Oct 14 2021

Q&A: Gary Gooden on How Healthcare Organizations Can Defend Against Evolving Threats

Cybersecurity attacks are becoming more sophisticated and frequent. In incident response planning, technology and training must come together to protect patient data.

The healthcare industry has experienced a historic increase in the number and severity of cyberattacks over the past two years. Attacks against healthcare organizations rose by 55 percent in 2020 compared with the previous year, according to cloud security firm Bitglass.

Gary Gooden, chief technology and security officer at Seattle Children’s, spoke with HealthTech about the growing threats and how healthcare organizations can mitigate risk through training and technology — key defensive strategies in incident response planning.

HEALTHTECH: Why is healthcare such an attractive target for cybercriminals?

GOODEN: Protected health information is coveted. It’s worth a lot of money on the dark web, even more than the traditional sources of predation such as credit cards, personal information and Social Security numbers. Health information has all of that and is very valuable to bad actors.

HEALTHTECH: What sort of threats are healthcare organizations facing? Can you give some examples?

GOODEN: I would say about 85 percent of all attacks against healthcare organizations are delivered through email as the primary vector. Most of that is some form of ransomware. There are also brute-force attacks and drive-bys, where they stage attacks against the firewalls and external perimeter. For the most part, the primary attack vector is through email.

HEALTHTECH: We often hear that humans are the weakest link in cybersecurity. What is social engineering, and how are criminals using it to breach systems?

GOODEN: You have lures. Humans are curious. Bad actors are creative and always thinking of interesting ways to get credentials from you. They’ll have you click on a link that will take you somewhere you shouldn’t go, or a file that will download something to your endpoint device. It’s all based on human curiosity. Social engineering feeds on that and creates lures that seem attractive or necessary to interact with.

HEALTHTECH: What can healthcare organizations do to assess their risk and identify vulnerabilities?

GOODEN: Every organization is different. The first thing to do is ensure you have the basic blocking and tackling technologies. Do you have firewalls? Do your email systems run through a gateway that filters threats? Are you tracking how data is moving through your system? Are you looking at where data is going in the cloud? Are you looking at where attackers may be coming from? If you have the base components in place, you want to spend your time looking at the security controls that are deficient. You’re essentially looking at fitting in the big rocks and then filling in smaller pebbles in the bucket.

HEALTHTECH: Why is organizational culture such an important component of cybersecurity?

GOODEN: Because of the social engineering component. The lures that are sent in emails, those can go to everybody. It’s not just about senior executives; these lures can go to anyone who has active credentials. There are individuals who, by virtue of bad practices, become an internal threat to themselves. Cybersecurity starts with the end user, and education and awareness are essential. You can have the best technology and penetration testing in place, but staff simply becomes the vector in your attack chain without a security awareness training program.

HEALTHTECH: What sort of cybersecurity do you have in place at Seattle Children’s?

GOODEN: We have next-generation firewalls and methods to look at traffic moving through the environment. We run 24/7 security operations looking for any potential anomalies. We also have managed endpoint technologies that actively look for anomalies on the endpoints and infrastructure, such as potential malware. We manage our email coming in through the corporate email gateways, marking potential threats. We also monitor Internet of Things and medical IoT devices.

In addition, we have a cyber-physical security practice that monitors our physical security control systems. This is in addition to the standard security controls that you should have in your environment. It is a fairly comprehensive suite of technologies and processes that operate 24 hours a day, 365 days a year.

HEALTHTECH: How does a healthcare organization qualify the performance of its cybersecurity efforts?

GOODEN: There are a couple of different ways. You can run annual or biannual penetration testing against your environment and have external audit groups that audit the effectiveness of the security controls. They can report on what they call governance, risk management and compliance, or GRC, to consider the maturity of the security controls and how you score against that. From an operational perspective you can use that set of security controls to run reports on the effectiveness of the program.  

HEALTHTECH: Why is it important for healthcare organizations to continually reassess their risk and evolve?

GOODEN: Advanced persistent threat groups are constantly innovating. They have an organizational structure, operate as for-profit businesses and are constantly evolving. It’s much easier for them to attack than it is for you to defend. We regularly must ensure we are investing in appropriate next-generation technologies, that we are constantly auditing and testing the controls we have in place, and that we know who is actually attacking us. Reinvestment is a constant theme. If you understand who is attacking you, then you can put the controls in place and adapt them over time. Training staff and other personnel and maturing processes are also constant themes. The bad actors only have to get this right once. We have to get it right every single day, 100 percent of the time.
