Obama's cyber czar warns of 3 troubling security trends
BOSTON — Cyberthreats are getting broader, more frequent, more disruptive and, not least, more dangerous.
That’s why hospitals need to create a cyber toolbox, according to Michael Daniel, who served as Obama’s cybersecurity coordinator from 2012 to 2016 and is now president of the Cyber Threat Alliance.
Daniel said there are three coming developments that trouble him the most.
“We’re going to see a move toward data corruption,” Daniel said Tuesday at the Healthcare Security Forum. “It’s far more damaging to corrupt it than destroy it. If you destroy data your target knows that, but if you corrupt it that’s a more difficult problem to solve because getting back to ground truth is incredibly difficult.”
While ransomware, ransomworms and wiper malware remain looming threats to hospitals, Daniel said new types of attacks will emerge against other devices, such as driverless cars and insulin pumps. In those cases, cybercriminals could threaten to shut the devices down if a ransom is not paid.
Bruce James, director of security architecture and engineering at Intermountain Healthcare, added during a panel discussion that attacks against implantable devices are a scary situation.
“The concern is that a device could be used to harm a patient,” James said. “We’re getting to an age where these devices could directly affect our health.”
Greater collateral damage is the third troublesome trend. To illustrate, Daniel pointed to a hospital in the northeastern United States that fell prey to the Petya/NotPetya attack through an existing relationship with a pharmaceutical company that conducted business with a company in Ukraine. Because the hospital and the pharma company already had a trusted relationship, there was not adequate authentication in place between them.
“The people who set off Petya were not targeting that hospital,” Daniel said. “We don’t understand at a fundamental level how all cyberspace fits together, what the tools will ultimately be able to do, and that kind of collateral damage is going to increase.”
Taking those three points into account, Daniel said that hospitals need to be thinking about new security models because the most common ones in place today are not up to the task of adequately safeguarding patients and their data.
“Cybersecurity is economic and psychological, it’s a human behavioral problem,” Daniel said. “The incentive we built in cyberspace is all wrong, we make security hard and the path of being insecure the easy one.”
Daniel recommended that hospitals create a cyber toolbox to introduce new models. The first step to building that cyber toolbox is changing the organizational mindset from thinking about infosec as a technical problem toward considering it a risk you have to continually manage.
After that, the second step is to get C-suite attention: providers that accomplish this see improvements, Daniel said, while hospitals that fail to grab executive-level attention do not.
Third, hospitals need a holistic risk management framework, such as the NIST framework, that includes the non-technical aspects and helps IT and security professionals understand their network topology at a baseline. If you don’t know what your network looks like and you don’t have control over it, Daniel said, you cannot secure it effectively.
“Cybersecurity is not impossible,” Daniel said. “But it’s not a simple task, it’s not a technical solution — and it’s not just ‘buy my snork fabulator.’ Security doesn’t work like that.”