Thursday, June 4, 2026

ViVE Q&A: What can healthcare organizations do to defend against ransomware attacks?


This interview is part of a series powered by HLTH to highlight key insights and perspectives from leading executives speaking at VIVE.

The inherent challenge in making healthcare data more accessible to more agencies is that it also makes this information more vulnerable to attack if not properly secured, whether through the adoption of a clear set of agency protocols, cybersecurity techniques, effective staff training, or all of these and more. Ransomware attacks accounted for nearly 50% of all healthcare data breaches in 2020, according to the Department of Health and Human Services Cybersecurity Program.

Lauren Boas Hayes

Cybersecurity will be an important topic at the ViVE conference, held by HLTH and CHIME March 6-9 at the Miami Convention Center in Miami Beach. One of the speakers scheduled to speak on the topic is Lauren Boas Hayes, Senior Consultant for Technology and Innovation with the Cybersecurity and Infrastructure Security Agency (CISA). In response to email questions, Hayes discusses some of the work her organization is doing to address cybersecurity threats to U.S. healthcare.


Note: This interview has been lightly edited.

How does your organization work with hospitals and other healthcare organizations on cybersecurity?

CISA is committed to providing healthcare organizations with the tools they need to protect themselves from all types of cyber incidents, especially destructive attacks like ransomware. We work with the Department of Health and Human Services (HHS), the industry risk management agency. The resources and tools we provide include the StopRansomware.gov website, containing our guidelines on preventing and responding to ransomware attacks; CISA’s Cyber Health Services, a free service that helps organizations improve their own cybersecurity posture; and the Cyber Security Assessment Tool (CSET), a standalone tool for assessing your own readiness and refining your cybersecurity plan.

What are the biggest misconceptions about ransomware and cybercrime in healthcare?

Perhaps the biggest misconception is that ransomware cannot be prevented or protected against. Organizations can take critical and concrete steps to strengthen their defenses against ransomware to avoid becoming a “low-hanging fruit” for the bad guys. As part of our ongoing mission to reduce cybersecurity risk, CISA has compiled a checklist, Free Internet Security Tools and Services, to help organizations further enhance their security capabilities. This living repository includes services provided by CISA, widely used open source tools, and free tools and services provided by private and public sector organizations throughout the cybersecurity community. Also, if you do get compromised, there are steps you can take to minimize the impact and recover quickly. These are listed in the CISA Ransomware Guide at StopRansomware.gov.

According to data in the HHS Cybersecurity Program report, there were 239.4 million cyberattack attempts in 2020, while 560 healthcare organizations were affected by ransomware attacks. Why is the healthcare industry facing so many attacks?

Over the past year, we’ve seen a massive uptick in ransomware — affecting our homes, schools, and hospitals, as well as other critical infrastructure partners and operators. The rise in attacks on hospitals is a classic example of “targeting the rich, cyber-poor”. Cybercriminals see the pandemic as an opportunity to take advantage of overburdened healthcare organizations that they believe don’t have the knowledge or resources to respond without paying. Additionally, healthcare organizations often run more vulnerable systems than other industries. The reason given is usually that the critical technology cannot be patched offline. While organizations may feel the operational pressure to keep devices running at all times, this puts vulnerable systems at greater risk of compromise.

In October 2020, CISA, FBI and HHS sent out a warning regarding the high level of cybercriminal attacks on healthcare providers and public health agencies, and recommended key defense mechanisms for these organizations. However, these ransomware attacks raise a bigger problem: Any computer or device connected to the Internet is at risk of a ransomware attack — and that means all of us.

Do you see any patterns in these attacks?

What we see is that most attack vectors are repetitive and can be handled by avoiding what we call bad practice. These three things are basically guaranteed to get an organization compromised, and we’ve posted them as our road signs for people to avoid doing it:

  • Running unsupported software
  • Using weak passwords
  • Using single-factor authentication with remote access tools

Do you see the problem getting worse?

Ransomware is an epidemic wreaking havoc on businesses across the country, and if this business model works, it will continue. However, we are seeing more and more organizations take steps to better protect themselves, and our law enforcement partners are increasingly disrupting the networks of the criminals behind these attacks.

What are healthcare organizations doing to keep themselves, their patients, and patient data safe?

Organizations are patching their systems in a timely manner and getting rid of unsupported software in their environments. They are signing up for our Cyber Health Service and following the advice they receive to mitigate vulnerabilities in their public-facing infrastructure. They are upgrading to more sophisticated means of identity control and access management. The battle against ransomware doesn’t start the day you get hit with ransomware. Long before then, every company and organization must take proactive steps to harden their systems, develop security plans and back up their systems.

How effective are these measures in preventing software attacks, and how many protocols are implemented by healthcare organizations?

Cybersecurity is more than just processes and technologies. It’s also about people. Everything depends on your organization’s cybersecurity program. All organizations must avoid bad practices and all organizations must implement key technologies and controls that meet minimum expectations to protect your business, and most importantly, your patients. The security technology ecosystem is constantly evolving, and there are always new and innovative technologies that can be implemented to enhance your organization’s security. However, technology is only effective when implemented, maintained and operated well, and these three components require a well-trained and agile workforce. Investing in your employees is a critical component of any successful safety program.

How do you see the healthcare industry changing or evolving to better protect against these attacks in the long term?

Partnerships are CISA’s superpowers — our ability to share information broadly about threats and vulnerabilities is critical to our ability to prevent other victims from being attacked. CISA works with the entire federal government and brings a “government-owned” approach to the work we do to protect the nation. But we know that national cyber defense does have to be a national approach. We want the healthcare industry to consider a “safety first” mentality when investing in new technologies, putting safety first. We also want to see stronger partnerships between the healthcare sector and CISA and our sister agencies (FBI, USSS, and HHS), and we want to provide the right guidance, tools, and services to help the healthcare industry protect against various forms of attack. Ransomware is today’s challenge – tomorrow, there will be another.

Photo: Traffic Analyzer, Getty Images


