HEALTHCARE SECURITY FORUM: A HIMSS EVENT
San Francisco, CA - June 11 - 12, 2018
By Lee Kim, JD, CISSP, CIPP/US, director of privacy and security, HIMSS North America
The cyber-threat landscape is rapidly evolving, as always, but in our recently updated Healthcare and Cross-Sector Cybersecurity Report we discovered that the “old ways” of compromising systems are still highly effective. Thus, getting a foothold can be a relatively easy task, especially for those organizations that choose to be “willfully blind” to the cyber-threat.
But even when we look at organizations that have fortified their defenses, we need to keep in mind that the attacker only needs to be right once, while the defender needs to make only one mistake (or open the door just a little) to create a point of entry.
Newer is not always better. As the complexity of our systems grows and more systems need to communicate with each other (which is especially true in healthcare), the challenge of good defense grows exponentially as well. Accordingly, many healthcare organizations turn to vendors for assistance.
These vendors oftentimes provide crucial products and services that help healthcare organizations run more smoothly and with less disruption (e.g., from cyberattacks). But, as with anything in life, there are always latent dangers. What happens if a vendor’s credentials are compromised? Perhaps there will be a successful “phishing” expedition. What does the vendor do with the data that is collected or analyzed on behalf of one’s healthcare organization? Many interesting questions can arise in the course of such transactions. Nonetheless, there is no better time than now to understand that cybersecurity is indeed a shared responsibility and that there are risks (both patent and latent). We, in the healthcare and public health sector, need to disabuse ourselves of the notion that it is only up to the vendor to keep our systems and information secure.
For example, one might rely on a vendor for a cloud-based (e.g., SaaS) service, but the onus is still on us to secure our endpoints and our own infrastructure. In other words, beware of client-side attacks, to name one example.
Instead of thinking, “Oh, there’s an app for that,” we should be thinking, “Oh, there’s an exploit for that.”
There is so much that we can do together as a sector to increase our collective security baseline by practicing basic cyber hygiene (such as updating your applications and operating systems). But, many of us don’t do that. We are way too busy and there is very little time to patch our systems (which I understand, as I used to work as an IT administrator for healthcare systems).
But, we need to make time for things which are important. We are quickly running out of the luxury of time. Cybercriminals, nation-state actors, non-state actors, and others (like the script kiddies) are always innovating. Unfortunately, we invest relatively little in our time, resources, and budgets to get to where we need to be with our cybersecurity programs. Cybersecurity is often just an afterthought.
The attackers will soon force us into a new reality – we need to become more sophisticated, knowledgeable, and smart about what we are doing or else we all will be “pwned.” Not just in healthcare, but across all other critical infrastructure sectors and industries. This is a global problem. Attacks will continue to grow across the supply chain, too, and we may lose control of our systems. (The Orangeworm attack group is just one example.)
We need to expand our thinking, too, in terms of why our systems are being attacked, how they are being attacked, and what’s next. Our view of what is happening and what comes next is far too myopic. We don’t share information enough. We make self-limiting assumptions.
As an example, have we ever given thought to who the “other” threat actors may be, aside from the nation-state and non-state actors, cybercriminals, and script kiddies? Here’s a clue: intelligence is valuable and can be used in many ways – monetary and non-monetary.
We need to see beyond our normal take on things (which, oftentimes, is akin to “whack a mole”) and see through the looking glass – and perhaps predict into the future in terms of our analysis of the present and past.
Want to hear more insights? Attend the Healthcare Security Forum in San Francisco June 11-12. The title of my talk is “Through the Looking Glass: What’s Happening Now and in the Future” from 11:15 – 11:35 am PT.