Aaron Weismann joined Main Line Health as CISO in the summer of 2020 at the height of the pandemic, and the organization faced an enormous challenge. “Everything was distributed, everyone went home, and everyone had telemedicine everywhere,” Weismann says.
Meanwhile, cyberattackers were stepping up their game, with ransomware gangs even deliberately targeting healthcare organizations. “It was an exciting situation to be in,” he says. “We were able to take a hard look at our security infrastructure.”
Main Line Health has more than 14,000 employees in total, four acute-care hospitals, one rehab hospital, a treatment center, five large ambulatory locations for outpatients and 140 clinics – plus IT and medical-related IoT devices numbering in the “low six figures.”
The organization’s leaders were supportive about reinvigorating cybersecurity at Main Line Health, Weismann says. “My leadership team is very security-forward,” he says. “I’m very lucky in that respect – I’ve never wanted for staff and budget, though we’ve kept it reasonable and measured.”
After Weismann came on board, there were a lot of changes that had to be made. For example, the health organization had hardware-based endpoint detection and response on its networks. “That’s not going to work if we have a distributed perimeter,” he says.
Traditional cybersecurity systems “were great if you were on prem – not great if you were working from home,” he says. “So, we replaced everything with cloud-based services.” Even the printers and fax machines have cloud-based management consoles.
“The thing about the cloud, if you have cloud-optimized workflows and appropriate security, is that it’s a better position to be in generally,” he says. For example, if ransomware shuts down local servers, healthcare professionals can still access patient records and other critical systems.
The only major on-prem systems still left are imaging systems that have very robust storage requirements. “We’re able to provide storage at scale more cheaply on prem,” he says. “It’s one of the few non-cloud-optimized workflows.”
Of course, there are still security measures in place to protect local networks, Weismann says, but the main focus now is on what’s outside. “At any given time, we have a few thousand endpoints in the greater Philadelphia building that are not within our building,” he says.
As part of its cybersecurity transformation, Main Line Health had to bring in a whole new set of cybersecurity vendors. Netskope’s SASE platform now provides zero-trust access for remote staff as well as on-prem protection, says Weismann. Endpoint detection and response is now all in the cloud, via CrowdStrike. And device management is now handled by Armis Centrix, he says, which also runs completely in the cloud.
The only major vendor left in place that was there before COVID is Splunk (now owned by Cisco). “But we weren’t using it to its fullest abilities,” Weismann says. “We needed to double down and invest heavily in the skillset, which we did, and it’s been fantastic.”
Cybersecurity as an enabler
Too often, cybersecurity has been seen as a cost center and an obstacle to productivity and innovation. But that’s not how Weismann sees cybersecurity. “We’ve done a ton of work over the past few years to become enablers,” he says.
Take, for example, device management. The previous asset management system was ineffective, and there was no way to identify unpatched, outdated, or underused devices. There was also a lack of visibility into what IT or medical IoT devices were being used and gaps in security coverage.
The new system, from Armis, not only brought everything together into one secure cloud-based platform, but the improved visibility helped in other areas as well. For example, the platform shows how devices are being used, says Weismann. “We can see that this place has heavy use, and this place has light use – and maybe we can reroute patients,” he says.
And it enabled the organization to identify wasted resources. “With biomedical devices, we want to make sure we’re at full utilization,” he says. “We don’t want devices to sit in closets.”
When patients move between hospitals, sometimes devices move with them. The new platform makes sure that those devices don’t get lost in the process.
Armis has also helped the hospital identify legacy devices that don’t have modern security. “We have been able to drive key investments in replacing those devices for more modern and secure devices,” he says. “That’s not to say they’re all gone, but those that do remain we try to cordon off from a network perspective so they’re almost insurmountably difficult to access from the Internet.”
And having good cybersecurity in place makes it possible for the hospital to envision new health care delivery options – such as delivering hospital-level care directly to patient homes.
Planning for hospitals at home
People don’t want to be hospitalized, and sick people are no exception. But the longer they put off getting the help they need, the sicker they get – and the worse the outcomes.
“We want to get to the patients before they go to the hospital,” Weismann says. Some health care organizations are already doing this, he says.
This new approach to health care delivery got a boost in 2020, during the pandemic, when Medicare suspended requirements to provide nursing services at hospital facilities and allowed them to be delivered at patient homes. That meant hospital-quality inpatient-level care for acute conditions, without having to go to the hospital. In 2023, the waiver was extended through the end of 2024. As of this April, 320 hospitals were approved to participate in the program, treating over 11,000 patients. (This is different from ongoing at-home care for chronic conditions, such as diabetes or Alzheimer’s.)
According to the American Hospital Association, hospital-at-home patients had lower mortality rates, fewer returns to the hospital and spent less time in nursing facilities. Medical care also cost between 19% and 30% less when patients stayed home.
McKinsey estimates that up to $265 billion worth of Medicare and Medicaid treatment could take place at home by 2025. That’s a quarter of all Medicare and Medicaid spending.
For example, University of Michigan Health offers hospital care at home for congestive heart failure, COVID, and other illnesses, with trained nurses and clinicians visiting patients in their homes to give medicines and provide medical care. In addition, there are daily video visits with physicians, continual monitoring of vital signs, coordination with testing, therapy, social work, and meal service providers, and 24-hour access to a virtual care team.
UMass Memorial Medical Center offers a similar set of services, which, the hospital says, is covered by insurance the same as a hospital stay would be and qualifies as acute inpatient hospital care.
Both of these health systems offer the hospital-at-home option only to patients with a limited set of medical conditions that have low complication rates; they monitor vital signs 24 hours a day and send care to the patient’s home immediately when necessary.
This is all possible because of connected medical devices that can operate remotely but be managed centrally, says Weismann. Previously, patients would use their own equipment, he says, like Fitbits or continuous positive airway pressure machines for sleep apnea. Or the equipment would be sent home with a patient then brought back to the hospital for data collection, such as Holter monitors, which provide at-home cardiac monitoring.
No hospital-owned device that Main Line Health sends out with patients currently connects to the Internet on its own, says Weismann. But biomedical device manufacturers have been getting smarter about designing devices that connect, and do so in a secure way, he says, so it’s now possible to deliver hospital-level services remotely.
Main Line Health is currently planning its own hospital-at-home services, Weismann says, but there isn’t a firm date set.
Security that works for employees
The one thing he would have done differently, Weismann says, would have been to get more end users involved in the cybersecurity transformation from the beginning. “It’s one thing to share a plan and share a roadmap,” he says. “But you really need to identify what the practical impacts are going to be.”
Take, for example, device time-outs. Random people shouldn’t be able to come up to a computer once a nurse or doctor steps away and get access to sensitive health care information, so Main Line Health lowered the time-out setting.
Typing in a password is normally just a minor inconvenience. But in the hospital setting, people log in 60 times a day, for 20 to 30 seconds per session. If they had to log in 80 times instead, that’s a major hit. “All the little things that they do during the day that aren’t about caring for patients add up, and drive doctors crazy. Security adds to that.”
So, the security teams worked with the clinical operations staff to identify areas where the security was getting in the way. “We had to be conscious of that and understand the actual impact,” he says. To solve the password-typing problem, for example, Main Line Health expanded its footprint of tokenized authentication.
Now, employees just need to tap their badges to unlock the computer. “It’s a very popular solution,” says Weismann. The lesson, he says, is to have more robust conversations at the onset.
Source: Network World