Chicago-based CommonSpirit Health has been dealing with a large-scale IT security incident this week that has been shutting down EHRs and canceling patient appointments at its hospitals across the country.
CommonSpirit is the nation's second-largest nonprofit health system, with more than 140 hospitals and 1,000 care sites across 21 states. One cybersecurity expert called the incident "unprecedented."
Becker's reached out to chief information security officers after the incident to ask how the size of their organization affects their cyber strategy. Here are seven who responded.
Anahi Santiago. CISO of ChristianaCare (Newark, Del.): A health system's approach to cybersecurity is directly related to the complexity of that organization. Important factors include size, certainly, along with intellectual property, research, and merger and acquisition activities. For example, the larger the system, the greater the number of entry points — both physical and virtual — to be considered, managed and protected.
Joe Susai. CISO of Washington University School of Medicine in St. Louis: Enabling solid cybersecurity controls within sizable integrated health delivery organizations does require different models of approach. These large institutions usually provide a broad spectrum of services such as inpatient, outpatient, health insurance, home care and others with unique business operations, compliance requirements and risk appetite. These organizations also collaborate heavily with various external health systems and business partners, creating a challenging environment for all connected entities to maintain, manage and sustain a good cybersecurity program.
Robert Perry. CISO of Carilion Clinic (Roanoke, Va.): In an ideal world, the size of the organization wouldn't change the approach to cybersecurity. But the reality is smaller health systems have budget constraints and fewer resources to dedicate to cybersecurity.
When budgets and resources are constrained, cybersecurity initiatives should be focused on what delivers the best protection most efficiently. For example, adopting passphrases instead of passwords can improve cyber posture at no additional cost. Additionally, software patches are almost always free and should be applied as soon as they've been tested, especially for internet-facing systems. Multifactor authentication needs to be a priority for all systems regardless of size.
For larger health systems, there are usually larger budgets and resources, but complexity becomes an impediment to cyber resilience as more computers, locations and staff increases the "attack surface" for cybercriminals. Asset management is foundational — you can't protect it if you don't know about it. And standardization of computer configurations and security tools across the environment help close gaps that cybercriminals can use to get a foothold in your environment.
Jack Kufahl. CISO of Michigan Medicine (Ann Arbor): It is the complexity of our healthcare institution that factors more into our approach to cybersecurity risk than just its size. By looking through the lens of what differentiates a particular institution from another, you can learn a lot more about your more specific risk landscape beyond pure size — whether it be relatively large or small. The more you understand about your risk landscape, the more practical and targeted you can make your interventions.
Jeffrey Vinson. Senior Vice President and Chief Cyber Officer of Harris Health System (Bellaire, Texas): Being in a very large safety-net health system, I have to be more strategic when planning my cybersecurity budget and initiatives. I have to be able to align my cyber goals with the goals set forth by our CEO and our board of trustees. Then I have to take into account our clinical operations and forecast three to five years of the needs of the organization, while also protecting the organization in the current threat landscape.
My entire security and privacy programs need to be able to safeguard patient data and defend against cyberattack, which can be very costly. I have to drill down and prioritize my approach for maximum effectiveness to reduce the risk exposure of the organization while being mindful that we do not have an unlimited budget. It is paramount that we ensure the cybersecurity program is in lockstep with the business.
Aaron Weismann. CISO of Main Line Health (Berwyn, Pa.): Main Line Health is acutely focused on patient safety and improving the patient experience. From the bottom up and vice versa, information security is seen as part and parcel to that patient safety mission. When evaluating and building out our security program — especially in a COVID and post-COVID world — we focused on our system's size and day-to-day operational volume to develop a security program that both supported our workforce and protected our patients' data and care.
I, personally, think it's critical to right-size a security program to an organization. If you don't do enough, you're at higher risk for attack. If you overdo it — and you can never overdo it from a security practitioner's perspective, so this is coming from the operational leader in me — then you're being fiscally irresponsible. At some point, there are significantly diminishing safety returns on investments.
Todd Bell. Executive Director of IT Security and CISO of Valleywise Health (Tempe, Ariz.): For Valleywise Health, the scale, what we are protecting, and risk must be well-aligned based on the cybersecurity strategy we have developed. As cybersecurity complexity keeps growing, this increases the demands on the technical expertise and the additional monitoring of critical systems. Cybersecurity threats are a constant challenge that existing cybersecurity teams must attempt to keep pace with.
Cyber adversaries are a spectrum with some being quite intelligent, well equipped, and able to operate with agility. As the size of organizations grows, as well as their digital "footprints," enterprises need to attempt to keep pace with cybersecurity tools, solutions and the investment of training the organization's security engineers and security analysts. The constant challenge for organizations is that their cybersecurity teams must attempt to keep pace with the various cyberthreats in the various business sectors.
This creates a new paradigm. The continuous increased growth of a cybersecurity team is not the business answer. Robust architectures, controls, automation and the use of decision-making systems such as artificial intelligence are how future cybersecurity threats need to be dealt with as these solutions have the potential to scale while maintaining the economic efficiencies to support the enterprise.