LAS VEGAS – There’s no question that COVID-19 has thrust the healthcare industry into a “new normal.”
Although many of the innovations in the pandemic era have been for the better, leaders at the opening panel of the HIMSS21 Healthcare Cybersecurity Forum on Monday noted that they have also exposed the sector to a variety of cyber threats.
As the hacks get more sophisticated, said panelists during the session moderated by Healthcare IT News Executive Editor Mike Miliard, it’s important to remember that cybersecurity is a team effort – and that cyber professionals aren’t miracle workers.
“Walk on water, stand upside down – you name it, the chief information security officer is supposed to do it,” quipped Sri Bharadwaj, vice president of digital innovation and applications at Franciscan Alliance.
Despite the ceasefire that hackers reportedly declared at the beginning of the pandemic, those on the ground saw nothing of the sort. In fact, Adam Zoller, chief information security officer at Providence, said he saw attacks increase.
“From the vendor’s perspective,” agreed Leon Lerman, cofounder and chief executive officer at the cybersecurity platform Cynerio, healthcare is “low-hanging fruit.”
In particular, panelists said that clinical devices remain a gap in a health system's defenses: too often they are not being updated or patched by their vendors.
“The clinical device space continues to be a soft spot in the industry at large,” said Zoller. In his view, real-time inventory and patch management are two main priorities for addressing device security.
“Make sure you have a conversation with the vendors to understand what they’re doing,” added Bharadwaj. “If you don’t have that dialogue, you’re more vulnerable.”
“Third-party risk is probably your greatest risk area,” agreed Zoller. “You’re inheriting their cyber risk into the network. Their risk becomes your risk.”
That third-party concern extends to telehealth, which patients continue to seek out amid the ongoing pandemic.
“Devices travel out to the field,” noted Zoller. “Those devices are your network perimeter, so you need to push your defenses out to your devices.”
Given that paradigm, he said, it’s important to get back to basics.
“Instead of focusing on whiz-bang tech of the future,” he advised, focus on things like patching and multifactor authentication.
In other words, people should be “doubling down on the basic cybersecurity practices that your organization should be doing already.”
Bharadwaj predicted that by 2050 patients will only go to the hospital if they need surgery. For everything else, they’ll rely on remote technology, so security needs to be ingrained into the framework of care.
“A lot of things are reactive” at this point, said Lerman. “Getting proactive will be the most beneficial thing.”
Of course, technology can only go so far. After all, as Lerman noted, many security threats depend on a human factor. Getting staff – and decision-makers – on board with best practices is key as well.
One way to make the case for cybersecurity, the panelists said, is to frame it as a patient-safety issue as well as a dollars-and-cents issue. Having to take a network down or delay care in response to a cyberattack has a tremendous potential impact.
Insurance can help, but it only goes so far, and insurers are increasingly asking organizations what they did to protect their networks in the first place.
“Cyber insurance will take care of the money, but it won’t take care of the patient safety issue,” said Lerman.
Speaking of dollars and cents, whether to pay a ransom remains an open question. The FBI and other agencies have advised health systems not to do so. But as Zoller noted, that can be easier said than done.
“If people’s lives are on the line, how do you measure the value of human life?” he asked.
Looking ahead, panelists emphasized the importance of continued investment in cybersecurity research and development.
Health organizations should ask: “How do you invest in R&D yourselves? How do you invest in talent, and how do you evaluate attacks, and research those attacks yourselves, and test out against your own network?”
After all, they noted, the bad actors are doing the same thing on the other side.
“When a ransom is paid, [an attacker] is buying more tools so he can get more sophisticated,” said Bharadwaj. “We’re paying the money for them to do R&D. … Their only job is to attack.”