With ransomware attacks now an epidemic across healthcare, and IoT/IoMT devices highly vulnerable, providers continue to make cybersecurity investments to protect their patient data and organizations. But is it enough?
With this explosion of cyberattacks, it also behooves hospitals and health systems to get better at developing threat analyses, more enthusiastic about cross-industry collaboration and more vigilant about basic cyber hygiene, says Taylor Lehmann, director of the Office of the CISO at Google Cloud.
Lehmann previously served as the chief information security officer at Wellforce (now known as Tufts Medicine) and was CISO at athenahealth, and is a cofounder of the Provider Third Party Risk Management Council and a board member of the Health Information Sharing and Analysis Center, or Health-ISAC.
He spoke with Healthcare IT News to discuss cyberattack risks, collaboration and transparency, industry intelligence, Google’s Health-ISAC partnership and the responsibility to evolve and improve cloud security.
Q. The healthcare industry is under relentless attack. What needs to happen to fight back?
A. Healthcare, like many industries considered to be critical infrastructure, needs to prioritize building resilient system architectures, teams and processes to manage and continuously improve them.
As we’ve discussed in the Google Cloud blog on building resilience in healthcare, we believe efforts should focus on building visibility and structural awareness into systems, including software, and analyzing their risks.
Then, use threat models to identify and frame risks, which then inform defense strategies.
Finally, institute mechanisms to stress test and measure the effectiveness of those defenses using techniques like tabletop exercises, purple teaming and others.
Selecting and tracking improvements using a popular control framework, like the NIST Cybersecurity Framework, can also help manage progress. As part of these efforts, organizations should be looking for opportunities to automate the delivery of security controls and conduct continuance assurance.
Q. If the collaboration between industry leaders, government and tech companies is the path to defend against these attacks, what are the barriers to collaboration?
A. Collaboration is one of several important factors that can help the industry be more resilient.
In many cases, effective collaboration requires organizations to be deeply transparent with one another. This might include sharing threat models, highly sensitive information or indicators of compromise, which may reveal that the organization producing the intelligence has been successfully attacked.
This may perk the attention of and inspire other threats to the organization to become active.
Building trust-and-verify mechanisms also takes time, is often expensive and can be difficult to scale. This is why organizations like the Health-ISAC exist to help their member organizations more automatically and safely share information.
Q. Given your experience in healthcare cybersecurity, what is your overall vision for baking cybersecurity into healthcare systems?
A. The healthcare industry employs some of the most sophisticated technology known to man. Few other industries produce technology that is implanted inside of humans to sustain their life – the stakes are high.
We’ve talked about it in our blogs, but to summarize quickly, we need to understand the threats facing the industry organizations, understand how they work and achieve impact, and learn from these events to drive increasingly data-driven approaches to risk management programs and defense strategy.
Organizations should carefully evaluate the trust they place in vendors and partners, and ensure they are acquiring better and better security as they onboard new technologies these organizations push.
Finally, I see a future where vendors and partners play a more active role in helping healthcare organizations achieve a high-security bar versus continuing to hide behind the shared responsibility model that has made cloud security difficult to understand.
Q. Can you tell readers about the Health-ISAC partnership and how healthcare systems will benefit from the partnership?
A. The Health-ISAC partnership is a great venue for organizations to share intelligence about the cyberthreats they see and how they fight back against them.
Cybercriminals want healthcare organizations to stay in silos, because that makes it more likely that an attack on one health system works on another.
However, if all health systems are constantly communicating what they’re seeing and how they’re fighting back, everybody is more prepared and better able to defend against attacks
As a new ambassador, we’re working closely with the Health ISAC to identify a set of resources, including people and technology, Google Cloud can provide and make available to the Health-ISAC.
Q. With regard to medical devices, what threats should healthcare IT and information security leaders prioritize as they prepare to integrate and protect device healthcare data?
A. MITRE has published great guidance on this topic. Using a structured methodology for threat modeling should result in a fairly consistent set of realistic and important recommendations to address findings of a threat-modeling exercise.
Healthcare IT specialists should become very familiar with how medical devices are created, tested, shipped and monitored. They should gather deep visibility into the hardware and software, including cloud services providers, and decide priorities from there.
Threat models should be produced and regularly updated as threats change and throughout the actual useful life of a medical device, piece of machinery or a system that handles health records.
Andrea Fox is senior editor of Healthcare IT News.
Healthcare IT News is a HIMSS publication.