Sponsored Post

ViVE Q&A: What can healthcare organizations do to repel ransomware attacks?

Cybersecurity will be an important part of the conversation at the ViVE conference by HLTH and CHIME, March 6-9 in Miami Beach. An interview with a senior adviser from the Cybersecurity and Infrastructure Security Agency highlights how payers, providers and health tech companies can better protect patient data.

This interview is part of a series powered by HLTH and CHIME to highlight key insights and perspectives from leading executives speaking at ViVE.

The inherent challenge of making healthcare data more accessible to more institutions is that it can also make this information more vulnerable without the right protection, whether that’s in the form of a clear set of institutional protocols, cybersecurity technology, effective staff training or all of the above. Ransomware attacks accounted for nearly 50% of all healthcare data breaches in 2020, according to a report from the Department of Health and Human Services Cybersecurity Program.

Lauren Boas Hayes

Cybersecurity will be an important topic at the ViVE conference by HLTH and CHIME scheduled for March 6-9 at the Miami Convention Center in Miami Beach. One of the speakers scheduled to present on this topic is Lauren Boas Hayes, a senior advisor for Technology and Innovation with the Cybersecurity and Infrastructure Security Agency (CISA). In response to emailed questions, Hayes discussed some of the work her organization is doing to address cybersecurity threats to healthcare in the U.S.


Note: This interview has been lightly edited.

How does your organization work with hospitals and other healthcare organizations in cybersecurity?

CISA works to provide healthcare organizations with the tools they need to protect themselves against all types of cyber incidents, especially disruptive attacks like ransomware. We partner with the sector risk management agency, the Department of Health and Human Services (HHS). The resources and tools we provide include the StopRansomware.gov website, which houses our guidance on preventing and responding to ransomware attacks; CISA’s cyber hygiene services, which are no-cost services that help organizations improve their own cybersecurity posture; and the Cyber Security Evaluation Tool (CSET), which is a standalone tool for assessing your own readiness and maturing your cybersecurity programs.

What are some of the biggest misconceptions about ransomware and cybercrime in healthcare?

The biggest misconception might be that ransomware can’t be prevented or defended against. There are critical and concrete steps organizations can take to harden their defenses against ransomware to avoid being “low hanging fruit” for the bad guys. As part of our continuing mission to reduce cybersecurity risk, CISA has compiled a list of free cybersecurity tools and services to help organizations further advance their security capabilities. This living repository includes services provided by CISA, widely used open-source tools, and free tools and services offered by private and public sector organizations across the cybersecurity community. Additionally, there are steps you can take if you do become compromised to minimize the impact and recover quickly. These are all outlined in CISA’s Ransomware Guide on StopRansomware.gov.

In 2020, according to data from an HHS Cybersecurity Program report, there were 239.4 million cyberattacks attempted, while 560 healthcare organizations were affected by ransomware attacks. Why is the healthcare industry facing so many attacks?

Over this past year, we’ve seen a massive uptick in ransomware — impacting our families, our schools, and our hospitals, among other critical infrastructure partners and operators. The rise in attacks on hospitals is a classic example of “target rich, cyber poor.” Cyber criminals saw the pandemic as an opportunity to exploit burdened healthcare organizations, who they viewed as having insufficient knowledge or resources to respond without payment. Additionally, healthcare organizations often operate systems with more vulnerabilities than is common in other industries. The rationale given is often that key technologies cannot be taken offline for patching. While organizations may feel operational pressure to keep devices always running, this leaves the vulnerable systems at greater risk of compromise.

In October 2020, CISA, FBI, and HHS issued an alert about cybercriminals’ heightened targeting of healthcare providers and public health agencies and recommended key defense mechanisms for the organizations. These ransomware attacks, however, raise a larger point: any internet-connected computer or device is at risk of a ransomware attack – meaning all of us.

Do you see any patterns in these attacks?

What we’ve seen is that most of the attack vectors are repeated and can be dealt with by avoiding what we’ve called Bad Practices. These are three things that are basically guaranteed to get an organization compromised that we’ve published as our signposts to get people to avoid doing them:

  • Running unsupported software
  • Using weak passwords
  • Using single-factor authentication with remote access tools

Do you see the problem getting worse?

Ransomware is an epidemic wreaking havoc on businesses across the country, and if the business model works, it will continue. However, we see more and more organizations taking steps to better defend themselves, and our partners in law enforcement are doing more and more to disrupt the networks of the criminal actors behind these attacks.

What are some measures healthcare organizations are taking to protect themselves, their patients, and the security of their patients’ data?

Organizations are patching their systems in a timely fashion and getting rid of unsupported software in their environment. They are signing up for our Cyber Hygiene services and following the recommendations they receive to mitigate vulnerabilities in their public-facing infrastructure. And they are upgrading to more sophisticated means of identity control and access management. The battle against ransomware doesn’t start the day you get hit by ransomware. It starts long before that with the proactive measures every company and organization must take to harden their systems, get security plans in place and back up their systems.

How much is the effectiveness of these measures to guard against attacks down to the software and how much is down to protocols implemented by healthcare organizations?

Cybersecurity is not just about process and technology. It’s also about people. Everything comes down to your cybersecurity program at your organization. There are bad practices which all organizations must avoid and critical technologies and controls which all organizations must implement to meet the minimum expectation for securing your enterprise to protect your business and, most importantly, your patients. The security technology ecosystem is constantly evolving and there are always new and innovative technologies which can be implemented to enhance your organization’s security. However, technology is only as effective as it is well implemented, maintained, and operated, and those three components require a highly trained and agile workforce. Investing in your people is a critical component of any successful security program.

How do you see the healthcare industry changing or evolving to better guard against these attacks in the long-term?

Partnerships are CISA’s superpower – our ability to share information broadly about threats and vulnerabilities is central to our ability to prevent other victims from getting attacked. CISA partners across the entire federal government and brings an All of Government approach to the work we do to secure the nation. But we know that national cyber defense really must be an All of Nation approach. We hope the healthcare industry will consider a “security first” mentality to think about security first when investing in new technologies. We also hope to see stronger partnerships between the healthcare sector and CISA, as well as our sister agencies — FBI, USSS and HHS — and we want to deliver the right guidance, tools, and services to help the healthcare industry protect against all forms of attack. Ransomware is today’s challenge – tomorrow, there will be another.

Photo: traffic_analyzer, Getty Images