'Wartime' Security Mindset Means Being PreparedHighlights From ISMG's Healthcare Security Summit
What are the critical elements of developing a "wartime" mindset to deal with the serious cyber threats facing the healthcare sector?
Information security leaders gathered in New York Nov. 1-2 to address this important question at Information Security Media Group's Healthcare Security Summit. Here are a few key takeaways from keynote presentations, CISO panel discussions - and attendees as well.
Avoid a Checklist Approach
The Department of Health and Human Services' Office for Civil Rights, which enforces HIPAA, wants organizations to go far beyond casually checking off compliance boxes to mitigate cyber risks, said keynote speaker Deven McGraw, OCR's director of health information privacy. Doing a risk analysis that identifies vulnerabilities - but then delaying the implementation of mitigation steps - is an example of a poor security practice that's all too common, she said. And the surge of ransomware attacks is a reminder to ensure your organization's contingency plans are regularly updated to deal with new threats and potential disasters, she said.
Be Aware of Bad Guys' Tactics
While cyber threats are becoming more sophisticated, the tools to launch attacks are becoming cheaper and easier for the bad guys to get their hands on, warned keynote speaker Jay Kramer, supervisory special agent at the FBI's cyber division. For instance, dark web sites sell ransomware kits for as little as $30. Kramer urged attendees to seek out help from law enforcement, including the FBI, after a breach. But for the FBI to aid in the investigation, your organization must be prepared to provide details on the map of your network - as well as network logs, he advised. Too many organizations - especially those that have gone through mergers and acquisitions - don't know all the places where patient data resides, he noted.
Take Medical Device Risks Seriously
Threats to medical devices are real and have to be taken seriously, says speaker Kevin Fu, associate professor at the University of Michigan Archimedes Research Center for Medical Device Security. Keeping your medical device software updated can help, but be forewarned that even those updates can also contain malware, he said. He also stressed the importance of reporting device vulnerabilities to the appropriate federal agencies so they can be evaluated and then, if verified, publicized.
Prepare for Ransomware Attacks to Continue
Ransomware attacks will plague the healthcare sector in the years to come, speakers and attendees agreed. To avoid a potential shutdown of the ability to deliver patient care, organizations must be ready with a solid approach to defending against any type of malware. That includes being up to date with anti-malware and software patching as well as having recent data backups that are also free of malware.
Avoiding becoming a victim of ransomware - and other types of cyberattacks - also requires having cyber-aware staff who won't be tricked into opening an email or other files containing malicious code, becoming your organization's weakest links.
Test, Then Test Again
Even with the best defenses, sooner or later, most organizations are going to have a data breach or other security incident, whether it's caused by hackers or insiders. Response and recovery to those events require preparation and practice. Don't expect that your organization will know how to react to a breach unless you've tested - and retested - your plan.
Use a Framework
Several CISOs in attendance stressed that using a security framework, such as those from the National Institute of Standards and Technology or the Healthcare Information Trust Alliance, helps build confidence among CEOs and other senior leaders that organizations are making right decisions on cybersecurity, which leads to approval of the right investments.
If you were unable to join us for the summit, note that we'll make all the presentations available on our website soon. Plus, we'll post video interviews with many of the presenters.