Part One: Cyberthreats and Assessing Third-Party Risk with Providence

More than one in every three Americans had their health care records stolen or compromised in 2023, creating threats to hospitals and health systems across the nation. For cybercriminals, the backdoor into the protected systems of hospitals and health systems often comes via a third party. In this first of a two-part conversation, hosted by the AHA's National Advisor for Cybersecurity and Risk John Riggi, Providence’s Adam Zoller, chief information security officer, and Katie Adams, cybersecurity director of clinical technology services, discuss the potential cyberthreats posed by third parties, and prevention strategies to keep organizations secure and alert.



00:00:00:18 - 00:00:25:06
Tom Haederle
More than one in every three Americans had their health care records stolen or compromised last year, making 2023 the worst year on record for cyber attacks against the health care field. So far, that is. If anyone thought 2024 would turn out better, February's cyberattack against Change Healthcare - still causing widespread problems throughout the health care system - does not seem like a promising start for improvement.

00:00:25:08 - 00:00:43:09
Tom Haederle
When such cybercrimes occur, however, it's easy to lose sight of the fact that hospitals are not the primary source of data theft attacks.

00:00:43:12 - 00:01:19:10
Tom Haederle
Welcome to Advancing Health, a podcast from the American Hospital Association. I'm Tom Haederle with AHA Communications. For the bad guys, the backdoor into the protected systems of hospitals and health systems often comes via a third party. That could be a business associate, solution provider or some other entity. In this podcast, hosted by John Riggi, the AHA’s National Advisor for Cybersecurity and Risk, we learn more about the risks posed by third parties from two cybersecurity experts with Providence, a large not-for-profit health care system operating multiple hospitals and medical clinics across seven states.

00:01:19:13 - 00:01:53:00
John Riggi
Thanks, Tom. Thanks for everybody joining again today for hopefully another very interesting podcast. And we have some very special guests here with us today. We have Adam Zoller, the chief information security officer from Providence. And we also have Katie Adams, the cybersecurity director for clinical technology services at Providence. Adam, great to have you here with us. Well-known, well-respected within the entire cybersecurity community, long history in technology, including with the U.S. Army, as I recall.

00:01:53:03 - 00:01:56:01
John Riggi
Adam, could you tell us a little bit about your background?

00:01:56:03 - 00:02:19:17
Adam Zoller
Thanks, John. Really happy to be here and thank you for the kind words. Adam Zoller, like you said, I'm the CSO at Providence and I've been with Providence for about four and a half years. And prior to that, I was in the U.S. federal government space, both on the government employee side of the house and in the consulting side of the house, doing cybersecurity for the federal government, what's now the CISA organization, and then pivoted over into the commercial sector.

00:02:19:17 - 00:02:28:04
Adam Zoller
I served several years at General Electric in various roles in various companies under GE, and like I said, now at Providence. Happy to be here.

00:02:28:06 - 00:02:42:01
John Riggi
Great. Thanks. Great to have you here, Adam. And Katie, great to have you here as well. I know you've got a tremendously difficult job, as all of us do, but especially you in the medical device space. Could you tell us a little bit about your background?

00:02:42:03 - 00:03:04:09
Katie Adams
Absolutely, John. Thanks so much for the opportunity. So my name is Katie Adams and I am the director of cybersecurity for Clinical Technology Services here at Providence. And I'm actually relatively new to the cybersecurity world. So I've worked at Providence in project management and health care operations for a little over 12 years now and just stepped into this role in the last year and a half or so.

00:03:04:11 - 00:03:13:27
Katie Adams
In my role, I really work to bridge the gap between technology and patient care to promote cybersecurity throughout the organization. So looking forward to the conversation.

00:03:14:00 - 00:03:45:28
John Riggi
Thank you, Katie. Again, great to have you here. And this is a very, very timely conversation that we're about to have. Fortunately and unfortunately, as I said, your expertise is in high demand right now. And this is a very significant area of interest, especially when it comes to third party risk, which we'll be talking about today. And let me back up a little bit and talk about 2023 and the types of attacks we've seen, the volume and sophistication of these attacks, and the attack vectors.

00:03:46:00 - 00:04:30:09
John Riggi
So 2023, unfortunately, is the worst year on record for cyber attacks targeting health care, and hospitals specifically. Largest number of protected health information data breaches ever. 126 million Americans had their health care records stolen or compromised last year. Ransomware attacks up 300%. Ransomware attacks accompanied by data theft as well, and of course, data extortion attacks. The ransomware attacks are the type of cyberattacks we're most concerned about because they result in, as we've seen over and over again, significant disruption and delay to health care delivery, risking patient safety.

00:04:30:11 - 00:05:06:07
John Riggi
But, you know, when I look at the numbers, Adam, Katie, there's a lot of stories behind the numbers. You dig deeper, you realize one: hospitals are not the primary source of data theft attacks. It's actually business associates, third parties and other types of health care providers. And you dig a little further and you see that not only is it the business associates that are being targeted quite heavily, it's third party technology and solution providers that are often the attack vector and the source of technical vulnerabilities which lead to other types of attacks.

00:05:06:09 - 00:05:27:00
John Riggi
And unfortunately, 2024 is not shaping up to be any better than 2023. Lots of reasons for that. Let's take a deeper dive on third party risk management, and especially in an organization your size. Adam, if I could start with you. How does third party risk manifest itself in a hospital system the size of Providence?

00:05:27:02 - 00:05:51:25
Adam Zoller
Yeah, that's a great question. You know, as you mentioned, you know, hospital systems, health care providers are incredibly reliant on third parties to deliver critical services to our patients. Especially in Providence's case, the communities that we serve within, and the poor and the vulnerable. And this results in these attacks against third parties, and the risk results in lost productivity, both on the clinical side but also on the IT and security team side.

00:05:51:27 - 00:06:29:02
Adam Zoller
I spend a tremendous amount of my time and my team spends a tremendous amount of their time both assessing and addressing third party security risk before third parties are onboarded. And then after the third parties are onboarded, we spend a tremendous amount of time managing risk. As you mentioned, a lot of these attacks are coming in through the third party angle, whether it's reportable events like data theft events impacting business associates, or the regulatory risks that third parties introduce in our ecosystem or managing reputational impact, the third parties that introduce risk in our organization or get compromised managing that reputational impact, the results of that.

00:06:29:04 - 00:06:51:03
Adam Zoller
And then of course, the direct incident side of the house. From a third party perspective, we deal with a number of third party incidents. Like you said, 2023 was kind of a standout year when it comes to incident volume. In 2024, we're seeing, if not the same incident volume, but in the first couple of months and, you know, an increase in the first couple of months as far as incident volume is concerned.

00:06:51:06 - 00:07:14:15
Adam Zoller
And we're seeing incidents occur that span the entire gamut of types of incidents. You can imagine things like data theft, data loss that require us to report to regulators or impactful incidents like ransomware events that impact third parties. And these ransomware events can result in anywhere between, you know, a week of downtime for that particular third party, to upward of a month of downtime for that third party.

00:07:14:15 - 00:07:21:17
Adam Zoller
And when you're talking critical services that clinicians rely upon to deliver care, that can be very impactful.

00:07:21:19 - 00:07:41:17
John Riggi
Yeah, thank you for that, Adam. Absolutely right. And again, we've seen the impacts that ransomware attacks have on third parties. As you said, if they are mission critical or as I say, life critical in some instances, the bad guys have figured out, again, we're talking bad guys that are primarily based in Russia when it comes to ransomware groups.

00:07:41:24 - 00:08:07:03
John Riggi
They understand if they attack a key third party strategic node, let's say like an oncology software provider or a timekeeping service or many others, or a quote-unquote "secure file transfer system," they know that gives them access to many organizations and the disruption is magnified, thereby forcing that third party into a very difficult position, perhaps to pay the ransom.

00:08:07:06 - 00:08:18:18
John Riggi
So we talked about clinical impact, Katie, that's your life and your world. Talk to us about how third party risk manifests itself on the clinical side of Providence.

00:08:18:20 - 00:08:39:02
Katie Adams
Yeah, absolutely, John. I think just to add on to what Adam was saying, you know, it really takes a village to deliver quality health care to our patients and our communities. And when third party systems go down, whether that's inside of Providence or whether it's vendors that are delivering critical care and critical services to our patients and our caregivers, it has a big impact on the organization.

00:08:39:02 - 00:08:55:29
Katie Adams
You know, we're looking at rescheduling patients for critical appointments. You know, you mentioned oncology patients. In the cancer space those treatments are really time sensitive. And so if we need to end up delaying their care as the result of a cybersecurity incident, it's a significant impact on our patients and our organization.

00:08:56:02 - 00:09:20:21
John Riggi
Yeah, thanks Katie again for pointing that out. It is the delay and disruption to health care delivery by these cyberattacks which creates the risk to patient safety. I say this all the time to anybody who will listen, including my current and former colleagues at the FBI and across all government agencies. A ransomware attack on a hospital or one of our mission critical third party providers is not a data theft crime.

00:09:20:21 - 00:09:44:25
John Riggi
It is not a white collar crime. It is a threat to life crime. We understand the impacts. We see them constantly. Adam, going to get back to you for a minute. So Providence, massive system, multibillion dollar multi-state system. And I would assume that you all should not have any issues dealing with third parties at all, that you have it all under control, you have everything you need.

00:09:44:28 - 00:09:57:13
John Riggi
And those third parties simply adhere to any request you make. I don't think that's the case. But, so given your size, let's talk about how do you manage third party supplier risk at scale?

00:09:57:16 - 00:10:16:05
Adam Zoller
Yeah, you know, Providence, like other hospital systems, deals with a lot of the same sort of issues and incidents I would imagine that we're seeing sector-wide. So when we talk about managing third party supplier risk at scale, I think it's, you know, there's aspects of the people side of the house which I won't really touch on, but process certainly.

00:10:16:07 - 00:10:46:08
Adam Zoller
And then on the technical front, managing technical risks that third parties introduce also comes into play. So I think where I would start is, number one, just generally speaking, kind of on the people and process side: consolidation of roles and responsibilities when it comes to how you manage third party risk in a health care system. We've consolidated at Providence all the roles and responsibilities for clinical engineering under one accountable leader, and that accountable leader rolls up to the same accountable leader as cybersecurity at Providence.

00:10:46:08 - 00:11:16:27
Adam Zoller
So my boss, BJ Moore, the CIO, a huge proponent of cybersecurity and of managing clinical risk, is now accountable for both the clinical aspects of device management and engineering, but then also the cybersecurity aspects of the clinical device space and the third party applications space. And by having that consolidated level of roles and responsibilities up to one accountable leader, then you don't run into the same prioritization issues that I think a lot of my brethren in the space are dealing with.

00:11:17:00 - 00:11:38:14
Adam Zoller
I would say also a security culture. A lot of security organizations kind of operate in the shadows and don't like to share their priorities or don't like to share the compensating controls that they have in place for cybersecurity or don't like to, frankly, share that we're having cybersecurity incidents very openly that are targeting either clinical devices or third party applications or third party services.

00:11:38:16 - 00:12:04:01
Adam Zoller
And we've taken a bit of a different approach at Providence. And that's an approach of not necessarily oversharing because there is risk to oversharing, but sharing with the appropriate level of individuals in our organization that we are facing cyber events and what we're doing specifically about the cyber events and what we're doing specifically to manage the risks. And I would also just generally say it's easier to catch issues on the way in than manage issues that are already in your environment.

00:12:04:01 - 00:12:29:11
Adam Zoller
And what I mean by that is having strong controls for vendor onboarding and third party risk assessments and architecture assessments upfront so that you're managing the risks that you accept when the vendors get onboarded into your ecosystem versus having to go play catch up and clean up after the fact makes it much, much easier. To that end, centralizing purchasing power in your organization is going to be a strong lever that you can pull to manage the risk that you're bringing into your environment.

00:12:29:11 - 00:12:48:12
Adam Zoller
Because if somebody in the field can't go out and buy whatever they want without going through the security process, that's going to prevent a lot of security risk from being inherited into your system. And then also, I would say just lastly, proactively address vendor security challenges and challenge the vendors when they come to you with proposed solutions that are insecure.

00:12:48:15 - 00:13:18:02
John Riggi
Thanks, Adam, for that. Couple of key points you mentioned. I think they're worth repeating. One, the consolidation of clinical engineering and cybersecurity under the same accountable leader, the chief information officer. We have seen a lot of institutions moving to that model to eliminate the gap. Quite frankly, we have seen the other alternate structure, where clinical engineering and biomed are totally separate, not managed by a chief information officer.

00:13:18:04 - 00:13:38:12
John Riggi
There is a gap in communication and visibility to the vulnerabilities, even in inventory, networks and so forth, that the bad guys exploit. They have exploited very frequently. Katie, what are your thoughts on all of that? Adam, you know, gave us a great overview picture. How does that impact you directly?

00:13:38:14 - 00:14:03:16
Katie Adams
Yeah, absolutely, John. Well, I actually wanted to go back to, I think, part of your original question that's really important to call out, which is how do we manage risk at scale? You know, Providence is a really large nonprofit health care organization with over 52 hospitals and over a thousand clinics spread across seven different states. And especially because we are a health system that has combined several different smaller systems over time to become the organization we are today,

00:14:03:18 - 00:14:32:25
Katie Adams
we have a wide range of vendors, specifically in the medical device space. Different makes, different models. And so as we think about third party risk, really trying to manage and oversee all of those different permutations becomes quite complex quite quickly. And I think an additional layer that Adam was speaking to earlier is really a lot of these medical devices are so specialized from a clinical standpoint that there may often be only one or two vendors in the market that are even making this type of machine to deliver the clinical care that we need.

00:14:32:28 - 00:14:45:03
Katie Adams
And so in that case, it's really imperative that that vendor take cybersecurity quite seriously because there aren't a lot of other alternatives for us to look toward to be able to still deliver that same care to our patients.

00:14:45:06 - 00:15:14:15
John Riggi
Right. And again, I think you have some unique challenges as large as you are. There's often that misperception out there that, you know, they're large. They, again, have all the resources. They don't have the same challenges as other systems. But you have different challenges. As you said, you were formed by the acquisition of many other systems that did not have the same controls, perhaps, in place, and the policies, and the wide array of vendors that you have to now deal with.

00:15:14:18 - 00:15:23:03
John Riggi
Adam, back to you. What types of incidents or events have you faced over the past several years and especially those that relate to third parties?

00:15:23:05 - 00:15:42:01
Adam Zoller
Yeah, I think if you can imagine it, we've probably faced that. And you know, Katie's also on the front line of this and helping us remediate once we do get hit by these attacks. But as you mentioned, John, earlier, I mean, we're seeing an unprecedented level of attacks across the health care industry and we're on the receiving end of a lot of those attacks at Providence.

00:15:42:01 - 00:16:06:23
Adam Zoller
So, you know, external attackers trying to commit payer provider fraud, you know, on the less impactful, I guess, the business operations side of the house. But, you know, just as impactful when you look at financial implications of being able to steal money that's due to a hospital system from our payers. So we've seen a lot of fraud attempts, a lot of social engineering enabled fraud attempts, targeting our hospital system and the payers that we work with.

00:16:06:26 - 00:16:34:01
Adam Zoller
We've also seen attempted ransomware attacks. You know, knock on wood, we've been able to stay ahead of these ransomware attackers through, you know, really doubling down on doing the basics well at Providence and being very proactive in the way that we deal with managing security risk. We've also seen external attackers targeting our data for data theft purposes, you know, sometimes in conjunction with, or I suspect to be in conjunction with, ransomware attacks.

00:16:34:04 - 00:16:55:09
Adam Zoller
We've also seen denial of service attacks. Those still exist and they're still being perpetrated by activist groups worldwide. We've had vendors on the third party side of the house bringing in infected laptops into our environment to perform maintenance on clinical devices and then introducing malware into our environment as a result of that infected laptop being plugged into a system.

00:16:55:12 - 00:17:17:10
Adam Zoller
We've also had third parties being hit by just about everything that I've talked about thus far, but I'll kind of zone in on number one: third parties being hit by ransomware. We've had some third parties that we rely on for clinical services that have been hit by ransomware attacks in the last several years. And as I mentioned before, those ransomware attacks have knocked these third parties offline for in some cases over a month.

00:17:17:16 - 00:17:38:24
Adam Zoller
And you can imagine that can be very, very impactful for a hospital system that's reliant on, for example, a third party to do lab work that gets hit by ransomware. And then we have to figure out where are we going to get that lab work done and then go forward. How do we work with that third party going forward to make sure that we're not accepting an inordinate amount of cyber risk by continuing to do business with that third party?

00:17:38:26 - 00:18:04:15
Adam Zoller
And then lastly, we've had third parties hit with data theft, and these third parties, as business associates, are oftentimes then collaborating with us, where we're both kind of on the hook to regulators to report these incidents and make sure that the victims of these incidents, the patients that we care for, get notified that they were the victim of a data theft event, and then provide them with potentially credit monitoring or identity theft monitoring.

00:18:04:17 - 00:18:15:23
John Riggi
Yeah. Thank you, Adam. Clearly, the risk from your business associates transfers to you. But it's not just the technical risk. Legal and regulatory risk. All of that.

00:18:15:26 - 00:18:24:08
Tom Haederle
Thanks for listening to Advancing Health. Please subscribe and rate us five stars on Apple Podcasts, Spotify or wherever you get your podcasts.