If there’s one constant in healthcare cybersecurity, it’s change.
From ever-evolving tactics to the Whack-a-Mole of hacker groups, health system cybersecurity leaders must remain vigilant to protect their organizations today while preparing for tomorrow’s threats.
“The key to planning the future of healthcare cybersecurity is to stay proactive, agile and constantly ahead of evolving threats,” Kristin Myers, executive vice president and chief digital officer of New Hyde Park, N.Y.-based Northwell Health, told Becker’s. “As tactics and threat actors continue to change, cybersecurity must be fully embedded into enterprise risk management, patient safety, and operational strategies.”
She recommends a “layered” defense approach, combining “zero trust,” network segmentation and AI-powered threat detection across EHRs, clinical systems and cloud platforms.
“Equally important is building a strong culture of cyber awareness through continuous education across the organization,” she said. “Long-term resilience requires people, process and technology to work together to defend against increasingly sophisticated attacks.”
Despite the ever-shifting cybersecurity landscape, “you absolutely can prepare,” said Erik Decker, vice president and chief information security officer of Salt Lake City-based Intermountain Health.
“A lot of the job is being ready to be responsive and reactive,” he said. “There are a couple of core principles that will persist no matter what the future holds, like having really good cyber hygiene such as MFA [multifactor authentication] for applications directly exposed to the internet.”
He said it’s about having a strong cybersecurity foundation in place and making sure it stays “whole without cracks,” while identifying future threats through routine strategic planning sessions. Cybersecurity should also be part of health systems’ AI governance policies.
“The more attackers change their techniques, the more important it is to focus on fundamentals of both cybersecurity and overall digital excellence,” said David Heaney, chief information security officer of Somerville, Mass.-based Mass General Brigham.
That includes focusing on asset management, access controls, patching and end-user training, he said.
“Whether it’s the use of AI, a new specific technique or something we’ve seen before, remaining relentlessly focused on our core actually allows us to pivot quickly to ensure our efforts have the greatest impact on our ability to defend against attacks and keep our patients safe,” he said.
Tremayne Smith, chief information security officer of Columbus-based Ohio State University Wexner Medical Center, said preparing for the future of cybersecurity demands “vigilance and adaptability.” That includes a multilayered approach: continuous risk assessments, vulnerability management, and partnering with secure vendors who provide services like advanced threat detection and AI-powered defenses.
“We also recognize that our people are our strongest defense. We foster a culture of cybersecurity resilience through ongoing, comprehensive training for all staff, empowering them to identify and report suspicious activity,” Mr. Smith said. “We also maintain a rigorous incident response plan and robust data backup and disaster recovery protocols to ensure we can quickly and effectively address any potential breach, minimizing impact on patient care.”
Chris Stucker, deputy chief information security officer of Milwaukee-based Froedtert ThedaCare Health, said he and his team focus on the controllables.
“We don’t try to predict what the bad guys are going to do. We can’t control what they’re going to do. We can’t control their preparation. We can’t control their TTPs [tactics, techniques and procedures],” he said. “What we can control is how we prepare. So what we try to do is build systems that are resilient, that are adaptable. We try to build teams that are resilient and adaptable and empowered, teams that have the ability to react to whatever the adversary brings to us.”
Mr. Stucker, an Army veteran, also brings a military mindset to cybersecurity. He quoted Sun Tzu: “If you know yourself and you know your enemy, then you don’t need to fear the results of battles.”
“I know what my shiny things are. I know what my networks look like. I know what my segmentation does or doesn’t look like. I know what my gaps are. I know what my issues are. So now, if I were an enemy that knew that perfectly, how would I attack it?” he said. “And then we try to proactively put controls in place, build layered defenses, build in that segmentation at a network level, even at an identity level, that will make any attacker who comes to try to get our shiny stuff have to go through more defenses, make more noise, go slower, giving us more opportunity to see what they’re doing.”
With social engineering schemes on the rise, such as fraudsters calling IT help staff to try to obtain log-ins and passwords, Froedtert ThedaCare Health provides help desks with technical tools and checklists to help validate employees, Mr. Stucker said.
Cybersecurity leaders also need to stay abreast of geopolitical events and “hacktivists” who might try to target healthcare to further their agenda, he said.
Wayman Cummings, vice president and chief information security officer of New Orleans-based Ochsner Health, compared his work to that of the physicians at his health system.
“You use your telemetry data, just like you would for a patient,” he said. “We monitor the health of the network, we monitor the health of the systems, and we can identify when something is anomalous. A physician may see blood pressure going up and down in a patient. We see a particular type of traffic that’s coming through, and we know it’s associated with this type of attack model or this threat actor and that allows us to at least have an idea of what’s coming and get ahead of it.”
As large health systems have become more secure, hackers have turned their attention to smaller hospitals and health systems, said Brad Reimer, CIO of Sioux Falls, S.D.-based Sanford Health. So his health system works to extend cybersecurity help to rural facilities in its market, as many of them are linked to Sanford through Epic’s Community Connect program and other data-sharing programs.
Otherwise, Sanford Health focuses heavily on continuous education of employees to keep them aware of the latest cyber threats and tactics. Email phishing is still the main way hackers try to gain access, but deepfakes are an increasing threat, with cybercriminals using AI to impersonate health system employees.
“They’re trying to find vulnerabilities in human judgment,” Mr. Reimer said. “So it’s not something where you can put a lot of technical controls in place. So we have been doing some intentional education around phishing and impersonation.”