Jump to Content
Security & Identity

Cloud CISO Perspectives: How Google is helping to improve rural healthcare cybersecurity

June 28, 2024
https://storage.googleapis.com/gweb-cloudblog-publish/images/2024_Cloud_CISO_Perspectives_header_no_tit.max-2500x2500.jpg
Phil Venables

VP, TI Security & CISO, Google Cloud

Taylor Lehmann

Director, Office of the CISO, Google Cloud

Hear monthly from our Cloud CISO in your inbox

Get the latest on security from Cloud CISO Phil Venables.

Subscribe

Welcome to the second Cloud CISO Perspectives for June 2024. In this update, Taylor Lehmann, director, Office of the CISO, shares remarks he made to the National Security Council this month on the steps Google is taking to help rural healthcare networks become more secure and resilient against cyberattacks.

As with all Cloud CISO Perspectives, the contents of this newsletter are posted to the Google Cloud blog. If you’re reading this on the website and you’d like to receive the email version, you can subscribe here.

--Phil Venables, VP, TI Security & CISO, Google Cloud

How Google is helping to improve rural healthcare cybersecurity

By Taylor Lehmann, director, Office of the CISO, Google Cloud

Healthcare organizations have wrestled for decades to protect complex and critical technologies that are vital to their core mission of helping sick people get better. The proper functioning of our society depends on the ability of people to receive timely healthcare, yet cyberattacks against healthcare organizations are making it harder — and the attacks are getting worse.

In the first half of just this year, attacks on hospitals and their suppliers have disabled payment systems, prevented patients from receiving the care they need, and in some cases, have made it unsafe to be a patient physically located inside an impacted care facility. Hospitals and clinics are pushed to the brink, with some being forced to permanently close.

https://storage.googleapis.com/gweb-cloudblog-publish/images/Taylor_Lehmann_2.max-600x600.jpg

Rural communities across America are especially vulnerable to these threats. Estimates suggest more than 60 million people are served by 1,800 to 2,100 rural hospitals and clinics, many of which are critical access hospitals located more than 35 miles from another hospital.

Thirty-five miles might not seem like a long distance, but a cyberattack can force someone suffering from a catastrophic brain injury to be diverted from their closest hospital to one further away. The first 60 minutes after an injury or other health emergency can be vital to a patient’s survival, enabling diagnosis and rapid medical interventions. If they can’t get the care they need in that “golden hour,” then the likelihood that the patient will not survive the diversion trip from the nearest hospital to another facility increases.

For patients and staff who remain inside an impacted hospital and can’t be moved, their experience changes too. When computers deliver and coordinate care suddenly stop functioning, other services deteriorate. Radiology services needed to diagnose strokes, systems in the NICU that keep very sick babies under constant surveillance (and warm), bedside medication administration systems to ensure proper medication delivery and dosages, and even basic electronic medical records (EMR) for patients have all been degraded or stopped by cyberattacks.

Today, we are bringing these [secure-by-design] technologies to healthcare organizations, some substantially discounted and many others at no cost, to help improve their agility to defeat cyber threats, and mitigate cyber risks that may otherwise undermine their availability.

While clinicians do their best to keep track of everything with paper and pen during a cyberattack that takes down their EMR system, no access to patient medical records can slow or even halt simple procedures that saves lives. We don’t have to imagine these real-world consequences of cyberattacks against healthcare because we’ve seen them happen, repeatedly.

All of this presumes that a cyberattack isn’t impacting multiple medical facilities in the same vicinity, and hopefully, the hospitals to which patients are diverted are capable of treating patients with the same level of care.

The White House, Department of Health and Human Services, the Health Sector Coordinating Council, and others are putting significant effort into identifying systemic challenges, and working with organizations including Google to come up with real and defined solutions to improve cyber resilience for rural health facilities. We’re excited to see this new direction, and we’re here to support communities and health systems.

The Biden-Harris administration published a fact sheet on June 10 summarizing the White House response to these attacks. Recognizing the unique role that healthcare organizations play in their communities, regions, and across the nation, the White House emphasized the public-private partnership needed to better secure hospitals and other healthcare organizations.

As an early innovator and proponent of secure-by-design technology, Google has been working across industries to provide access to and onboarding support to implement the same security tools and practices that keep Google safe to organizations of all types. Today, we are bringing these technologies to healthcare organizations, some substantially discounted and many others at no cost, to help improve their agility to defeat cyber threats, and mitigate cyber risks that may otherwise undermine their availability.

Information sharing is a vital component of securing the healthcare sector. We need better mechanisms to capture and share information that include and surpass threat intelligence.

We support the White House’s efforts in achieving that outcome. We believe organizations, including Google, can help in a few different, unique, and important ways, and we welcome the opportunity to contribute.

1. Secure by design, secure by default

We know that many health systems have acquired and operate technology that was built for interoperability, but not with strong security measures in mind.

At Google, we develop secure by design technologies that have been engineered with security from the get-go, not bolted on afterwards. Fortunately, the U.S. government and other governments around the world have been encouraging and, in some cases, mandating shifts to secure by design and by default technologies. Critical to the security and resiliency of healthcare technology, secure by design and by default encourages four essential principles:

  • How customers actually use products, even when those uses are inadvertently risky;
  • How the developer ecosystem can encourage vulnerability and error prevention;
  • How grounding software in properties that remain consistent even when under attack can strengthen resilience; and
  • How understandability and assurance can verify those grounding properties, even at scale.

Technology that shows up in a hospital must be secure by design and by default. It must be increasingly easy to maintain, upgrade, patch, and eventually replace when needed. It must not add more complexity to already complex environments. It needs to work safely, after it has experienced an attack, or indeed, during an attack. The makers of these technologies know that the only way to achieve these outcomes is to ensure that protections are built in from the start.

2. Share information on threats, countermeasures, and successes

Information sharing is a vital component of securing the healthcare sector. We need better mechanisms to capture and share information that include and surpass threat intelligence. This includes data-supported conclusions about which practices work, and ensuring that they are informed — but not solely driven by — incidents and failures.

As part of Google’s pursuit of this goal, we have been developing partnerships with multiple information sharing and analysis centers, including the Health ISAC, across more than 10 critical infrastructure sectors — and we plan on doing more. We are eager to support organizations such as the Health ISAC and Sector Coordinating Council continue to get stronger at executing their key function: sharing information.

Google will put our own collaboration and security products into the hands of hospitals and healthcare organizations that need them, most at no or very discounted cost.

We need to reduce barriers to sharing information, too. More organizations should be sharing information at increasing levels of sophistication: It’s just not enough anymore to merely consume it. Organized, rapid intelligence-sharing, and verifiable responses can mean the difference between a successful defense and a vulnerable one.

3. Put Google’s security tools in the hands of hospitals

Google will put our own collaboration and security products into the hands of hospitals and healthcare organizations that need them, most at no or very discounted cost. We are offering products, implementation services, and support to eligible organizations to support their adoption. Organizations interested in more details on the following offerings should email rural-health@google.com.

Let’s take a look at what Google will be providing to healthcare organizations.

Chrome Enterprise Browser and ChromeOS can help health systems safely access and use internet-based and internal technology resources they use to operate their facilities and deliver patient care. Working together, Chrome and ChromeOS offer a more secure alternative than other browser and operating system combinations.

Google Workspace Enterprise Essentials Plus is also included in this program. Google Workspace, which supports compliance with HIPAA, is a collaboration platform that pairs productivity applications (including Docs, Slides, Sheets, and Drive), messaging applications (such as Gmail and Chat), identity platforms (Cloud Identity Premium), and a suite of sophisticated security tools to keep data safe. Workspace helps organizations simplify communication between administrators, clinicians, and patients securely.

4. Grow cybersecurity expertise through education

We also believe in training more cybersecurity professionals. Google.org grants help fund cybersecurity clinics at universities and colleges, which support rural and underserved hospitals in their communities. We are in the process of providing $25 million to 25 U.S. cybersecurity clinics.

We are also helping establish additional clinics at universities and colleges who put cybersecurity-focused students and faculty into their communities, to help them better secure their IT systems. Schools including the Eastern Washington University, Massachusetts Institute of Technology, Rochester Institute of Technology, Tougaloo College, Turtle Mountain Community College, and the University of Texas, are working to secure small, underserved, and rural healthcare systems and public health agencies through these programs.

To support education and training efforts, we’re making courses available from our Mandiant Academy program.

Google Cloud and Mandiant have built a program that up-levels the healthcare industry and key industry partners. Our offer includes:

Mandiant education and training courses

Education and training are crucial to securing rural and underserved hospitals and clinics. To support education and training efforts, we’re making courses available from our Mandiant Academy program.

We will be giving the Health ISAC 20 on-demand training courses, at no charge, that it can disperse to its members. We will also be giving the Health ISAC credits for 10 public, instructor-led scheduled courses that it can distribute to its members. Members will have the opportunity to earn certifications in incident response and threat intelligence following their training or through their own independent study.

Also from our Mandiant Academy, we’ll be offering discounts on three popular courses.

  • AIM for Health ISAC: In partnership with the Health ISAC, we are offering our Applied Intelligence Mentorship program (AIM). From Mandiant Intelligence, the AIM program is a four-week immersive mentorship designed to develop skilled cyber threat intelligence (CTI) practitioners through direct coaching and practical skills application.
  • ThreatSpace: Mandiant Consulting is also making its immersive educational experience ThreatSpace available to help incident response teams hone their skills against realistic APT-level attacks in a consequence-free environment.
  • Digital Forensics and Incident Response Bootcamp: This intensive, 10-day bootcamp teaches the fundamental investigative techniques needed to respond to today’s threat actors and intrusion scenarios. After eight days of classroom learning, students spend two days doing hands-on exercises that take them through adversary activity and the process of responding to a nation-state threat.

This is just the beginning. We’re developing no cost and discounted offerings of these technologies and services for organizations in need. To learn more, please email us at rural-health@google.com.

In case you missed it

Here are the latest updates, products, services, and resources from our security teams so far this month:

  • Project Naptime: Evaluating offensive security capabilities of LLMs: Security researchers at Google’s Project Zero evaluated the capabilities of foundation models to refine their testing methods, and found they could “significantly” improve vulnerability discovery. Read more.
  • Why hybrid deployments are key to secure PQC migration: We explore the advantages of a hybrid deployment in a world of post-quantum cryptography, take a deep dive into the reasons behind our recommendation, and offer guidance on how to implement hybrid schemes. Read more.
  • The empty chair: Guess who’s missing from your cybersecurity tabletop exercise: Tabletop exercises can help prepare organizations to face a cyberattack. But did you remember to invite your OT and ICS experts to the table? Read more.
  • Lightning-fast decision-making: How AI can boost OODA loop impact on cybersecurity: Long used in boardrooms, the OODA loop can help leaders make better, faster decisions. Make OODA loops even more effective with an AI boost. Here’s how. Read more.
  • Cloud KMS Autokey can help you encrypt resources quickly and efficiently: To help make CMEK configuration more efficient, we’re introducing Cloud KMS Autokey, which automates CMEK key control operations. Read more.

Please visit the Google Cloud blog for more security stories published this month.

Threat Intelligence news

  • Cloaked and covert: Uncovering UNC3886 espionage operations: Mandiant has released new research on UNC3886, a suspected China-nexus cyber espionage actor that has targeted prominent strategic organizations on a global scale. Read more.

Now hear this: Google Cloud Security and Mandiant podcasts

  • From bad IP to trafficking busts, meet the human side of threat intelligence: Threat intelligence is one of those terms whose meaning changes depending on the listener. Brandon Wood, product manager, Google Threat Intelligence, tells hosts Anton Chuvakin and Tim Peacock about what folks are getting wrong about TI. Listen here.
  • Cloud incident confessions: Top 5 mistakes that lead to breaches: Mandiant consultants Omar ElAhdan and Will Silverstone discuss securing hybrid clouds and how organizations misunderstand their own attack surfaces. Listen here.

To have our Cloud CISO Perspectives post delivered twice a month to your inbox, sign up for our newsletter. We’ll be back in two weeks with more security-related updates from Google Cloud.

Posted in