Presentation submitted by Nargiz Geybullayeva, Nicholas Lauerman and Fritzi Lea Müller.
Undergraduate and graduate students from leading universities around the world were tasked with creating a cybersecurity strategy for a U.S. health system that is inclusive of their supply chain, addresses the threat of gray market and counterfeit products and includes approaches to monetize the cyber hygiene capabilities.
The mission of MHS is to improve healthcare quality, safety and patient experience through innovation. Thus, we need a cybersecurity strategy inclusive of the supply chain that addresses the needs, fears, and wants of MHS’s patients. Patients want easy access to healthcare but are afraid of data breaches. Therefore, MHS must earn the trust and confidence of their patients.
We propose an extended zero trust strategy with three sections to achieve this goal. A zero trust strategy concentrates on how to handle internal threats and vendor relationships. This approach is necessary because the majority of cyber attacks come from internal actors and because of the interdependencies between crucial data and infrastructure, services, and users. With this integrated approach, we believe that the vulnerability of healthcare IT systems can be resolved. The three sections of our approach are RFID technology, private cloud technology, and a hackathon.
In order to keep MHS patients physically safe, the counterfeit and gray market problem must be addressed. After weighing innovation against feasibility, we decided that the best option for MHS would be to implement RFID technology. It has been heavily tested and will be easier to implement than many newer technologies. Our analysis demonstrates why the high initial investment is outweighed by the benefits. Additionally, this technology has successfully curbed the counterfeit and gray market problem in many other industries time and time again. In one example, the technology was able to save lives by reducing the occurrence of potentially lethal counterfeit baby formula. In order to increase the chances of success, we recommend teaming up with Vizinex, an RFID solutions company that has had previous success in this industry.
In order to gain the trust of the patient, MHS must also consider the software security aspect. When looking at how to do software updates, we looked to the financial industry because it is also a target for cyber attacks due to its access to sensitive information. The world's largest ATM operator, Cardtronics, showed that doing updates through a private cloud, rather than from a flash stick, is more secure, cost-efficient, and scalable. Wanting a tried and true solution, we decided upon Azure API, the private cloud platform for health record sharing from Microsoft Healthcare. Currently, the platform is being utilized by other industries such as banks and financial service providers, the chemical industry, and insurance companies. At the same time, it prevents fake updates (ransomware and trojan horses) by providing automatic updates and an antivirus called Microsoft Security Essentials. This solution would therefore enable MHS to conduct updates faster, more efficiently, and more securely.
While our first two sections covered the hardware and software aspects, we needed a way to integrate our approach. In order to ensure MHS is constantly ahead of cyber threats, we believe a hackathon would be necessary. In addition to testing current systems, it would allow MHS to test the functionality of new systems before rolling them out. In MHS’s situation, we believe a student hackathon, rather than a corporate hackathon, would be appropriate. This would allow innovative approaches to problems and help protect MHS against the future shortage of skilled IT workers. After a pre-selection phase, the participating teams will select one of three spectrums to compete in. This hackathon should be repeated each year to keep on top of current trends.
To successfully introduce our extended zero trust strategy, we recommend applying Kotter's 8-step model. The three main sections of this model consist of creating a climate for change, engaging and enabling the whole organization, and implementing and sustaining the change. This model would then be combined with the IT roll-out strategy suggested by Google, which consists of three phases. Within five to six years, the Core IT Adoption, Early Adopters, and Global Go-Live waves should be completed. In order to take this approach, certain resources need to be allocated. For the extended zero trust strategy to go smoothly, MHS needs to dedicate capital for initial investments, time to develop relationships with partners, a specialized IT team, and change ambassadors at every level of the organization. To promote communication and engagement with both employees and patients, we recommend holding information events that demonstrate the benefits of the strategy, segmenting patients into different levels of change resistance, and training employees on how to handle each level. If implemented correctly, MHS's supply chain will become more transparent, integrated, and secure.
To track the improvement, we created KPIs in two buckets. One bucket contains patient satisfaction and employee involvement. The other bucket consists of quantitative KPIs, such as reported incidents, cost per incident, and system downtime during an incident. With these KPIs, we are also able to quantify the return on investment of our strategy. In short, the ROI of MHS's cybersecurity investment is the hypothetical loss from cyber attacks minus the investment made to prevent cyber attacks. This difference is then divided by the cost of the investment. For this calculation, the average cost of a breach within the healthcare industry, $6.5 million, needs to be considered. On the investment side, the implementation cost of RFID technology, the cloud solution ($500k-600k per year), the hackathon ($15,000), and the extended zero trust strategy need to be considered. In order to help continue driving innovation, we suggest applying for federal funding. A few organizations from which MHS could potentially obtain funding are the Food and Drug Administration, the European Commission, and the National Institutes of Health.
An extended zero trust strategy has the potential to remedy the main threats to an IT system: internal threats, breaches caused by vendors, and hardware and software vulnerabilities. We believe that, with this approach, MHS can reduce the vulnerability of its IT systems while increasing the quality of its service. If you have any further questions, please feel free to reach out to our team.
Fritzi Lea Müller