What's 'new' in healthcare cybersecurity, according to chief information security officers

A lot changes in technology in five to 10 months, let alone that many years. But to see what's happening now, you often need to stop and take a look at the distant past.

Becker's recently asked the chief information security officers of several health systems what's changed about healthcare cybersecurity in the last five to 10 years.

Note: Their responses have been lightly edited for clarity.

Erik Decker. Assistant Vice President and CISO of Intermountain Healthcare (Salt Lake City): The major change over the last 10 years has been the damage that can be caused by an impactful cybersecurity attack. Ten years ago, the primary concern was related to data security and managing the privacy of patient records.

Healthcare has jumped on the digital rocket to solve very real problems, such as interoperability and patient access. Because of this digital convergence, the impacts of a cyberattack could cause operational disruption as well as patient safety challenges. The cybersecurity profession is quickly pivoting to ensure patient safety, operational resilience, patient privacy and data security.

Todd Greene. Vice President and Enterprise CISO of Atrium Health (Charlotte, N.C.): The biggest change has been the relentless nature of attacks against hospitals and health systems. Cybersecurity has quickly grown into a key business risk that now has routine board-level visibility. Hospitals and health systems have seen growth in investments in new cyber technologies as well as growth in people to manage those solutions. Cybersecurity has gone from something in the backroom in the 2010s to the boardroom here in 2022.

Michael Kearns. CISO and Director of Infrastructure of Nebraska Methodist Health System (Omaha): Healthcare has become a much bigger target in ransomware — this point can't be overstated.

Email is our weakest link, but the bad guys have figured out that they are better off going in through the loading dock via third-party vendors like SolarWinds or Exchange. We are seeing more threat actors using vendors to get a foothold in your network.

Products like Ordr and Medigate are not a luxury but required. How can we protect our environment if we don't know what is out there?

Anahi Santiago. CISO of ChristianaCare (Wilmington, Del.): At ChristianaCare, we have adopted the highest information security standards to protect the information of our patients and caregivers. Cybersecurity at health systems like ours has expanded dramatically during the past decade to support the growth in the interconnected nature of the health information ecosystem.

This growth has expanded the amount of healthcare items — including medical devices, electronic health records, mobile gadgets and more — that are vulnerable to cybersecurity attacks. Interoperability drivers and virtual care capabilities have also increased the complexity of implementing effective security, while the sophistication of threat actors has grown exponentially. As the threat environment increases, our organization has continued to adapt and enhance our safeguards. Our commitment to the security of our patients' personal health information is as important to us as our commitment to their health.

Aaron Weismann. CISO of Main Line Health (Berwyn, Pa.): In my opinion, the most stark change is that the entire threat landscape is completely different from five and 10 years ago.

Ten years ago, the major cyberthreats were still trojans and worms, and the first major data breach in the U.S. (at least in general public discourse — Target in 2013) hadn't yet happened. Five years ago, banking trojans designed to skim user credentials (like Emotet) seemed to be all the rage; WannaCry had just taken down most of Western Europe's healthcare infrastructure, which highlighted how ill-prepared healthcare was for both state-sponsored and ransomware attacks; and ransomware attackers were asking for a whopping $500 to restore enterprise systems.

Now, ransomware seems to be the primary threat, with attacks focused on healthcare providers and their downstream service vendors, plus ransoms being levied in the millions and tens of millions of dollars.

Patrick Wilson. CIO and CISO of Contra Costa County (Calif.) Health Services: Patients a decade ago used to bring diagnostic images on CD; now images are accessed across the internet. Patients used to call for lab results, and now they see them immediately. I mention those two to shine a light that cyber protection used to be just for internal workloads. That is no longer the case.

Copyright © 2024 Becker's Healthcare. All Rights Reserved.