Digitally Bracing Against an Electronic Environment of Turpitude


By R. Dana Barlow

July 2024 – The Journal of Healthcare Contracting


Secret treasure maps, product formulas and blueprints, fiscal transactions, financial backgrounds and the like may seem like the obvious targets for cyberhackers. So, what's the appeal of healthcare provider organizations?

Simple. The bad guys want money quickly and easily, according to George Godfrey, Chief Supply Chain Officer and corporate vice president, Financial Shared Services, Baptist Health South Florida, Coral Gables, FL. “From a government standpoint, patient information can have a negative financial consequence such that if patient information is compromised, then it can cost a lot of money,” he said. “I don’t think the automotive history of your car, if it’s leaking oil, can cost the car manufacturer money. If you own a 2020 Ford F-150 and someone breaks into Ford’s system and posts your maintenance records, does that have any financial consequence for Ford? Who wants to pay to prevent that?”

Instead, the target is much more personal, but on a collective basis.

“What kind of information do people want to pay to prevent it from being exposed? Some of it could be credit … a lot of it involves privacy issues … like with your health. By that topic alone it sets it apart from other areas,” he continued.

Still, disrupting payment transactions or exposing private data within a single healthcare system likely won't generate the financial gains sought by more sophisticated cyberhackers, so they strive for larger targets teeming with sensitive information, according to Godfrey. Should supply chain transactions be disrupted, his team maintains backup plans with suppliers that rely on product demand history.

He points to simple economics: “There’s been enough occurrences that have been rewarding to the bad guys that just motivates more bad behavior,” he said. “The more money you make the more resources you can hire, the smarter the resources you can use, then the more successful you’re going to be,” he added.

“Compliance in any form is a moving target,” said Bruce Goff, senior director, Category Management, and responsible for third-party risk management, Mayo Clinic, Rochester, MN. “Technology related to cybersecurity is doubly hard given the pace of change and the many bad actors making a living at hacking.”

Goff encourages IT security leaders to review the seven elements of an effective compliance program, which the Department of Justice has published for decades: policies and procedures, governance, risk assessment, training and education, reporting mechanisms, monitoring and auditing, and enforcement. "I just think it is a useful framework to discuss with leadership – or think about it from your outside board member or investor's perspective – on whether your cyber compliance program is effective," he added.

Never-ending story

Despite wishes to the contrary, 100% complete cybersecurity is a pipe dream, experts acknowledge.

“One hundred percent cybersecurity has always been impossible,” deadpanned Amanda Chawla, MHA, FACHE, CMRP, senior vice president and Chief Supply Chain Officer, Stanford (CA) Medicine. “Threats change not daily but evolve by the minute. Complex operations and systems always have some failure scenarios, and software development and technology disruption are continuously moving forward and increasing complexity in the surface that attackers thrive in. The pandemic changed details, but not the basic problems.”

Jack Koczela, director, Sourcing & Transformation, Supply Chain, Milwaukee-based Froedtert ThedaCare Health Inc., concurs. “We should always be striving for 100% security, but no system is completely secure,” he said. “Cybersecurity is an arms race that requires us to constantly adapt and improve our systems.”

To err is human

Even though humans may hack intentionally, or code software "bots" to do it for them, humans also casually and mistakenly invite intrusion.

"My own opinion is that 100% defense against cybersecurity attacks is hard to achieve because in the end it relies on the person who accidentally clicks on the link in the email. It could happen to any of us … very scary," admitted Jacob Groenewold, vice president and Chief Supply Chain Officer, Froedtert ThedaCare Health Inc.

“Everything touches the network, and everything is interconnected,” charged Tom Harvieux, Chief Supply Chain Officer, BJC HealthCare, St. Louis. “There’s so much to secure and all the bad actors need to do is find one weak link. It’s like the analogy where you can design a great prison, but no one can design it well enough to overcome a human spending 24/7/365 sitting in it just thinking how to get out of it.”

Harvieux admits that “users are sloppy and a weak link” as “hackers have gotten very sophisticated about phishing with emails and texts that use company leader profiles to get the chain of command to act. AI is making this harder to detect.”

He points to the banner warnings placed atop email text in red ALL CAPS on an attention-getting colored highlight that scream, "THIS EMAIL CAME FROM OUTSIDE YOUR ORGANIZATION …" "I have stuff internally within BJC that goes into junk mail because it's that strict," he added. "It's just really rigorous."

Harvieux cites AI as a useful tool for hackers, too. “They will take an email or a text from your CEO, send it to your CFO and then they will do a daisy chain where they will have it sent from your CFO to somebody else to ‘activate these Amazon cards’ or ‘sign in and do this.’ And it looks so legitimate,” he said.

BJC tries to solve this by employing two- or three-step verification procedures, particularly for high-dollar requests, that may involve a live telephone call or video message for confirmation.
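As an added illustration, not code from the article or from BJC, here is a small Python mail filter that applies the two controls just described: it prepends an external-sender banner, flags messages whose display name belongs to an executive but whose address is not that executive's mailbox (the "CEO asks the CFO" pattern, including lookalike domains and a redirected Reply-To), and holds payment-style requests for out-of-band confirmation rather than delivering them. The organization domain, the executive roster, the keyword list and the three sample messages are assumptions constructed for this example.

```python
"""Added example (not from the article): tag mail from outside the organization
with a banner and flag the executive-impersonation pattern described above.

The organization domain, the executive roster, the keyword list and the three
sample messages are all constructed for this example."""
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example-health.org"          # assumed internal domain

# Assumed roster: display names attackers borrow, mapped to the only mailbox
# each person legitimately sends from.
EXECUTIVES = {
    "jane doe": "jane.doe@example-health.org",   # CEO (assumed)
    "john roe": "john.roe@example-health.org",   # CFO (assumed)
}

EXTERNAL_BANNER = "*** THIS EMAIL CAME FROM OUTSIDE YOUR ORGANIZATION ***"

# Phrases common in gift-card and payment-diversion requests (assumed list).
HIGH_RISK = re.compile(
    r"\b(?:gift\s*cards?|amazon\s*cards?|wire\s*transfer|urgent(?:ly)?|sign\s*in)\b",
    re.IGNORECASE,
)


def normalize_name(name):
    """Collapse case and whitespace so 'Jane  DOE' equals 'jane doe'."""
    return " ".join(name.lower().split())


def sender_domain(addr):
    """Domain part of an address, lower-cased; empty if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def decide_action(findings):
    """Impersonation or a redirected Reply-To is quarantined outright; any
    payment-style request, even from a genuine internal sender, is held for
    out-of-band confirmation (a phone call or video check), mirroring the
    multi-step verification described above. Everything else is delivered."""
    if "executive_impersonation" in findings or "reply_to_mismatch" in findings:
        return "quarantine"
    if "high_risk_request" in findings:
        return "hold_for_callback"
    return "deliver"


def classify_message(raw):
    """Return the external flag, findings, the action to take, and the body
    (with the banner prepended when the sender is external)."""
    msg = message_from_string(raw)
    display_name, addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_payload()
    external = sender_domain(addr) != ORG_DOMAIN
    findings = []

    # Display name matches an executive but the address is not their mailbox.
    expected = EXECUTIVES.get(normalize_name(display_name))
    if expected and addr.lower() != expected:
        findings.append("executive_impersonation")

    # Reply-To steering replies to a different mailbox is a classic redirect.
    if reply_addr and reply_addr.lower() != addr.lower():
        findings.append("reply_to_mismatch")

    if HIGH_RISK.search(body):
        findings.append("high_risk_request")

    if external:
        body = EXTERNAL_BANNER + "\n\n" + body

    return {
        "external": external,
        "findings": findings,
        "action": decide_action(findings),
        "body": body,
    }


# Constructed samples: a lookalike-domain impersonation, a genuine internal
# note, and an ordinary external vendor message.
PHISH = """From: Jane Doe <jane.doe@example-health-billing.com>
To: john.roe@example-health.org
Reply-To: jane.doe@secure-mail-lookalike.example
Subject: Quick favor

I need you to buy ten Amazon gift cards for a vendor today. Urgent.
"""

INTERNAL = """From: Jane Doe <jane.doe@example-health.org>
To: john.roe@example-health.org
Subject: Board deck

Please send me the Q3 board deck when you get a chance.
"""

VENDOR = """From: Acme Supply <orders@acme-supply.example>
To: buyer@example-health.org
Subject: PO 4471 shipped

Your order shipped today. Tracking number is in the attachment.
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("internal", INTERNAL), ("vendor", VENDOR)):
        result = classify_message(raw)
        print(f"{label:8} external={result['external']} "
              f"action={result['action']} findings={result['findings']}")
```

The strict roster check is the trade-off Harvieux describes: an internal employee who happens to share an executive's display name, or mail relayed from a subdomain the filter does not list, lands in quarantine along with the real impersonation attempts, so the roster and domain list need tuning against the organization's own directory before such a rule goes live.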

“Because cybersecurity is such a high-risk, having a partnership with your IT is really becoming a central focus for supply chain,” Harvieux noted. “Cybersecurity requirements in contracting is very real because the risk can be astronomical – from financial to operational to reputational.”

But Stanford’s Chawla warns against concentrating more on cybersecurity as a technical issue and not enough on human operators.

"There are human errors that can lead to breaches despite having robust systems," she noted. "Somewhere along the line across suppliers, providers and other partners there will be incidents – it is about how you manage through them and mitigate disruptions, continuously improving, evolving and striving towards 'zero incident' – akin to the concept of 'zero harm' in healthcare. Useful percentage guarantees are hard to find, and it is better to focus on understanding your business and which areas you want to prioritize for more layers of protection as well as more robust backup plans for inevitable incidents. Cyber incidents are 100% certain to happen, but catastrophes are not a certainty for any single organization."

Changing human behavior may be just as challenging and time-consuming as updating technical capabilities, according to Mike Mucha, Chief Information Security Officer, Stanford Medicine.

“Human behavior, especially group behavior, takes concentrated effort over time to change,” Mucha noted. “So, it’s very difficult to get to 100% compliance without technical controls. Behavioral components should be presented in multimedia and repeated, and tested, until it starts to become the new normal. The ideal version is to make the easiest and most productive technical path also the most secure one. But that’s hard to accomplish.” 

Soldier on

Regardless, experts maintain a positive attitude about ongoing digital battles.

Godfrey acknowledges progress has been made during the last several years and he foresees more clearly defined progress emerging within the next few years.

“Right now, the more people that are working on it are now causing delays [for the hackers] … the work that we’re doing as a standalone provider versus what a manufacturer is doing,” he noted. “All of that work I think is positive even though it’s not coordinated or dictated by an agency or the government at this point. Hopefully, that journey is yielding results.”

Godfrey salutes his IT department. “They’ve been, at times when this topic was not popular, getting a lot of pressure. But they’ve done a good job of keeping the patient in mind but at the same time maintaining balance [with supply chain issues]. I have one of the best IT security guys that you can imagine – Anthony Longo, vice president and Chief Information Security Officer. We have a great team and an alliance with his team, his department and my department. The productive action and teamwork have been very important versus having internal debates.”

Harvieux echoes praise for his IT security team, led by Matt Modica, Chief Information Security Officer. “The environment is changing too quickly,” he said. “One hundred percent may not be achievable but we’re always aiming to close gaps. And to be harder to hack than the other guy.”
