Cybercriminals around the world continue to target healthcare organizations. It seems like every month a healthcare-related cybersecurity disaster makes the headlines. This month, the Ascension attack forced clinicians in multiple states to revert to paper record-keeping.
During a Wednesday fireside chat with MedCity News at the INVEST conference in Chicago, Cybersecurity and Infrastructure Security Agency (CISA) Deputy Director Nitin Natarajan shared several points people need to understand about the current state of cybersecurity in the healthcare industry. Here are some of them.
Everyone is a target.
As cybercrime activities become increasingly sophisticated around the world, the situation for victims is also changing, Natarajan said.
“There are attacks on K-12 schools in the center. There are attacks on medical facilities. In the past, medical facilities were always protected, even during heavy fighting. We never attacked hospitals, we never attacked tents with red crosses on them. But now we are seeing hospitals being attacked on a regular basis,” he declared.
It's inevitable that health care providers will be attacked by cybercriminals, Natarajan said.
Recognizing this, he noted that providers must work tirelessly to become more resilient so they can recover faster from such attacks in the future. He also encouraged providers to start considering third-party cybersecurity risks as part of their business planning.
Things won't get better overnight.
On Monday, HHS launched a new cybersecurity program that will provide $50 million to develop better cybersecurity defense tools for health care providers. While it would be easy to judge this effort as “too slow,” Natarajan noted that all progress is positive.
“Many people liken cybersecurity to a light switch. One day you flip the switch and you have cybersecurity. I think of it like a collection of about 500 dimmer switches. The daily change of flipping the dimmer switch up brings us closer to where we need to be.”
Cybersecurity requires an all-hands-on-deck approach.
To strengthen their defenses, healthcare organizations should ensure all employees have at least basic cybersecurity training, Natarajan said.
This means training all staff on things like how to properly use two-factor authentication and how to spot phishing emails, he explained. When it comes to cybersecurity, a company is often only as strong as its weakest link.
“It's not just CISOs and CIOs who need to do this; they need to instill a culture of cybersecurity savvy across the workforce,” Natarajan said.
There are free tools that providers should take advantage of.
Money is tight for many health care providers, Natarajan noted, and many don't have the funds to properly invest in cybersecurity measures. But CISA and other federal agencies offer tools that health care providers can implement for free, he said.
“It's not an ideal solution for small hospitals who are trying to figure out how to pay salaries and recruit and retain staff. Opportunities are emerging and we are seeing companies actively offering free versions of their products,” he noted.
“Security by design” is the future.
Natarajan believes companies developing healthcare technology need to move to a “secure by design” approach.
“This means it should be secure by default – you don't have to buy an extra package or turn on security,” he explained. “That means we design our hardware and software to leverage things like memory-safe languages and we build the right security elements into our software.”
Photo: Gabriela Golumbovich, Breaking Media