Oct 16 2023

Q&A: A Security Expert Discusses the Importance of Healthcare Cybersecurity

Pam Nigro, board director of professional IT governance association ISACA, explores the challenges and changes health systems face in addressing cybersecurity concerns.

As malicious actors from organized enterprises to state-sponsored groups continue to target healthcare, cybersecurity remains top of mind.

The Cybersecurity and Infrastructure Security Agency’s theme for October’s Cybersecurity Awareness Month is “Secure Our World,” urging the public to stay safe on connected devices by using strong passwords, turning on multifactor authentication, updating software, and recognizing and reporting phishing attempts.

These tips remain relevant whether users are on their personal devices or working on company-issued laptops.

“Smaller to medium-sized healthcare companies used to believe they couldn’t be targets because they’re not the big guys, but we’ve seen that change. Unfortunately, when it comes to phishing and those sorts of attempts, the size of the organization doesn’t matter. Anybody can click on a bad link and give away the keys to the kingdom,” says Pam Nigro, board director of professional IT governance association ISACA.

Nigro, who is also the vice president of security and security officer at the digital care management company Medecision, talks with HealthTech about changes in third-party risk management, understanding the importance of security assessments and how interconnected healthcare environments have become.

Click the banner to get the expertise you need to strengthen your ransomware protection.

HEALTHTECH: How have healthcare cybersecurity expectations evolved over the years?

NIGRO: Third-party and vendor management has really exploded in the last three to five years. Organizations are starting to realize the interconnectedness of their environments and how the security of a small vendor can impact a larger organization. I see a very concerted effort to manage third parties. The contracts have changed. I can’t tell you how many contracts I’ve reviewed that have started to put stipulations for security incidents down to the hour, which may be more aggressive than what the reporting requirements are for HIPAA. From my experience, these past few years have substantially changed third-party risk management.

HEALTHTECH: When it comes to ransomware protections, what areas do you think healthcare organizations are still struggling to address?

NIGRO: When we think about hospital organizations, the emphasis has been on the latest medical technologies to enhance patient care and not necessarily on the latest security practices to protect environments. A lot of hospitals can only make a limited number of investments, and they have to choose where they want to put those investment dollars.

But where organizations are starting to make an effort is in educating their workforces. It’s spending a lot more time on phishing training. You have to go through a certain amount of training anyway to make sure you’re compliant as a HIPAA environment every year, but adding phishing training really enhances an organization’s security outlook.

A major challenge area is the fact that legacy technology is everywhere in hospital settings and doctor’s offices. But, as interoperability becomes a requirement, that’s forcing organizations to upgrade their systems. With limited resources, they may have to make decisions around IT versus patient-centered technologies. Do you buy robotic surgery equipment that can save lives? Or do you convert your mainframe or your AS/400 or whatever legacy system that’s running your organization? Those are the kinds of trade-offs that healthcare organizations will continue to be challenged by, especially smaller hospitals.

READ MORE: Learn how security partners can help fight ransomware.

HEALTHTECH: How should healthcare organizations approach security assessments? How can these assessments become more embedded in a stronger security culture?

NIGRO: It’s really important to build relationships in security. I sit down with all my clients on a partnership basis and walk through what’s going on in our organization from a security perspective, I share that with the leadership team, and I start to really communicate that everyone has a part to play in security.

That’s where the assessments can pivot to not just what you’ve done wrong but what you’re doing right, and how you and a partner can work together to have a solid security foundation. That really changes the culture. It changes the tone when you come to the table as a consultant, not as an auditor, so to speak.

It is a difficult and bitter pill to swallow when you’re constantly barraged with, “Here all the things that are broken in your environment.” But when you start building that trust with your third-party vendors, your partners, there’s a better understanding that your organization is doing what it can to improve security, that you’re not putting it off and that you may be able to come together to start prioritizing.

Security assessments like penetration testing will uncover areas that need improvement. But then, have the conversation around prioritization with your partners and be transparent about, “This is what we're doing as a result of that and how we're continuously improving.”

HEALTHTECH: What is a major security lesson learned in healthcare over these past three years?

NIGRO: No one company is an island. It’s no longer putting a fence around your organization, locking the door and staying safe. That’s not how we do business or function well anymore. You have to be able to share information.

I remember, as a young person, my mom had my immunizations on an index card and used to walk around with them as I went to different doctors. That’s changed. There’s a lot more mobility from a patient perspective. How do you make sure that you’re securing that data and exchanging that data appropriately?

People don’t usually stay with the same doctor they saw when they were kids or when their parents were kids. Information has to work across so many different organizations, and that interoperability, those medical records, are so important. Even within one hospital setting, a patient’s X-rays have to go from one department to another, and all of that has to be done in a way that is secure and accessible. Patients are also expecting quick responses, that “email expectation,” so the minute something happens, it’s up on a screen.

EXPLORE: See how virtual CISOs collaborate to raise cyberdefenses.

HEALTHTECH: What do you think cybersecurity priorities will be for 2024? How should healthcare organizations prepare for the next year?

NIGRO: More government mandates. Think of the 2021 executive order on improving U.S. cybersecurity, the push for a software bill of materials to address supply chain security concerns. All of that is starting to really bubble up and become a big challenge for hospitals or anybody who does business with the government. SBOM is gaining more of the spotlight, and I think that’s going to be one of the bigger challenges for 2024, because who has any insights into how “the sauce” is made?

I would also like healthcare organizations, especially smaller ones, to understand that there are different ways to solve a problem that you don't necessarily need a new tool for. Yes, tools are important, and the right tool can give you a lot of value, but there are other ways to strengthen security. I want to encourage smaller organizations to enhance their own security posture by just taking a look at what they already have and raising it up a notch.

They don’t have to go from the bottom to the top of the hill. It’s about being able to take the next step. I really want organizations to think differently about security, not in terms of the shiniest new tool they can buy but by enhancing the stack they already have. A lot of people have Microsoft, for instance. Microsoft has some available tools, so how can you leverage that? Those kinds of things. I really want people to think differently, especially hospitals.

sturti/Getty Images

Learn from Your Peers

What can you glean about security from other IT pros? Check out new CDW research and insight from our experts.