Health Technology: How has the cyber security landscape for health care evolved in recent years?
Natarajan: We see cyber security developing in two ways. We are seeing a change in adversaries, who were traditionally large nation-state actors or large cybercriminal organizations, and we are seeing a lot more actors across the landscape. There are now cybercriminal and cyberterrorist organizations of all sizes.
We are also seeing an evolution in threats such as ransomware as a service, which allows anyone to become a potential adversary. You had to recruit a team and get expertise. Now all you need is money and someone you don’t like, and you can create your own cyberattacks against a new victim group.
The second area of growth is the victim base. It used to be a belief that cyber criminals only target large corporations and large governments. If I’m a small rural hospital or a small rural school district, I don’t have to worry about nation-state actors coming after me. But we are seeing that this is no longer true. We are seeing victims across the country, big and small, public and private, rural and urban. Anyone can be a potential victim of this new threat from adversaries.
This combination of an increase in the frequency, volume and sophistication of attacks by a growing adversary base, along with a growing base of potential victims, is truly changing the landscape of healthcare and beyond.
There was also a perception for a long time that healthcare was exempt. Even if you go back to traditional warfare and conflict, you never bomb a hospital. But we are seeing that hospitals are no longer exempt. We are seeing cyber terrorists, cyber criminals and nation-state actors going after and impacting healthcare facilities.
It is not just about revenue and financial gain. At the end of the day, a cyber attack against a hospital becomes an issue of patient safety, and its impact is felt and echoed in the communities it serves. Even in urban areas where there are too many healthcare providers or too many hospitals, the effects of the loss of any one institution for any period of time are still felt. Those forces – the growth of an adversary and victim base over the past several years – will continue to grow in the years to come. This is what worries me the most.
Health Technology: Are there certain factors that make health care particularly vulnerable to these types of attacks?
Natarajan: I’m really excited about the progress in healthcare. We’re looking at where healthcare is going to go over the next three, five, seven years and it’s amazing. But with that also comes an expanded attack surface. The convenience of being able to connect to the Internet brings an additional vulnerability. When we look at healthcare, there was an increase in technology adoption at the start of the pandemic. The growth in telemedicine and telehealth capabilities appeared almost overnight. It’s not going away and, arguably, it will continue to grow and evolve over time.
This is going to make it more complicated for the healthcare sector, not only based on the volume, scope and growth of challenges that we have seen over the past few years from COVID-19, but also based on what we expect to see in the coming years. The fact that those effects can be felt so close to the bedside is really worrying.
Health Technology: What types of strategies or technologies can healthcare organizations deploy to improve their cyber security posture and reduce risk from these cyber attacks?
Natarajan: There are a few things. We still ask people to return to the basics: strong passwords and multifactor authentication. Those capabilities, as well as regularly updating and patching the software, are of the utmost importance.
Another approach we focus on is the secure-by-design, secure-by-default model for technology products. How are we protected by design? How do we insist that manufacturers are indeed using things like memory-safe languages and looking into vulnerability disclosure programs and other measures to make sure what we’re buying is safe? How do we make sure that, as consumers, we’re pushing that to our vendors and they’re really being asked those tough questions?
Then, how do we as consumers make sure that what we are buying is secure by default? How do we make sure that, out of the box, it has a certain level of security built in and that we won’t have to pay extra for a secure model versus an insecure model?
Finally, within our institutions and healthcare, how can we move this discussion away from CISOs and CIOs and really extend it to CEOs and boards? Over the years, we have often expected the CISO or CIO to handle the security of the entire enterprise. Often, when they’re talking with the CEO and the board about cybersecurity challenges and vulnerabilities, it doesn’t make sense – it’s a foreign language. How can we shift that conversation from simply asking the CISO to accept risk, change the landscape, and protect the organization, and instead extend that conversation to the CEO and the board? How do we really instill a sense of corporate cyber responsibility among those who are accepting the risk?
For me, it’s a three-legged stool. We spend a lot of time on risk identification and risk mitigation. We forget the third step of that stool, which is risk acceptance, and risk acceptance is really with the CEO and the board. How do we make sure they understand the risk they are accepting at the end of the day? We always accept some risk. We’ll never redo everything, but making sure risk acceptance is well informed at the highest levels of the organization is really what we need to get there.
Health Technology: How can healthcare organizations strengthen their safety culture and ensure that safety is on everyone’s mind?
Natarajan: It’s about getting everyone involved. It’s about moving it from an IT solution to an organizational solution and making sure that not only are the CEO and the board aware, but, frankly, everybody is aware. This includes each physician, each employee in the facility who supports clinical care, and the downstream supply chain. You also have to make sure that you are not introducing new vulnerabilities.
I mean, we know that some hospitals rely on on-time delivery and a lot of third-party vendors, sources and contracts. How do you make sure that the people you’re working with are protected and that, clearly, they’re practicing the level of cyber security that you expect of them? You also need to be sure that you’re asking them the questions they’re asking, that you’re choosing products and vendors that have a specific focus on cyber security, and that you’re using cyber security to guide your decision making.
It really does take everyone. People joke about who would click on a phishing link, but people will click on anything. Computers are very prevalent and available in healthcare these days, and many people still think they can get a million dollars through email. So, we have to address that trend and make sure that people are thinking with a cyber security mindset in every role throughout the organization. We shouldn’t just expect our CISOs and our IT and cyber security teams to solve this for the organization. Everyone has a role to play and everyone has to play their part.