Showing posts with label Healthcare Innovation. Show all posts

The Challenge of Securing Healthcare

What are the biggest challenges facing healthcare security leaders today and how do leaders navigate the almost insurmountable obstacles placed in their way? 

How can we overcome a long list of clinical, financial, operational, and technology risks to secure patient safety and ensure greater operational resiliency for healthcare services?

Join me for an in-depth panel discussion on the challenges and opportunities that healthcare cybersecurity leaders are presented with today.

Speakers:

  • Esmond Kane, CISO, Steward Health Care
  • Richard Staynings, Chief Security Strategist, Cylera and Teaching Professor, University of Denver University College
  • Michael Katz, Security Sales Specialist, Infoblox
  • Moderated by Janette Wilder, Managing Editor, Healthcare Innovation

Panel hosted by Healthcare Innovation as part of the NorthEast Health IT Summit and Cybersecurity Forum.



Beverly Hills Healthcare Security Forum

California Healthcare Cybersecurity Forum in Beverly Hills. Photo: Pat Lambert.

An esteemed panel of biomedical and security leaders discussed "The Biomedical Elephant in the Room" at the California Healthcare Cybersecurity Forum today in Beverly Hills.

Healthcare IoT (HIoT) now extends from one side of healthcare delivery to the other, and today that includes an increasing number of medical devices, robots, health automation systems and building management systems, none of which hospitals can easily do without.

Most of these connected devices, however, are not traditionally managed by IT. Many don't appear in any asset management database, most are not patched against vulnerabilities regularly (if ever), and the vast majority are highly vulnerable to cyber-attack and extortion. Very few have effective compensating security controls like micro-segmentation to prevent the patient, rather than just the device attached to them, from becoming the subject of the attack.

A large number of networked and implantable medical devices pose a significant patient safety risk if not secured and could cause patient harm or even fatalities.
Dick Cheney, former Vice President of the United States, had the wireless interface to his own pacemaker disabled because of fears that he might be hacked or assassinated by a political opponent or foreign government via manipulation of the cardiac defibrillator keeping him alive. This scenario was the basis of an episode in the TV series Homeland, in which the Vice President of the United States was hacked and killed.


Edited: Homeland, Se2Ep10

The panel, which discussed what can be done to mitigate security risks and protect patient safety, comprised the following experts:

  • Chad Wilson, CISO at Stanford Children's Health
  • Dr. Benoit Desjardins, MD, Ph.D., Associate Professor of Radiology at Penn Medicine
  • Harb Singh, Security Program Manager at Cedars-Sinai Medical Center
  • Richard Staynings, Chief Security Strategist at Cylera, and panel moderator


For those who missed this highly informative and educational session, Richard will be moderating a similar panel in Boston at the Healthcare Innovation Healthcare Cybersecurity Forum on Oct 4th.


Rocky Mountain Health IT Summit

Richard Staynings and Michael Archuleta address the Rocky Mountain Health IT Summit today.



Thanks to everyone who attended our presentation today at the Healthcare Informatics Rocky Mountain Health IT Summit in Denver, where Mike Archuleta, CIO of Mt San Rafael Hospital, and I greatly enjoyed sharing our thoughts and advice on how to secure Healthcare IT and IoT.

Unfortunately, today we live in an era of escalating cyber threats from bad actors and nefarious nation states intent on the disruption of our business and personal lives. Regrettably, this also includes life-sustaining healthcare technologies. If this weren't enough, the healthcare industry is also in the process of transforming to a near-complete reliance upon information technology and internet of medical things (IoMT) technologies. In fact, Healthcare IoT (HIoT) devices are growing at 20% per annum according to some sources, which means the problem is getting bigger and bigger each and every day! This includes a proliferation of medical devices, pharmacy and surgical robots, AI-augmented labs and diagnostic systems, and network-connected hospital building management systems like elevators and HVAC systems, without which the modern-day hospital cannot function for long. This provides hackers with a very large attack surface in which to exploit a weakness or vulnerability and establish a beachhead for more nefarious purposes - perhaps the theft of medical records and personal identities, or to ransom hospital data or patients.

Effective cybersecurity has always been about the combination of people, process and technology, and that still holds true today. However, the perpetrators of cyber-crime are hell-bent on exploiting every weakness regardless of the patient safety consequences of their actions. As cyber defenders we need to employ the best processes, skilled security resources, and best technologies in the defense of our diagnostic and clinical systems. It also means that old, out-of-date and end-of-life systems should be replaced, while all other systems are updated regularly with security patches, especially if your hospital still runs some version of Windows. The costs of upgrading may appear to be prohibitively expensive, but the reputational and financial costs of a breach or ransom attack could be life threatening - for the business and its patients!

56% of Health Providers Still Rely on Legacy Windows 7 Systems

As a first step, hospital CEOs and their boards need to gain an accurate understanding of their risks, and that means a full inventory of all of their IT, HIoT and data assets - something most smaller hospitals have little to no idea about. Remediation of identified risks then needs to be prioritized in order to reduce overall enterprise risk and the threat to patient safety. That will require discipline, established and documented processes, and quality resources, whether people or tools or a combination thereof. Above all, it requires effective cybersecurity governance sponsored at the highest levels of the board and reinforced all the way throughout the organization. Sadly, too many hospital CEOs and their boards have yet to take this step.

Fortunately, however, many small facilities and critical access hospitals have prioritized security and are already reaping the benefits of their early investment in IT and cybersecurity. This allows them to offer more profitable and cost-efficient services to patients via, among other services, secure online portals, telehealth and telemedicine, proving that security does not need to be advanced rocket science, just the combination of good people, process and technology to add value to a business.

For anyone interested, our deck can be downloaded here. Please feel free to leverage our content for your own CEO and Board presentation.