Aug 12 2021

HIMSS21: ‘Anticipate the Threat’ to Enhance Healthcare Cybersecurity

Healthcare’s approach to cybersecurity is not just about new technologies but also the need for a major cultural shift, HIMSS21 experts share.

Though cybersecurity is a major concern across all industries, healthcare is an especially vulnerable landscape during the ongoing pandemic.

Hospitals are doing the essential work of caring for people, and a cyberattack that halts operations would very much be a life-or-death situation. Healthcare organizations also handle vast amounts of sensitive patient data. Medical records are particularly attractive to malicious actors because their resale value is 50 times higher than that of the next most valuable record type, stolen credit cards.

With healthcare under threat from ransomware and high-level federal officials urging the public and private sectors to shore up defenses against such attacks, it’s no wonder that HIMSS21 has been tackling cybersecurity issues during its annual conference, which is taking place both online and onsite in Las Vegas.

In digital sessions, cybersecurity experts and officials from healthcare organizations shared their insights on adapting during the pandemic, improving communication and partnerships, and responding to ransomware attacks.

How Healthcare Pivoted During the Pandemic

“The biggest issue that we all had to deal with was just the element of surprise,” said Kathy Hughes, vice president and CISO of Northwell Health in New York. “How do we continue to operate in this world? How do we continue to be productive? How do we communicate with each other more effectively, because you can’t just walk down the hall now and speak to people? And how do we collaborate?”

Hughes and Stephen Dunkle, CISO of Pennsylvania-based Geisinger Health, came together for a digital session on securing the hybrid health system. They discussed their experiences during the start of the pandemic.

Hughes said there was heightened pressure, especially with healthcare frequently targeted in cyberattacks. Fortunately, her department had already planned for remote work before the pandemic, in preparation for weather-related emergencies, such as staff being unable to come into the office during a snowstorm or hurricane and needing to work from home.

So, when the pandemic hit, it was a matter of increasing capacity and communicating and extending that model to other areas of the organization, she said. Hughes called the process “pretty much seamless,” and although there were some adjustments with using Microsoft Teams and handling phone calls remotely, staff members felt largely positive about the move.

The speakers during the “Securing the Hybrid Health System” session at HIMSS21 Digital.

For other departments, especially for clinical work, Hughes said there is always space to learn and grow, especially in improving virtual care services.

“There’s more productivity and a better, more efficient use of time that comes out of being able to do things virtually,” Hughes said, and Northwell employees, clinicians and patients should all be able to benefit from that as the system’s capabilities expand.

At Geisinger, Dunkle said there is now better listening and communication across the organization. For example, the business side always engages the security team.

“Our organization came together in an astonishing way. My department, the information security side of the organization, was definitely engaged. We were part of the team, and for once we didn’t have things like politics, which happen in all organizations, so we got into a can-do mode as an organization,” Dunkle said.

So, how should healthcare systems prepare for tomorrow’s crisis?

“Write it down,” Hughes said, emphasizing the need to create a living document of all actions taken during the pandemic so they can be reviewed and practiced regularly.

Dunkle advised planning ahead. “Anticipate the threat. Work hard on threat intel,” he said. “You win in this game by being ahead of the curve as much as you can.”

Strong Partnerships Within Healthcare Systems

In another digital session, LifeBridge Health Senior Vice President and CIO Tressa Springmann and CISO Richard Miller spoke about their experiences at the Maryland-based healthcare organization.

Miller is the first CISO at LifeBridge, and Springmann discussed how that role came to be. She had been at LifeBridge for 10 years, and the organization had grown considerably in that time.

“Security was someone else’s job, someone else’s interest. HIPAA came about, you had a chief security officer named, but in fact rarely was that someone whose whole mission and purpose was coming to the organization every day thinking about that forefront and foremost,” Springmann said.

As LifeBridge grew, she said, it became apparent that security needed its own focus, so the organization brought on a dedicated CISO in early 2019.

Speakers during “CIO & CISO Spotlight: How to Build a Solid Working Relationship.”

Springmann said Miller has gotten the team focused on addressing risks as LifeBridge expanded and as the cybersecurity landscape grew more complex.

“It’s a team sport, first of all, and as a leader, I need to create a healthy environment for healthy debate. Rick can’t be constrained in fully articulating his concerns,” Springmann said. “A lot of the things that we need to achieve to make our IT infrastructure and organization safer aren’t things that can be enabled out of the office of the CISO.”

When he arrived, Miller said, there had already been a significant shift to focus on cybersecurity, including a completed third-party cybersecurity risk assessment. That served as a roadmap for him to strategize and address LifeBridge’s security deficiencies.

Miller stressed the importance of bringing people together and creating an environment of understanding for all stakeholders. When LifeBridge needed to improve its two-factor authentication, for example, educating people about the security risk helped immensely with the adoption process, he said.

Staying Resilient Against Cyberthreats to Healthcare

During a panel discussion, Adm. Michael S. Rogers, former National Security Agency director and former head of U.S. Cyber Command, answered a question on whether healthcare organizations should pay a ransom during an attack.

“I always say let’s step back. The first thing I say is, ‘What does the law say?’ There’s no broad legal prohibition in the U.S. for companies to pay a ransom, with one noticeable exception: It is illegal in the United States for a company to pay a ransom to a group, an individual, a nation-state or an entity that has been sanctioned either by the United States, the United Nations or any other broad internationally recognized effort,” he said.

It’s important for lawyers to be involved, he added, and the conversation about whether a health system should pay should be separate from the conversation about whether to communicate with the malicious actors to buy more time to respond or to gain insight into the attack’s effect on the organization. Although his preference is not to pay, Rogers acknowledged that it could be the only choice, especially when it’s a matter of life or death.

He said healthcare organizations need to plan ahead for a ransomware crisis and develop their own decision-making criteria, noting that a blanket “don’t pay” solution won’t apply to every situation.

Cybersecurity expert Alex Stamos, the former CISO at Yahoo and former chief security officer at Facebook, said that although paying a ransom may make sense in the moment, he thinks ransom payments should be outlawed, since it’s the best way to disrupt the economics for the attackers.

So, how can healthcare organizations prepare for a cyberattack? Stamos said they need to plan for a security incident and build a culture so that a breach is not a career-ending moment but rather the moment when the security team shines.

Rogers similarly emphasized changing the culture around cybersecurity and doing more than just “throwing money on the problem” by investing in new technologies. Organizations should start with the basics, such as understanding their own network structure or endpoint topography.

“It’s about resilience, resilience, resilience, driven by a risk-based approach,” Rogers said. “You can’t do everything, so it’s about focusing on your resilience.”
