5 min read
I was sitting with a cup of coffee (this is Seattle, after all), warming my hands, having just come out of the drizzle (this is Seattle, after all), talking to a friend about my recent webinar with Mike Hamilton with Healthcare InfoSecurity, where we covered 2020 strategies and tactics for cybersecurity in healthcare using the lessons learned from the past and present.
“Sounds like you’re doing Dicken’s 'Christmas Carol' – only for cybersecurity.”
Never being one to waste a good analogy, I did get some help from the “ghosts” of cybersecurity past and present to come up with seven priorities I believe healthcare organizations need to make for a more secure future in 2020.
You don’t have to spend a lot of time on HHS’s Breach Portal, fondly known as the 'Wall of Shame', to see the kind of challenges we’ve faced over the past couple of years in healthcare.
When healthcare’s not being sucker-punched via phishing and ransomware, we’re distracted by alarms, projects, and investigations. And then one stumble in IT operations discipline causes us to accidentally expose PHI data – a self-inflicted breach – via misconfigured servers or lost/unencrypted equipment.
Oh, and our third-party partners will, from time-to-time, also let us down.
The “Ghost of Christmas Past” solution? Building a castle guarded by strong protective controls, with our network, systems, and PHI data secure inside, while keeping the cyber problems outside the walls. It was a great approach, for a while.
Over the past 18 months or so, a lot of us have begun to rethink the “Fortress” security strategy. As a CIO friend says, “We think about cybersecurity as a picket fence. We can make the pickets higher, and move them closer together, but in the end, we wind up with more fence to paint and maintain, while never really keeping determined bad-actors out.”
Our security life has drastically changed in the past few years. Starting with the day in 2016 that Hollywood Hospital went down from a ransomware attack, through the admission last week by Hackensack Meridian that they’d paid hackers to release their systems, we’ve become a juicy target.
The pressure on security professionals to “never-ever-ever let that happen to us” is stressful enough. Couple that with today’s relentless IT Operations pressure demanding you “never-ever-ever let the network or applications go off-line” since they’re critical to modern healthcare delivery. You’re carrying more responsibility than ever before.
Even the most heroic among us struggle to make it all work.
And that struggle – just one mistake – is all the bad-guys need to sneak into your network, lurk around for weeks (or even months, according to some of the OIG/HHS reports), find the data-crown-jewels, then slip back out between the pickets without being detected. For many orgs, the first time they know they’ve been hacked is when the FBI calls.
Even worse, the majority of your front-line defenders end-users. And they’re busy doing things other than cybersecurity. Train them all you want, but their real focus is on seeing patients, filing claims, buying supplies, and a bunch of other stuff that’s driving better care to patients and families.
What to do? The time has come for a strategic transition in our approach to cybersecurity. Sure, the fortress approach to security with associated protective controls is table-stakes. But it’s time to shift our thinking from keeping bad-actors out, to finding them quickly if they get inside the network. You want to quickly end their visit, and thoroughly remediate any damage done.
As my colleague Mike Simon likes to say, "You have to see the criminal to catch the criminal," we absolutely have a path to a better 2020. Here are seven practical ideas about where to focus, and how to improve:
With increasing regulatory requirements, medical devices, user training, and limited staff and/or budget, most IT leaders in healthcare have more to do than there are hours in the day. Critical Security’s MDR is built for HIPAA-regulated environments. Our Critical Insight team of experts use advanced threat technology to watch clinic and hospital networks around the clock. If they confirm a security event, we help remove the threat in minutes, without unnecessarily exposing personal health information. Our team of threat hunters have been known to stop security events within a few hours of starting Critical Insight's MDR services. If you’d like to learn more, I’m a quick phone call or LinkedIn message away.