Cybersecurity for business decision makers: elements of a successful plan
A cybersecurity strategy is a must-have today for every hospital to protect patient information. But that doesn’t mean developing one is easy, or that there is a recipe infosec and business leaders can follow.
The NIST Cybersecurity Framework and the HITRUST CSF are good places to start. Hospitals can use these frameworks to better understand the policies, technologies and people skills necessary to secure data, safeguard the availability of IT infrastructure and stay compliant with the law.
"In order to protect patient health information, healthcare provider organizations are working hard on cybersecurity strategies that safeguard this critical information," said Susan Villaquiral, chief information security officer at Fundación Valle Del Lili in Cali, Colombia. "However, a focus only on prevention is not enough, and today’s threats have shown us that."
Ransomware attacks such as WannaCry and NotPetya exposed the weaknesses and vulnerabilities that can come with an insider attack, she said, so all the efforts from executives should be focused on cyber-resilience that proves how fast a hospital can recover from a successful attack.
With hospitals adopting patient-centered care strategies (patient experience, patient engagement, patient journey) and patient safety being the No. 1 concern, a cybersecurity incident that affects medical devices could put patient treatment at risk, as well as the reputation of a hospital.
"Just a few months ago in our hospital, we suffered a WannaCry infection that entered through a medical device, and even when the threat was contained, it affected us in many ways, including our Internet’s reputation," Villaquiral said.
"We learned from that infection that it could be a lot worse and that medical devices become a vulnerability and an open door that cannot be removed from the equation, so solutions like isolation, visibility, inventory and contract requirements mitigated our risk," she added.
According to the 2018 HIMSS Cybersecurity Survey, the top three potential threats are breach/data leakage, ransomware, and credential-stealing malware. That means that security awareness for healthcare staff should be formalized and intensified, Villaquiral insisted.
"The ransomware and credential-stealing trends prove that a prevention strategy is not going to be enough – today’s hackers, outsiders or insiders, search for login, and that means that once achieved, they can corrupt even your disaster recovery infrastructure, leaving you with nothing once the attack is perpetrated," she explained.
The National Cyber Strategy recently released by the federal government shows that the field of battle is much bigger than everyone thinks, and that this could drive to a fully compromised strategy, especially as healthcare provider organizations become a much clearer target for hackers, she said, adding that cybersecurity efforts must not lose strength over time.
"With the lack of appropriate cybersecurity staff and financial resources being the biggest barriers when a cybersecurity incident occurs, CIOs should justify the cybersecurity budget to the board members through patient safety," Villaquiral suggested.
"With more medical devices connected over time, patient safety concerns should not be separate from cybersecurity, because the availability and integrity of the patient’s information are as important as the prevention of harm to the patient."
A risk assessment conducted inside the organization is a good way to show several cybersecurity risks related to clinical processes that a CIO could present not only to the board members but also as a requirement to the medical equipment vendors as a part of the acquisition process in order to be aligned with the hospital cybersecurity strategy, she added.
"The lack of specialized staff should be remediated through training; a CISO’s team is not easy to find, but with the right amount of effort, you can create your own team that is not only going to be specialized but also aware of the responsibility that they have in their hands: our patients’ safety," said Villaquiral. "Always include training as a main part of your IT budget."
Villaquiral will present at HIMSS19 in a session titled, "Building a Cybersecurity Strategy in a Hospital," scheduled for Wednesday, February 13, from 1-2 p.m. in room W320.