. Until then, remember, we can change children’s health for good, well beyond medicine.

MUSIC:

Let’s go, oh, oh.

Well Beyond Medicine.

Meet Today's Guests

Carol Vassar

Host
Carol Vassar is the award-winning host and producer of the Well Beyond Medicine podcast for Nemours Children’s Health. She is a communications and media professional with over three decades of experience in radio/audio production, public relations, communications, social media, and digital marketing. Audio production, writing, and singing are her passions, and podcasting is a natural extension of her experience and enthusiasm for storytelling.

Rob Courtney, Healthcare CTO, Carahsoft

Courtney holds nearly two decades of experience in sales and marketing within the high-tech industry, with a strong focus on the public sector and health care. Known for his collaborative spirit and exceptional motivational skills, he has a proven track record of driving results and building strong, effective teams.

Jennifer Waltz, Chief Cybersecurity Officer, IMAJENATIVE

Waltz is a cybersecurity strategist with 20+ years of experience driving innovation, compliance, and risk management in health care and tech. She builds strategic partnerships and leads AI-driven security solutions across regulated industries.