A strong cybersecurity posture has become a top concern for healthcare executives in recent years, as massive systems suffer data breaches and cybercriminal organizations target healthcare organizations hoping for financial payout or to damage a geopolitical rival.
To learn more about the complicated world of healthcare cybersecurity, Becker's interviewed Stoddard Manikin, chief information security officer of Children's Healthcare of Atlanta.
Question: Do pediatric hospitals face any unique cybersecurity challenges?
Stoddard Manikin: Pediatric hospitals must maintain the same level of cybersecurity protection as any adult health system that connects to the internet.
One unique aspect is that pediatric patient data may be considered more valuable to hackers who plan to commit identity theft. This is because many pediatric patients have not established credit histories yet, so their identity can be used to open new lines of credit without the victim becoming aware for many years until they reach adulthood. Also, children can often be more medically fragile, increasing the urgency to keep systems available.
Q: Is there a particular cybercriminal organization you believe poses the greatest threat to healthcare?
SM: We face numerous adversaries with various motivations. There is no single criminal organization that poses the greatest threat, but ransomware cybercriminals as a category do pose the greatest threat. This type of attack can result in a dual threat, including significant availability outages and data breaches. Even for an organization that pays the ransom, there is still the very real risk that criminals may sell your data and "get paid twice" or simply expose the data. This is further complicated because even less sophisticated cybercriminals can launch successful ransomware attacks.
Q: How do you prepare your staff for a potential ransomware attack?
SM: As in providing healthcare, the single most important preparation step is prevention. For general users, phishing awareness training with periodic simulation emails is one of the best prevention methods available. Once symptoms present, staff can behave like human sensors in your overall ransomware detection program, so it's also important to train staff on how to report potential cybersecurity incidents like phishing messages or strange computer behavior.
For IT staff, additional training is needed because these people need to be prepared to prevent and handle ransomware incidents. For example, staff with privileged user access need additional training to ensure they know how to safeguard these credentials. They also need to fully understand the ransomware incident response procedures should an incident unfold.
Q: How can a cyberattack disrupt care?
SM: From emergency department ambulance diversions to downtime of key IT systems, availability of care is the primary disruption. Surgeries can be canceled. Clinics can be closed. Lab systems may be offline, making results unavailable. Blood types can't be checked in the EHR. Paper charting can be necessary, and many providers are less familiar with nonelectronic patient workflows, slowing patient care.
Q: What cybersecurity innovations are you most excited about?
SM: Cybersecurity tools generate massive amounts of data — more than a human being can quickly and accurately review. Tools that automate data correlation and orchestration of response activities are a force multiplier for your security staff.
Q: How do you see the CISO role evolving in healthcare in the next decade?
SM: Healthcare CISOs have already begun migrating from compliance orientation to a heavier focus on cybersecurity. In the short term, healthcare CISOs need to adapt to the trend of cloud IT. Longer term, the next shift seems to be headed toward device security, especially medical and IoT devices, and a true focus on securing healthcare operational technologies as they expand. For example, we are building a new hospital and installing a huge amount of networked building management systems with their associated sensors. This increases the attack surface — it generates more data to monitor, more devices to secure, and more potential failure points for our care. Healthcare CISOs need to tackle this.