Why Security Priorities Need to Shift to Safety Issues
Cybersecurity Expert Joshua Corman on Addressing Risks to Patients
The healthcare sector's cybersecurity efforts need to shift from a focus on protecting patient information confidentiality to protecting patient safety, says Joshua Corman, co-founder of I Am The Cavalry, a grassroots, not-for-profit cyber safety organization. He's also chief security officer at software developer PTC and a fellow at the Atlantic Council.
"We make a joke in the Cavalry: I love my privacy; I'd like to be alive to enjoy it," he says in a video interview at Information Security Media Group's recent Healthcare Security Summit in New York.
The top security priority of most healthcare sector entities has long been protecting the privacy of patient information, Corman notes. But as ambitious new efforts, such as the national Precision Medicine Initiative, take shape, organizations also need to "focus on patient safety and the availability of critical resources," he says.
"It's not that privacy doesn't matter - we're failing miserably at it - and in a lot of ways, the toothpaste is out of the tube. But if you just design for privacy, you might encrypt things, but if you design for privacy and safety, maybe you design things differently," he says. "The threat models are more comprehensive. So there's significant work to do, and right now, if a hospital has to choose between protecting a patient record or protecting the patient ... there's no incentive to protect the patient, really. This is uncharted territory and we're out of time."
In the interview, Corman also discusses:
- The serious threats to patient safety posed by ransomware and other cyberattacks on the healthcare sector;
- Recent hacking simulations conducted by I Am the Cavalry involving emergency room physicians to study the potential safety impact on patients;
- The cybersecurity challenges facing healthcare providers, especially small, midsized and rural ones.
In addition to his work at I Am the Cavalry, Corman is also chief security officer at software developer PTC, a fellow at the Atlantic Council, and a member of the Department of Health and Human Services' Cybersecurity Task Force. Corman formerly served as chief technology officer for Sonatype, director of security intelligence for Akamai and in senior research and strategy roles for The 451 Group and IBM Internet Security Systems.