Public Health’s Silent Defender: Cybersecurity

December 04, 2023 | Jennifer Jean-Pierre

In August of 2022, a cyber attack took the Fremont County Department of Health offline for 30 days—and health systems continue to be a top target of similar attacks. In this conversation, Brian Mazanec and Greg Garcia share how health systems can prepare for and prevent cyber attacks. Hear strategies for public-private cyber partnerships, easy wins every health agency can take, and how cyber attacks have evolved—and dramatically increased—in recent years.

Transcript

Some answers have been edited for clarity.

JENNIFER JEAN-PIERRE:
Hello. My name is Jennifer Jean-Pierre and I'm the director of content development at ASTHO. I'm bringing you an important conversation about cybersecurity and what you need to know as a public health professional. I am joined today by Greg Garcia, executive director for the Health Sector Coordinating Council, and Brian Mazanec, the deputy director for the Office of Preparedness at the Administration for Strategic Preparedness and Response or ASPR.

Hi Greg, Hi Brian.

GREG GARCIA:
Hi, Jennifer.

JEAN-PIERRE:
I am so excited for this conversation, so let's jump right in. We really can't go a day without hearing about a hack or cyber threat of some sort. And typically we're thinking about emails or the banking industry. But I think it's really important for us to understand the why. Why should public health officials care about cybersecurity?

GARCIA:
I'll take a shot at that one. I would say there are three reasons. The first is one that we know now: cyberattacks are increasing, they're not going away. And the impact of cyberattacks is known to be about patient care. We know that cyberattacks can disable hospitals, they can delay treatments, they can divert ambulances, many problems. Patients can be harmed. And we are all in this for the same reason. We are in healthcare for patients. And we have an organizing principle in the council that cyber safety is patient safety. That is the organizing principle. Secondly, for public health institutions: data. It's king, right? So, we need to understand public health trends, information, and cyber attacks can steal data. It can corrupt data. It can make it inaccurate and, nowhere is it more important to have accurate data than in public health. That's number two. And number three is operational. Cyberattacks can disable information technology, communications, and operational technology systems. And your hospital system, whether it is your building infrastructure like HVAC or elevators or refrigeration systems, or medical devices, all of these can be disabled by a cyber attack. This is an existential problem. That's why people should care.

BRIAN MAZANEC:
And I would echo everything Greg said, definitely, from the perspective of the Department of Health and Human Services and the Administration for Strategic Preparedness and Response. We agree cyber safety is patient safety. Cyber incidents can, and do, impact patient care. To the question about, “why should public health officials and professionals care about cyber security,” it's true that a lot of the focus, and a lot of the attention you'll see in the media and elsewhere on this issue in health care, is on primary patient care. Public health is absolutely critical as well, and part of the equation. This is true of course with the upcoming winter flu season, COVID, RSV: disease detection, public health campaigns are critical, and cyber incidents can disrupt those campaigns and activities and have a negative impact on public health. They are also not just an abstract threat. We've seen cyber incidents that have directly impacted public health organizations, as well as primary patient care facilities. In December 2021, there was a cyber attack that caused the Maryland Department of Public Health to take its website offline for days, disrupting their COVID-19 response and other routine public health services. In August of 2022, we saw that the Fremont County Department of Public Health and Environment in Southern Colorado was shut down for nearly a month dealing with a ransomware attack. So, public health, as well as other aspects of health care, are very much in the fore[front] and affected by these cyber incidents.

JEAN-PIERRE:
Thank you so much for giving us an understanding of why it is important for public health professionals to care about cybersecurity.

And now this leads me into my next question. What is the federal government currently doing to ensure the public health and healthcare industry are protected against these cyber security threats?

MAZANEC:
Yeah, great question. And we are doing a lot. There's a lot of activity in this space. And we at ASPR, the Administration for Strategic Preparedness and Response within HHS, we are designated as what is called the Sector Risk Management Agency for this critical infrastructure sector: the healthcare, public health, critical infrastructure sector. So, as part of that responsibility, what we do is we work with the sector, with Greg and his colleagues, to understand the risks and threat picture, identify best and develop best practices to push those out. And I'm sure Greg can talk more in a moment about some of that great collaboration. And a lot of the recent activity there's a ton of. Information that we, in partnership with Greg and his team, have put out that I think is really helpful to the folks in the sector to bolster their cybersecurity. We also have a critical function that in one that we're frankly expanding significantly because of the elevated threat and the increasing frequency and intensity of these cyber attacks. Which is an incident response. So, when there is a significant incident, the federal government absolutely has a role to play. A lot of times that is the FBI, or our colleagues at the Cybersecurity and Critical Infrastructure Security Agency, CISA. But we have a role as well and we are very active in incident response and seeing what we can do to help blunt the effects of significant cyber attacks. And then we coordinate as well. Internal to the federal government, internal to HHS, there's a lot of different entities that can contribute to battling this threat. We as ASPR, as the Sector Risk Management Agency, serve as a quarterback that, that helps shepherd those efforts and manage the relationship and partnership with Greg and his colleagues in the sector itself.

GARCIA:
I want to give a big shout out to HHS and in particular, Deputy Secretary Andrea Palm. I would say in the past two years, HHS has really stepped up in a way to organize or reorganize the agency to be really forward-leaning and strategic about not just how they engage with us in the Sector Coordinating Council, but with the industry at large and with other agencies. If you take a step back for a second, Brian mentioned critical infrastructure. Healthcare is critical infrastructure designated by the government along with 16 other critical infrastructure sectors: telecommunications, financial services, oil and gas, electricity, water, transportation. And there is a sector coordinating council for every one of those critical sectors, and a Sector Risk Management Agency. Ours happens to be HHS, and FDA on the medtech/pharma side. But it's this partnership that is critical. We're organized with the overall coordination of the Department of Homeland Security and CISA, which oversees the national critical infrastructure strategy tailored to each one of the critical sectors. But it's a partnership that's based on the recognition that regulation alone (healthcare is regulated, but regulation alone) can't address all of these complex and evolving cybersecurity challenges, and neither can market forces alone. Industry is not saying, “Just leave it to us. We'll take care of it.” It's not right. So we have to actually come together and be a little bit more resourceful and creative. Because the adversaries are resourceful and creative and that threat is always evolving. I think we're in a pretty good place now, absolutely.

MAZANEC:
And what the federal government is doing here, I should note: the relatively recent national cyber strategy that the Biden administration put out, which we are in the throes of implementing now. And in the context of that strategy, one of the main pillars is focused on critical infrastructure and our sector, in particular, the healthcare/public health sector. It's consistently identified as one of the top two or three sectors for focus, given the intensity of the threat, the potential severe impacts on patient health and safety. So, there's a lot of interaction with the National Security Council, the Office of the National Cyber Director as well. And to Greg's point, looking at some bigger picture policy options and things we might be able to do in addition to all the great work that's already happening to address these threats.

GARCIA:
The big picture policy things are important. We have spent a lot of time over the past five years in the cybersecurity working group, developing a range of cybersecurity best practices in all manner of disciplines. And by all manner of disciplines, I'm talking about information sharing, incident response, securing the medical devices. What about hybrid hospital, cyber hygiene? We need to do better at workforce. What about supply chain, third party risk? All of these things we have developed good best practices for, but now we need to be thinking ahead over the next five years.

JEAN-PIERRE:
Yes, definitely. We should be thinking ahead over the next five years. Thank you so much for that insight.

Previously there was mention of what occurred in Maryland. Can you speak a little bit more about that and any key lessons learned from those cyber security attacks?

MAZANEC:
Yeah, the Maryland example I mentioned with the Maryland Department of Public Health. They were taken offline for days responding to a cyber attack. That's... unfortunately, common in these instances, especially with ransomware attacks that can lock down and encrypt the data that's necessary to perform basic functions. If I take a step back in terms of your question about key lessons learned: again, in partnership with Greg and his team, we did put out an updated version, and this was led within HHS by this awesome program we have called the 405(d) program that sits in our Office of the Chief Information Officer. They led this effort to put out a Health Industry Cybersecurity Practices document, a second version, last calendar year, or last fiscal year rather. It's really fresh and it captures a lot of the best practices, including really making it digestible: the top 10 mitigating strategies, top five threats, break all of that out. It has some appendices that really are off-the-shelf resources for entities of any size. But one of the things I would note, and I think it's relevant in that Maryland example, and just based on our day-to-day execution of cyber incident responses, is the importance of having plans and backups in place for responding to an incident when it does happen. Obviously, good cyber hygiene, prevention of an attack, is key, but when it does happen, we've seen a noticeable difference in the amount of time that's necessary to recover from an attack based on those preparedness activities in advance, having the backups in place, having an incident response plan. So, I would just emphasize that as a key lesson learned that we continue to see is really important for entities to recover following an incident.

GARCIA:
It's important to focus in on one or two specific instances to bring it home, what a cyber attack can do. But I would also just like to put it in a broader perspective in the aggregate, lest anybody think that just happened to Maryland, not going to happen to me.

No, it's not if, it's when. I'm just going to read a few statistics very quickly, because I don't remember statistics well, but it's important to put it in perspective, from HHS, from the Office for Civil Rights, which enforces HIPAA. You have to inform HIPAA if you've got a data breach of 500 records or more. Between 2017 and 2021, there was an increase from 329 to 715 data breaches, exposing between 20 to 50 million records. 85 percent of the records exposed in those breaches, just in 2022, were caused by hacking, cyber attack. This isn't just inadvertently leaving patient records on a copy machine.

It's caused by hacking. And between 2016 and 2021, we've seen 375 ransomware attacks affecting 42 million patients. And for the 12th year in a row, as of a 2022 report, healthcare is the biggest target ahead of financial services, pharma, technology, and energy. And this can cost anywhere on average between a million to 10 million per breach for an entity.

So it's real money, it's patient safety, it's operations, and it's continuing. It's getting worse. We're getting better, but it's still getting worse.

JEAN-PIERRE:
As someone who doesn't work in cyber security those numbers are astonishing to me. Just the impact that it could have on public health professionals and companies and organizations. So, thank you so much for those, Greg.

Brian, please, I'm sure you have some insight on that as well.

MAZANEC:
Well, Jennifer, what I was going to say to Greg's comment is just, this maybe even further highlights what you just said, but if anything, the statistics likely understate the volume of malign activity that's out there, because there are many entities we know that do not report. So, I think if anything, it likely understates, unfortunately, the volume of malign cyber activity that's out there.

GARCIA:
And that's actually one of the policy issues that has been in discussion over the years, which culminated in the passage of a statute. To put a fine point on what Brian said: if you're a healthcare entity, if you're a hospital, if you're a health provider, if you lose 500 records or more in a breach, you have to, you already have to, report it to the Office for Civil Rights at HHS. That's it. But what about ransomware attacks? Ransomware doesn't necessarily breach personal health records or protected health information. If I'm a hospital, if I'm a med tech, I'm a pharma, I don't have to report that. And I don't want to, because there's reputational issues with that, and maybe I'll be a further target. There was the passage of a bill a couple of years ago that gave the Department of Homeland Security, CISA, the Cybersecurity and Infrastructure Security Agency, the authority to require any entity that has been breached with any kind of cyber incident, you got to report within, I don't know, 72 hours, so that the government and industry in turn can have a more accurate picture of the scope of cyber attacks and the impact of those cyber attacks and the methods of those cyber attacks, so that we can be better prepared. The devil is gonna be in the details as to how that is going to be enforced.

MAZANEC:
Yeah, and I would add that mandatory reporting requirement is in the rulemaking process now, pretty far along, but it's not actually in force yet. And the requirement to report certain data breaches to covered entities under HIPAA, which does provide us some useful insights on the malicious activity out there, that is not timely reporting, which I think from our perspective, as we manage the federal incident process here, we can't do in a nimble way based on the HIPAA reporting.

JEAN-PIERRE:
Thank you so much to both of you on that.

So, my next question is along the lines of: what governmental research or efforts are underway to stay ahead of any emerging cyber threats that we have?

MAZANEC:
A lot of this is in partnership with our colleagues in the sector, with Greg and others. But I mentioned earlier the landscape analysis that we completed. I'm not sure that counts as governmental research and development, but it was a key study to really look hard at how the sector was prepared to deal with cyber threats, what top strategies were implemented, where we can focus our efforts. So, that is a type of research that I think informs our day-to-day activity as the sector risk management agency. We also do have now within HHS the Advanced Research Projects Agency for Health, ARPA-H, and they are partnering with other entities within HHS to really focus on cyber threats. They recently launched an initiative called DigiHeals to develop technologies and capabilities that can help the health care public health sector deal with cyber threats. And then the other thing I would mention, I think, is just simply exercising more. And this can be something from a public health perspective, public health departments, health care coalitions in states.

There's a lot of different levels at which just exercising cyber incident response, developing and identifying gaps and developing mitigations for them based on that. That's another type of operational activity that I think can really glean insights that can help us all better prepare for these threats.

JEAN-PIERRE:
Well, thank you, Brian. It seems like a lot is being implemented.

So, let's talk resources. We know our current environment for resources is limited, so what can be done immediately by public health officials and professionals to assist in mitigating these cyber attacks?

GARCIA:
There was, a few years ago, the softening of a law called the Stark and Anti-Kickback Law. It was originally intended to prevent vendors or other hospitals from seeking advantage, commercial advantage, by helping other organizations, other healthcare organizations, kickback kind of thing: “I'll help you if you help me.” That was relaxed specifically for cyber security so that if you are, for example, a sophisticated medical technology company and you're selling some technology, medical devices, to a hospital system that doesn't have a lot of resources dedicated to cyber security, perhaps as part of your service offer, you can ensure that they have better cyber security as a customer using your technology, for the benefit of patient safety. And that's not a violation of Anti-Kickback or the Stark Law. Whether that's been used too much, very much, I don't know, but that's an incentive from the government that says that yes, cybersecurity is important, and we need as a community to help each other. The biggest difficulty that Brian and HHS are working on is how do we better deal with the smalls. We just call them the smalls, but it's small rural and urban critical access, under-resourced hospital systems who are operating at even or negative margins. And we tell them they need to be paying attention to cyber security. And they say, “Show me the money.” How am I going to do that? I have to be worried about whether I can hire another nurse. The issues related to that could be: can the government provide subsidies or incentives, outright grants, more technical assistance? The Department of Homeland Security, CISA, has a wide range of free resources available to healthcare entities to help them with their cybersecurity. And a lot of that help can come from the private sector as well. Hence the Sector Coordinating Council is a collaborative. We are working together, 400 different organizations, coming up with best scalable practices, from large, sophisticated organizations down to the smalls. That's the best way that we can deal, as a community effort, to strengthen our cybersecurity.

MAZANEC:
So, the only thing I would add to what Greg said about the current environment with limited resources and what we can do: I think we've mentioned a couple of times, there are already a lot of great information sources out there, the Health Industry Cybersecurity Practices being one of them. A lot of what we see with these cyber attacks occurring right now is they exploit pretty basic vulnerabilities. So, if you take some low cost, basic measures, I think that will significantly bolster your posture to deal with cyber threats, whatever kind of entity you are, public health department, hospital. So, really looking at the HICP, looking at the top 10 mitigating strategies, implementing them, I think is a key practice. And the other thing I would encourage folks to do, just make sure the senior officials in whatever entity or department, public health departments, the sort of the leadership there is aware of the risks, that this is something affecting public health, affecting healthcare in general, and be baseline literate in understanding those threats.

Recognizing we need to invest in things. So really leaning into cybersecurity can actually help save you money if you do it right. But it is a resource constrained environment. The healthcare system, public health is very strained post COVID. So, we recognize this is a difficult thing. But cybersecurity, as we said at the beginning, is patient safety.

JEAN-PIERRE:
Cybersecurity is, in-fact, patient safety. And even more than that, it is vital to public health. So, thank you for taking the time to speak with me and answering all of my questions. This has been an insightful conversation and I'm sure that everyone that is listening, has not only been provided with so much information in regards to cybersecurity, but probably has a better understanding of why it's important to have those best practices in place, those strategies in place when it comes to cybersecurity. And especially as it deals with public health.

And honestly, I want everyone listening to be as well-equipped as possible. So, are there any additional resources available that you can share to help us further educate ourselves?

GARCIA:
I'll start: go to healthsectorcouncil.org under the publications tab. We have over the past five years published, we'll be at about 27-28 publications, as I mentioned earlier in the podcast, publications on many different aspects of cybersecurity. If you're a public health official, you're not a cyber person. Some of those resources are not going to be useful to you, but I can point you to one that's really good if you're not a cyber person. We published an eight-part video series called Cybersecurity for the Clinician, eight videos, total of 47 minutes. And it is about what you need to know about your responsibility with cybersecurity. The on-camera talent is an emergency room doctor from U.C. San Diego, who is a self-taught hacker, so he knows both sides. He can hack the computer and he can hack the human. And he's the best source for education on that topic. It's free. Everything we provide is free. And you can download that video series on YouTube.

JEAN-PIERRE:
Thank you, Greg. We will absolutely link that below just so that it is easier for everyone to find.

MAZANEC:
And again, I echo Greg's comment, their website, the Health Sector Coordinating Council website, is chock-full of fantastic resources. I also mentioned earlier on the HHS side, the 405(d) program has a great website. That's where you can find the HICP, the Health Industry Cybersecurity Practices that I've mentioned a few times, and then ASPR, the Administration for Strategic Preparedness and Response, where I'm from, we have some resources online as well, including the healthcare public health sector cybersecurity framework implementation plan, which is a nice complement to the HICP as a general resource for any healthcare focused entity. We also have ASPR TRACIE, which many in the public health community may be aware of. It's a resource that pushes out topic collections on areas of interest to public health and first responders tied to the ESF #8 mission that we have at ASPR. They have a whole topic collection on different aspects of cyber security that is really useful and practical, especially from a cyber incident response perspective. And then the last thing, I'll just provide a teaser or preview of something that's coming soon that might be useful to folks: the risk identification and site criticality tool. That's a big mouthful. But if you spell out the acronym, it's the RISC tool. It is a resource that we have in ASPR that is intended to help organizations, public health departments, hospitals think through how an organization is implementing all hazards, taking an all-hazards approach to risk management. We have a few hundred entities using it, but we're planning a full release in November, and it's going to be incredibly flexible with an enhanced user interface. It's going to help large and smaller entities really look at their risks and manage cyber threats.

JEAN-PIERRE:
This tool is going to be a game-changer. It sounds so helpful. And thank you for offering us that preview of what's to come. And Greg, this video series just feels as if it is perfect for public health officials to learn a little bit more about cybersecurity, so thank you for that resource as well. It has been such an honor for me to sit with you today and have this conversation, thank you.

MAZANEC:
Thank you so much, Jennifer, really appreciate the opportunity to be with you today and appreciate all the great work ASTHO does, and the public health professionals across the country. So we are looking forward, in our role at ASPR, to helping you all deal with cyber threats and all the other challenges that you face as you help prepare and protect our nation's health.

GARCIA:
I think we've said all that we can say, but yes, I echo Brian's remarks. Our public health institutions across the country are critical to our public health and we all need to be secure. It's a shared responsibility. It's not one that we can avoid or shirk. So, there are resources available to you, a lot of different things that you can do to protect yourself.

Brian, we should just take this on a roadshow. You and I: the sequel.

JEAN-PIERRE:
Well, I think that's a great idea. But in all seriousness, it has been such an honor to speak with both of you. Thank you for joining me for this important conversation about cybersecurity and how it affects public health.

Brian, your expertise on the government side is appreciated. And Greg, those stats were eye-opening. Thank you for sharing.

Our time is now up, but remember, for all of your public health information, please visit your one-stop shop: astho.org.