This Change Healthcare situation is stunning. According to the reliable Bleeping Computer, bad actors had privileged access within the CH network for an extended period of time. And, 6 TB of patient data has been stolen. What does this mean to healthcare organizations?
1. Whatever you planned to spend to improve cybersecurity, double it.
2. Stop talking about the future of AI and deal with the insecure present.
3. Simplify your IT environment; every new snippet of software and every new network device is a new attack vector.
4. Prepare for patient notifications and all of the other responsibilities that come with a breach.
5. IT contracts need better language to deal with partner failures. We CIOs need to stop rolling over and taking on all of the risk.
https://lnkd.in/gDB-F7mb
The security landscape for any industry, including healthcare, is currently such that you have to find the risks/weaknesses in your environment before the bad guys do. It could be anywhere: vulnerable software, vulnerable hardware, 3rd party tools/software/access, vulnerable and unpatched VPNs/firewalls and other high-risk systems, an ignorant user succumbing to a phishing attack, weak access control practices, to name just a few. Finding your weaknesses and mitigating those risks in a timely manner is currently a good defensive mechanism.
Most importantly - have an incident response and recovery plan that prepares clinical staff to maintain a safe patient environment when critical systems and workflows become unavailable. Ultimately, this is about patient safety and technical safeguards are only one part of the equation. In healthcare unless we bridge the divide between IT, cyber and clinical then even the best technical response will not be enough for an organisation to maintain appropriate clinical services.
Will Weider, you highlight valid considerations. However, when I read reports about unpatched servers, the Change Healthcare saga underscores the critical need for healthcare organizations to adopt a proactive mindset toward cybersecurity. The compromised server, which had not been patched, highlights a glaring gap in basic hygiene practices. Healthcare organizations must prioritize principles of security by design and privacy by design, ensuring that security measures are integrated into every aspect of their operations from the outset. A lot of attention is being directed towards the new shiny object, aka AI, and budget battles. Those issues will sort themselves out if organizations truly adopt this new mindset of Security and Privacy by Design.
We need to focus on a different approach. The fact that technology consumers still need to patch software vulnerabilities themselves and identities can still be stolen (or are even still needed) are root issues that need to be addressed. Until we make progress there, we will continue to chase our tails. As consumers, we need to force technology vendors to do better and not continue to be scapegoats for their inadequacies.
3 things I don't hear being talked about enough: Vulnerabilities of medical devices and being able to hack them to threaten patients' health/lives remotely - sure, don't leak data is a great goal, but be mindful not to make it easier to do even more malicious acts than just shutting down access to notes, orders, results, etc. Sure, protecting the data is important, but the mindset should be about protecting lives and the patients' health; the protection of data will follow. Don't forget about what you or your leadership will be able to testify to in a deposition - can you prove you've made enough efforts and put in place enough safeguards to protect your patients to minimize your risk and liability when OCR comes knocking? Know what that will be like and be ready for that part, too. Thinking backwards from that perspective can help you better plan to use that additional "double it" budget.
Considering that in 2023, 725 large security breaches in healthcare were reported to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), cybersecurity should be a health system's number 1 priority. 2023 set a new record for security breaches. 2023 was the worst-ever year for breached healthcare records, with breached records increasing by 156% from 2022 to 133,068,542 breached records, beating the previous record of 113 million records set in 2015. In 2023, an average of 373,788 healthcare records were breached every day. https://www.hipaajournal.com/security-breaches-in-healthcare/
This is very well said. Total agreement on all points. Regarding #3, from the POV that most companies, especially healthcare, are underfunded from a cybersecurity perspective: the bottleneck [IMO] seems to be that organizational stakeholders are good with presenting budget requests around pain that can be felt today - i.e. slow apps, let's upgrade the servers; slow network, let's upgrade the switches/ISP/routers/etc. Cybersecurity budgeting is figuring out how much to spend on different types of whack-a-mole tools for unknown types of future threats, so qualification and quantification are inherently more difficult. The other challenge is for stakeholders to be able to evaluate tools for both efficacy and true coverage - whether they are effective autonomously, or whether efficacy is delivered through configuration and fine tuning. The latter requires work and expertise, and it's difficult work. I see a lot of companies with top-shelf security products with minimal configuration maturity, and well-marketed vaporware everywhere. I guess what I'm saying is spend wisely, and configure diligently :/
Thanks for the insights 👍🏼 can you expand on #3? It seems like every new user (emails, credentials, etc.) and every remote access (ex. screenconnect, teamviewer) are the major breach points recently, but you point out software snippets first. Can you clarify? Thanks!
I would add to consider a different security posture and embrace Zero Trust Runtime Defense. You have to assume breach of your perimeter and defend against insider threat (stolen credentials). This attack is likely very similar to MGM - we know it is the same group. Learn how a different approach can help you. https://www.virsec.com/resources/blog/mgm_attack_analysis_2023
Simply saying double your cybersecurity spend is a vast oversimplification. You have to have the right leadership and team in your IT security teams to take a holistic and reasonable approach. Merely throwing money at a problem will not guarantee security. As for better contracts, that is a MUST, not just to hold the vendor accountable but to also FORCE your inclusion in their cybersecurity (and business continuity/disaster recovery) practices. Annual reporting on both cybersecurity and business continuity/disaster recovery by every vendor is critical. It is not enough to take their word that they have these areas covered.