Healthcare must move from risk to resilience, Tom Ridge says

On the 16th anniversary of the 9/11 terrorist attacks, the former Homeland Security Secretary says the world is more perilous today than it was in 2001.
By Tom Sullivan

“You can’t eliminate risk — manage the risk before it manages you,” Tom Ridge said at the Healthcare Security Forum in Boston on Monday.

BOSTON -- Tom Ridge, the first Secretary of the U.S. Department of Homeland Security, on Monday said that two new realities have set in since 2001: global terrorism and the proliferation of apps and devices in healthcare and other industries.

“The world is a far more perilous place today than it was on 9/11,” Ridge said at the Healthcare Security Forum in Boston. “The scourge of global terrorism is the reality of our life. The nation states we traditionally worry about are now front and center. Russia, China, Iran, North Korea.”

The second development is what Ridge calls the “digital forevermore,” the open, anonymous, ubiquitous internet that was never designed to be entirely secure.

“IoT will become the Internet of everything,” Ridge said. “Everything that makes healthcare more efficient, every access point, new device or algorithm, for every positive there’s a negative: risk and vulnerability.”

 

HIMSS Director of Privacy & Security Lee Kim echoed Ridge’s sentiments in saying that security will only become more important as new technologies emerge and the attack space becomes bigger.

“We’ll see a lot more cyber attacks, greater velocity, things to get past normal security controls,” Kim said. “We’ll see more tools that benign programs used against you.”

With that expanding cyberthreat landscape, Ridge recommended that hospitals and healthcare organizations shift their thinking from risk management to resiliency. That means being able to survive an attack and sustain operations and then move forward from there.

“We know that risks are sometimes surprise events but resilience should be a goal, an objective,” Ridge said. “It’s a 24/7 responsibility, every day, just like homeland security. It’s a continuous cycle of threats.” 

Ridge suggested that hospitals participate in an information sharing and analysis center (ISAC) as part of becoming a resilient enterprise. The financial services ISAC, for instance, has some 9,000 members, while the National Health Information Sharing and Analysis Center has fewer than 500, Ridge added.

“You can’t eliminate risk — manage the risk before it manages you,” Ridge said. “I don’t think we should be breathless about it. Accept reality, adjust, be fitter than the next enterprise, move from risk to resilience.”

Twitter: SullyHIT
Email the writer: tom.sullivan@himssmedia.com
