Cyber evangelist and Clinical Cyber Defense Systems CEO Saif Abed, MD, examines the current state of cybersecurity in the healthcare sector and ways analytics can reduce cyber risk.
Cyber criminals are continually improving the effectiveness of their attack methods and will leverage any means to financially benefit from these attacks. For healthcare, cybersecurity still remains a challenge: many providers have not reduced their cyber risk.
Healthcare is increasingly being targeted with social engineering and email spoofing, which exploit human nature – one of the sector’s greatest vulnerabilities. In the course of the past month alone, reports have shown ransomware attacks disrupting patient care, unsecured medical databases, and even targeted attacks on healthcare websites.
Saif Abed, MD, of Clinical Cyber Defense Systems has spent the bulk of his career working to frame healthcare cybersecurity as a patient safety risk, as well as educating the industry on the risk of cyber warfare.
HealthITSecurity.com tapped Abed to shed light on the state of healthcare cybersecurity and how analytics can help organizations improve their cyber posture and better protect their networks.
AS ONE OF THE MOST OUTSPOKEN CYBERSECURITY LEADERS ABOUT CYBER WARFARE AND THE NEED FOR HEALTHCARE ORGANIZATIONS TO, FRANKLY, DO BETTER, HOW WOULD YOU RANK THE CURRENT STATE OF CYBERSECURITY IN THE INDUSTRY?
It’s easy to point the finger and judge so I try to avoid doing that. What I will say is that it’s clear that the topic of healthcare cybersecurity as we know it today is still relatively nascent, and there is still much variability in what I call ‘security maturity’ between hospitals and health systems. There are some providers that are global pioneers and many doing a great job with limited resources. Of course, there are others who haven’t prioritized the subject yet.
I would say this applies also to healthcare IT suppliers, which can also be concerning if healthcare providers don’t have transparency into the best practice compliance status of their suppliers. The vendor community needs to be more proactive in investing in its own documented security processes, but in a way that demonstrates they understand the idiosyncrasies of healthcare operations and clinical risks.
WHAT NEEDS TO SHIFT IN ORDER FOR PROVIDERS’ CYBER POSTURE TO IMPROVE? AND WHAT’S AT STAKE IF THE LANDSCAPE AND PACE OF CHANGE CONTINUES?
The most important thing we need is for a culture change to happen at the highest levels of management. Sustained C-level engagement is a must if healthcare systems are going to improve their posture, but also maintain that maturity against an ever-evolving threat landscape.
Further, the engagement of clinical leadership is also going to be critical if we want to shift the cybersecurity conversation from being purely technical to one that’s directly linked to patient safety and organizational resiliency. I really can’t stress this enough: Even if management’s primary concern is the financial and regulatory repercussions of a cyber-attack, this will all stem from the extent and type of clinical and organizational disruption.
It’s for these reasons that the bulk of my career has been spent engaging with all the different types of hospital executives in partnership with CIOs and CISOs rather than discussing security in a silo.
WITH THE NUMBER OF TARGETED ATTACKS AND THE EXPANSIVE THREAT SURFACE, HEALTHCARE PROVIDERS ARE CONTINUALLY LOOKING FOR WAYS TO SHORE UP THEIR DEFENSES. WHERE DO ANALYTICS FIT IN AN ORGANIZATION’S TOOLKIT?
Healthcare providers are being inundated by requests to view the latest and greatest tools the market has to offer, so I can definitely see why it can be difficult to identify the signal from the noise. Artificial intelligence and analytics are areas in particular where it can be difficult to discern what’s useful and what isn’t. I say this from the perspective of a physician who has spent countless hours reviewing health IT security offerings for the better part of a decade.
The key therefore is identifying a solution or platform that provides you with insights that are actually meaningful and actionable based on data that is derived from the existing security products a provider has invested in. Simply being shown graphs and charts of correlations of CVSS scores and technical behavior trends is not good enough.
Instead, I recommend healthcare providers focus on outcomes-based analytics: solutions that can correlate technical findings with actual clinical and business metrics. If a solution can chart, forecast and predict whether patient harm will happen or whether services will be shut down, then it’s a solution able to capture the attention of hospital executives at the highest levels irrespective of their technical acumen.
This type of granular insight can be extended to financial loss and regulatory compliance predictions and ultimately shows that the supplier you are working with truly understands your organization and its metrics of success.
WHAT ARE SOME BEST PRACTICE TIPS FOR IMPLEMENTING ANALYTICS?
Implementing an analytics platform successfully is more about people and processes rather than the technology itself. Having dedicated super-users, regular review meetings, a findings response plan and C-level engagement – especially collaboration between informatics and clinical leadership – are critical for success.
There’s simply no point investing in an analytics platform if there isn’t stakeholder buy-in into the benefits of the solution and even less so if you do not have any intention of acting on the trends and insights that emerge. There’s nothing more satisfying than seeing risk analytics improve because of actions you have directly taken. Similarly, there’s nothing more demoralizing than seeing a risk profile that never changes.
From a practical perspective, it can be tempting to deploy an analytics platform to assess all your endpoints across your entire estate through one ‘Big Bang’ go-live. My recommendation is to take a more incremental approach onboarding endpoints for analysis gradually either by type, department or institution.
The reasons for this are two-fold. First, any analytics provider focusing on outcomes worth their salt will want to optimize their analytical models for your environment and should use their first few onboarding phases to do that. The second is that the teams responsible for interpreting and acting on the analytics need to get used to it no matter how intuitive it is. An incremental approach provides the time to do that and adjust planned processes to best fit the reality of a deployment as it goes live.
RANSOMWARE ATTACKS HAVE MORE THAN DOUBLED THIS YEAR. HOW CAN ANALYTICS DETECT THESE TYPES OF ATTACKS (I.E. BRUTE-FORCE, CREDENTIAL COMPROMISE)?
Analytics can work in a number of ways, but at a very high level there are two options: vulnerability-based and threat-focused solutions. Each of these has huge numbers of variations and subcategories, but broadly speaking, threat-focused analytics look for patterns of behavior that indicate an attempted or active attack within a network and its assets.
Vulnerability-based platforms are looking for the presence of weaknesses that enable successful attacks to happen ranging from unpatched CVEs to zero days and misconfigurations. Accordingly, analytics solutions of each type can be used to either identify precursors that could enable ransomware attacks or detect the ransomware malware suites themselves.
However, it’s my view that this is quite a restrictive way to look at the challenge. Instead of asking how likely we are to be hit by ransomware, we should again have an outcomes-focused approach. We should ask questions like – “How likely are we to lose access to our CT scanner and what does that mean for our clinical workflows?” or “How likely are we to lose access to our EMR system and what will that cost us?”
By taking this approach you then have a basis to identify priority assets that are required to maintain critical operations, ensuring that you are performing analytics based on actual clinical and business needs. This method will also often highlight a range of assets that are more pivotal to clinical and organizational workflows than previously thought.
WHAT’S THE ONE THING YOU WISH HEALTHCARE ORGANIZATIONS BETTER UNDERSTOOD?
Again, focusing on senior management, it’s that cybersecurity is a patient safety issue and a direct, measurable business risk. It isn’t just a technical IT problem. This is easier said than done because it means cybersecurity data has to be presented using clinical and business outcomes language.
The more we can support informatics leaders to adopt that approach by default then the greater traction and funding we will see in cybersecurity measures.
There is no technology that’s a silver bullet when it comes to cybersecurity. Leadership of all backgrounds have to invest, with a long-term view, in developing people and processes that are optimized to make the most of the technology and data they have.
This interview has been lightly edited for brevity and context.
Source: Health IT Security