The New Reality of Securing Healthcare


Securing healthcare has never been either easy or straightforward given the patient safety dynamic of the industry, but after nearly two years of dealing with the global COVID pandemic, that challenge is now a whole lot harder.

COVID-19 caused a massive and immediate pivot across healthcare as patient consults were forced to go online via telehealth and telemedicine. At the same time, non-clinical healthcare workers were sent away from hospitals to work from home. Combined, this resulted in a significantly changed threat surface that cyber perpetrators were quick to exploit with a succession of ransomware and other extortion attacks, and that nation-state sponsored actors exploited to steal COVID clinical research and vaccine drug formulations.

Since the pandemic there has been a 600% increase in cyber attacks against healthcare entities, and many have been knocked off-line for multiple weeks while trying to recover from an attack. This has resulted in some critical healthcare services not being available to some areas of the country at a very critical time in public health safety. It has also been a very unwelcome distraction to those caring for COVID-infected patients and others with non-COVID related diseases seeking treatment.

Despite evidence to the contrary in the latest Healthcare Innovation Survey, many significant healthcare cyberattacks go unreported or are down-played by CEOs wishing to minimize reputational and financial damage to the organizations they are in charge of. Many are paid based upon the value of stock or other financial KPIs, so this is hardly surprising, and it's likely that many providers have yet to discover that they have been, were, or are still being attacked, given the stealthy nature of APT attacks.

Join Hussein Syed, CISO at RWJBarnabas Health, Mark Hagland, Editor-in-Chief at Healthcare Innovation, and Richard Staynings, Chief Security Strategist at Cylera, as three veterans of healthcare security discuss the new reality of securing this industry and keeping patients safe.



Securing Healthcare in a Post-Covid World

Plainly, COVID has changed the paradigm of global healthcare delivery. The industry was forced to pivot quickly to a new and alarming reality and make changes that were necessary but largely unplanned. The pandemic brought about the greatest change to healthcare technology and working practices ever seen outside of war.

COVID forced us to quickly provide new forms of remote delivery of healthcare services to our patients via telehealth, telemedicine and other remotely delivered services. It forced non-clinical healthcare staff out of dangerous hospitals to their homes where they could work remotely. But all these changes greatly altered the risk posture of healthcare providers and expanded the threat surface exposed to likely attacks.

While diligent security teams have been reassessing risk and security, and slowly implementing new controls to protect against new threats and vulnerabilities, there is still a concern about what might have been missed.

Despite new controls, what do we need to consider to make sure that these COVID changes have not exposed our HIT / HIoT systems to elevated risks or more importantly, our patients to new safety concerns?

Cybersecurity has been a secondary consideration for hospital CEOs and their boards for decades, punctuated only by minor inconvenient changes to regulations like HIPAA, Joint Commission and HITECH. But the reality is that the healthcare industry is now the target of attack by cyber criminals looking to monetize stolen PHI, PII and research IP, or to hold providers of health services to ransom.

Plainly, this places consumers of health services at increased risk of patient morbidity and mortality. Patient safety and cybersecurity are now the same thing, interchangeable terms to describe risks to providers and consumers of health services. Yet the reality has not fully sunk in for many. There is a higher chance of you as a patient (and we are all patients at some point in our lives) being negatively impacted by a cyberattack than at any time before. It's no longer a question of convenience; cyber attacks are a question of patient safety.

Listen to the following 38-minute Fireside Chat with Janette Wider, Managing Editor of Healthcare Innovation, as Richard and Janette explore the new reality of securing healthcare in a post-pandemic world.

Securing Patient Data, Ensuring Privacy, and Building Trust

With thousands of new medical devices and healthcare applications being designed and developed each year, it's no wonder that hospitals have such a hard time securing them against cyber attack.

With new innovative technologies that improve patient care and clinical outcomes there are many costs and concerns. Integration with other HIT and HIoT systems to accomplish true interoperability becomes increasingly difficult with legacy undocumented systems.

There are also sometimes risks that need to be considered, particularly in today's environment of near-constant cyber attack against healthcare providers and other critical infrastructure industries. Often these attacks are launched by powerful and well-equipped belligerent nation states and organised crime syndicates that operate with apparent impunity from behind the iron curtain.

If only new HIT and HIoT systems were designed with security from the outset, perhaps securing these technologies would be less difficult. This was the basis of discussion at a recent MedHealth Matchmaking Mixer where HIT / HIoT innovators and manufacturers came together with technology and security experts in the health IT space.

Follow the discussion in the video below:




The Challenge of Securing Healthcare

What are the biggest challenges facing healthcare security leaders today and how do leaders navigate the almost insurmountable obstacles placed in their way? 

How can we overcome a long list of clinical, financial, operational, and technology risks to secure patient safety and ensure greater operational resiliency for healthcare services?

Join me for an in-depth panel discussion on the challenges and opportunities that healthcare cybersecurity leaders are presented with today.

Speakers:

  • Esmond Kane, CISO Steward Health Care
  • Richard Staynings, Chief Security Strategist, Cylera and Teaching Professor, University of Denver University College
  • Michael Katz, Security Sales Specialist, Infoblox
  • Moderated by Janette Wider, Managing Editor, Healthcare Innovation

Panel hosted by Healthcare Innovation as part of the NorthEast Health IT Summit and Cybersecurity Forum.



The cybersecurity of our medical health devices

Left to right: Richard Staynings, Chief Security Strategist, Cylera; Jonathan Bagnall, Ph.D., Cybersecurity Global Market Leader, Philips; Andrew Pearce, Senior Digital Health Strategist, HIMSS Analytics (Moderator)

Healthcare is plainly a target of cyber criminal and offensive nation-state actors. Not a week goes by without at least one hospital or clinic somewhere being targeted by cyber extortionists or thieves. When COVID started to spread outside of China, university health systems, pharmaceutical companies, and biomedical labs were the target of state cyber actors, out to steal research and formulations into treatment programs, new drugs or vaccines.

Since the world partially shut down, hospitals and clinics have been the target of organized crime syndicates, plying their ransomware tools and other forms of extortion against overwhelmed and under-protected healthcare providers. This is as true for providers in Asia Pacific as it is in the Americas or Europe.

Healthcare was forced to pivot very quickly to remote services like telehealth and telemedicine for patient services, while non-clinical staff quickly found themselves working from home or on furlough, as hospitals scrambled to figure out how they were going to pay their bills without the usual elective surgeries and other revenue-generating activities that form the basis of a typical independent health provider's business model.

New technologies, in many cases rapidly implemented without the usual security assessments and testing, exposed a highly distracted industry to risks. Risks that perpetrators quickly took advantage of.

This is what we are beginning to describe as the 'Attackers Arbitrage'.

Read the Healthcare IT News article for more on this subject.

Watch the linked on-demand video of the subsequent panel discussion between Jonathan Bagnall, Cybersecurity Global Market Leader with Philips Healthcare; Richard Staynings, Chief Security Strategist with Cylera; and Andrew Pearce, Senior Digital Health Strategist, HIMSS Analytics.