October 2019 Do No Harm 2.0 Robert Lord & Dillon Roseen Last edited on October 16, 2019 at 10:47 a.m. EDT Acknowledgments Dr. David Mussington, Professor, UMD School of Special thanks also goes to Gabe Nicholas, whose Public Policy and Board Director, (ISC)2 extensive work in the final stages of this paper aided greatly in creating the finished product you hold Mitchell Parker, Executive Director, Information today. Security and Compliance, IU Health The authors would like to thank the countless Michael Prebil, Program Associate, New America independent privacy and security experts, healthcare Joy Pritts, Principal, Pritts Consulting practitioners, executive leaders in healthcare, and experts in artificial intelligence, information Lucia Savage, Chief Privacy Officer, Omada Health technology systems, and workforce development whose work made this report possible. Specific John Schwartz, Chief Information Security Officer, thanks go to those individuals who provided Health Quest thoughtful commentary throughout the development of this project, including: Heidi Shey, Principal Analyst, Forrester Laura Bate, Policy Analyst, New America Dave Summitt, Chief Information Security Officer, Moffitt Cancer Center Rear Admiral Susan J. Blumenthal (Ret.), MD, MPA, Senior Fellow in Health Policy, New America Hussein Syed, Chief Information Security Officer, RWJBarnabas Health Daniel Bowden, VP and Chief Information Security Officer, Sentara Healthcare Ian Wallace, Senior Fellow, New America Mark Combs, CIO, Steptoe and Johnson, PLLC Beau Woods, Cyber Safety Advocate, I Am The Cavalry Carlos Cruz, SVP/Chief Compliance Officer, Tri-City Medical Center Please Note: The affiliations of the noted individuals in no way indicate organizational endorsement of the J. Michael Daniel, President, Cyber Threat Alliance recommendations in this report. Each of these individuals has merely provided commentary, insights Dante Disparte, Founder, Chairman and CEO, Risk and enhancements that we are very thankful for. Cooperative We also wish to acknowledge the supporters of the Matt Doan, Cybersecurity Policy Fellow, New New America Cybersecurity Initiative whose support America helped make this paper possible, notably the Citi Foundation (through their support to New America’s Matt Fisher, Partner, Mirick O’Connell Millennial Public Policy Fellows Program), Florida Michael Fried, CIO, Baltimore City Health International University and the Hewlett Foundation. Department Chandresh Harjivan, Partner and Managing Director at the Boston Consulting Group (BCG) David Holtzman, VP, Compliance Strategies, CynergisTek Peter James, Founder, Amen Ra Security Robert Morgus, Fellow, New America newamerica.org/cybersecurity-initiative/reports/do-no-harm-20/ 2 About the Author(s) The Initiative seeks to address issues others can’t or don’t and create impact at scale. Robert Lord is a fellow in New America’s Cybersecurity Initiative and the lead adviser to the Healthcare Cybersecurity Project. Lord is the co- founder and president of Protenus, an analytics platform that leverages artificial intelligence to detect data breaches in healthcare. Before co- founding Protenus, Lord was an MD candidate at the Johns Hopkins University School of Medicine. Prior to medical school, Lord was an investment associate at Bridgewater Associates, the world’s leading hedge fund. Robert received his A.B. in social studies, magna cum laude, from Harvard University. Dillon Roseen is a law student at the University of Michigan School of Law. He was a Millennial Public Policy Fellow in New America’s Cybersecurity Initiative and the staff lead for the Healthcare Cybersecurity Project. Roseen, from Peachtree City, Ga., was a Fulbright Scholar in Amsterdam where he conducted research on the intersection of law, politics, and international security and earned an LL.M. from Vrije Universiteit Amsterdam. Previously, he graduated with highest honors from the Georgia Institute of Technology. About New America We are dedicated to renewing America by continuing the quest to realize our nation’s highest ideals, honestly confronting the challenges caused by rapid technological and social change, and seizing the opportunities those changes create. About Cybersecurity Initiative The goal of New America’s Cybersecurity Initiative is to bring the key attributes of New America’s ethos to the cybersecurity policy conversation. In doing so, the Initiative provides a look at issues from fresh perspectives, an emphasis on cross-disciplinary collaboration, a commitment to quality research and events, and dedication to diversity in all its guises. newamerica.org/cybersecurity-initiative/reports/do-no-harm-20/ 3 Contents Executive Summary 6 Foreword by Sen. Mark Warner 8 Personal Introduction by Robert Lord 10 Chapter 1: Why Should We Care? 15 I. Cybersecurity Is A Patient Safety Imperative 15 II. The Case for Urgent Action 16 III. The Cybersecurity Risk Landscape Facing the Healthcare Sector 17 Chapter 2: How Did We Get Here? 24 Chapter 3: Culture 26 I. Summary 26 II. Healthcare-Specific Culture Challenges 28 III. Healthcare Culture Policy Recommendations 34 Chapter 4: Technology 43 I. Summary 26 II. Healthcare-Specific Technology Challenges 45 III. Healthcare Technology Policy Recommendations 50 newamerica.org/cybersecurity-initiative/reports/do-no-harm-20/ 4 Contents Cont'd Chapter 5: Workforce 60 I. Summary 26 II. Healthcare-Specific Workforce Challenges 62 III. Healthcare Workforce Policy Recommendations 65 Chapter 6: Conclusion 75 Appendix: Summary of Policy Recommendations 77 Culture 77 Technology 78 Workforce 79 newamerica.org/cybersecurity-initiative/reports/do-no-harm-20/ 5 Executive Summary While this report is ostensibly about cybersecurity in healthcare, we hope it is remembered as yet another contribution to the broader body of patient safety literature in medicine, albeit an unorthodox one. Specifically, we aim to highlight the need to mitigate the risks to patient safety created by the growing integration of information technology and operational technology into healthcare, and to propose ways to mitigate that risk. The report takes as a core premise that there is great benefit to be had from technology adoption, but also that in order to achieve that benefit, action will be required to prevent those same systems— either maliciously or by accident—leading to patient harm. Recognizing that this is a complex systemic challenge, the report ofers 17 actionable recommendations which we believe could make a real impact. These recommendations are organized across three pillars: culture, technology and workforce. The report begins with a personal introduction by co-author Robert Lord which makes the case that information security should be at the heart of modern healthcare by pointing to Hippocratic Oath of “Do No Harm,” which has long underpinned the work of healthcare professionals. Since the potential harms posed to patients today are not what they once were, he argues that “Do No Harm 2.0,” requires significantly more attention and resources to be applied to cybersecurity by the healthcare sector. Next, Chapter One—“Why Should We Care?”—gives a high-level overview describing the cybersecurity challenges and constraints facing the healthcare sector. Some of these challenges are unique to healthcare while others will be familiar to cybersecurity experts in other fields. The chapter will be most useful for those who want to better understand the cybersecurity threats the healthcare sector will face over the next five years. This chapter is designed to give action- oriented colleagues a set of arguments to support their efforts for change. Chapter Two of this report—“How Did We Get Here?”—looks back at the major policies, technological innovations, and cybersecurity incidents that have shaped the current healthcare cybersecurity landscape. This chapter is for those who want to better understand the structural context underpinning technology and cybersecurity developments in the healthcare sector. By providing historical context, we hope to help ensure that future efforts will build on, rather than repeat, past attempts at improvement. Chapters Three, Four, and Five constitute the major policy recommendations of this report. Each one tackles a set of recommendations centered on one of the three pillars mentioned above, culture, technology, and workforce. The policies in these chapters are relevant for policymakers in federal, state, and local newamerica.org/cybersecurity-initiative/reports/do-no-harm-20/ 6 governments, as well as healthcare leaders who can shape the internal policies of their health systems and organizations. The report concludes with a “call to arms” couched with optimism that this is a solvable problem if proper action is taken and appropriate resources are committed. newamerica.org/cybersecurity-initiative/reports/do-no-harm-20/ 7 Foreword by Sen. Mark Warner The WannaCry ransomware attacks in 2017 demonstrated that cyber-attack targets have moved from being concentrated on finance and government entities, to other industries like health care, telecommunications, and logistics, with the attack surface growing to include vulnerabilities in hardware as well as software. The rapid adoption of technology in health care has the potential to improve the quality of patient care, expand access to care, and reduce wasteful spending. However, such technology also has the power to put patients at risk as it facilitates the proliferation of valuable personal health care data. To support the benefits of health