Hospital CISOs ask for support from leadership to prevent attacks

As ransomware attacks are shutting down healthcare services across multiple states, hospital cybersecurity leaders told Becker's that protecting healthcare from cyber threats requires total organizational buy-in.

"Healthcare systems and hospitals should be using a top-down and bottom-up approach to cybersecurity at the organizations to help defend from cyberattacks," Jeffrey Vinson, chief information security officer at Bellaire, Texas-based Harris Health System, told Becker's. "By that, I mean the cybersecurity strategy should have executive buy-in to truly be effective and validated. This strategy should include business resiliency plans and tabletop exercises to ensure you are prepared when the cyber event occurs."

A recent data breach at Nashville, Tenn.-based HCA Healthcare led to legal issues and the possibility that it could affect future earnings. If such incidents have any silver lining, it could renew efforts to bring cybersecurity awareness organizationwide.

"The CISO must gain support from hospital leadership to prioritize cybersecurity efforts and allocate adequate resources for technology, staff training, and incident response capabilities," said Michael Prakhye, CISO at Gaithersburg, Md.-based Adventist HealthCare. "Gaining support from hospital leadership is crucial for the success of cybersecurity efforts within a healthcare organization."

While cyberattacks at large systems, such as HCA, can create a legal headache for executives, for smaller hospitals they can be disastrous. The average cost of a ransomware attack has doubled in the past two years. For rural hospitals with tighter margins, the cost of taking their systems offline can be the difference between staying open and closing.

In June, Spring Valley, Ill.-based St. Margaret's Health became the first hospital to close its doors citing a ransomware attack among the causes.

In this heightened threat environment, CISOs are reinvigorating their focus on prevention and early detection rather than on response alone.

"My primary focus will always be early detection and containment. The quicker you can detect an anomaly and contain it, the better you can mitigate the impact," said Reno, Nev.-based Renown Health CISO Steven Ramirez. "This includes implementing endpoint detection and response and network detection and response, using Mitre as the framework. Supplementing this with continuing to fine-tune access management and understanding who needs what privileges and for what purpose."
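The layered approach Ramirez describes, as an added illustration that is not Renown Health's code and not part of the original article: a small detection pass over endpoint telemetry in which each rule is tagged with the MITRE ATT&CK technique it covers and decides whether the hit warrants containing the host, followed by a least-privilege check of which accounts hold rights beyond what their role needs. The event lines, the rule-to-technique mapping and the role model are all constructed for the example.

```python
"""Added example (not Renown Health's code): rule-based detection tagged with
MITRE ATT&CK technique IDs, a containment decision per hit, and a check for
privileges held beyond what an account's role requires. All inputs are constructed."""
import re
from dataclasses import dataclass

# Constructed endpoint telemetry: (host, user, process command line).
SAMPLE_EVENTS = [
    ("ws-radiology-07", "jdoe", r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"),
    ("ws-radiology-07", "jdoe", r"C:\Users\jdoe\AppData\Local\Temp\locker.exe --encrypt D:"),
    ("srv-ehr-01", "svc-backup", r"C:\Windows\System32\svchost.exe -k netsvcs"),
    ("ws-billing-02", "mlee", r"C:\Windows\System32\net.exe user admin2 P@ss /add"),
]

@dataclass
class Rule:
    technique: str        # ATT&CK technique ID the rule is mapped to (assumed mapping)
    name: str
    pattern: re.Pattern   # regex over the command line
    contain: bool         # True if a hit should isolate the host, not just alert

RULES = [
    Rule("T1490", "Inhibit System Recovery: shadow copy deletion",
         re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I), True),
    Rule("T1486", "Data Encrypted for Impact: encrypt flag from a temp directory",
         re.compile(r"\\Temp\\.*\.exe.*--encrypt", re.I), True),
    Rule("T1136", "Create Account: local user added from the command line",
         re.compile(r"net(\.exe)?\s+user\s+\S+\s+\S+\s+/add", re.I), False),
]

@dataclass
class Finding:
    host: str
    user: str
    technique: str
    name: str
    action: str

def detect(events):
    """Run every rule over every event; return findings with the containment decision."""
    findings = []
    for host, user, cmdline in events:
        for rule in RULES:
            if rule.pattern.search(cmdline):
                action = "isolate host" if rule.contain else "alert analyst"
                findings.append(Finding(host, user, rule.technique, rule.name, action))
    return findings

def hosts_to_isolate(findings):
    """Hosts that at least one containment-worthy rule fired on."""
    return sorted({f.host for f in findings if f.action == "isolate host"})

# Constructed least-privilege model: what each role needs, and what accounts actually hold.
ROLE_NEEDS = {
    "clinician": {"ehr_read", "ehr_write"},
    "billing": {"ehr_read", "claims_submit"},
    "backup_service": {"ehr_read", "backup_write"},
}
ACCOUNTS = {
    "jdoe": ("clinician", {"ehr_read", "ehr_write", "local_admin"}),
    "mlee": ("billing", {"ehr_read", "claims_submit"}),
    "svc-backup": ("backup_service", {"ehr_read", "backup_write", "domain_admin"}),
}

def excess_privileges(accounts=ACCOUNTS, roles=ROLE_NEEDS):
    """Privileges each account holds beyond what its role needs (only accounts with excess)."""
    return {acct: sorted(held - roles[role])
            for acct, (role, held) in accounts.items()
            if held - roles[role]}

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.host} {f.user} {f.technique} {f.name} -> {f.action}")
    print("isolate:", hosts_to_isolate(found))
    print("excess privileges:", excess_privileges())
```

Two of the four constructed events fire containment rules on the same radiology workstation, so it is the only host isolated; the account-creation hit is routed to an analyst rather than contained automatically. The privilege check surfaces the clinician holding local admin and the backup service account holding domain admin, the kind of "who needs what and why" question the quote points at.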

The increased digitization of healthcare also raises the likelihood of third-party data breaches and vulnerabilities. The Russia-linked ransomware gang Clop claimed responsibility for exploiting a vulnerability in Progress Software's MOVEit file-transfer tool, which led to data breaches at at least six healthcare organizations, including CMS.

"Michigan Medicine has been investing in a formalized threat intelligence capability that allows us to be more proactive in our analysis and remediation activities," said Jack Kufahl, CISO of the Ann Arbor-based health system. "We have also turned to more quantitative digital risk assessments that are focusing on specific higher potential controls across the enterprise as opposed to exclusively depending on individual risk assessments on a technology-by-technology basis.

"This appears to have the added benefit of making practical sense to our IT-providing partners and third parties to break through the morass of frustration in the lower-value, checklist-style approach. The key is balancing your portfolio so that your team is investing more progressively in proactive and engagement threat remediation and not depending on incident response and your cyber liability insurance coverage too heavily."

Copyright © 2023 Becker's Healthcare. All Rights Reserved.
