Steve Cagle, MBA was CEO of Clearwater at the time of this interview. He transitioned to board advisor on September 30.
Tell me about yourself and the company.
Clearwater is a healthcare-focused solutions firm that provides cybersecurity compliance and managed security services to hospitals, health systems, physician practice management groups, digital health, and health IT companies. Really all types of organizations in the healthcare ecosystem. We help those organizations to be more secure, be more compliant, and be more resilient so that they can achieve their missions.
I’ve been CEO of Clearwater since May 2018. My background is in healthcare. I started my career in a software company that provided quality management software to help pharmaceutical companies comply with FDA regulations, such as good manufacturing practices. I then spent some time in the pharma industry in consumer healthcare products, running a business before returning back to technology and compliance here at Clearwater.
How do health systems decide how much effort and money to invest in cybersecurity?
Unfortunately in healthcare, most organizations have been historically underinvested in cybersecurity. However, we have seen over the last five years or so an increased focus, especially following the pandemic, when we saw a wave of ransomware attacks on healthcare organizations. Then we had the Change Healthcare incident a year and a half ago, which affected about 70% of the providers and caused very extensive damage.
As healthcare organizations have continued to adopt new technology, technology has become critical to operating their businesses or providing care to patients. They have realized that cybersecurity is mission critical and requires them to have the appropriate protections in place to reduce risks.
That’s really the key word. It’s about understanding your organization’s risks beyond the high level. A lot of organizations have done high-level risk assessments. They may be helpful as a starting point. But we need to go much deeper in today’s environment, where attack techniques have evolved to become difficult to defend and protect against.
Organizations have had significant impacts from ransomware attacks and breaches. That’s why the Office for Civil Rights of HHS, which enforces HIPAA regulations, has been focused on risk analysis and their risk analysis initiative. Risk analysis in healthcare requires that organizations understand where they have electronic protected health information, where they have those critical systems that support their operations or are connected to those systems with EPHI, and that they evaluate the vulnerabilities and threats, assess the controls that are in place, and determine the level of risk that exists with each system.
By doing that, organizations will be better informed as to where those high risks are. Based on their risk threshold, they can then identify those risks that fall above that threshold and put specific risk remediation or risk management plans in place to address those risks.
That’s a business-focused way of approaching cybersecurity. It’s not checking boxes. It’s not trying to have the best security program in the world. It’s really understanding your risk at a level that is appropriate. Then, taking actions to bring those risks to an acceptable level.
What were the most important lessons learned from the Change Healthcare incident?
Risk analysis. Clearly there’s been a lot of uptick in organizations really understanding, “I need to get to that next level. I’ve been doing the same type of assessment for many years. I’m going to invest more money into doing that risk analysis so that I can have better information about my security program.”
We’re seeing a lot of attention on cybersecurity and risk from the board of directors and the executive teams. From a cultural perspective, there has been a change in healthcare where this has become a priority that organizations need to focus on.
We’ve seen big changes in resiliency, where organizations have plans in place to not only respond to a security incident, but also to contain it and operate under duress through a business continuity plan, having updated disaster recovery plans and testing those to make sure that they are effective.
As we look at all the solutions out there that are based on artificial intelligence, we have new concerns. There was a big rush to implement a lot of these new technologies that are based on AI. Unfortunately, many organizations did not take the time to establish policies and procedures about how they will use them and to assess the risks around these technologies.
It is still risk analysis, but it’s a different set of risks and a different set of controls. We are seeing a lot of interest from our clients in helping them to establish governance around artificial intelligence, cybersecurity, and privacy, or to assess their risks of those programs and to help make sure that they are implementing these technologies in a responsible way.
The mainstream press loves headlines about the devastating impact to patients of a local provider that has gone down from a cyberattack. How much do we not hear about providers who are successful in preventing that kind of attack?
That’s a very important point that you’re making. We hear about the bad news, but we don’t hear about the good things that are happening.
We’ve done over 650 NIST Cybersecurity Framework assessments for our clients over the last 10 years. We track and trend maturity levels over time. We see that the industry is becoming more mature. We track over time the organizations that adopt the NIST Cybersecurity Framework, which is a commonly accepted and used framework in healthcare, and we see that they are improving above the bar of the rest of the industry. There’s really good data that we can point to that demonstrates that we are making progress.
The challenge is that the bar keeps getting higher. You have more vulnerabilities, more threat actors. Threat actors have been very successful in obtaining ransomware payments from healthcare. They pay more often than any other industry. When it’s easier to attack a certain sector that is more willing to pay and pay more, that’s going to attract more threat actors.
You don’t hear about organizations that are being responsible. They are assessing risks, maturing their security programs, and not having those attacks. Or if they do have a security incident, they are able to address it quickly and with minimal impact. They have network segmentation and other types of controls in place that make it difficult for threat actors to exfiltrate the data or to do damage.
We will continue to see that maturity improve over time. But we have to realize that unless we stop developing and implementing new technologies and increasing the attack surface, it’s not going to stand still. The bar is always going to become higher.
How often do providers pay a ransom, and if they do, what is a typical outcome?
Fewer providers are paying than in the past. A few years ago, it was 67% of the time, and that number has gone down probably closer to 50%.
You really can’t trust criminals. A lot of them will try to uphold their end of the bargain because they want people to continue paying, but that’s not always the case.
There’s also double extortion. You get the encryption keys to unlock your systems. Maybe some of these organizations have good backups in place and are willing to take the downtime that it takes to restore those systems, which could take days or weeks, or longer. In some cases, those encryption keys do not work. They’ve done so much damage that it doesn’t really help them.
Then the second extortion is to get the data back. Often the data will end up somewhere else in the future. Paying the ransom doesn’t give you any guarantees. You’re really taking your chances. That’s why you are seeing fewer organizations making that payment.
How do organizations allocate their spending across prevention, detection, and rapid recovery?
We always recommend starting with a baseline set of controls and adopting industry standard best practices. We can point to the NIST Cybersecurity Framework. We can also point to the 405(d) health industry cybersecurity practices. Those are both recognized security practices in healthcare based on an amendment to the HITECH Act in January 2021.
The 405(d) HICP is a great place to start because it is provided in different volumes for small, medium, and large organizations. It was developed through collaboration with over 600 firms in healthcare — providers, vendors, and the government. It’s a practical way of setting up those baseline controls.
Once you’ve picked a framework and standard, you go back to how much more you need beyond that. That comes down to the other requirements that you have. Do you have compliance requirements that you need to meet? Maybe even ones outside of HIPAA. Do you have clients, partners, or payers that require you to meet certain security standards, maybe a SOC 2 audit or HITRUST certification? What’s your risk profile? What kind of risk as an organization are you willing to accept?
Then you do that risk analysis to see where you have gaps between your current level of risk and what’s acceptable. Using all that information, we create a target profile. It’s a long-term roadmap of where we want to focus. That will help determine where to make those additional investments. We know the minimum requirements for standards and practices, but going beyond that, what is the organization’s specific situation?
What is the value of health systems communicating regularly with their boards about cybersecurity, and what metrics are most useful for board members to understand the situation?
We speak to a lot more boards now than we did maybe five years ago. It’s pretty frequent. One of the key functions of a board is risk management. If the board is being informed of the other types of risks across the organization, cybersecurity has become an important area of risk, and one that they need to be informed about.
Typical things that we will talk to boards about are trends, particularly across the sector, and the higher-level concerns or risks that they need to think about.
The board should be putting the governance in place. What higher-level policies do we want to have as an organization? What is the level of risk we are willing to accept?
Sometimes, but not as much any more, we see risk tolerance levels being set more at the operating level, the IT department. The IT department is not the risk owner. If a security incident renders a hospital in a position where it can’t see patients, that’s a board-level issue. That’s all the way up to the board. So the board needs to decide how much risk we are willing to take. How many resources are we willing to apply? And then put the management team to work with the mandate and the support to implement a program that will ensure that the organization is in line with those policies and is on a path to meet that risk threshold.
We have to keep in mind that risk changes over time. Just because we are below our risk threshold today doesn’t mean that tomorrow we’re not. We do M&A, acquire a new part of the business, or partner with somebody else, which brings new third-party risk, and the threat landscape changes. It’s constantly changing, so the board needs to make sure that that risk management program is prioritized and resourced, and then get information to know that it’s actually being executed appropriately.
What changes do you expect to see in HHS OCR’s enforcement of HIPAA and security?
The Office for Civil Rights has been focused a lot this year on its risk analysis initiative, where it’s making sure that organizations are prioritizing that risk analysis that I spoke about earlier. The notice of proposed rulemaking was released at the beginning of the year. Part of that rule contains updates to the risk analysis requirement that reflect its current enforcement actions and guidance.
A lot of other requirements are more specific and are required under the rule. I don’t think that rule in its current form will necessarily be the one that is eventually published. I do think, however, there will be an update to the rule or at least some additional standards that organizations will need to meet. The HIPAA security rule was last updated in 2013. The world has changed a lot since that time.
Most of the industry is looking for something specific we can point to, not overwhelming, but addressable. Ideally with some support and help from the government, especially for those smaller organizations or rural health organizations that don’t have the resources or the money to improve the programs the way that they would like.
What does the company’s strategy look like over the next 3-4 years?
Our strategy is to be a market leader in healthcare cybersecurity and compliance. To do that, we need to have a full set of capabilities that are relevant to healthcare organizations. Not just today, but over the next several years. Our strategy is to continue to ensure that we can provide those services to our clients in a way that helps them reduce costs, become more efficient, and focus more on their mission, whether it’s treating patients or driving their business. Being a partner and extension of the organization to help them address cybersecurity compliance.
We are excited about our growth at Clearwater. We are grateful to have dedicated professionals in the organization, as well as a growing list of clients that we collaborate closely with. We are dedicated to this industry and looking forward to continuing to serve this industry and help make a difference in healthcare.
We are thrilled to announce a growth investment from Sunstone Partners, which is a private equity firm that focuses on tech-enabled services with a particular focus in cybersecurity and healthcare. That makes them a great partner for Clearwater going forward. We are excited to have a great partner that can help us better serve our clients. We will be investing in more technology, as well as continuing to scale the organization.