Healthcare Cybersecurity: Safeguarding Patient Data

Join Bryan Harper, NIHD's ITS Director, as we explore healthcare cybersecurity. Bryan shares insights on threats and offers tips for keeping your data safe.

Featured Speaker:
Bryan Harper, HCISPP, CEH

Since 1998, Bryan Harper has built a distinguished career in healthcare operations and security. Joining Northern Inyo Healthcare in 2015, he has honed his expertise, having previously held key roles at UNC Healthcare and Eastern Radiologists, the largest radiology practice in Eastern North Carolina. Bryan holds certifications in offensive and defensive cybersecurity. As ITS Director and Cyber Information Security Officer at Northern Inyo Healthcare District, he leads with a passion for innovation and a commitment to the highest standards of cybersecurity in healthcare.

Transcription:

Cheryl Martin (Host): Healthcare facilities are known for being attractive targets for cybercriminals. So, what can healthcare organizations do to combat these threats? And what can you do to keep your patient data safe? We get some answers from Bryan Harper. He's the IT Director and Information Security Officer at Northern Inyo Healthcare District.


This is Mountain Medicine, a podcast from Northern Inyo Healthcare District. I'm Cheryl Martin. Bryan, so glad you're on to discuss this vital topic and concern.


Bryan Harper: Thank you for having me.


Host: First off, what are the current cybersecurity threats in healthcare and how can patients protect themselves?


Bryan Harper: Well, some of the bigger ones are, you know, ransomware attacks, where they hold hostage our data and the patient data. We also have phishing, which is a solicitation by email; social engineering, which is done through social media or through emails or voice solicitation through phone calls. We also have advanced persistent threats, which are basically long-term covert operations that are used to exfiltrate data over a certain amount of time. And obviously, we have the Internet of Things, which are medical devices and vulnerabilities that pose risks to people.


Host: So, when these threats happen, can patients do anything to protect themselves?


Bryan Harper: Absolutely. So, they can be cautious with their personal information. Obviously, avoid sharing personal health information over unsecured-- basically meaning, you know, if emails are coming in, don't send personal information through emails, and don't just give out your information to unverified channels, meaning somebody just calls you out of the blue or sends an email. And that's kind of one of the biggest things. Obviously, monitor your medical records, just like you would do with your own credit, to kind of check your health records. Make sure there's no unusual activity or discrepancies in your medical record. And the last thing is probably using strong passwords for your medical records or your portals or anything like that. So, those are just three of the smaller things you can do.


Host: Okay. So, it's fine if you are, let's say, talking directly to someone at the hospital and they're asking for personalized information to give it over the phone.


Bryan Harper: Yeah. You also want to make sure that you're actually talking to the hospital. So, if you get an unsolicited call, they should be able to validate some information for you. What you'll find a lot of times is, with the voice solicitation, these hackers will have personal information. So, it's kind of tricky. And with the advent of AI, it makes it even harder because a lot of people are calling from overseas, and you used to be able to tell that. But now, with AI, they can actually mimic Western voices and talk just like we do in the U.S. So, you have to be very careful of those things. So, if you have concerns, tell them you'll have to call them back, and actually call them instead of waiting for them to call you.


Host: I actually did that one time when I had placed a call for a specific person to call me from the hospital and then another person called and responded in general, and I was just a little nervous, and I did not give them the personal information they were asking for. Just to be on the safe side.


Bryan Harper: That is the best thing to do. Just like with anything, you know, you don't take calls from banks or stuff like that. You always want to make sure you're making the initiation of the phone calls to make sure you're talking to the right people.


Host: Now, Bryan, you covered current cybersecurity threats. Any other challenges overall that healthcare organizations face in cybersecurity?


Bryan Harper: Yeah. Obviously, data sensitivity is kind of a big target for cybercriminals, being able to compromise your sensitive data. Obviously, in healthcare, a lot of times healthcare is behind the eight ball, as we say, with technology because of older and newer systems mixed, so it makes the security complex because of the different things that we have to do. And then, obviously, resource constraints: a lot of hospitals do not have the budgets or have staffing limitations that can hinder implementation of effective security measures. So, those are just some of the unique challenges in healthcare.


Host: So, what then in those instances are best practices for these hospitals who may be limited in resources?


Bryan Harper: Yeah. I mean, obviously, you want to do regular security audits. Obviously, in California, we have to follow certain protocols. We do the risk assessments. We do third-party penetration testing, which is ethical hacking, where we pay a company to actually do hacking and find vulnerabilities. Those help us find those weaknesses. And, obviously, we want to do training for our staff. Here at the district, we do in-person training. We do video training. So, keep your staff trained, because with technology, we can do all the technology pieces we possibly can. But at the end of the day, we call it the human firewall. If you get a phone call or an email and you click on something or you give out personal information, you've compromised us. So, we want to make sure our staff are properly trained. Then, obviously, we want to implement multi-factor authentication, which enhances the security, requires additional authentication, kind of the equivalent of an ATM. With your ATM card, you actually have a card and you also have to have a PIN. So, that would be an example of multi-factor authentication.


Host: Now, is there anything that patients can do to help maintain HIPAA compliance?


Bryan Harper: Obviously, they want to make sure their data is encrypted. So, if they're given flash drives with their personal information to take to organizations or hospitals, you want to make sure that data is encrypted and make sure that you're not losing that data. The other thing they can do is make sure that if they're using a machine at home or a laptop, those things are up to date, because if, for some reason, there's something on your personal device and you stick the flash drive in because you want to check your medical records, that data could then be transmitted to the USB, and then, taking it to another organization, you could compromise that organization along with your medical records. And then, just make sure you have access controls. Know who you're giving your data to and things like that.


Host: So, you recommend writing their names down?


Bryan Harper: Correct. I would definitely ask who's inquiring about that data.


Host: Okay. You mentioned vulnerabilities. Any others that you want to mention, and in terms of anything else that can be done so they can be mitigated?


Bryan Harper: Yeah. The first thing you want to do is, if you see anything, report suspicious activity or anything that looks out of the ordinary. Make sure you're using common sense. It all comes down to that.


Host: So, how do you balance accessibility and strong cybersecurity and healthcare systems? And then, once again, can patients and families do anything to help?


Bryan Harper: Yeah. So, using an approach with security-friendly security measures, basically employing security solutions that balance usability and protection, such as single sign-on and using strong authentication. And then, obviously, continuous training. Training the staff, training the patients. There are all types of classes out there that patients can take for free for protecting themselves. Make sure you're understanding the world that we live in today. And then, obviously, from a patient standpoint, support their health organizations in those investments. Make sure you're engaged with your health organization. Make sure that it's getting properly funded. Because at the end of the day, the funding that we use for cybersecurity protects your personal data. So, those are some of the things that I would highly recommend.


Host: Bryan, you touched a little bit on this, but I would like for you to expand. How can healthcare employees contribute to cybersecurity? And just talk about what that means for patient data protection.


Bryan Harper: So, obviously, employees have an active participation. They have to follow the security protocols that are set out. Obviously, we talked about training, regular training, training themselves. And then, obviously, we have reporting mechanisms, making sure that they're reporting any suspicious activities or phone calls. And just do those common-sense things when you're dealing with people's personal data.


Host: Now, you use the term Internet of Things earlier. Expand more on that and how should organizations and patients secure connected devices and technologies in healthcare.


Bryan Harper: Yeah. Obviously, one of the things that we do here at Northern Inyo is segmentation. So, our medical devices and our normal stuff are completely separate. So, we want to make sure we're mitigating risk for that, which helps the patients, so you don't have to worry about your IV pump and the things that are going to be hooked to you potentially being hacked because they're on the same network. Doing regular security updates. Keeping firmware and our software up to date. And we do device monitoring and implementation of real-time monitoring so that we can respond to unusual activities.


Host: And is anything required for patients when they, let's say, are staying in the hospital for a few days or weeks with their devices?


Bryan Harper: Yeah. So, I would say if you have devices, I would adhere to the security guidelines of the manufacturers. Don't be trying to make changes. And then, obviously, you want to report your issues to your healthcare provider or the manufacturer of the device.


Host: So, how should healthcare organizations and patients prioritize cybersecurity investments and allocate resources effectively? Because do you see this getting worse before it gets better?


Bryan Harper: Yeah. Healthcare is the number one target of cybercriminals because we hold a lot of personal information. If you've ever paid by credit card, you have, you know, your social security number, your driver's license, so we're a one-stop shop. So, for prioritization of investments and things like that, we want to do risk assessments. Obviously, as I discussed earlier, we want to make sure we're doing all the things that we're required to by law. And then also penetration testing, which is the hacking we do legally with a third-party company to find those things. We want to make sure that we're focusing on critical areas, again, such as employee training, encryption of our devices, and using threat detection tools.


Host: What you've just shared is a perfect segue to this. What other strategies, Bryan, are you using to stay ahead of these cybersecurity threats? And anything patients can do on their part that you haven't covered?


Bryan Harper: Yeah. So, from a threat intelligence standpoint, we use multiple intelligence avenues. We use the Critical Infrastructure Security Agency, which is CISA, which is under the Department of Homeland Security. We use the California Security Agency. We also use part of the FBI. And then, we kind of use all that threat intelligence along with some of the tools that we use here in the district to stay up to date on new threats and vulnerabilities and mitigate those. And we're always constantly evolving our security measures because, like everything in technology, technology changes daily. So, what we do today, tomorrow will not be effective, so we have to constantly stay up to date.


Host: So, patients should have a sense that you're doing everything you can to be ahead of the game.


Bryan Harper: We're doing everything we possibly can to stay ahead of the game as much as possible. We have to be right 100% of the time. They have to be right once. So, it comes down to the persistence of the threat actor and the persistence of our team, which is the reason why we talk about funding and making sure we're getting the things that we need.


And then, obviously, we want to utilize security awareness websites for the patients. The patients can go and check their personal information to make sure that they've not been breached. Because, obviously, if they've been breached and potentially their data has been out there, their medical records could be out there, not necessarily from us, but from other organizations that may have had a breach, or their personal stuff has had a breach. So, they can check those things on certain websites.


Host: Now, any other future challenges and opportunities you see in healthcare cybersecurity that you want to share before we wrap up?


Bryan Harper: Yeah. So, obviously, there's increased regulation that is going to be coming out, hopefully, that kind of has compliance requirements to enhance data protection. So, obviously, new technologies require updated security strategies. And then, we also want to make sure we're collaborating with our partners, like the FBI, CISA, and those organizations, to make sure that we're protecting the patient and personal information of pretty much everybody that's coming in our doors. And so, we have to have greater collaboration with our healthcare providers, our vendors. This is all crucial for security posture.


Host: Bryan Harper, thank you so much for just helping us navigate the latest in healthcare cybersecurity and also just for giving us tips on how to safeguard our patient data. Thank you so much.


Bryan Harper: so much. Thank you for having me.


To learn more about Northern Inyo Healthcare District, just visit our website, NIH.org. And if you found this podcast helpful, please share it on your social media. And for other topics that may be of interest to you, check out our entire podcast library. This is Mountain Medicine, from Northern Inyo Healthcare District. Thanks for listening.