An increasing reliance upon healthcare IT and IoT including thousands of medical devices and wearables to deliver health services is changing the balance of risk across the industry
There was a fine balance between health technology services, risk and security before 2020. Some would say that this balance was nothing of the sort and that the entire healthcare life sciences industry has been accepting far too many cybersecurity risks for far too long as exemplified by all the ransomware attacks against hospitals going back 5 or more years. Or the massive theft by a nation-state of Anthem's entire health insurance customer database in 2015. Most pharmaceutical and clinical research organizations have also been targeted by cyber attack and intellectual property theft for at least a decade and most recently by a number of nation-states all in search of data on COVID-19 cures. No matter how you view the evidence, the healthcare industry out-gunned and out-manned has not fared well against a well funded and highly motivated cadre of cyber thieves and extortionists.
Now enter COVID-19 this year and the massive digital transformation forced upon HDOs in order to spin-up telehealth and telemedicine plans to diagnose and treat patients from their homes rather than on-prem, and at the same time support a non-clinical workforce all working remotely from home.
The threat surface more then doubled over night and risks exploded, all at a time that healthcare CEOs were focused upon pandemic disease management, treating COVID patients, and keeping HDOs financially afloat without their lucrative elective procedures - A throw-back and lasting legacy of the "pay per service" model of US healthcare.
With furloughs of IT and in some cases security staff too, in order to stop the hemorrhaging HDOs suddenly became massively at risk of cyber-attack at precisely the worst possible time. Perpetrators quickly recognized their opportunity and the cyber attacks of 2020 bear witness to the perfect storm impacting healthcare today.
With a steady stream of new technologies to support telehealth, and the replacement of nursing staff with medical devices to monitor and manage patients remotely as far as possible, how are hospital security leaders possibly going to protect healthcare IT and IoT systems from attack and keep patients safe?
With limited budgets and security headcount (or the availability of additional security resources), automation and increased use of artificial intelligence is a CISO's only recourse. This was the subject of my panel discussion recently at the Denver AI & Automation Security Forum where I was privileged to moderate a panel of experts in the field including:
- Dr. Benoit Desjardins, M.D., Ph.D, Associate Professor of Radiology and Medicine at the University of Pennsylvania,
- Michael Archuleta, CIO at Mount San Rafael Hospital
- Powell Hamilton, CISO at Centaura Health
- Esmond Kane, CISO at Steward Health
- Joe Searcy, CSO at Elemental Health
Watch the 30 minute video to hear what each of these experts had to say.