Tom Ridge talks Trump’s cyber team, the ongoing digital war, and why patient safety is an infosec problem
After the terrorist attacks on September 11, 2001, President George W. Bush appointed Tom Ridge as the nation’s first Assistant to the President for Homeland Security. Then in 2003, Ridge took over as the first Secretary atop the Department of Homeland Security.
Ridge, a two-time Republican governor of Pennsylvania recognized for driving advancements in healthcare and technology during his terms, is currently the chairman of Ridge Global. He’s slated to draw on his unique experience to deliver the opening keynote at the HIMSS and Healthcare IT News Healthcare Security Forum, in Boston, Sept. 11-13, 2017.
Healthcare IT News Editor-in-Chief Tom Sullivan spoke with Ridge ahead of the event about the new threat even greater than terrorism, why President Donald Trump must listen to his cybersecurity advisors and where hospital security leaders should be headed, strategy-wise.
Q: Let’s talk Trump. Is the new administration making cyberspace safer for citizens and hospitals?
A: Well, the President — and regardless of whether it was Hillary Clinton or Donald Trump — the President inherited a far more perilous world not just in terms of the expansion of global terrorism, but sovereign nationalism in the form of Chinese and Russian leadership, the emerging crisis in South America along with the Iranian nuclear deal. This country is facing a much greater set of both traditional national security challenges and the ever-expanding role of terrorism in disrupting the Western World. Trump’s response was the appointments of three highly regarded Generals and what appears to be a strong Secretary of State. He’s put in place a national security team that has the global experience that will serve him well — as long as he listens to them.
Q: Even though it’s tempting I won’t derail this too far into politics and away from healthcare security …
A: That’s a fact. It’s important for the President to seek and heed the advice he is going to get from the very qualified people around him. Critically important.
Q: We have seen healthcare security go from a stream of data breaches predominantly caused by lost or stolen phones or laptops with unencrypted data, then a string of one-off ransomware attacks and now wiper malware and ransomworms designed to destroy data rather than give it back. How can hospitals prepare for the next big attack when there is literally no way to know what it might be?
A: Hospitals’ missions are so critical to the quality of life in this country and sometimes I think that the average American doesn’t appreciate that quality when the constant public debate is about cost. And while we ought to continue to do everything we can to reduce costs, it is unquestioned in my mind that there is no superior healthcare delivery system in the world. It’s critical that we understand what it does for, and within, our country. Having said that, patient safety in terms of healthcare, patient safety in terms of protecting their data, given the advent of medical technology, much of which has been accessed through the Internet, has become far greater to the healthcare industry than ever before.
Q: Many security executives are saying or starting to catch on to the idea that patient safety is an infosec issue. Protect patients first and it follows that information security is one piece of that …
A: The most important thing to the healthcare system is to understand they have been and always will be a target. They need to understand the nature of the threat, like every other industry they need to understand there is a digital war going on and not just nation-state to nation-state. Organized crime. Hacktivists. Hospitals need to build a resilient enterprise, they need to do threat assessments and they need to do the same things with their IT systems, by and large, as financial services, telecom and energy have done.
Q: That’s an interesting point and healthcare often looks to retail and finance as being more advanced in security. So where should hospitals be headed right now in terms of their security strategies?
A: You have to build a culture of resiliency, you have to be pre-emptive not reactive. Anticipate you are going to be attacked and based on the notion that there are X number of days you’re going to be attacked, do that assessment to find out how vulnerable you are and then you can begin to put in place defensive capabilities. Identify those extra dollars where you can replace old equipment, where you can build a stronger IT platform and run continuous threat assessments that are necessary to create a resilient enterprise. I can’t think of anything more important to patient care than securing their IT network. They’re under great restraint, I get that. They have to be very focused in their financing and accept responsibility that they can’t afford not to invest more in IT security.
Q: So what’s the biggest emerging threat hospitals need to prepare for right now?
A: The biggest threat is that we are now living in a digital world that creates both opportunity and vulnerability and I don’t think enough people understand the second half of the equation.
Q: Realizing of course that your involvement in healthcare, government and security pre-dates the Department of Homeland Security, what has changed throughout the course of your career?
A: I believe the most significant change, even more than the threat of terrorism — terrorism is a new phenomenon that is global, permanent and a very significant change — but the most important change in the world writ large is what I call the digital forevermore. Does it affect defense? You bet it does. Does it affect our economy? Certainly, it does. Does it affect our daily lives? No question about it.
The challenge we have is to accept that we live in the digital forevermore and the digital sun, not only is it never going to set, it’s just going to get hotter and hotter. There are going to be more opportunities, information exchange, better healthcare. You and I both know how important data application and aggregation is to the healthcare industry, how important it is to the environment, to the corporate sector to provide efficiency to business. All these prospects of a better life in the digital world that unfortunately wasn’t designed to be a secure system and every opportunity creates a vulnerability. That’s the plus side, we just have to pay more attention to the downside that people will exploit in many different ways because the opportunities for misuse are legion.