Sheraton Boston Hotel
September 11-13, 2017 | Boston, 2018 x2, MA

Why healthcare cybersecurity cultures need to reengage their inner hackers | #HITsecurity

By Michael Figueroa, CISSP

Michael Figueroa, CISSP, serves as Executive Director of the Advanced Cyber Security Center (ACSC) in Boston. Figueroa, a featured speaker at the Healthcare Security Forum on Sept. 12, shared his insights about the current state of cybersecurity in the health sector.

Get involved. Join us for our #HITsecurity Twitter chat on Aug. 24, 2 p.m. Central Time to discuss your cybersecurity insights and connect with other industry experts.

Add Chat to Calendar

How do you increase cybersecurity awareness among non-IT staff in your organization?

The notion that non-IT staff are unaware of cybersecurity is a myth, which makes it easy to shift accountability to those people least able to affect positive outcomes. What we have found in our discussions with ACSC member organizations is not that people are unaware, but that we typically demand every user be a security expert. Health sector organizations do not expect IT staff to understand how an MRI machine functions to support patient care when connected to the network. It similarly follows that they should not demand doctors understand the detailed indicators of the newest email-based phishing campaign.

Phishing is a great example of misplaced blame. It has been a persistent topic of discussion in threat sharing discussions amongst ACSC members in 2017. In one recent discussion, a security executive described how a successful phishing training program that seemed to have pushed response rates down to single-digit percentages saw response rates balloon to 50% levels by making one small change in the testing strategy.

Rather than persistently blame the human for the current troubled state of cybersecurity, we need to act like hackers again and shift our perspective. Taking a community-oriented security strategy changes the rules of the game, relieving users from the burden of past assumptions and allowing us to reassess what is possible to help them protect their environments. It is well past time that security professionals accept the need to change course, reengage their inner hackers, and hack security.

How are you building a culture of holistic security within your organization?

As a federally registered Information Sharing and Analysis Organization (ISAO), the ACSC helps its member organizations improve how they conduct the business of security. Our community-oriented approach bases on the premise that security is improved more through the identification of effective practices than through out-of-band efforts. For example, the ACSC Collaborative Cyber Defense initiative aims to define what a mature and effective “collaborative defense” looks like and to provide strategies and tools that make it a reality. In 2017, we are examining how large organizations build cybersecurity collaborations across internal organizational silos and with their third-party service providers, vendors, and partners, to develop a benchmark for effective defense and response relationships. The initiative collects feedback on the use of existing cyber networks, such as ISAC’s, ISAO’s and commercial vendors, as well as feedback on existing effective practice networks such as the Corporate Executive Board and CISO networks. We expect to share initial findings at the ACSC Annual Conference on Nov. 2.

Find out how other industry leaders are creating proactive cybersecurity cultures at the Healthcare Security Forum in September.

View the Agenda


Learn more about the 2020 Event


Subscribe for updates