Safe & Sound with Marianne Kolbasuk McGee


'Wartime' Security Mindset Means Being Prepared

Highlights From ISMG's Healthcare Security Summit
Deven McGraw of OCR

What are the critical elements of developing a "wartime" mindset to deal with the serious cyber threats facing the healthcare sector?


Information security leaders gathered in New York Nov. 1-2 to address this important question at Information Security Media Group's Healthcare Security Summit. Here are a few key takeaways from keynote presentations, CISO panel discussions - and attendees as well.

Avoid a Checklist Approach

The Department of Health and Human Services' Office for Civil Rights, which enforces HIPAA, wants organizations to go far beyond casually checking off compliance boxes to mitigate cyber risks, said keynote speaker Deven McGraw, OCR's director of health information privacy. Doing a risk analysis that identifies vulnerabilities - but then delaying the implementation of mitigation steps - is an example of a poor security practice that's all too common, she said. And the surge of ransomware attacks is a reminder to ensure your organization's contingency plans are regularly updated to deal with new threats and potential disasters, she said.

Be Aware of Bad Guys' Tactics

Jay Kramer of the FBI

While cyber threats are becoming more sophisticated, the tools to launch attacks are becoming cheaper and easier for the bad guys to get their hands on, warned keynote speaker Jay Kramer, supervisory special agent at the FBI's cyber division. For instance, dark web sites sell ransomware kits for as little as $30. Kramer urged attendees to seek out help from law enforcement, including the FBI, after a breach. But for the FBI to aid in the investigation, your organization must be prepared to provide details on the map of your network - as well as network logs, he advised. Too many organizations - especially those that have gone through mergers and acquisitions - don't know all the places where patient data resides, he noted.

Take Medical Device Risks Seriously

Threats to medical devices are real and have to be taken seriously, said speaker Kevin Fu, associate professor at the University of Michigan Archimedes Research Center for Medical Device Security. Keeping your medical device software updated can help, but be forewarned that even those updates can contain malware, he said. He also stressed the importance of reporting device vulnerabilities to the appropriate federal agencies so they can be evaluated and then, if verified, publicized.

Prepare for Ransomware Attacks to Continue

Ransomware attacks will plague the healthcare sector in the years to come, speakers and attendees agreed. To avoid a potential shutdown of the ability to deliver patient care, organizations must be ready with a solid approach to defending against any type of malware. That includes being up to date with anti-malware and software patching as well as having recent data backups that are also free of malware.

Avoiding becoming a victim of ransomware - and other types of cyberattacks - also requires having cyber-aware staff who won't be tricked into opening an email or other files containing malicious code, becoming your organization's weakest links.

Test, Then Test Again

Even with the best defenses, sooner or later, most organizations are going to have a data breach or other security incident, whether it's caused by hackers or insiders. Response and recovery to those events require preparation and practice. Don't expect that your organization will know how to react to a breach unless you've tested - and retested - your plan.

Use a Framework

Several CISOs in attendance stressed that using a security framework, such as those from the National Institute of Standards and Technology or the Healthcare Information Trust Alliance, helps build confidence among CEOs and other senior leaders that the organization is making the right decisions on cybersecurity, which leads to approval of the right investments.

If you were unable to join us for the summit, note that we'll make all the presentations available on our website soon. Plus, we'll post video interviews with many of the presenters.

About the Author

Marianne Kolbasuk McGee


Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.
