Episode 7: Exposing the Hidden Dangers of Cybersecurity and Privacy in Healthcare
Bradley Bostic
CEO | Executive Chairman | Investor | Founder | Board Leader | Healthcare Data Miner | Host of #BoombosticHealth | Passionate About Healthcare Innovation
"We've seen this proliferation of ransomware, and the evolution of ransomware is that what the threat actors want to do is get inside your environment and shut down your environment." - Nick Merker, AVP of Privacy, Cybersecurity, and AI at Eli Lilly
Welcome to the Boombostic Health Podcast newsletter!
Welcome to Boombostic Health, where we challenge the business of healthcare and explore bold ideas that drive meaningful change. Each week, we bring you candid conversations with top experts, innovators, and leaders exploring the latest trends and technologies shaping the future of healthcare.
Get weekly insights and candid talks with experts who are shaping the future of healthcare. Explore trends, technologies, and challenges in an accessible way for all.
Join the conversation by listening to our latest podcast episode.
Episode Spotlight: Unveiling Cyber Threats and Privacy Shifts in Healthcare
Expert Insight: Nick Merker, AVP of Privacy, Cybersecurity, and AI from Lilly, shares his expertise on the current cybersecurity landscape and its implications for healthcare.
Real-World Examples: The discussion includes recent incidents, such as the Change Healthcare breach, highlighting the impact on the industry and the risks of outdated systems.
Future Outlook: The conversation explores how advancements in AI and data analytics are paving the way for predictive and preventative healthcare.
Bradley and Nick delve into the growing cybersecurity threat to healthcare, focusing on ransomware attacks that shut down systems and demand payment. Healthcare is a prime target because system downtime can directly harm patients, making hospitals more likely to pay. They emphasize the importance of strong business continuity plans for handling such events, including outages at critical vendors.
The discussion also touches on the role of companies like Apple in healthcare. With wearables collecting health data, there's a shift in how health information is managed. Unlike data held by HIPAA covered entities, information collected by consumer wearables isn't protected by HIPAA, leading to privacy concerns. This highlights the need for new regulation to manage the vast amount of data generated by consumer devices.
The Evolution of Cyber Threats
BRADLEY: So moving to a really critical topic for the healthcare world, and there have been some big, big headlines on this that have impacted all of healthcare in one fell swoop in one way, shape or form, which is cybersecurity.
And in some ways, this relates to the AI topic, because instead of just having some person with broken English doing some kind of phishing scam, trying to get you to respond to a fake email, you could potentially have somebody unleashing millions or billions of those as A/B tests and having them run through a model that makes it so they sound like they're even written by a particular person. It's pretty remarkable what could be done from a nefarious perspective, but on the other side, these technologies can be used for good, and in cybersecurity, it's a major consideration. Share your thoughts on this part of the world and how it affects all industries, but then maybe a couple of comments on how healthcare specifically should be thinking about cybersecurity.
NICK: Yeah. So I've been, as I mentioned, I was outside counsel for a very long time and I've worked with many cybersecurity incidents. In the very early days, the cybersecurity incidents were focused on taking social security numbers, credit card numbers, those types of things, selling them on the black market to the extent that could be done, and then making a buck that way. And then the person that bought it would engage in identity theft. Those days are over.
We've seen this proliferation of ransomware, and the evolution of ransomware is that what the threat actors want to do is get inside your environment and shut down your environment. Most of them do. I'll talk about other threat actors in a second. They'll shut down your environment and then they'll hold your company ransom. We've seen this. The ransom that these folks are asking for is increasing, and they have turned into big business.
You have what's called ransomware as a service now, where you have these threat actor groups. So what they're doing is they're developing the software. They are software developers. They're a software company, essentially. And they develop ransomware. They give it to a separate threat actor who then gets into your environment and deploys the ransomware. And then when you're negotiating with the threat actor, you're negotiating with that threat actor group, who has hired negotiators who will negotiate with you. You make some payment with cryptocurrency, and then the threat actors, everyone, kind of gets a piece of the pie at the end. So this has turned into big business, and they are very, very sophisticated. They have lots of data on what the ransom should be, et cetera. So this has really evolved.
A new way this has evolved is that when they're in your environment, they will exfiltrate data too. So they'll have a second type of extortion. So they can say, not only do you need the decrypt key to get your information back, but I'm going to publish what I took from you unless you pay me some ransom. So this type of attack has really kind of changed the game.
Healthcare as a Primary Target
How this relates to healthcare is, I think healthcare is a primary target for threat actors. We've just seen this. So there are three primary targets:
Cities and towns, because most of the time they have less sophisticated infrastructure, so they would be seen as low-hanging fruit historically. And then the other two, critical infrastructure and healthcare, it's because if those systems are down, it can cause major damage. For example, a hospital is infected with ransomware and they can't actually load patient information through an electronic medical record. That becomes a major problem.
How can I provide care if I don't know what allergies you have or whether you had a dose of this drug 25 minutes ago? And it turns into a major issue. So that's why threat actors are targeting healthcare because there's a higher likelihood that hospital will pay the ransom to get their systems running again than maybe if the ransomware group went after a fast food chain where you're just losing dollars on the day because you can't serve food, but there's no actual threat of patient harm. So that's why healthcare is particularly being targeted.
BRADLEY: Right. Yeah. Well, there were some major incidents in the last 12 months. One related to revenue cycle, which is the fancy way of saying how you bill and get paid for stuff in healthcare. Every healthcare entity, consistent with businesses in general, needs a consistent way to bill and get paid. And there's a major player, which I will name, Change Healthcare. Everybody knows this, that had this incident, and they were so pervasively used that it disrupted healthcare in a catastrophically huge way.
I think that uncovered a few different insights from my perspective. One is that the dependence upon a major vendor to an industry is extremely risky if that major vendor has antiquated infrastructure. I don't say that in a way to say anything negative about Change Healthcare, just the fact that it was a combination of lots of companies over a long period of time that resulted in kind of a roll-up, I think, and grew somewhat organically, but there were a lot of, I think, doors in that older infrastructure. It's hard to monitor all that, keep track of it.
Business Continuity Planning
The healthcare sector is increasingly targeted by ransomware attacks, posing significant risks. Recent incidents highlight the vulnerability of relying on major vendors with outdated infrastructure. The Change Healthcare breach is a prime example, disrupting healthcare operations nationwide.
The second is this issue of having too much dependence upon any one vendor. And I'd say the third is the reality that there are these sophisticated actors that are targeting this kind of infrastructure, and they end up getting their reward at the end. So that creates incentive, and it's fascinating to think about it as an industry now that exists that even has pricing guidance. How much, tens of millions, should we get paid if we're able to hack into X, Y, Z?
The other thing I would say, and I'd love to get your thoughts on all of this, but the traceability of crypto or lack thereof in these incidents, surely there are a lot of people a lot smarter than me who are working on figuring out how they crack that code within law enforcement. But just to turn it over to you, I'd love to hear your thoughts on specifically an incident like this where it's just such a pervasively used system and gets crippled and it effectively brought healthcare to its knees because nobody could get paid.
NICK: Yeah, so at the end of the day, ransomware is largely an availability issue that identifies whether a company has a strong business continuity plan or not. So I'll put the Change Healthcare example aside and just take my home, for example. If my air conditioner has a ransomware event and it no longer works, now I have a business continuity test for my home. How am I going to keep my home cool in the summer? Do I have fans? Do I have a backup air conditioner? What is my plan? And for me personally, I don't have a plan. I would just call the HVAC repair person, but companies would have a plan. And that plan gets executed when there is a ransomware event that maybe impacts the company directly. You'd also, of course, run your incident response plan.
But if it's a downstream vendor of yours, you'd run your business continuity plan. Just like that vendor was hit with a tornado or a hurricane or something, how are you going to keep your business afloat while that vendor is not available? I think for me, that's the, I think we learned this not only with these types of availability events, but we also saw supply chain issues during COVID. To me, it's all kind of the same ilk of things. Where is your business continuity strategy to keep things going when these events occur?
BRADLEY: That's a good, very good way of looking at it. It's business continuity, probably at every level. It's not just at the level of the company who is the customer or the vendor. It's also at the vendor level, and then the vendor has vendors. I'd say it's certainly more effective, or less onerous, to have business continuity from a technology perspective when you are in a more modern architecture. I think that's just, you can call me Captain Obvious, right?
If your technology was written 40 years ago and still is sort of, there's like two people that still know how to maintain the code. I'm being, for effect, a little bit excessive with that or extreme with that example. It's an issue. So I think certainly to make sure that healthcare runs in a manner that is supportive of patient care, there certainly needs to be this redundancy built in and the best possible approach to keeping the data secure, the system secure.
There are new technologies like blockchain, for example, that maybe that could play a role. I don't know. And that's probably, well, you're a computer science person. Any thoughts at all on using, let's say if every medical record system was on the blockchain and was completely secured in a manner that was impenetrable, just theorize this, does that help solve this problem? Or what are some of the solutions that are more not about what's our contingency plan, you know, when things go wrong, but what is the best possible way that you could put in place to have this defense mechanism so you aren't vulnerable?
NICK: Yeah, so I have a couple comments on that. The first is that I think we've seen a consolidation of services to a few key vendors across really everything that we do within the information technology space. Take AI, for example. If you're a company that consumes GPT-4 over API, and that's a primary driver of some critical function of yours, well, that's a major business continuity issue. I don't know if you could just lift and move to something else very cleanly. So I think this consolidation of really key vendors is an interesting thing that companies need to think about.
Blockchain and Its Challenges
But on your question about solutions, although the blockchain, like a decentralized medical record with a blockchain component, would be a really interesting solution that might solve the business continuity issue, it would create other issues. Like, what if my dad loses his key for his medical record on the blockchain? How's he going to get access to that? Or what if there's an attack by a nation state where they get 51% of the computing nodes on that blockchain, and now they can take over all of these medical records? So I think those are interesting solutions that people are thinking about, but they also create other problems that you have to think through that are, to me, just as interesting, because I'm a technology nerd, interesting problems to solve.
BRADLEY: Yeah, there's an unintended consequence to almost any move that you make. So is that the moral of the story, business continuity?
NICK: That's what I think. I mean, if at least for ransomware, it's understanding supply chain and business continuity issues. And then of course, your own company having a really, really strong incident response plan testing and doing all that great, great stuff that everybody does.
BRADLEY: Okay, that sounds good. Any other comments on this? Because I'd like to also touch a bit on this sort of more consumer-oriented aspect of healthcare and where things are going there. But any other closing comments just on the cybersecurity issue and the importance of ensuring that you've got this business continuity in place? And if I'm building a healthcare business, leading a healthcare business, what would be your closing comment?
NICK: The thing we didn't touch on is how the regulatory landscape here is changing, too. We've seen rule making by the Department of Homeland Security about how to report critical infrastructure cybersecurity incidents, which healthcare could be a part of depending on how that gets defined. We've seen the possible FTC changes I mentioned earlier. I just think I would keep on the lookout for the trends on how it is changing from an incident perspective, but then also how it's changing from a regulatory perspective. Because both things are moving quickly.
Just stepping back on this whole hour and reflecting on what we've talked about, for me, it's such an exciting time to be in privacy, cybersecurity and AI, and data governance, which I also do, because everything is changing very rapidly. The tech is changing, the laws are changing. It's just such a fun time to look at these issues and find practical solutions that can help move things forward. I think it's really exciting.
Consumer Health Data and Future Trends
BRADLEY: Anybody who has a curious mind and is involved in healthcare and in these issues we're discussing, it is an exciting time. There's a lot of work to be done, but it's for good.
One final topic. I know we've got short time here, and this has been a great conversation. There are these major players out there that are starting to bring healthcare data into their strategies that aren't traditionally healthcare companies, like Apple and others. I'd love to hear your comments on where you see that going and how it might relate to the strategies of others in healthcare. Is it going to transform things kind of like iTunes transformed music, for example?
NICK: Yeah. This is kind of a comical side, I guess, but I saw an article last week that Harvard has developed a smart toilet that analyzes urine and fecal matter from people as it is being used. And to me, that really finally hit it home for me that we're going to be in a state soon where, I'm wearing an Apple Watch right now, tracking my steps, I can look at my heart rate. We're going to have so many opportunities for personalized medicine because of all of the data that can be collected.
The interesting item on this is that these companies like Apple and others that are not engaging in standard transactions, they're not providing claims to insurance and such, fall outside of the traditional law, HIPAA, that we've had, which regulates healthcare privacy. So you're going to see new regulators step in and kind of fill that void. We saw that with the FTC and their Health Breach Notification Rule, which they were really flexing for the first time ever in 2023. I think you're going to see more of that. It's going to be the same exact thing we've been talking about, where there's this huge, quick innovation, this mass amount of data. And then the lawmakers and regulators are going to be catching up like, oh, no, what do we do about this? How do we get in front of it?
To me, it goes back to those responsible principles for companies on what you do with that data. Make sure you're using it properly, because we've had lessons with the FTC and other regulators where they will eventually catch up to the companies that are doing things incorrectly. And it may take a while. But if a company is taking a too risky approach or is kind of a known bad actor, it's eventually going to come home for them.
And so it's just such an interesting time because there's so much data that's coming.
BRADLEY: Yeah, I would also suggest that with all of this collection of data, that includes the wearables like you're wearing, and you're a healthy individual who is young, but if you think about folks who are out living their lives in the community and who historically had to spend a lot of time going to doctors, who historically weren't as proactive. I think the opportunity when you put together wearables, compute, AI, all these concepts together, you find yourself in this predictive, preventative situation. Now patients, or individuals, obviously have to take an interest in this and be willing to listen to the signals that are coming to them.
But heck, we've already seen it with one of my podcast guests who is from Roche and talked a lot about where things have gone with diabetes, you know, it used to be that you were really constrained in what you could do. And now you've got this whole set of, this whole ecosystem of capabilities that make it so you can live your life and monitor and manage that.
We built an AI model at hc1, a lab data business that I run, a lab analytics business. We collaborated with a major pharma company on this, and it can predict, based on customary lab values, who is predisposed to having cognitive decline in the future, and that gives you a way to start monitoring and managing these things proactively. So the future is incredibly bright.
I love this conversation. We've covered the regulatory landscape with a focus on AI. We've covered cybersecurity broadly, but zeroed in on healthcare. We've covered this explosion of data coming from consumer-generated activities and devices. I mean, this has been an absolutely eye-opening, fantastic conversation. I took a couple of pages of notes while we were having the conversation. This is exactly the kind of thing that we're here at Boombostic Health to do. So the entire community of folks thanks you.
I thank you for your willingness to engage and really bring this really critical content out there to people who are looking to lead, make healthcare better, improve patients' lives, and ultimately boost the bottom line of healthcare. I look forward to having you on again sometime if you're open to that.
NICK: For sure. Thank you. Thank you so much.
BRADLEY: Okay, awesome. Thanks so much, Nick. Have a great day.
The Verdict: Legal and Regulatory Insights
Direct-to-Consumer Healthcare and Data Privacy
BRADLEY: So now we'll transition to the Verdict with Emily Johnson, where we'll cover the legal and regulatory implications of these various topics that we just discussed with Nick Merker, the AVP of Privacy, Cybersecurity, and AI from Lilly.
We've had Nick Merker on talking about direct-to-consumer healthcare and how some of these hyperscale companies like Apple are getting engaged in consumer health data. This differs a lot from the traditional approach to healthcare where you had healthcare providers, physicians, medical device companies, drug companies using data for various purposes. But now all of a sudden we have this proliferation of devices that people wear that are collecting data and that's only going to continue to increase.
We'd love to hear from Emily here on her verdict segment about what we should be considering as healthcare leaders as it relates to the privacy concerns and also the opportunities that exist with all this new proliferation of data.
EMILY: Sure. So it's an interesting area, sort of the wild, wild west, now that patients, or individuals I should say, are taking accountability for their own health. They are getting devices that they can wear. Some might be prescribed by a physician; most of them are not. When they're not, if something goes wrong, if there's some sort of breach or some sort of misuse of their information, it's not subject to HIPAA the way healthcare data is. So there isn't a direct reporting obligation with respect to protected health information, because it's not PHI.
Clarifying HIPAA and Data Protection
BRADLEY: So just to be clear. If I have my WHOOP band on and it's collecting information about my heart rate variability, and it identifies some kind of issue that could be emblematic of a heart condition or something, that's not HIPAA protected because why?
EMILY: Correct. It's not protected health information because you are not a covered entity under HIPAA. So there's this common misconception that any health information is subject to HIPAA. I mean, look at all the chatter on Facebook and in the news about somebody having access to my information and disclosing it. HIPAA applies in very limited circumstances with respect to very limited covered transactions.
A covered entity under HIPAA is a health care provider, a health plan, like an insurance company, or a health care clearinghouse. You're none of those. Apple isn't any of those in this capacity. So they're not subject to HIPAA. They're still subject to privacy requirements. There are state requirements that define personally identifiable information, or PII. And more and more states include health information in their definition of PII. So if something goes wrong, even if something doesn't go wrong, entities that maintain this information have an obligation to secure it in accordance with the regulatory framework that exists, which is going to be driven by state law in this capacity.
BRADLEY: So people all over the world use Apple Watches, for example. So the privacy laws that dictate how they have to handle your information are state specific?
EMILY: In the U.S., in the U.S., they're state specific. There is also, and this changes near daily, right, but there is also a reporting obligation from the FTC, the Federal Trade Commission, that mirrors HIPAA but speaks to health information maintained exactly in this situation by these device manufacturers. So consumers are still getting notified of these incidents. It's just not a HIPAA violation. There are still protections in place. It's just not HIPAA.
BRADLEY: It's not HIPAA. And everybody in health care has heard of HIPAA, right? But maybe not everybody understands it, which is what you're pointing out. Most people do not understand it. OK, interesting. So do you use an Apple Watch?
EMILY: I do. Yeah. I have an Apple Watch. I have an Oura ring.
BRADLEY: I mean, you've got all kinds of biometric data going up into the clouds. I'm just kidding. I once had a customer many years ago who made this comment. She was asking about software: where do we install it? I explained it doesn't have to get installed, good news. She sat back and said, I don't want my data in the clouds. No, no, no. It's not actually in the clouds.
EMILY: Sort of reminds me of Zoolander, and the files are in the computer.
BRADLEY: Exactly. So, in the computer. So in any event, this is an issue that I suppose over time will get addressed more formally and become some kind of gold standard.
Future of Data Protection Standards
EMILY: Yeah, absolutely. There's no doubt. I mean, there are more and more devices that are available, more information out there. Just because it might not be subject to HIPAA doesn't mean it doesn't need to be protected. You know, my Apple Watch can tell me if I have signs of atrial fib or some sort of other issue with my heart, and there are the cycle tracking situations, right?
There's also the reproductive freedom acts and exceptions to HIPAA for how that information can be shared from these devices, because these devices do track that information. So certain states are trying to implement regulations saying you can or cannot disclose that information regarding reproductive health. There is an exception to HIPAA now saying you can't disclose reproductive health information if it's going to be used against somebody like criminally or for liability purposes.
BRADLEY: So what if a health care system has a partnership with Apple where that data is flowing from your Apple Watch into the electronic health record for purposes of monitoring your atrial fib or something else?
EMILY: So that's going to be different. That's going to be different once it's incorporated and sort of prescribed by a physician or health system and it's incorporated into your medical record. At that point, it would be subject to HIPAA.
BRADLEY: So the nexus is really where an actual health care provider is taking a look and using it somehow to monitor your health. So it's kind of interesting. Apple clearly is monitoring in a way that would identify heart issues.
EMILY: Right.
BRADLEY: Like, where does the accountability end up showing up that that should be communicated somehow?
EMILY: Right. I mean, it's a great question. It's sort of big brother.?
BRADLEY: I had never thought about that. Literally, I never thought about that until right now. I mean, especially with AI, there's a lot that could be, right?
EMILY: And I think my watch, if it automatically tells me if I have signs of atrial fib, or if I have to just do the EKG thing, but it's a good question.
BRADLEY: I mean, the data is probably in there.
EMILY: Right, it was for sure in there. I mean, that happened with my sister-in-law. She had a cardiac incident, and they were able to go back when she was in the hospital and look at the data from her watch to find signs of heart failure leading up to her cardiac incident.
BRADLEY: And so at the point at which they looked at that, it became HIPAA protected because they were doctors looking at it?
EMILY: Yeah, I don't know that it was ever fully incorporated. I think it all still stayed on her device.
BRADLEY: So that's the, it's so interesting because it's kind of gray.
EMILY: It is very gray. It's not clear.
The Balance Between Innovation and Privacy
BRADLEY: Yeah. But I think this is also a good example of where it is progress to have these biometric devices. It is completely progress. And to prevent progress in the name of information privacy and data privacy, I personally feel is completely misguided, frankly. I mean, think about the grocery store and the fact that you've had these, isn't that great? You have those little cards you scan so that you get a discount. Your data has been collected for a long time in very specific, personal ways.
I was on a webinar the other day where this individual was all doomsday about AI taking over jobs and how your data should be more protected. I just thought, the Luddite model just isn't gonna work. You can waste your energy on that. I think the better way to lean in is say, how can it be applied? Like me, I wanna live in a world where I have a biometric tracker that automatically says, hey, you've got a predisposition to heart failure or whatever it is, CKD or anything. And that way you can be proactive.
So the topic, I have a tendency to get into some tangents here, but the topic clearly is that there is information privacy protection, but this is a whole new world. And there aren't clear answers to all of it, or much of it, but maybe that opens a lot of opportunities. I think it does, for people who want to innovate and make progress in healthcare.
EMILY: Yeah, absolutely.
BRADLEY: As long as they're following the law, right?
EMILY: Correct.
BRADLEY: Well, thanks so much, Emily. Appreciate your interpretation and real-world experience, as always. And we really love to wrap this all up with Emily's input. In fact, I saw that we had some really good comments on LinkedIn about how valuable it is to have this legal and regulatory perspective come into the Boombostic Health podcast. So thanks for fitting it into your schedule.
EMILY: Thanks for having me.
BRADLEY: Thanks for being here again. Look forward to seeing you next time on Boombostic Health. Thank you.
Get Involved:
Are you passionate about transforming healthcare? Share your thoughts and insights in the comments below or reach out to us directly. Let's work together to drive meaningful change in healthcare!
Stay tuned for our next edition, where we'll feature more expert insights and innovative ideas shaping the future of healthcare. Don't forget to subscribe to Boombostic Health for regular updates!
I Know a Few Things | RN, MBA | Categories & Systems Thinker | Founder's Wife | Strategic Video Content is the New Gold Currency | Nandanator
1 month ago: Strategic video content like podcasts are the new gold currency.
Operations Manager BBA, Human Resources Management
2 months ago: Robert and I were just discussing this. Very interesting topic!
Bradley Bostic, fascinating insights on healthcare cybersecurity evolution. The intersection of innovation and data protection creates incredible opportunities for transformative care.