Q&A: CISA’s Nitin Natarajan on Strengthening Cybersecurity in Healthcare

The Cybersecurity and Infrastructure Security Agency’s deputy director explains how healthcare organizations can improve their security posture amid a rapidly evolving security landscape.


In the first half of 2023, more than 41 million people were reportedly impacted by data breaches at healthcare organizations, according to the U.S. Department of Health and Human Services’ Office for Civil Rights breach portal.

The number of breaches reported was 319, down from 337 in the first half of 2022. While fewer breaches have been reported year over year, healthcare organizations of all sizes are still at risk as launching cyberattacks becomes easier.

HealthTech spoke with Cybersecurity and Infrastructure Security Agency Deputy Director Nitin Natarajan during HIMSS23 about how the cybersecurity landscape is changing for healthcare, how organizations can better protect themselves, and how security assessments can help them improve their security posture.


HEALTHTECH: How has the cybersecurity landscape for healthcare evolved in recent years?

NATARAJAN: We’re seeing cybersecurity evolve in two ways. We’re seeing changes to the adversaries, which were traditionally large nation-state actors or large cybercriminal organizations, and we’re seeing a lot more actors in the landscape. There are now cybercriminals and cyberterrorist organizations of all sizes.

We’re also seeing an evolution in threats like Ransomware as a Service, which allows anybody to be a potential adversary. You used to have to recruit a team and have the expertise. Now you just need money and somebody you don’t like, and you can create your own cyberattacks against a new victim set.

Where we’re seeing the other part of the evolution is in the victim space. It used to be a perception that cybercriminals only targeted large corporations and large governments. If I’m a small rural hospital or a small rural school district, I didn’t have to worry about a nation-state adversary coming after me. But we’re seeing that’s no longer true. We’re seeing victims across the nation that are large and small, public and private, rural and urban. Anybody can be a potential victim of this new threat of adversaries.

This combination of the increase in frequency, volume and sophistication of attacks by a growing adversary base, with a growing base of potential victims, really is changing the landscape in healthcare and beyond.

There was also a perception for a long time that healthcare was exempt. Even if you go back to traditional war and conflict, you never bomb a hospital. But we’re seeing hospitals are not exempt anymore. We’re seeing cyberterrorists, cybercriminals and nation-state actors going after healthcare facilities and having an impact.

It’s not just about revenue and financial gain. At the end of the day, a cyberattack against a hospital becomes a patient safety issue, and so that impact is felt and reverberates throughout those communities. Even in urban areas where there are a lot of healthcare providers or a lot more hospitals, the impact of the loss of any one institution for any period is still felt. Those forces — the evolution of the adversary and victim base over the past several years — will continue to evolve in the years to come. That’s what has me most concerned.


HEALTHTECH: Are there certain factors that make healthcare especially vulnerable to these types of attacks?

NATARAJAN: I’m really excited about the advancements in healthcare. We look at where healthcare is going to go in the next three, five, seven years, and it’s just amazing. But with that comes an expanded attack surface. The convenience of connecting to the internet brings an additional vulnerability. When we look at healthcare, there was a surge of technology adoption at the beginning of the pandemic. An increase in telemedicine and telehealth capabilities appeared almost overnight. That’s not going away and, arguably, it’s going to continue to increase and evolve over time.

That’s going to make it more complex for the healthcare sector, not just based on the volume, scope and growth of challenges that we have seen in the past couple of years from COVID-19, but also from what we will see in the years to come. The fact that those impacts can be felt at the bedside truly is concerning.

HEALTHTECH: What types of strategies or technologies can healthcare organizations deploy to improve their cybersecurity posture and mitigate risk from these cyberattacks?

NATARAJAN: There are a few things. We still ask folks to revert to the basics: having strong passwords and multifactor authentication. Those capabilities, as well as updating and patching software regularly, are critically important.

Another avenue that we focus on is the Secure by Design, Secure by Default model for technology products. How do we secure by design? How do we insist that manufacturers are truly using things like memory-safe languages and looking at vulnerability disclosure programs and other measures to ensure that what we are purchasing is secure? How do we make sure that, as consumers, we are insisting on that from our vendors and that they are really being asked those tough questions?

Then, how do we ensure as consumers that what we’re purchasing and what we’re buying is secure by default? How do we ensure that, right out of the box, it has a certain level of security built into it and that we don’t have to necessarily pay extra for a secure model versus an unsecure model?

Finally, within our institutions and healthcare, how do we take this discussion away from CISOs and CIOs and really elevate them to CEOs and boards? For years, all too often we’ve expected the CISO or the CIO to protect the entire enterprise. Often, when they’re speaking about cybersecurity challenges and vulnerabilities with CEOs and boards, it’s just not understood — it’s a foreign language. How do we change that dialogue from asking CISOs to just accept the risk, change the landscape and protect the organization to, instead, elevate that conversation to CEOs and boards? How do we really instill a sense of corporate cyber responsibility among those who are accepting the risk?

To me, it’s a three-legged stool. We spend a lot of time on risk identification and risk mitigation. We forget the third leg of that stool, which is risk acceptance, and that risk acceptance truly is with CEOs and boards. How do we make sure that they understand the risk that they’re accepting at the end of the day? We always accept some risk. We’ll never mitigate everything, but making sure that risk acceptance is as well-informed as it can be at the highest levels of the organization is really where we need to get to.


HEALTHTECH: How else can healthcare organizations strengthen their security culture and ensure that everyone has security in mind?

NATARAJAN: It’s about getting everybody involved. It’s about taking this from being an IT solution to an organizational solution and ensuring that not just the CEOs and the boards are aware, but, frankly, that everyone is aware. That includes every clinician, every employee in that facility who supports clinical care and the downstream supply chain. You also need to ensure you’re not introducing new vulnerabilities.

I mean, we know some hospitals are dependent on just-in-time delivery and a number of third-party vendors, sources and contracts. How do you make sure that everybody you’re dealing with is secure and that they’re, frankly, practicing the level of cybersecurity that you want them to? You also need to ensure that you’re asking them those questions, that you’re choosing products and vendors that have a strong cybersecurity focus, and that you are using cybersecurity to help guide your decision-making.

It truly does take everybody. People joke about who would click on phishing links, but people will click on anything. Computers are so prevalent and available in healthcare these days, and many people still think they might get a million dollars via email. So, we need to take that instinct away and make sure that people are thinking with a cybersecurity mindset in every role throughout the organization. We shouldn’t just expect our CISOs and our IT and cybersecurity teams to solve this for the organization. Everybody has a role to play, and everybody needs to play their part.


HEALTHTECH: Many healthcare organizations have limited resources and a limited budget. How should healthcare organizations prioritize where they focus their cybersecurity dollars?

NATARAJAN: I’d say do something, each day, each week, each month and each year to invest somewhere to continue to raise that resilience.

CISA just recently released Version 2.0 of our Zero Trust Maturity Model, in which we talk about these five pillars. To me, the five pillars are almost like five different dimmer switches that we can move up. Not every facility is going to be able to go from zero to 100, and not every facility is going to be able to move all the dimmer switches together. However, I would offer that any healthcare organization, large or small, rural or urban, public or private, can move one of those switches up each year, each month, each week in some way, shape or form. So, doing something to continue to move that forward and doing something to invest where you can, when you can, is really what’s going to help.

It also helps to look at services that are free. At CISA, we have a number of free services such as cyber hygiene scanning, vulnerability scanning and others that we offer for organizations that are target-rich and cyber-poor, whether that’s because they don’t have the money to invest in cybersecurity or, frankly, because they don’t choose to invest in cybersecurity. We have some services that we can offer, as do other partners across the federal government and even in the private sector.

CISA has 600-plus people in regions and communities throughout the nation who can help provide that link back to our scalable services and support, where you can have those conversations about how you can move your needle forward.

In some parts of the nation, groups have gotten together to tackle this jointly with partners in their area. Our folks can help tie organizations into these pre-existing partnerships and help identify new ones if people want to be that proactive.


HEALTHTECH: How can CISA help healthcare organizations advance their cybersecurity programs?

NATARAJAN: The biggest part is in having the conversation. We want to be that trusted party.

The beauty of CISA as an agency is we’re not a law enforcement agency. We’re not the intelligence community, and we’re not the military. We work very closely with all three of those groups, but we are truly a federal agency that just wants to help. So, if people are attacked or have questions, they can come to us and have that discussion and that dialogue.

The most important thing that people should do is to reach out. The best thing they can do is to have that conversation with us, both before something happens as well as after something happens. Because at the end of the day, we just want to help our nation’s critical infrastructure stay resilient, stay up and be able to serve its mission to the American people.

HEALTHTECH: What’s the major takeaway you have for healthcare organizations?

NATARAJAN: If I could say one thing to everybody, it’s “Do something.” You all have a role to play in your personal life and in your professional life.

Personally, if I’m going to choose a new bank, do I choose a bank that uses multifactor authentication? Do I use a bank that doesn’t? If I’m going to buy a software or hardware product for my organization, have I done my due diligence to understand the potential risks or vulnerabilities the product may have and how it ties into my ecosystem?

The biggest thing people can do is realize that each and every one of us has a role to play in cybersecurity and we need to intently play that role.
