In September, Mikael Öhman took the helm of CORL Technologies, a provider of tech-enabled managed services for vendor risk management and compliance, and its sister organization Meditology Services, which provides information risk management, cybersecurity, privacy, and regulatory compliance services for the healthcare industry.
Öhman comes to CORL and Meditology from KMS Healthcare, where he was CEO of the global technology services company. Previously, he was a consultant at McKinsey and Company in Stockholm and Atlanta, managed international operations for Cerner, and led mergers and acquisitions for McKesson’s IT business. In addition to his executive health IT experience, which also includes serving as COO for software, services, and device companies, Öhman co-founded an urgent care business that was sold to Piedmont Urgent Care by Wellstreet.
We recently sat down with Öhman to discuss the current healthcare cybersecurity landscape, what’s on the horizon, and his plans for CORL and Meditology.
EHR: How would you describe the current state of cybersecurity in healthcare?
Öhman: Big, big, big worry. For everybody. Anytime you look at the news, you hear about another health system getting hit with a ransomware attack or a vendor being hacked. That’s why cybersecurity is absolutely a key priority. The bad guys know that healthcare data has tremendous value; you can get rich by holding somebody’s data hostage or selling it.
Healthcare is complex. It requires a highly networked system with many vendors involved at many different points. Data doesn’t just live in one place anymore. While all the data sharing and integration points to move information between on-premises systems and cloud environments are fabulous, they also raise the security threat level by magnitudes. The criminals are going to find the weakest link. When they do, the damage that can be done because of data aggregation is much, much higher. It’s why security is an obvious priority.
Managing and securing healthcare is a much bigger job now than it was 10 years ago when most of your systems were sitting in a data center behind your own four walls. You could see and touch it and feel that you had control. Now, there is a proliferation of cloud-based and SaaS vendors that, if not properly vetted and controlled, can create new exposure points that you may not know even exist. Every provider and payer – anybody using multiple vendors – must be prepared because it’s going to continue to get riskier every single day as new technologies come out.
EHR: What technological advancements and/or healthcare industry trends have created the greatest cybersecurity risks and why?
Öhman: AI tools. While many are necessary and will bring tremendous value, they are also adding to the threat level. The magnitude and complexity of cybersecurity risk has gone up tremendously in tandem with AI advances. Also raising the risk is the growing number of vendor connection points, which go broader than just software. Every medical device nowadays has a Bluetooth connector and is networked in one way or another. Even my scale is connected via Bluetooth to an app that stores my weight. There are three or four steps involved in that exchange and while I doubt anyone is interested in how much I weigh, they could still finagle a way to get to it; it’s data I don’t want them to see.
So, each new connection point is another risk factor and you’re only as strong as your weakest link. I think everyone understands that, but they also need to understand how to manage those exposure points in a way that keeps the exchange secure while still letting you take full advantage of new technologies.
EHR: What is on the cybersecurity horizon?
Öhman: Generative AI, which includes some absolutely amazing tools like ChatGPT. If you’re in charge of cybersecurity in a healthcare setting, you should very quickly start losing sleep over what your employees are doing with something like ChatGPT and all the other AI tools coming out. Is one of your doctors loading ChatGPT up with parts of a patient’s health record and asking for advice and opinions? Look, there are very legitimate uses of that technology, but you have to figure out a way to work with it so data doesn’t land in the wrong hands or so nefarious source code doesn’t wind up embedded in your infrastructure. You need to figure out how to take advantage of these new technologies and you need to stay current or your organization will be left in the dust. But it must be done in a safe and secure way.
The second thing on the horizon is the continued expansion of vendor connections. Sharing data is critical to care delivery, to reducing costs, and to improving the patient experience. That means you have to manage a much bigger network. While it may be something as simple as using a solution that is embedded in a vendor’s system, it may also be as complex as one that comes from a vendor’s vendor, putting the weakest point far removed from your immediate control. How do you manage an exponentially growing set of places where the bad guys can dig in? How do you do it in a way that is scalable and allows you to intervene before there’s a problem?
The other emerging challenge is around consumer influence. As consumers, we now expect to do everything online via chat and other online tools and apps. When we do, it immediately creates millions of exposure points between healthcare organizations and vendors that need to be locked down. This goes back to the whole vendor management component.
It never stops, and it’s going to get even worse with AI’s smart algorithms, which are just an arsenal of weapons for the bad guys, like deepfake voice and video. It learns my voice and my accent, so you think you’re getting a phone call from me, but it’s not me.
These are all massive challenges, but they’re also things that our CORL and Meditology experts are already working on so we can help as the landscape evolves.
EHR: What do healthcare organizations need to prioritize in terms of effective cybersecurity and risk management?
Öhman: Three main things come to mind. First, get really good at the basics – the fundamental “boring” controls that remain at the heart of most cybersecurity incidents. That means things like vulnerability management, identity and access, and configuration management – especially on internet-exposed assets. If you aren’t capable in those areas, not much else matters because it’s like keeping your front door unlocked.
Second, install a risk framework you can actually measure and manage. Whether it’s NIST, ISO, CIS, or something else, pick one that makes sense for your organization and then build a profile of your control environment based on it so you can strategically plan where to invest beyond those table stakes controls I just mentioned. Then do things like routine pen tests and control evidence audits to validate that your control environment is operating as effectively as you think it is.
Third, build a scalable third-party risk management program. More and more, everything in IT and business is becoming a third-party risk. We’re all either running our apps in the cloud or depending on third-party providers or the supply chain to run things in-house. The scale is already overwhelming, and it will only continue to grow. The majority of breaches begin with third parties, so you have to have a scalable strategy for understanding who you’re doing business with, what your inherent risk dependencies are, and how you’re going to mitigate as much risk as possible.
EHR: Where do CORL and Meditology fit when it comes to addressing risks?
Öhman: Meditology can provide roadmaps and guidance, and help put the foundational components in place, like overall strategies and getting through HITRUST certification and SOC 2 validation, and do that in a way that is effective and pragmatic but also thoughtful. We help companies with real-time threat management, penetration testing, and even mergers and acquisitions. If you’re looking to buy a clinic, the financials may check out, but you also want to make sure there are no security holes; we’ll do assessments around that. These are the core elements of what the company has been doing for years and will continue to build upon.
CORL gets to the network problem, where health systems, payer organizations, and other care delivery organizations have thousands and thousands of vendors and exposure points – the weakest links in highest risk areas – to manage over time. Nothing is static, so six months from now you’ll need to re-evaluate things. We can create a structured, methodical approach that lets you understand at any time where your exposure points are and where you’ll have to intervene. Security is also now a core part of Board agendas – what is the biggest exposure point today? Six months or a year from now?
CORL also helps health systems and vendors with security assessments. Vendors in particular must go through hundreds of security assessments a year. Anytime they want to work with a health system, an assessment is required. We do it one time and it can then be used in many different places, alleviating a significant frustration point. We get them through their business processes faster by providing what equates to a collaborative platform for vendors and their customers to verify security status. It makes the whole process a lot smoother than the traditional series of spreadsheets, emails, and phone calls.