Healthcare cybersecurity – building a better burglar alarm
• Healthcare cybersecurity is deliverable in increments.
• You can start by solving the easier problems.
• The more you solve, the more you dissuade bad actors from attacking you.
Healthcare is part of a nation’s critical infrastructure, and along with other parts of that infrastructure like education, it’s become an ever more popular target for bad actors with cybersecurity breaches on their mind.
Because ethical vacuums exist and have bills to pay, that’s why.
In Part 1 of this article, we spoke with Deryck Mitchelson, Field CISO at Check Point Research and former CIO within the UK’s NHS Scotland, about why healthcare organizations frequently and mystically fail to find the funding to adequately protect their patients’ – and their staffs’ – data from this plague of unethical but annoyingly effective toe-rags.
In Part 2, we explored how cyber-professionals can make the case to get the funding they need within an extremely sensitive clinical field like healthcare, and as importantly, what to ask for.
That’s important because lots of healthcare providers have a toddler’s grasp of cybersecurity – “Shiny product, clicky buttons, want it!” – and a significantly more mature and strategic approach is needed if they’re ever to get serious about bolstering the cybersecurity of their healthcare organization.
We even went into some detail about what the prescription for healthcare cybersecurity should look like, and how its progress could be subsequently measured against a targeted list of high-impact deliverables.
Spoiler alert: you need a strategic plan owned by the board (so it becomes an actual top priority on which they have to take action), and a solid, comprehensive cybersecurity risk assessment, so you know what problems you have, how urgent each of them is, and what the most effective ways are of solving them in the right order.
Not rocket science, perhaps, but that begs the eternal question of why more healthcare organizations don’t actually do it.
It was a question we put to Deryck.
Healthcare cybersecurity – what’s the problem?
THQ:
Why don’t more healthcare organizations just bite the bullet, get the strategic plan in place and do the necessary risk assessment?
DM:
It’s a strange one. It shouldn’t be too expensive, but it’s not something they likely have the skills to do in-house, so they have to lean on partners. And it’s one of those things where you don’t know you have to lean on partners if you don’t have the plan of what you should be doing… so it doesn’t get done.
As you say though, from a cybersecurity point of view, it’s odd, because there’s a lot that can be done with automation tools these days, which certainly didn’t exist in previous eras of healthcare. There are tools that will do a “good enough” job of telling you what your risk posture is, which you can then augment with expertise from individuals who can use the data and understand what it’s showing them.
Oh, those firewalls…
I imagine a lot of the IT managers probably know where they’ve got the weaknesses, too. I’m not convinced that these things are always especially open and transparent, though. When you ask them, “Have you got firewalls in place?” they’ll say “Yes, yes. We’ve got tools in place protecting the perimeter. Yes, absolutely.”
Okay. So you need to know enough to ask things in a different way. “Are these next-generation firewalls that are doing intrusion protection, intrusion detection?” And the answer’s usually no, either because the IT managers haven’t thought they’re under that level of threat, or because they’ve known as much, but as we discussed in Part 2, they haven’t been able to get their board to understand what they’re talking about or what the urgency is, because they speak geek-threat, not clinical consequence.
These next-generation firewalls are AI-capable, they’re able to look at the behavioral context of what’s coming in – or trying to come in – and what’s sitting behind them, in order to react and see if unfriendly things are happening.
There are different levels of understanding the risk, and that’s what some of the tooling will do nowadays: it will actually show that you’ve got a level of protection, but it probably isn’t enough for critical national infrastructure systems and medical data.
I don’t need to tell you that medical data needs the best level of protection you can get, do I?
THQ:
Indeed, you do not. Especially when it comes to groups that shouldn’t be victimized but are – women making reproductive health choices, trans people getting gender affirmation care and so on. But also on a more general level, no-one wants their medical data out there wild in the world.
DM:
Exactly, so in healthcare cybersecurity, we need to continually assess that, to say “Is it good enough? Has it got vulnerabilities? Have they been patched on time? Are we keeping on top of the maintenance and management? Are we keeping on top of user access?”
THQ:
So we’re likely looking at commercial entities being brought in to do this kind of assessment?
DM:
The thing is, I don’t think doing this type of risk assessment is specifically nuanced to healthcare. I think it’s quite sector-agnostic. When I was in healthcare cybersecurity, the way I managed it was the same as it was when I was in oil and gas – the risks remain the same.
But yes, there are organizations that can do this in healthcare. They have consulting, architecture, risk assessment based on international standards. And getting that different lens looking in is important.
The power of specific data in healthcare cybersecurity calls.
Boards like that, too – the idea of independent expertise and analysis tends to drive investment, funnily enough. If you get somebody independent coming in, it’s more difficult to ignore than just having a risk on a risk register and assessing its priority. If someone from the outside actually says you’re vulnerable, you tend to check, and you tend to strengthen up your posture.
That’s especially true if it’s specific feedback. If you can say “We’ve got 12 reds, five criticals, and what that means is that the likelihood of being breached through this particular vector is fairly large,” it tells your board there’s a good chance that you will be breached within the next 12 months through that vulnerability, or that weakness, unless they do something about it. Boards like that type of language – danger, likelihood, probable deadline, and an impact on the healthcare facility explained in clinical or business terms.
THQ:
Specific data drives the incentive to invest money?
DM:
It does. And it also sets up a plan to deliver return on investment. When boards get to see a return on investment coming through, when they start to see their healthcare cybersecurity is in a better position, they know that you know what you’re talking about, and they know that the organization you brought in to solve the problems is delivering on the promise you said it had.
That makes it far easier to then go and make the next case that says “Now we need to do this other thing, and we need to do it because of this clinical risk, and we need to do it within the next 12 months, and it’ll take this many sacks of cash, thank you.”
THQ:
A cycle of trust, investment, and measurable improvement that justifies both the original trust and the next one?
DM:
Yeah.
And here’s the other thing. The type of threat actors who are targeting healthcare cybersecurity are always looking for the easiest way to go in and make the biggest impact for them.
The better burglar alarm.
So as you start to mature your cybersecurity posture by doing some of the easiest things, what I find in practice is that they tend to go off and start to target others that aren’t doing that. So you get a double win. Your maturity goes up and your risk goes down.
Very, very quickly, you find that you’re actually off the radar, because they don’t want to go up against organizations that have got fully patched firewalls, organizations that are not vulnerable.
THQ:
The burglar alarm principle. Make it work by all means, but also make it obvious that it exists, and the chances are, most burglars will go looking for the house without a prominent burglar alarm?
DM:
Exactly. If you have a solid strategy in place, and a risk assessment, and you’re starting to address your biggest vulnerabilities, it shows that you’re taking your healthcare cybersecurity seriously – and while there are still organizations that aren’t, a lot of bad actors will go and hassle them instead.