February 06, 2023
CIO Mathias says healthcare needs a stronger public-private partnership.
The head honcho of IT at the U.S. Department of Health and Human Services (HHS) stood on the ballroom stage during AFCEA Bethesda’s 15th Annual Health IT 2023 summit and talked tech to technology professionals. Tapped to give a keynote address, Karl Mathias, HHS’s CIO, shared his vision for a more robust public-private partnership, one that would advance healthcare in meaningful ways. Then he issued an invitation.
“Join us in the quest to save lives,” Mathias said.
Working together, he said, government agencies and private-sector IT companies could continue to advance innovative solutions to difficult healthcare challenges: cyberattacks on healthcare facilities, fragmented technology that pulls healthcare workers away from patients, data silos, and failure to leverage business intelligence buried in data silos. Mathias encouraged the audience to step up and support advancements in human-centered care, cybersecurity, data, and artificial intelligence (AI).
Data
In a few weeks, HHS will publish a new data strategy that has been in development “for a while,” Mathias announced.
“HHS is a data-generating organization, and it needs to use that data effectively to … provide comfort and save lives and enhance the health of Americans everywhere. If our data is used properly, it could be an invaluable asset.”
Data is the driver of research underlying medical breakthroughs. Too often, though, data gets stuck in silos. Looking to the future, Mathias said the goal is to enable researchers to harness data and speed the delivery of new ideas, techniques, and equipment to the practice of healthcare.
Improving infrastructure is part of the solution, Mathias said. The National Institutes of Health’s (NIH) Science and Technology Research Infrastructure for Discovery, Experimentation, and Sustainability (STRIDES) program, for example, is a cost-effective storage agreement with cloud providers that supports 750 research programs across 100 institutions. At last count, the program encompassed more than 170 petabytes of information.
“It’s more than a storage solution,” Mathias said. “STRIDES facilitates data-sharing between these research programs.”
Data-sharing improves decision-making and results. “A lot of times we go by intuition rather than trying to inform our decisions with data analytics,” said Mathias. This mindset began to change during the pandemic, as government leaders used data “to make decisions about where resources should go.”
Cybersecurity
Breaches of healthcare networks are a serious problem. In 2021, the number of Health Insurance Portability and Accountability Act (HIPAA) data breaches affecting 500 or more individuals totaled 256. In 2022, there were 618 such breaches, an increase of 141%.
“The problem is growing,” Mathias said. “Ransomware attacks and other malware that disable medical systems put tremendous stress on systems, medical staff and [they] put patients’ lives at risk.”
When hackers infiltrate and compromise healthcare networks, doctors are unable to enter orders and pharmacists can’t fill prescriptions. Attacks that burrow into medical devices, especially machines that monitor patients or dispense medication, can cause patients to die. In 2022, ransomware attacks affected 290 hospitals, Mathias said.
“When systems go down due to security issues, it has an immediate and devastating effect on patient care. Nurses are dependent on computer systems … a critical tool in their ability to know what care and what drugs have been administered to a patient,” Mathias said. “Manual systems are not as effective.”
Healthcare organizations can improve their odds against cybercriminals by faithfully following cybersecurity best practices, Mathias said.
An industry-government partnership at HHS, the 405(d) program, comprises more than 200 IT security professionals (representing more than 1,000 medical facilities) who coordinate best practices and assist HHS with cybersecurity information. In fiscal year 2022, the program developed more than two dozen new health-focused cybersecurity awareness and outreach products. Topics covered in those products, which were downloaded more than 10,000 times, include multifactor identification, patching, data security, and ransomware.
In addition, the Health Sector Cybersecurity Coordination Center (HC3) collaborates with the healthcare and public health sector to identify, correlate, and communicate actionable cybersecurity intelligence. In fiscal year 2022, HC3 prepared 22 threat briefings, assisted with 257 victim notifications, and identified 67,722 malicious domains.
AI
Artificial intelligence has tremendous potential to improve the efficiency of healthcare.
A challenge of NIH-sponsored research, for example, is bottlenecks. Delays in NIH’s research pipeline begin at the application stage, where humans do an initial assessment to determine which team within NIH should do the full evaluation, “which really slows things down,” Mathias said.
HHS developed a pilot system to analyze grant applications and automate referrals for evaluation. The AI tool made the correct decision 92% of the time. “The faster we can get good applications into the research process, the faster we can get results,” Mathias said.
But even after winning a research grant, bottlenecks at NIH continue to be a problem. Grantees must report on program statuses annually, a requirement that generates between 35,000 and 45,000 reports every year. To make oversight more manageable, NIH developed an AI system to read submitted PDFs, correlate contents with other data, and flag potential program risks for further review.
The National Institutes of Health has also developed tools to identify potential fraud among the millions of Medicare transactions generated every week. NIH used deep learning approaches to build a pilot system that evaluates claims and identifies cases for further scrutiny.
Doctors and Nurses
Mathias concluded his remarks the way he began them, by focusing on frontline healthcare workers and the potential of IT to help them do their jobs. According to a recent Gartner study of nursing managers, more than 90% of respondents had concerns about staff turnover due to burnout.
“There continues to be a shortage of qualified personnel, particularly nurses, in the healthcare profession,” Mathias said.
Consider Nurse Tabitha (Mathias’s daughter), a member of the rapid response team at a medium-size hospital. She’s been a nurse for 10 years. Her colleagues consider her to be an expert. Tabitha is a nurse because she likes to comfort patients and save lives. She’s highly trained to monitor patients and be alert to signs of trouble. When patients are in distress, she springs into action. At times, she literally brings people back to life.
Nurse Tabitha does not enjoy dealing with myriad patient-care systems or sitting in front of a computer console, logging patient data. She is most effective when she’s with patients, using her expertise to deliver value at the point of care.
“What we do affects her and her patients,” Mathias said of the assembled IT professionals. “Giving time back to our nurses and other medical professionals is critical.”