Emerging Technologies Transform VA Cybersecurity Approach

Technology has changed patient care for the millions of veterans the Department of Veterans Affairs medical facilities serves. The volume of data that these tools and devices collect has naturally increased the cybersecurity attack surface that the VA is responsible for defending.

Amber Pearson is the deputy CISO and the executive director of information security policy and strategy at VA. In her role, Pearson oversees the agency’s cybersecurity strategy, building resilience and compliance from ransomware and phishing attacks on our nation’s veterans. Person discussed VA’s approach to emerging tech, the agency’s risk management framework and keeping cybersecurity strong for veterans.

How is VA using emerging technology to advance cyber priorities?  

Pearson: You see more telehealth, telemedicine, remote patient monitoring and internet of medical things — IoMT. All those things have transformed how we deliver health care.

These advancements also pose new security risks and very specific vulnerabilities. When you think about the sheer volume of data that’s generated by personal and home health care devices, those actually changed the attack surface. The more data we have, the more interconnected it is.

For example, if you’re using a telehealth app, this could potentially pose some risks about how that data is shared. There’s risk in an adversary or malicious actor intercepting that connection or stealing that data. That’s where interconnectivity of these devices creates additional entry points for potential cyberattacks. It increases the complexity and how we actually maintain security.

We’ve adopted the concept of secure by design, and these principles are employed in initial stages of technology development. We make sure that adherence to security standards is critical, so that the benefits of those new innovations, those additional attack surfaces that we’re creating and those innovation technologies are not overshadowed by potential risks to patient health and data security.

One of the main risks is the attack surface. That direct feed from that medical device to a larger health record system introduces new capabilities and new pathways for malicious actors to be able to actually intercept the data and also the connected device. In essence, it provides a potential entry point for access to that sensitive information and overall disrupt health care operations.

We’ve seen in recent years an uptick in ransomware attacks in the overall health care community. Ransomware attacks are designed to lock down those systems and IT assets with the goal of extorting payments or disrupting the health care service altogether. One of the most recent cyber resiliency analyses on hospitals showed 80% of cyberattacks leverage identity-based attacks to compromise those credentials. When we think about multi-factor authentication, VA is really increasing the rigor around access controls, and we adopt that zero-trust mentality. We want to make sure that we’re able to deliver world class care for our veterans, their families and caregivers.

What are some of the challenges in building out such an extensive cybersecurity network for the VA? 

Pearson: One of the complexities is around the communications path, ensuring that the security of the data is transmitted between those medical devices and the systems. We want to make sure that there’s data protection when its both in transit and at rest. Increasing our rigor around access control measures is very critical for us, and that complicates the diverse nature of medical devices.

When we think about health care delivery and patient care, we want to make sure that that uptime is in the systems as available. With the need for that real-time data exchange, it puts that pressure on security on health care IT systems. Together with industry, we’re coming together to make sure that we’re introducing some risk-based approaches, and how we protect those data and also making sure that we can keep up the updates and the maintenance and not impact patient care.

How do you ensure the workforce maintains their cyber hygiene?

Pearson: When you think about the innovations that are happening across the health care industry, your security posture is only as strong as your weakest link. We want to make sure that we have the appropriate security controls in place to protect those devices. We’ve worked closely with the Cybersecurity and Infrastructure Security Agency (CISA), the Food and Drug Administration (FDA) and others, to making sure that industry is taking a different approach and ensuring that we’re able to procure devices that have security built in at the beginning. If you’re constantly trying to get after security after the fact, it’s always more costly and complex.

We are really shifting toward the procurement side of the house and how we buy our products. Shifting that mindset overall to all of our manufacturers, making sure that they understand that, and we equate patient care and delivery with security. We want to make sure that we’re putting those appropriate contracts in place and ensuring that vendors understand the security requirements and how to deploy those into our products before we procure them. Making sure that those vendors are meeting those security standards is key.

How important is partnering with industry for VA’s cybersecurity?  

Pearson: One of the biggest things that we’re working with the FDA right now is improved identity credential and access management (ICAM) procedures. When we talk about zero trust, one of the main areas is increasing rigor around access controls. Multi-factor authentication can sometimes be very difficult to actually put in place for some medical devices. When we look at devices, we want to make sure we’re concentrating on the ability to make sure that we’re enabling a unified end user experience, but also restricting access based on specific roles.

How is VA looking to tackle cybersecurity as technology evolves?

Pearson: Since veteran patient data is complex, complicated by the fact that health care is a prime target for threat actors, our veterans are often targeted for fraud and scams. A recent Federal Trade Commission report showed that veterans reported about $300 million in losses to fraud. Our focus is to make sure that we’re presenting potential vulnerabilities at the scale of VA operations; we encompass over 2,000 locations with tens of thousands of systems and devices, which add an additional layer of complexity.

We look at deploying, securing and monitoring our assets constantly. We’re always looking at opportunities for continuous improvement when it comes to our information security programs. The sheer volume of the data generated, stored and transmitted by VA medical devices on a daily basis requires thoughtful architecture and processes, including FISMA-related risk management frameworks. The infrastructure needs to be able to quickly adapt and effectively scale.

While we see ourselves balancing needs between resiliency, with security and the commitment to delivering that world class health care experience that our veterans so desperately need, we want to make sure that we are communicating and also socializing some of those complexities and partnering with other agencies to show that VA is dedicated and motivated by that work because it allows us to serve our veterans differently.