Shawn Tuma: Cybersecurity Is Warfare

In this interview from our coverage of the 2024 Community Oncology Conference, Shawn Tuma, JD, CIPP/US, partner and head of the cybersecurity and data privacy practice at law firm Spencer Fane LLP, addresses common causes of health care data breaches, how he helps clients reduce their risk and be better prepared for these situations when they occur, and effective fixes to remedy and prevent future damage.

Tuma was a panelist for the discussion, “Guardians of Confidentiality: Navigating Cybersecurity & Data Privacy in Oncology.”

Transcript

What are the most common causes of health care data breaches?

With cyberattacks, we have 3 main types that we're dealing with. We have the attacks on the organization itself: the first-party attack. Then we have attacks on organizations that support and that are downstream from the covered entity; that could be your managed service provider, your IT [information technology] infrastructure. And then we have attacks on the supply chain in general, like we've now seen with [the cyberattack on] Change Healthcare. So that's services that you're relying on as an organization.

When it comes to attacks on the organization itself, the first-party attacks, historically, ransomware has been mostly caused by remote desktop protocol [RDP] being enabled in the network, having IT that is not fully prepared to do security. In my world, there's a difference between IT and security. IT makes things happen; they make the computers come on. Security prevents bad things from happening; they keep you from having these attacks and these losses of data. And those are 2 very different skill sets, and in my view, require different expertise in different teams.

So, the biggest reason we typically see is, organizations are trying to use their IT team to be their security team. I don't care how good your IT is, they're just not up to this task in today's sophisticated world. What that means is, we see a lot of failures of basic best practices, things like having that RDP enabled in the environment. And then we get on a call with IT and they say, “Oh, well, we had it protected because we changed the port number,” or something like that. Anyone in security knows that doesn't protect it, but people in IT don't. We see failures of having appropriate backups and of testing those backups to make sure that they are viable, because even if you have them, sometimes they're not always viable, and they can't always be restored. So we need testing of the backups.

[We see] failure of having multifactor authentication enforced throughout the network, especially on privileged accounts. I know no one likes to have to go through the process of entering your password, and then clicking on the little app or using the token or whatever, but that stops so many cyberattacks that it really must be done today.

Your basic firewall, your network, how that structure is keeping things patched and updated for recent security vulnerabilities is very important. User training, good password management, phishing testing—all of these things are critical components of what lead to these cyberattacks, and these are things that should be done to help prevent this. There’s a lot of good resources out there on your best practices.

But really, you've got to take cyber [security] seriously. You've got to understand it's hard, it's expensive, there's no easy way to do it, and you have to be committed to doing this. And you have to have a true risk management program now, because cybersecurity is not a problem that can be fixed. It's not. You cannot fix cybersecurity. It is warfare. It is an active threat actor on the other side that every time you put a security feature or a fix in place, they then find ways to counter it. So this means you have to have an ongoing process for how you do your risk assessments—because that's the foundation—and then how you go through the process of strategic planning and mitigating against that. Then you start with your testing, your training, you do your assessments all over again, and it's an ongoing process.

I really want to point out the importance of that risk assessment process. To me, that's the most important phase. For one, you can't protect against what you don't know and you can't mitigate risks that you don't know exist. And number 2, the US Department of Health and Human Services Office of Civil Rights is the primary regulator in the area of health care, and they have made it a priority for many years now to focus on that risk assessment process. That's something they absolutely look for in every data request we get from them following an incident. So they want to see for years, you've been doing that. They also want to see that your organization has adopted what they call recognized security practices. And they have a excellent resource on that on the internet. It's called HHS 405(d). It's a great place for people to go and find more information. This is how we get our clients through that risk management process, focusing on a lot of that.