Health Tech, Providers

5 Things to Know About the Sorry State of Healthcare Cybersecurity

During a fireside chat at MedCity News’ INVEST conference, Nitin Natarajan — deputy director at the Cybersecurity and Infrastructure Security Agency (CISA) — shared some key ideas that people need to understand about the current state of cybersecurity in the healthcare industry. For instance, he reminded us that things won’t get better overnight, and that cybersecurity requires an all-hands-on deck approach.

From left to right: Arundhati Parmar, editor-in-chief at MedCity News, and Nitin Natarajan, deputy director at the Cybersecurity and Infrastructure Security Agency (CISA)

Cybercriminals across the world continue to use healthcare organizations as their target practice. It seems like there is a new healthcare cybersecurity disaster dominating headlines each month — with this month’s being an attack on Ascension that forced hospitals across several states to revert to paper recordkeeping.

During a Wednesday fireside chat at MedCity NewsINVEST conference in Chicago, Nitin Natarajan — deputy director at the Cybersecurity and Infrastructure Security Agency (CISA) — shared some key ideas that people need to understand about the current state of cybersecurity in the healthcare industry.

Everybody’s a target.

As cybercriminal activity continues to become more sophisticated across the globe, the victim landscape is changing, Natarajan said.

“We’re seeing attacks against K-12 schools in the heartland. We’re seeing attacks on healthcare facilities. In the past, healthcare facilities were always protected, even in kinetic warfare. We never used to attack hospitals — we never attacked a tent with the red cross on it. But we now see hospitals attacked on a regular basis,” he declared.

Healthcare providers getting attacked by cybercriminals is an inevitable fate, Natarajan remarked. 

Knowing this, providers have to work tirelessly to increase their resilience so they can bounce back from these attacks more quickly going forward, he noted. He also encouraged providers to start looking at third-party cybersecurity risks as part of their corporate planning.

Things won’t get better overnight.

On Monday, HHS launched a new cybersecurity program that will provide $50 million to develop better cybersecurity defense tools for healthcare providers. While it’s easy to put a “too little too late” stamp on the effort, Natarajan noted that all progress is good.

“I think a lot of people look at cybersecurity as a light switch. We’re going to flip the switch one day, and then we’ll be cybersecure. I think it’s more like a bank of about 500 dimmer switches — the changes we make each day to raise one dimmer switch up is going to get us closer to where we need to be,” he explained.

Cybersecurity requires an all-hands-on deck approach.

In order to shore up their defenses, healthcare organizations need to make sure that all employees have at least basic cybersecurity training, Natarajan said. 

This means training all staff members on how to do things like use two-factor authentication correctly or spot phishing emails, he explained. When it comes to cybersecurity, a company is often only as strong as its weakest link.

“It’s not just the CISOs and CIOs that need to do this — you have to get the entire workforce into a culture of being more cybersecurity-savvy,” Natarajan remarked. 

There are free tools that providers should be taking advantage of.

Money is tight for a lot of healthcare providers — and there are many who simply don’t have the money to invest appropriately in cybersecurity measures, Natarajan pointed out. However, CISA and other federal organizations offer tools that healthcare providers can adopt free of charge, he said.

“It’s not an ideal fix for a small hospital that’s figuring out how to make payroll and trying to deal with recruiting and retaining staff. But we are seeing more and more opportunities for them —  in what the government is creating, and we’re also seeing companies stepping up and offering the free version of their products,” he noted.

“Secure by design” is the future.

Natarajan thinks companies making healthcare technology need to move toward a “secure by design” approach.

“This means it should be secure by default. You shouldn’t have to buy additional packages or have a turn security on,” he explained. “It means that we’re designing our hardware and our software to utilize things like memory-safe languages, and we’re building the right security elements into software.”

Photo: Gabriela Golumbovici, Breaking Media