Mar 18 2024

HIMSS24: 3 Key Cybersecurity Takeaways for Healthcare Organizations

Healthcare leaders at this year’s HIMSS global conference and exhibition shared recent learnings on protecting complex environments.

Following the recent cyberattack on Change Healthcare and a federal investigation into the attack that impacted healthcare billing and payment operations, cybersecurity was top of mind at this year’s Healthcare Information and Management Systems Society global conference and exhibition.

Healthcare has seen an uptick in cyberthreats over the past few years as more malicious actors discover the industry’s wealth of lucrative personal health information. As organizations become more digitally connected to meet consumer expectations for greater access and self-service options, how can healthcare organizations strengthen their cybersecurity approaches?

Healthcare leaders at HIMSS24 offered their perspectives on facing an ever-evolving cyberthreat landscape in a complex industry.

1. Apply the Lessons Learned from a Previous Cyberattack

“If you’re standing still in cyber, you’re getting left behind,” Hackensack Meridian Health CISO Mark Johnson said during a session.

The New Jersey-based health system experienced a ransomware attack in 2019 and shared firsthand lessons from its aftermath.

The attack prompted increased cybersecurity funding and a more proactive security approach from leadership, Johnson said. The health system also implemented third-party risk management.

Hackensack Meridian Health is pursuing innovation in artificial intelligence and machine learning, so it’s crucial for it to prioritize security in bringing the next generation of healthcare to patients, said Christopher Jurs, director of identity governance and cybersecurity planning.

Implementing zero trust while deploying AI solutions has required Johnson’s team to upskill, offering cloud and SANS Institute cyber training to foster long-term career growth for staff.

“Every leader in every organization is a risk manager. They make risk decisions every day,” Johnson said.

Both underlined the importance of testing incident response plans. Johnson, who said that his health system runs tabletop exercises twice a year, urged other healthcare organizations to make incident response a living, adaptable process.

2. Find Clarity in a Fast-Changing Landscape

A panel discussion between Dr. Zafar Chaudry, senior vice president and chief digital and information officer at Seattle Children’s, and Erik Decker, vice president and CISO at Intermountain Health, highlighted the difficulty of balancing strict security protocols while improving clinician workflows.

The human aspect of cybersecurity is especially crucial to manage, Chaudry said. For instance, medical researchers want to easily share their data, so they may initially see an added authentication tool as a nuisance.

Malicious actors exploit this tension to gain access to credentials. For this reason, Seattle Children’s makes cybersecurity and AI training mandatory for all employees and uses an adaptive exam to ensure that the concepts are understood.

Active Directory management remains another major challenge for healthcare organizations.

“What is the right level to protect any of this?” Chaudry asked. “It seems like it’s always changing, so how can I even get ahead?”

Decker, who also chairs the Health Sector Coordinating Council’s Cybersecurity Working Group, which works closely with the U.S. Department of Health and Human Services, stressed the importance of baking security into healthcare processes. Unlike the safety measures used in operating rooms, cybersecurity guidelines are something end users can always find ways around.

That has to change, especially since social engineering is so effective in healthcare. Decker traced the path of a potential cyberattack: A social engineering attempt on an organization’s service desk (“I have a new phone and I need to re-enroll it”) can easily lead to a bad actor gaining access to Active Directory. Organizations must adopt an “adversarial mindset to risk-based posturing,” Decker said.

3. Manage the Devices and Network of Your Connected Environment

Among the thousands of identities that healthcare IT teams must manage, they also need to know what devices are accessing their networks. That’s hundreds, or even thousands, of devices, from MRIs, glucose monitors and infusion pumps to smartphones and tablets.

Lawrence Smith, deputy CISO of California-based El Camino Health, discussed the importance of microsegmentation and monitoring east-west network traffic. “You need to be doing continuous network inventory,” he said.

El Camino Health has more than 30,000 endpoints, Smith said. It’s not enough to know the IP addresses of the devices, so the organization has established a baseline for expected device behavior. He also highlighted the importance of teamwork among those who handle the devices, from clinical engineering specialists to IT workers.

“Our community is about collaboration,” he said, adding that healthcare organizations strengthen their cybersecurity when all departments work together.

At a separate session, Stanford Health Care experts discussed the benefits of mobile devices such as smartphones and tablets, as well as the management and adoption hurdles that they present.

“Make the technology simple so that it’ll be utilized. That’s really the key,” said Helena Findikaki, senior manager of technology and operations at Stanford Health Care. Of course, IT teams don’t want to impede workflow, but these devices require “stringent security review,” she said.

She also noted the importance of sustainability and reducing e-waste where possible. Could older devices be appropriate in certain settings? “How can we work to really extend the life of that device?” she said.

Loss prevention remains a challenge, so it’s important that device management teams act quickly in the first hours after a device is reported missing, added Steven Banaban, lead system engineer at Stanford Health Care.

“Healthcare has specific needs. We need to be enterprise-ready,” he said.

Keep this page bookmarked for our ongoing coverage of HIMSS24. Follow us on X (formerly Twitter) at @HealthTechMag and join the conversation at #HIMSS24.
