Guest: Richard Staynings, Cybersecurity Industry Expert
Host: Charles Rhyee, Managing Director, Health Care - Health Care Technology Research Analyst, TD Cowen
In this episode, we take a deep dive into cybersecurity in the healthcare system. According to records over the last ten years, the number of reported healthcare data breaches has consistently trended upward. The 734 reported breaches in 2023 is nearly double what was seen in 2018, and collectively, these breaches are impacting a higher proportion of the U.S. population each year.
Ransomware attacks on U.S. healthcare organizations have cost the economy around USD 77.5 billion in downtime since 2016, according to an analysis by technology review and cybersecurity research firms. Two recent cyberattacks are just the latest high-profile, large-scale attacks that have impacted financial results for a number of companies but have also had an impact on patient care. These events have left many wondering whether the healthcare space remains vulnerable and what steps companies and regulators can take to limit further risk.
To discuss this topic, we're joined by Richard Staynings. Mr. Staynings is a thought leader, author, and public speaker about cybersecurity in healthcare with over 25 years of experience. He is currently Chief Security Strategist for cybersecurity company Cylera and teaches postgraduate courses in cybersecurity and health informatics at the University of Denver. He's previously held various cybersecurity leadership roles at Cisco, General Dynamics, and PwC.
This podcast was originally recorded on June 26, 2024.
Speaker 1:
Welcome to TD Cowen Insights, a space that brings leading thinkers together to share insights and ideas shaping the world around us. Join us as we converse with the top minds who are influencing our global sectors.
Charles Rhyee:
Hello, my name is Charles Rhyee, TD Cowen's Healthcare Technology and Distribution Analyst, and welcome to the TD Cowen FutureHealth podcast. Today's podcast is part of our monthly series that continues TD Cowen's efforts to bring together thought leaders, innovators and investors to discuss how the convergence of healthcare, technology, consumerism and policy is changing the way we look at health, healthcare and the healthcare system. In today's discussion, we'll focus on cybersecurity in healthcare, and according to HHS, over the last 10 years, the number of reported healthcare data breaches has consistently trended upwards. In 2023, there were 734 reported breaches, nearly double what was seen in 2018, and collectively, these breaches are impacting a higher proportion of the U.S. population each year. Two recent cyber attacks impacting Change Healthcare and Ascension Health respectively became particularly high profile for the scale of their attacks as well as the impact to patient care.
These events have left many wondering whether the healthcare space remains vulnerable and what steps companies and regulators can take to limit further risk. To help us discuss this topic, I'm joined by Richard Staynings. Richard is a thought leader, author and public speaker about security in healthcare with over 25 years of experience. He's currently chief security strategist for cybersecurity company Cylera and teaches postgraduate courses in cybersecurity and health informatics at the University of Denver. He's previously held various positions as well in cybersecurity leadership roles at Cisco, General Dynamics and PWC. Richard, thanks for joining us today.
Richard Staynings:
Thank you for inviting me, Charles.
Charles Rhyee:
Maybe to start, can you talk about why we see an increasing number of incidents of cyber attacks in the healthcare industry?
Richard Staynings:
I think there's a number of reasons behind it. First and foremost of which is the fact that healthcare makes an easy target. It is an industry that is full of highly lucrative non-public data, PII and PHI, so personally identifiable information and personal health information. Additionally, it has a lot of intellectual property, clinical trial information, drug formulation, these sorts of things that are being conducted, particularly in our research hospitals. And this data is valuable, and criminals have been going after it for quite a number of years, in fact, going back more than a decade at this point. At the same time, healthcare is very poorly protected. It has large expansive flat networks that were designed to facilitate access to health IT systems and health IoT systems by clinicians at any time from any place. You don't have the level of segmentation in place that we would, for example, in the financial services industry where tellers only have access to the particular system that they use as part of their roles and responsibilities.
And in a healthcare environment, doctors tend to have access to every system that's on the network. Those networks are also flat. They're not segmented and firewalled in the same way that a financial services industry network or a defense industry network would be. And we're also very lax about the access controls that we give to our users in the healthcare environment. Role-based access is the target, but in actuality, we end up with people, our users in our network, having access to far more systems than they really need. And this obviously expands the threat surface and makes it easy for perpetrators to attack, to establish a foothold on the network or to escalate the access controls that they're able to obtain to the point where they can do significant damage, as we've seen recently.
Charles Rhyee:
Maybe just to clarify a little bit, when you say flat versus segmentation, maybe you can describe what does that mean exactly and what does that look like in a system?
Richard Staynings:
So, healthcare networks were designed to be flat, that is, one large expansive network where all of our applications reside, all of our data reside, all of our users reside, and it's segmented via VLANs, by routing, by using local area networks to stop the overflow of multicast traffic and to also facilitate performance improvements on the network. But as a user, if I have credentials on a hospital network, for example, I can navigate to any system on any part of the network at any time to access a particular application or database or maybe an IoT system. There are no firewalls between me and that system. Now, if I compare that with other industries, we have segmented networks or even standalone networks in the case of the military, where there is a network that only allows a user to access certain components within a very finite, very restricted part of the IT infrastructure.
Charles Rhyee:
And arguably then, a flat network was considered beneficial in healthcare. As a physician, if I needed to find a patient record or an imaging study that maybe is in the radiology system, I can navigate to that and get access to it. Was it unarguably for the benefit of clinicians in terms of delivering patient care, or was it just an oversight?
Richard Staynings:
No, it was designed that way. I've been in the healthcare space a long time, since IT first started making its way into the industry in a big way, and that was one of the design decisions, to allow physicians to access systems whenever. There's this concept of a break glass requirement in healthcare, and that is, if I am a physician, if I am responsible for treating the patient, saving a life, then I need to be able to access whatever systems I medically need access to, and I am the ultimate arbiter of medical need because I'm a physician. I've done my 10 years at medical school, I've done my internships and all my training at various institutions, and I know, as a physician, what I need access to, not some network administrator that tells me, "Hey, you work in geriatrics, you don't have a need to access pediatric records," for example, or vice versa.
Now, there are obviously some systems in healthcare that all physicians need access to, the PACS system, so you talked about medical imaging and PACS is the picture archiving system that is used in order to store those images and those images are available to anyone that requires access to them. But there are other aspects that perhaps there's no need. Do physicians need to be able to get to PathLab itself or do they just need to be able to see the results of a hematology test or a blood test? These are the sorts of decisions that we have yet to really make in terms of locking down healthcare networks and it's happening slowly. We are now beginning to see the segmentation of IoT devices from IT devices. By that I mean the multitude of medical devices that actually now make up about 75% of connected assets in the typical hospital system, but we're not seeing that division from a user access perspective or at application and data object level access that perhaps we would in other industries.
Charles Rhyee:
Stepping back a little bit, you mentioned that this was sort of a design decision when IT was coming into healthcare. Along the way, I'm sure some people probably noticed some of the vulnerabilities of this kind of infrastructure design. Have there been attempts to try to fix that along the way? Have there been impediments to better securing the infrastructure?
Richard Staynings:
Yeah. And it really comes down to a question of priorities and money. You can fix any problem with sufficient managerial priorities and emphasis on performing tasks and with a sufficient amount of money in order to bring in the right people and the right technologies in order to meet that eventuality, to meet that requirement, that goal. The difficulty that we have in healthcare is that systems need to be up 24 hours a day, seven days a week, 365 days a year. We don't have down times that perhaps we would be able to facilitate or to use in other industries where we can switch to an alternate infrastructure and go up on that alternate infrastructure or put a sign on our website to say, "We're down for maintenance right now, please come back to us about eight o'clock in the morning. We're down overnight."
And we see that on a lot of websites that we go to, particularly if you visit a website at one o'clock on a Saturday morning or one o'clock on a Sunday morning, you'll find that the website may be down for maintenance and they're doing the build. In healthcare, we don't have that luxury, nor do we have the high levels of availability that other industries do. So, we don't have an alternate infrastructure, we don't have duplicate PACS systems, we don't have multiple radiological imaging centers, for example. Although many hospitals have different levels of facilities, one in the ER, one in post-op areas, one in general med, these sorts of things, they're all used by different groups and they're not interchangeable. We don't have that level of resiliency to switch from one system to the other.
And this was a classic example of what happens when a critical system goes down, as we saw with Change Healthcare. Change Healthcare was critical to a third of U.S. healthcare systems at the time, and there was no other alternative. Hospitals couldn't switch to a different system, and therefore, they were down as well. We're seeing that in London with several of the NHS trusts in London with Synnovis being attacked. It was a critical point of infrastructure for two of London's NHS trusts and a whole heap of clinics and physician offices, general practitioner offices around southeast London. This is the consequence of some of our design and our decisions around the allocation of scarce resources, particularly towards IT and cyber security in healthcare.
Charles Rhyee:
And I definitely want to touch on Change more in a little bit, but maybe stepping back, what are the more common types of cyber attacks, the techniques and technologies that are being used to launch against healthcare?
Richard Staynings:
The number one infiltration method is still phishing. Most attacks start with a phishing email, 97% of them, in fact, and we as humans are gullible. We see an email, particularly in a very busy high-stress environment like a hospital, maybe read it on our phone, and we open it not realizing that that is a spam message or that it's a malware-laden message or that it contains an attachment or a link that is malicious. And this is how perpetrators are able to establish a foothold in the network. Essentially, when you, as a user, are fooled into opening an email attachment or a message or you click on a link, that link or that message will download what's called a dropper onto your computer system, and that dropper contains malware, and that dropper will then reach out to the internet and will pull down all of the malicious code that it needs to execute an attack, and it will do it very subtly in a way that most XDRs and other endpoint protection systems are not able to identify.
And before you know it, there's been a full investigation of the network by the malware. They've mapped out the entirety of your network, found the valuable points, and are looking at either exfiltrating that data so that it can be sold, things like PII, PHI, IP, or they're looking to encrypt that data and hold it to ransom, which is what we've seen a lot of in the last decade.
Charles Rhyee:
And you said that's 97% is typically phishing. What about the other 3%? What are some of the more uncommon methods that you've seen?
Richard Staynings:
Well, it's perhaps a USB key. Some infiltration comes in that way. I remember many years ago investigating a hospital system where the techs had come in to update something within the imaging system. I think it was a CT scanner, if I remember, and they brought in a USB key with an update to the application code, plugged it into the control PC for the CT scanner, and proceeded to upload the new firmware or application code to the CT scanner, not realizing that that USB had malware on it. And as a result, of course, that malware was able to spread.
Our medical devices in hospitals are by and large totally unprotected. So, your windows PC that you use to do your daily work in a hospital, whether you work in billing or whether you're a nurse and you are charting patients or whether you are a physician and you are writing prescriptions or case notes, or you're someone else within the infrastructure, those systems are managed by hospital IT, they're patched every 30 days for vulnerabilities and for security updates. But many of our medical devices are FDA listed, FDA regulated devices, and they don't contain things like antivirus software, endpoint protection software. They cannot be patched and updated to newer operating systems.
So we have a lot of legacy systems running Windows XP, for example, or Windows 7, which are discontinued by Microsoft today. Yet, that is the only operating system that will run that particular application or that particular device, and it means that one side of the hospital network is relatively well protected. It's up to standard. And the other side of the medical network, the clinical medical device side of the network is wholly unprotected and we need to implement different levels of cybersecurity controls and different approaches to securing those systems. And that is a huge problem given the rate of growth of medical devices across our hospitals today.
Charles Rhyee:
That's interesting, and I want to come back to that when we talk about the regulatory side of things. Are there particular sub-sectors in healthcare that you've noticed are more prone to cyber attacks than others? I know we've seen more incidents in, let's say, hospitals recently, but is that where the biggest vulnerability is currently, or what other areas are vulnerable?
Richard Staynings:
We've seen attacks right the way across the healthcare life sciences space. During COVID, our pharmaceutical companies and clinical labs were being hit extensively, particularly by Russia and China, looking for any research into COVID treatments and obviously into vaccinations that would prevent the spread of the pandemic. And the Russians and Chinese had to be warned off by, I believe it was Mike Pompeo at the time, for infiltrating a lot of our pharmaceutical companies. The Chinese, in particular, have been running rife, running ragged in our pharmaceutical systems for many, many years, stealing a lot of the clinical research for their own state-owned industries. But that's an aside. I think we've had attacks against the payer side of the network. Anthem Health was, before the Change Healthcare breach, the largest single healthcare breach in history at 78.8 million patient records that were stolen, again by China. For what reasons we don't know, but that was a massive attack, and there were a number of other payers that have been hit at the same time or at similar times for the information that was exfiltrated from their networks.
But by and large today, it's the providers who are being hit, and we've seen an evolution away from the theft of IP and the theft of PHI and PII from hospital systems because that data is less valuable today than it was perhaps 10 years ago or 15 years ago. And we've seen an emphasis on cyber extortion attacks, by that I mean ransomware attacks, for two reasons. One is that they can still exfiltrate the data and then try and sell that data on the dark web, or they can ransom that data back to our hospitals, the providers, the owners of that data or the patients whose data they stole, and then, at the same time, they can also ransom or extort the healthcare provider network that they know is down because of all their systems are encrypted, and they can use that extortion in order to try and persuade the institution to pay 20 million, 50 million, whatever to the criminals in order for them to be able to restore their data quickly.
But that data's already tainted. It's already been touched, and therefore, there's a big question around the integrity of that data and whether it can be trusted and what levels of cleaning need to take place before any ransomware-recovered data is usable. By and large, in the attacks that we're seeing, most hospital systems are not paying the ransoms, fortunately, because that encourages the criminals to grow their business. But a large number are, and the others are instead restoring their data from backups, provided they've got off-site disconnected backups, and they have enough of them, because perpetrators will sit there and wait six months sometimes before pulling the trigger and encrypting data, just to make sure they get the backups and can hold the victim over a barrel, as it were.
Charles Rhyee:
You mentioned, during COVID, you had state actors, China, Russia, trying to infiltrate systems, particularly around vaccines and things related to COVID. Are those the primary actors? What do you say, is it more state actors or is it really more criminal actors these days?
Richard Staynings:
I think it's a combination of both. If we look at the volume of cyber attacks, then, from what I'm seeing, China's by far the biggest perpetrator. China has close to 100,000 People's Liberation Army cyber officers whose job it is to go and steal information from every other country in the world outside of China. And you see a lot of countries bordering China being attacked by Chinese APT, advanced persistent threat groups, for example. And you see the U.S. as a target for those. And they're after state secrets, defense secrets, designs to the U.S. stealth fighter, for example, so that they can copy that into their own stealth fighters and their own weapon systems. But we're also seeing, unlike other countries, all countries are involved in some level of espionage obviously, but in China, which makes it unique, we're seeing the theft of intellectual property and commercial trade secrets for non-defense related industries.
So, we're seeing the theft of pharmaceutical drug formulations, clinical research trials. We're seeing the theft of other business differentiators that allow U.S. health care providers like Mayo Clinic and Cleveland Clinic and some of the other big, high-profile names out there to really differentiate the services that they're able to provide to patients in a way that attracts a global clientele. People fly from all over the world to come to Mayo Clinic for procedures and consults because of its reputation and because of its cutting-edge procedures and technologies. And obviously, China is very keen to steal that and to embody that in its own hospital systems. China also has a massive problem with cancer due to all the pollution in China, the ground, the air, the water, and its state-run healthcare system is stretched at the edges trying to deal with a very, very large 1.4 billion population, of which an increasingly large percentage is suffering from cancer. So, they're out to steal anything they can in the cancer space.
So that's the IP theft side of things. Then, we've got other state actors that are just out for mischief. We've got the Russian GRU, their military intelligence units, their FSB, the former KGB, that are out there trying to break into systems, and we've seen some fairly nefarious actions from the Russian GRU. WannaCry was a North Korean attack. I'll come to that in a second, but NotPetya is the single largest and most devastating cyber attack of all time, so far anyway, and that was executed by Sandworm, a group within the Russian GRU, against Ukrainian businesses, particularly its tax software, MeDoc, which escaped from Ukraine and went global and caused between $8 and $12 billion worth of damage to global companies that used MeDoc software. So that's the other side of state actors.
You've obviously got North Korea. They executed the WannaCry attack in 2017, which was an attack trying to... It's a failed ransomware attack, essentially. North Korea acts very much like a criminal entity, and it's doing bank heists, Bitcoin heists or Bitcoin wallet heists, all of these sorts of things. And obviously, it plays in the ransomware game as well, and that is to keep the Kim family in caviar and his generals in rocket fuel. It's about getting foreign hard currency that North Korea can use in order to keep the country afloat, given it's under such devastating global sanctions right now.
And then, the final group is really the criminal enterprise, and Russia takes the prize there because the Russian Mafia, or the Russian organized crime syndicates, are allowed to run rife in Russia. They're given de facto protection by the Kremlin and the state, which turns a blind eye to their activities, provided they don't attack anything within Russia or the former Soviet Bloc. It also provides a very lucrative income for the country in terms of hard currency because of all the Bitcoin they're able to extract from ransomware attacks or from theft of various data and systems from victims across the world. These have been growing at a fairly massive clip. As you mentioned in your opening, ransomware is a huge concern, and it's one that we haven't as a law-abiding society really come to terms with and dealt with yet, and that is really a question for our policy, for governments to deal with. But eventually I hope that we can have some level of global UN charter on cyber crime that allows us to operate by the same rules, but we're not there right now.
Charles Rhyee:
I want to move on because we're talking about ransomware in particular. Maybe let's move on to Change Healthcare, and maybe you can provide some insights, at least as you understand it. I know information is a little bit scarce, but what are your thoughts or your suspicions around the origins and the issues around the attacks on Change?
Richard Staynings:
Change was another typical Russian ransomware attack. It was conducted by a group called ALPHV, also known as BlackCat. They hide in Russia and are able to operate with impunity from Russia, and they were able to steal the identity of an admin user, we're led to believe. We don't know full details obviously, but we probably won't for several months until the full forensic investigation and reports are published, and whether they're ever made fully public or not remains to be seen. But the attack vector was the compromise of the user ID, and that user ID was then able to be used in order to access what's called a jump server, a VPN server within the Change Healthcare environment.
Whether that jump server was part of the server stack that was brought in when Optum UHG, UnitedHealth Group, purchased Change 18 months ago, or whether it was something that was built by the Optum team and not secured properly, we don't know at this stage, but that VPN server, that jump server, didn't have multifactor authentication. So, stolen user credentials were able to get into that system, and as a result of being in that environment, they were able then to exfiltrate a large amount of data from the Change Healthcare network and to implement their attack. The result, of course, is utterly devastating because of the critical nature of Change Healthcare services, a third-party vendor to something like a third of U.S. healthcare systems, and they believe, at least the last report, I believe, suggested that nearly a third of the entire U.S. population's medical records could have been exfiltrated or compromised by the BlackCat perpetrators of this attack, which would make it the single largest, most devastating healthcare attack in global history.
Charles Rhyee:
The scale of it is immense. My understanding is that it was ransomed, and by some reports, it seems like United maybe had paid that ransom. Did they get the data returned?
Richard Staynings:
I don't believe that they did, last I read, but I haven't stayed too close to it in the weeks following the initial attack. But paying a ransom is always a risky prospect, and I suspect the motivation for UHG to pay a ransom was that they wanted to restore this critical system as quickly as possible. In actuality, most organizations that pay the ransom either don't get any data back because criminals can't be trusted, or secondly, they only get a part of their data back, or they're unable to decrypt the data that they have with the keys that they've purchased. What happens is that, when an organization is attacked with ransomware, for example, by one group, other groups will look at that particular victim and say, "Hang on, we can get in on this gravy train as well." So they will go in with their ransomware, since there's an open door to that environment for a short period, and they will also try and hold that data to ransom, or other systems within the organization to ransom.
So, you end up with a polluted environment with lots of different perpetrators playing in that environment, and it makes it very difficult for you to recover all of your data. In actuality, as I mentioned earlier, paying a ransom is not a good idea because it encourages a lot of people, particularly in the darker lawless parts of the world, like the former Soviet republics, to jump on the bandwagon and become members of crime syndicates that go around executing ransomware attacks. And we've only got to look back at the history of ransomware attacks. If we go back to some of the early ones like Hollywood Presbyterian, that ransom attack requested $17,000 in payment. And now, Change Healthcare, well, I believe it was 20 million. And then, we're seeing in the case of the London NHS attacks a $50 million, £40 million ransom being requested by the group responsible for that attack.
So there's a price inflation going on. There's also a devastation inflation. We're seeing secondary and tertiary attacks, as I mentioned, trying to get to the actual patients within a hospital to try and persuade them to either exert pressure on hospitals to pay the ransom or to pay them not to release their medical records. So, we've got this escalation of threat and use of threats against individuals at the same time that we're seeing a huge growth in the number of hospitals hit by ransomware. There's not a week goes by in the U.S. without some hospital system somewhere being attacked by ransomware. A large number of those are thwarted. They're able to be contained very quickly before data is reached and the infiltration method identified and patched, but it's an ongoing battle.
Some hospital systems are better prepared to defend themselves against these sorts of attacks than others. If you are a Mayo Clinic, you have a very large resource pool of expert cybersecurity professionals on your team. You have great tools, you have great policies, great procedures, you have great management, buy-in and sponsorship of cybersecurity right the way to the board level within the organization. And you compare that with an inner city hospital, particularly a publicly funded hospital or a rural health facility, a rural hospital where there may be an IT team with three or four people, only one of whom can really spell cybersecurity, let alone conduct the types of in-depth cybersecurity protections that are required for healthcare in today's digitally interconnected environment.
Charles Rhyee:
The other one that happened more recently was Ascension Health as well. What do we know about what happened there?
Richard Staynings:
Well, not a lot, really. Ascension Health has been very close-lipped about the attack. They haven't made an awful lot public. They did announce that it was a ransomware attack. It appears to be the work of Black Basta, which is another Russian cyber gang. We understand that seven file servers were compromised and PHI data was stolen. These are servers that are used by the Ascension Health system in connection with their electronic medical records systems. And they have been forensically investigating the attack, looking at what data was touched. I believe the emphasis was on... They took down their EMR, and their emphasis has been on getting their EMR back up and running. We do know, or at least we're told, that the attack was executed via a file that was downloaded, something that was downloaded by a member of staff.
Now, whether that was an email attachment that had malicious code on it, probably more than likely, or a link to a file, or whether someone was out there downloading a screensaver for their workstation that they probably shouldn't have been able to get to in the first place, we don't know. But the attack was executed from a file that was downloaded, we are told, and they are still in the process of cleaning up that environment. The impact, like Change Healthcare, is obviously huge. If you're an Ascension Health hospital, then a lot of your services are in emergency mode only, and as a result, patients have had to be diverted to other hospitals in the area. Ascension, of course, operates in multiple states with a large number of hospitals, so again, another hugely devastating attack.
Charles Rhyee:
So, what do you think this all means for patients, particularly those that... We don't even know whose information got compromised necessarily, so will people be notified?
Richard Staynings:
People will be notified, and I believe I saw something in the press earlier, over the weekend actually, to say that Change Healthcare was planning to send out letters at the beginning of July to patients whose data had been compromised. It's an extraordinarily long time, and I'm sure they will receive fines from Health and Human Services, OCR, the Office for Civil Rights, for not disclosing the breach or not reporting the breach to those impacted within the required regulatory timeframe, given that the breach happened so long ago. But more importantly, they will also be subject to all of the state breach notification rules. And each of the 50 states has some level of breach notification rules, and a number of the U.S. territories have breach notification requirements as well. And those plainly, or more than likely, haven't been met, and therefore, they will be receiving fines from each of those jurisdictions and court cases.
They will also be receiving class action lawsuits from patients who are suing their providers because their data was disclosed and maybe they're at increased risk of identity theft, or maybe they've been directly extorted by the criminal gangs involved. So, the breach of non-public data is obviously one area of concern, and that is a confidentiality breach. But far more important is the attacks against the availability and perhaps the integrity of medical data. Don't forget, cybersecurity is based upon the principle of the CIA triad, and not our friends in Langley. It's about protecting the confidentiality, the integrity and the availability of healthcare data and the systems that store and process and create that data in the first place. Now, a ransomware attack is both an attack against confidentiality if data is exfiltrated or touched, and it's also primarily an attack against the availability of systems.
Now, the bigger impact to patients is around availability. Now, what happens when I go to a hospital and that hospital can't see me, and I'm in dire need of emergency treatment? What happens if I'm in an ambulance on a blue light run to a hospital, I get to the hospital and I'm turned away when I get there because all their systems have been ransomed? They stuff me back in the ambulance and they blue light me to the next nearest unimpacted hospital. And this happened to an elderly German patient in Düsseldorf a couple of years ago who arrived at the University of Düsseldorf Hospital with a cardiac infarction, had to be re-diverted to another hospital a 20 to 30 minute drive away in the nearby town of Wuppertal and died shortly after arrival as a result of that delay to treatment. So, there is a direct impact on patient morbidity and patient mortality when these systems are down.
And there is obviously a big discussion around the culpability of those involved in these types of availability attacks of whether it's a case of attempted murder or of some other level of homicide that has been executed by these perpetrators. Now, compare that with a breach of my medical records, which is more important? If my medical records get out on the dark web, boo hoo. If I'm standing for president and my medical records contain elaborate details of my medical condition that would negatively impact my ability to stand for office, then that could have a very negative consequence to me in the same way that we saw fake news around Hillary Clinton when she was standing for president around her having some kind of lung cancer, when in fact she just had some kind of bronchial issue. And that obviously had some impact.
The big question is, is anyone going to die as a result of that breach of confidentiality? Am I going to kill myself because my STD records or some other medical data is released? Probably not. There'll always be the odd case of someone that is hugely impacted by that, and we should do everything we can to protect the confidentiality of non-public data. But it's not life-threatening in the way that an availability attack is. And at this point, most of us in the United States have had some level of our medical identities, some level of our PII, our PHI stolen, and it resides for sale in a database on the Russian dark web somewhere. Does it really matter whether my medical records are stolen a fifth time or a sixth time? It's already out there. The Russians have got everything or the dark web has everything that they could possibly want on me. Do I really care anymore? These are the questions we need to ask ourselves, particularly as it comes to regulation.
Our regulations in healthcare are myopically focused on the protection of confidentiality and privacy. The HIPAA privacy rule and the HIPAA security rule are both focused around protection of confidentiality and privacy. Is that relevant in today's environment where we're having attacks against availability or perhaps even the integrity of data? What happens if the integrity of my medical record is changed and perpetrators try to ransom knowledge of what files were changed to a hospital and the hospital doesn't pay? I go in for a procedure. My medical record says I'm having my left arm amputated, and in actuality it's my right arm that needs amputating, not my left, or my left kidney that needs removing, not my right kidney. And these are the sorts of things that can be obviously quite devastating if they're not caught. Similarly, if my blood type has changed in my medical record and I require a postoperative top-up of blood and the wrong blood is given to me because my medical record says I'm O positive and I'm really AB negative, then I'll have a transfusion reaction to that blood. That could be life-threatening to me.
Now, if the doctor misdiagnoses that transfusion reaction as tainted blood, stale blood, blood that wasn't kept properly, for example, or is past its date and says, "Oh, there's some level of infection in this blood. Let's give this patient some antibiotics. Bring that up." Not realizing that my medical record has had my allergies removed and I'm morbidly allergic to penicillin and they give me an antibiotic, I'm coding on the table and I become a statistic, a casualty within the healthcare system as a result of an attack against the integrity of medical data. So, there's a lot we need to protect inside of the health system, and we have very, very limited resources to do so. And I think some of our regulations are distracting at best because they myopically focus on things that are not really important today.
Charles Rhyee:
And that's an interesting point. I wonder sometimes about the whole focus on privacy with HIPAA, given we're in a generation where, on social media, everyone posts everything about themselves, it doesn't seem that privacy is the biggest issue. I think you're right when you talk about the integrity, certainly the availability of that data. But from a regulatory standpoint then, what can be done? Because when I think about the role of HHS in particular, it's hard for me to think of what mechanism within either HHS or CMS to really provide some guidance. Would that be coming out of... And I guess this also goes back to your earlier comment about the vulnerabilities within medical devices. Does this become the purview of FDA then to, particularly when they think about their pathways for software as medical devices, for example, where does the regulatory authority, where does it best fit, I guess? What agency is probably best to craft something or is this something that Congress has to provide more guidance?
Richard Staynings:
Well, the big question is, is Congress the right body in order to provide that guidance? I think perhaps there's a big concern around the multitude of different regulations within the healthcare space. We're subject to multiple regulations, whether it's HIPAA or Joint Commission, JCAHO, or whether it's FDA on medical devices or FTC on wearable medical devices. The list of groups or authorities just goes on and on and on here, and it's a real mish-mash in order to understand that. Then, when you combine federal regulations and industry regulations with state regulations, then you end up needing to employ a whole load of people just to figure out what is your regulatory exposure to X or Y or whatever. And at the same time, the healthcare industry is undergoing its biggest and most dramatic transformation in its entire history. And we've gone from Florence Nightingale, the delivery of palliative care to the sick and the dying, to highly interventionist, highly technologically advanced medical capabilities in a matter of a couple of decades.
If you compare the hospital bed that you were born in to a hospital bed of today, it probably looks nothing like it. There are a multitude of medical devices that surround every patient bed in every hospital today, and those medical devices automate and perform a whole load of medical functions that used to be performed by nurses where we had hundreds and hundreds of nurses in hospitals. And numbers have dropped quite dramatically, particularly since COVID, we're understaffed on nursing staff right way across our system. And we're also at the same time implementing technologies that improve and drive efficiency within our health systems. So, the interconnectivity of disparate health IT systems and the connectivity of a massive level of medical device systems in our healthcare environment that perform all kinds of functions from diagnostics like X-rays, CT scan, ultrasounds to treatment systems like radiotherapy, chemotherapy, infusion pumps, for example, to deliver drugs to patients, embedded infusion pumps so that people can walk around with their particular ailment if they're diabetic, for example, they have an embedded insulin pump, for example. Or pacemakers are another form of the implanted medical device.
We have patient management systems and telemetry systems, O2 saturation, blood pressure cuffs, all of these are automated today, nurse call systems. We have a multitude of different medical systems in our environment before we even get to the newer automation that's coming in. Things like pharmacy robots that select drugs, delivery robots that deliver drugs to wards where there's a Pyxis cabinet for drug dispensing, which a nurse will walk up to, scan a code and a door will pop out with the drugs for a particular patient. These levels of automation are helping to drive efficiency, and they're helping to remove clinical risks from our environment because of automation, and they're also helping to improve patient outcomes. And we look at things like Da Vinci surgical robots, which are now responsible for about 95% of neurosurgeries across the country, and increasingly are being used in other forms of microsurgery where only a robot can perform that level of accuracy.
All these systems are all connected to our networks, and that connectivity is greatly expanding the threat surface for the healthcare delivery environment. And this is one of the biggest challenges that we have in that we don't know what connects to our hospital environment. We have a list, an asset inventory of medical devices, for example. We have spreadsheets of devices and where they're supposed to reside, but those asset inventories are often out of date. They're not real time. They're not updated with patches that have been applied to systems. And this presents a challenge as far as the risks that those devices present to the overall healthcare environment, to the integrity of our health IT and other health IoT systems, for example, or to things like patient safety because patients were often connected at one side to a medical device, which is then connected to the network on the other side.
And that has led to a whole load of scaremongering around assassination by medical device. It's physically possible, but I think that's taking things to extreme levels of fear, uncertainty and doubt in many ways. But it is a risk that we haven't really come to terms with. And medical devices are growing globally at 18% per annum compound. So, this is a growing problem that we haven't really got our fingers around yet.
Charles Rhyee:
It's all been very fascinating. And I guess maybe just to close out here, with all this in mind, and particularly putting maybe an investor lens on this a little bit, as investors obviously need to contemplate cybersecurity now as we look at healthcare investments, what are the top five questions that you think that investors should be asking companies to really assess how secure they are?
Richard Staynings:
I think the first one is really to ascertain the level of cybersecurity maturity within an organization, whether it's investors looking to invest in that company or to acquire that company, there needs to be obviously a level of due diligence around their capabilities. Has that maturity been verified by a [inaudible 00:50:13] third-party assessment? Does the company hold ISO 27001 certification, if that's applicable to their business model? Do they have a SOC 2 Type 2 attestation to show from a third-party auditor that they meet the control objectives of that particular attestation assessment? If they're European, do they meet the new NIS2 standards? Can they provide evidence of passing security audit to local regulations? So, that's really the first area I think I would look at.
I think the second one, which is more of a longer term one, is, does the company have a culture of cybersecurity? And is this actively sponsored by the board of directors or the oversight committee or whatever the constitution of the governing body of the organization is, through the CEO and through all of the officers and directors and managers of the organization right the way down to the nurses who are walking the floors and the janitors who are cleaning the floors? If you've got a culture of cybersecurity and everyone is thinking cybersecurity and understanding cybersecurity at every level of the organization, then you obviously are significantly better prepared for the types of attacks that we're beginning to see. The next question is really one around awareness. Do companies understand what connects to their networks? Do they have an accurate, up-to-date inventory and risk register of all of the devices that connect to networks? Do they have policies for continuous risk assessment to ensure cybersecurity risks and vulnerabilities are discovered quickly so that they can be addressed?
A lot of medical providers in particular will either exempt systems from patching because they're FDA-regulated, or they will defer applying a patch because they haven't placed sufficient emphasis on the speedy release of patches. And perpetrators are recognizing that they have at least a 30-day window between the release of a patch by Microsoft or some other provider and that patch being applied. We need to get a much, much better, much more efficient mechanism for testing and patching systems in an environment. And that's something that any investor needs to be aware of: what is the policy around that speed to patching?
And then I think there's a couple of other areas here. Does the company really invest in cybersecurity capabilities, its people, its processes, its technologies? Does it invest in cybersecurity education, training and awareness for its staff on an ongoing basis? Or does it simply say, "Here's the annual CDT training program, community-based training program, go watch this and try not to die of boredom. And incidentally, it's the same one that we gave you last year and the year before, that you probably already know the answers to off by heart, even if you paid attention one of the times you've seen it previously."? We need multimodal training, education and awareness.
And that comes back to my earlier point around culture. It needs to be embodied within the culture of the organization, that the organization be secure. Does an organization have sufficient tools, things like user behavioral analysis tools to spot when a user account does something that it shouldn't be doing? Does it have systems anomaly detection capabilities to spot when a system does something that it shouldn't be doing? This anomalous behavior is normally an indicator of compromise. If we can recognize an attack early on and thwart that attack, then we can very, very easily and very inexpensively limit the damage compared to leaving it for a couple of weeks where damage will be done.
And then finally, the real question, which is particularly in the healthcare space, is does the company assess the security of its entire supply chain of vendors and suppliers? In healthcare, we have hundreds, if not thousands, of suppliers of services and products and other things that go into making up a hospital, everything from food processing in the cafeteria to stand-up coffee shops around a hospital, through to the procurement of PPE and syringes and medical equipment, to companies that provide either outsourced services to manage our EMR or provide what we call an application service or software as a service even to our hospital. Things like Change Healthcare, for example, would be a classic example as a service provider.
Are we aware of the security of each of those third-party vendors and all of their vendors, their fourth-party and fifth-party vendors that they rely upon? Have we looked at that entire third party risk supply chain right the way through to the bottom of the supply chain? And are we confident that by partnering with that third party, we are not introducing risks to our environment? Do they meet our standards and can they attest to those standards either via certification or attestation, or is it something that we need to go out and audit on an annual basis at our expense? And these are really the questions I would be looking at if I were to invest certainly in a healthcare company. But I think that a lot of those factors are probably applicable in any investment opportunity.
Charles Rhyee:
I'm almost afraid to ask the question, what percent of the healthcare system do you think meets that standard? I'm afraid it'd be a very low number, probably.
Richard Staynings:
It's unfortunately a very low number. And to come back to my earlier point, I think a lot of it depends upon prioritization and resources. A Mayo Clinic is going to be very well-prepared and very well-defended. They've invested millions of dollars in their reputation. They advertise globally around the world, they have invested in cutting edge procedures, and they are operating all kinds of experimental clinical trial systems there that they want to protect and make sure it doesn't show up in a hospital in Shanghai or somewhere else. This is their intellectual property, and they've invested millions in order to make that. They're well-prepared. Compare that to a rural medical center or clinic that is rubbing sticks together to create fire because they can't afford matches. There's a big disparity between one side of the system and the other side of the healthcare system. And I think there is a very real existential threat to the continued existence of rural healthcare and inner city hospital healthcare in this country, because of the huge disparity between the haves in the space and the have-nots in the space.
This presents some life-threatening challenges. If you live in rural Minnesota and your hospital closes down and your next nearest hospital is a two-hour drive away, what do you do when you have a stroke or a heart attack? Do you call a $10,000 air ambulance, which incidentally isn't covered on your health insurance, and go into medical bankruptcy, or do you hope that you'll be okay? You've got 19 minutes to treat a stroke, and if the nearest stroke center is two hours away, even a helicopter ride's not going to save you. You are going to have some level of lasting damage as a result of that. And these are the kinds of choices that we, as a society, need to make moving forward. But I think there's some compensating, some light at the end of the tunnel, and that is really around driving efficiency within the healthcare sector.
We are an incredibly inefficient industry right now. The vast majority of the money or very little of the money that you and I pay or our employers pay that go into our private health insurance or the money we pay in taxes that goes to Medicare and Medicaid and TRICARE for the military actually reaches us as patients. A large amount of it gets sucked up in administration and the payment and profiteering of middlemen that are involved in our health system. And, of course, there's a whole load of corruption around billing and everything else that we see in the press on a fairly regular basis here. So, we need to improve the efficiency of our delivery. We need to clean up our system, and we need to expand accessibility as well. So, a lot of challenges ahead for the healthcare sector.
Charles Rhyee:
It paints a challenged environment, but it does seem like hopefully the highlighting of the Change Healthcare issue and others maybe spurs action here, either both from the healthcare system itself as well as maybe from regulatory bodies, but a lot to digest here. And I think we'll end it here. Richard, really appreciate you joining us today and all your insights. It's a really fascinating topic. It's certainly food for thought for, I think not only, in general, as a citizen, but as an investor too, how to think about investing in companies given the new threat factors that we're facing today that we probably wouldn't have thought about 10, 15 years ago. So, appreciate all your thoughts, and thank you for joining us today.
Richard Staynings:
My pleasure. Thank you for inviting me.
Speaker 1:
Thanks for joining us. Stay tuned for the next episode of TD Cowen Insights.
The views or opinions expressed herein represent the personal views of the writer and do not necessarily reflect the views of TD Securities or its affiliates.
This material is intended to provide commentary on the market for commodities discussed herein.
Not Advice: The information contained in this material is for informational purposes only and is not intended to provide professional, investment or any other type of advice or recommendation, or to create a fiduciary relationship. Neither TD Securities (USA) LLC (“TD Securities USA”) nor any of its affiliates (collectively, “TD”) makes any representation or warranty, express or implied, regarding the accuracy, reliability, completeness, appropriateness or sufficiency for any purpose of any information included in this material. Certain information may have been provided by third-party sources and, while believed to be reliable, has not been independently verified by TD, and its accuracy or completeness cannot be guaranteed. You should not make an investment decision in reliance on this material, which is intended to provide only brief comments on the topics addressed, and is based on information that is likely to change without notice.
Not Securities or Derivatives Research: This material has not been produced, reviewed or approved by TD’s securities or derivatives research departments. The views of the author may differ from others at TD, including TD securities or derivatives research analysts.
Not Independent: The views expressed in this material may not be independent of the interests of TD. TD may engage in conflicting activities, including principal trading before or after posting this material, or other services involving commodities discussed in this material, or related financial products. TD may have a financial interest in the commodities discussed in this material, including, without limitation, a financial product that references such commodities.
Not An Offer or Solicitation: Nothing contained in this material is, or should be construed as, an offer, a solicitation of an offer or an invitation to buy or sell any commodity, or any financial product that references such commodity, and it is not intended for distribution in any jurisdiction where such distribution would be contrary to law.
Risk of Loss. Transactions in commodities, and financial instruments that reference commodities, involve risk of loss, and are subject to the risks of fluctuating prices. You should weigh potential benefits against the risks. Past performance is no indicator of future performance and the Materials are not intended to forecast or predict future events.
Charles Rhyee
Managing Director, Health Care - Health Care Technology Research Analyst, TD Cowen
Charles Rhyee is a managing director and senior research analyst covering the Health Care Technology and Distribution space. Mr. Rhyee has been recognized in polls conducted by The Wall Street Journal and The Financial Times. In 2023, he ranked #3 in Institutional Investor’s 2023 All-America Survey in Health Care Technology and Distribution and was named “Best Up & Coming Analyst” in 2008 and 2009.
Prior to joining TD Cowen in February 2011, he was an executive director covering the Health Care Technology and Distribution sector for Oppenheimer & Co. Mr. Rhyee began his equity research career at Salomon Smith Barney in 1999.
He holds a BA in economics from Columbia University.