The New Perimeter: Cloud, Remote Access, and Health Care Cybersecurity
Mike Nelson, global vice president of digital trust, DigiCert
DigiCert's Mike Nelson breaks down the urgent need for health care organizations to standardize cybersecurity practices and rethink digital perimeters in a post-pandemic world.
Please introduce yourself by stating your name, title, and any relevant experience you’d like to share.
Mike Nelson: I am Mike Nelson. I am the global vice president of digital trust at DigiCert. My responsibilities include working with a lot of our top customers to help implement and apply the solutions that we bring to strengthen their security posture against all of the threats that are happening in today's world.
Before coming to DigiCert, I spent my career in health care. Health care is near and dear to my heart. I spent time at the US Department of Health and Human Services on the policy side, working on IT policies to help protect and secure critical infrastructure in health care. I then went to GE HealthCare and built medical devices and software, where I also saw the challenge of implementing strong cybersecurity. I've been at DigiCert for about 10 years. I have a lot of experience in the cryptography space.
The data show a sharp rise in third-party breaches—what are some of the key drivers behind this trend?
Nelson: As I look at the evolution of cybersecurity, organizations typically start with their own stuff. What software are we developing? Let's secure all of our devices. Let's secure our users. Let's make sure all of our systems have strong authentication. Those are manageable tasks, but when you start looking at third-party vendors and you're onboarding software or cloud technologies, organizations struggle to assess the risk of that.
As consumers, it’s hard to know how to get into cyber and protections. I always talk about a test that my parents could pass. If my parents are onboarding technology into their home, what questions would they ask around cybersecurity? They'd be clueless. They wouldn't even know what questions to ask. There are a lot of business leaders today for whom cybersecurity is relatively new, and they don't adequately know how to assess the technology or even ask the right questions around what's included in that software. Organizations need to get better at asking the right questions to do those assessments. I also believe that, as technology providers, we need to do a better job at communicating the software components that are included, and any vulnerabilities that are part of that.
The last thing I'll say about this is there are tools that are emerging that help organizations do a better job of that. There's something called a Software Bill of Materials (SBOM). SBOMs are a tool that’s being used more widely in the procurement process, where they say, "Hey, we're buying your software. Can you provide an SBOM?" It gives an ingredient list. It communicates to organizations what is in that package. It also should highlight the vulnerabilities and things that they need to be aware of.
That's a good step in the right direction, if businesses can start using tools like an SBOM. There's also a new tool called a CBOM, which is a Cryptography Bill of Materials. If you're buying a solution that has cryptography on it, you should know what it's being used for and where in the products it's being used so you can manage and understand that risk.
Organizations just don't know how to ask the right questions yet. They're not using the tools that are available to them to help do better in the procurement process.
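As an added illustration, not part of the interview, here is the kind of automated check a procurement team could run over a vendor-supplied SBOM/CBOM before a purchase decision. The BOM content, the advisory feed and the baseline policy are constructed for this example; the `cryptographic-asset` component layout follows the CycloneDX 1.6 CBOM style as an assumption.

```python
import json

# Constructed CycloneDX-style SBOM/CBOM for a hypothetical vendor package.
# Component names, versions and crypto entries are made up; the
# "cryptographic-asset" type and cryptoProperties layout are assumed from CycloneDX 1.6.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.6",
  "components": [
    {"type": "library", "name": "vendor-web-ui", "version": "2.3.0"},
    {"type": "library", "name": "vendor-db-driver", "version": "1.1.4"},
    {"type": "cryptographic-asset", "name": "TLS",
     "cryptoProperties": {"assetType": "protocol",
                          "protocolProperties": {"type": "tls", "version": "1.0"}}},
    {"type": "cryptographic-asset", "name": "SHA1",
     "cryptoProperties": {"assetType": "algorithm",
                          "algorithmProperties": {"primitive": "hash"}}},
    {"type": "cryptographic-asset", "name": "AES",
     "cryptoProperties": {"assetType": "algorithm",
                          "algorithmProperties": {"primitive": "block-cipher"}}}
  ]}"""

# Constructed advisory feed: (component, version) -> placeholder advisory id.
KNOWN_VULNERABLE = {("vendor-db-driver", "1.1.4"): "ADVISORY-PLACEHOLDER-1"}

# Procurement baseline: primitives we refuse and minimum protocol versions.
DEPRECATED_ALGORITHMS = {"MD5", "SHA1", "DES", "RC4"}
MIN_PROTOCOL_VERSION = {"tls": "1.2"}


def version_tuple(v):
    """'1.2' -> (1, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


def assess_bom(bom_text):
    """Return a list of findings; an empty list means the BOM meets the baseline."""
    findings = []
    for comp in json.loads(bom_text).get("components", []):
        name = comp.get("name", "")
        if comp.get("type") == "cryptographic-asset":
            props = comp.get("cryptoProperties", {})
            if props.get("assetType") == "algorithm" and name.upper() in DEPRECATED_ALGORITHMS:
                findings.append(f"deprecated algorithm in use: {name}")
            elif props.get("assetType") == "protocol":
                pp = props.get("protocolProperties", {})
                floor = MIN_PROTOCOL_VERSION.get(pp.get("type"))
                if floor and version_tuple(pp.get("version", "0")) < version_tuple(floor):
                    findings.append(f"{pp['type']} {pp['version']} below required {floor}")
        else:  # ordinary software component: check the advisory feed
            advisory = KNOWN_VULNERABLE.get((name, comp.get("version")))
            if advisory:
                findings.append(f"{name} {comp['version']} has open advisory {advisory}")
    return findings
```

A real deployment would replace the constructed advisory dictionary with a vulnerability database lookup and keep the baseline policy under change control alongside the procurement standard.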
How can health care organizations more effectively vet the cybersecurity practices of their suppliers and partners?
Nelson: Health care is a very broad ecosystem. You have the payers, the providers, the medical devices, and pharma. If you're looking at the health care providers, those environments are incredibly complicated. There are so many different systems. You have electronic health records (EHRs), medical devices, pharma, diagnostic devices, prescription management systems, and nursing workstations. There is so much technology there.
Standardizing approaches is the best way that health care organizations can at least start to establish a baseline for them. My encouragement, whenever I speak with organizations—because I get asked this a lot from companies that we consult in—is: you should look at the basics of cybersecurity. Do you have strong identity on the assets in your organization? Are you using that identity to properly authenticate all systems? Are you encrypting data that is sensitive? Are the IT systems set up to be able to be updated if new risks are identified? If they are, what's the process for updating, and how frequently will you be patching the systems to ensure that we maintain security?
Those are all questions that I would standardize across the purchases of any IT systems if I'm buying technology as a health care provider. Then you start standardizing and saying, "Look, we have a benchmark where we are not going to introduce technology that doesn't meet the standards that we have in our organization."
The other benefit of doing that is that you begin to change the industry in the right way. When you start changing procurement and you have those expectations of your third-party suppliers, third-party suppliers start building more secure products because they won't be sold if they're not secure. It's the right thing to do. Health care providers need to have more standards in procurement for cybersecurity. The health care industry is working on that. There have been a lot of things through group purchasing and things that the industry is doing to try to raise the level of security through procurement. We're still early in that and there's a lot of improvement that needs to happen.
With the growing use of cloud services and remote access, how should health care leaders rethink their digital perimeters?
Nelson: That's a great question. Let's be honest, the COVID-19 pandemic destroyed the perimeters of health care organizations. Before COVID, the perimeters were the wall of the hospital, and hospitals were very reluctant to do anything outside of that. They controlled their network.
COVID pushed a lot of remote care, a lot of telehealth. It opened up a whole new industry, but it forced the adoption of the cloud in remote care, which I think is a positive thing for health care. The industry is still trying to catch up to that change. I do think that there are still some gaps in security around that, but the cloud is being universally adopted in most industries today. It can be done in a way that is secure.
The challenge that health care has is, as they adopt the cloud, doing it in a way where cybersecurity is foundational to the approach—it’s not a bolt-on. Anytime you're trying to bolt security on after you've purchased something, that is the wrong approach. You have to architect and design for security as you're doing that. Organizations that do that thoughtfully move into the cloud in very secure approaches. The cloud can be very secure with the right approaches, but when you try to bolt it on or add it as a band-aid afterward, it becomes more challenging.
My recommendation to organizations is to make sure that, as you are embracing technologies like the cloud or remote connectivity, you have cybersecurity as one of the foundational elements of your architecture. You're being very thoughtful in making sure that identity, authentication, and encryption are part of everything that you're doing, and that anything that's connecting to the cloud is properly authenticated. Data should always be encrypted. When you employ approaches like that and use the latest and greatest standards, it's secure.
What advice would you give to health care leaders about ensuring that third-party security matches or exceeds their own standards?
Nelson: As I said, if you don't have standards, you need to have standards, and you need to work those standards into your procurement practices. You need to be really adamant about selecting vendors that are openly communicating about the security of their devices.
I would ask questions about strong authentication and password practices. We've seen horrible practices where passwords are embedded in the user instructions. The Verizon report talks about the challenges of passwords and recommends strong password practice; I can't emphasize that enough. But it's not just user passwords; it's also digital systems and having mechanisms to authenticate through things like digital certificates—making sure that it's not just password authentication; it's userless authentication, where systems are connecting but need to be properly authenticated.
I would ask questions around system updates, frequency, and how and when they do those. I would ask questions around encryption and how data are handled when stored. Are they using encryption when it's in transit? How are they protecting it? Make sure that the foundations of security—and the things that, as security professionals, we know need to be done—are there in the systems that you’re buying.
I would also begin using tools like SBOMs and CBOMs in their procurement and require their vendors to provide those. When you do, that gives you a really good insight into the software you're buying. Last year, the US Food and Drug Administration (FDA) began enforcing regulatory authority to prevent medical devices going to market that don't meet certain security standards. It’s great that they're doing that because that's going to help health care organizations to know that new products coming off are actually secure and meet certain benchmarks.
One of the things the FDA is requiring is that medical device manufacturers, when they submit to the FDA, have to include an SBOM. That's one of the tools that they're using to assess the trustworthiness of medical devices. It's cool that the federal government is using that tool, and all health care providers that are procuring technology should be doing the same thing.
© 2025 HMP Global. All Rights Reserved.