A chief information security officer dives deep into why hackers target health care organizations and how the industry is banding together to help prevent major breaches.
Health insurers in the U.S. face 1,000 cyberattacks per second, according to Kevin Charest — and he’s dedicated his career to protecting federal government agencies and private insurers from just such attacks.
Charest is the divisional senior vice president and chief information security officer for the Blue Cross and Blue Shield Plans in Illinois, Montana, New Mexico, Oklahoma and Texas. He previously served as vice president of global cyber defense operations at UnitedHealth Group and as CISO of the U.S. Department of Health and Human Services (HHS). He is also chairperson of the board of ISC2, a nonprofit membership association for information security leaders.
MHCSW recently spoke with Charest to get his thoughts on the industry’s current cybersecurity landscape and how health insurers are working all day, every day to help protect members’ data.
Note: This conversation was edited for length and clarity.
MHCSW: An HHS task force said health care cybersecurity is in ‘critical condition.’ How would you describe the state of cybersecurity in the industry?
Kevin Charest: The health care ecosystem is made up of roughly 470,000 entities. If you look at it at that massive a scale, there’s cause for concern as it relates to cybersecurity. Everyone is connected — through Medicaid, Medicare, different payers and the various networks they all belong to.
When you look at the most sophisticated, largest companies in the health care industry, like insurers and major pharmaceutical companies, their cybersecurity rivals any other industry’s. Oftentimes there’s this notion that health care is behind. It is somewhat, but it’s really only the smaller players who are behind.
The challenge is, small players make up the majority of the industry. Some of those entities have an excellent program, but many don’t, or have some varying levels of maturity as it relates to cybersecurity. These are tough scenarios that make it difficult for us to say health care is in great shape when it comes to cybersecurity.
MHCSW: Why are cyber criminals or hackers focused on the health care industry?
Charest: I don’t know that they’re focused on it. For many years, health care was not on the radar for the hacker community. The primary target for hacking and identity theft was the financial industry. The financial industry has invested tremendous amounts of money over the last 10 years and built fairly sophisticated systems to combat the onslaught they were dealing with. As a result, they have become more of a hard target.
The average hackers, by nature, are not the most industrious people in the world; they’re looking for a quick buck.
Health records can potentially be a prime target because they contain more than just personally identifiable information like names, addresses, and maybe Social Security numbers. Personally identifiable information can be used to commit fraud and identity theft, but that’s very limited. With a health record, criminals can generate many more opportunities for fraudulent activity. There is more opportunity with a health care record.
MHCSW: Earlier you said hackers aren’t focused on health care. Do you think it’s a big problem still even if it’s not their main focus?
Charest: Yes, it’s still an issue. The industry is seeing the overall number of compromises decrease, but there has been an increase in a new type of compromise targeting health care, called ransomware. (In a ransomware attack, hackers encrypt an organization’s data and demand payment to release it.)
(Ransomware hackers) started going after hospitals in 2016. These hospitals weren’t ready; their backup systems weren’t in place. Now, hackers can encrypt the entire medical database for a single hospital, leaving them unable to provide care for patients. There is nothing left for the hospital to do but pay the ransom.
Ransomware has become a massive revenue generator for hackers. They’ve gone from stealing the identities and data to generating revenue by ransoming the data.
MHCSW: When a hospital is compromised, who does that affect?
Charest: It affects everyone whose data has been encrypted (by the ransomware). For example, let’s say we have a member in that hospital receiving care. Now all the data is encrypted. Well, how does the hospital get paid by an insurer, how does it make a claim, how do we validate it’s real, how does the patient receive care? That patient’s care is at a minimum going to be interrupted. So you can see the downstream impact. It can be catastrophic.
MHCSW: What are health insurance organizations like yours doing to protect members and their data?
Charest: Many health insurers are developing robust information security programs. But oftentimes programs are focused on compliance — legal or regulatory compliance — and they’re policy-based. They focus on making sure employees have a complex password and that they don’t send protected health information in emails.
While those are important protections, organizations must also build the necessary monitoring systems. Sophisticated systems have developed appropriate controls and policies, designed security architectures, operate and/or partner to operate the necessary security tools, and have a rigorous cyberdefense capability.
To that end, my organization recently opened our CyberFusion Center in our new C1 Innovation Lab in Dallas. There, security analysts monitor data all day, every day to locate security issues. They review and address the alerts and monitor emerging threats to help protect members’ data.
MHCSW: What’s the future of cybersecurity in health insurance?
Charest: The future is, in my opinion, to help improve the security posture of smaller entities and practices, much like the financial industry did.
Health insurers have also got to work toward the ability to share time-sensitive, critical information about what’s happening from a cyberattack standpoint throughout the industry. Because, for example, if you’re another insurer, and you’re under attack, if you can share some information with us, I can build a defense before that attacker ever comes here. That kind of transparent, cross-sharing within the industry, that concept of a safe harbor where there’s no liability, that’s something that we strongly advocate for on the Hill. The Cyber Information Sharing Act (enacted in 2015) is attempting to address some of that.
The health care industry needs to develop low-cost, effective technologies that can be deployed in smaller operations that make up the majority of the health care system, and the industry has got to have the ability to collate and share what we find.
MHCSW: Do you see that happening now?
Charest: I do see the beginnings of it happening. The HITRUST Alliance (a nonprofit focused on safeguarding data and managing information risk) created a pilot proof of concept with small (physician) practices where they essentially deployed a technology that automatically blocks these things. There’s nobody in these small practices with the training (to protect information from hackers), any more than I would understand how to do thoracic surgery.
That’s the problem the industry is dealing with. But so far it’s working very well. They’re trying to show the industry that there’s a market for this — look, solve this problem and you’ve got 460,000 customers.