Cybersecurity in the doctor’s office: How we can safeguard lives by building resilient healthcare (Q&A)
Taylor Lehmann
Director, Office of the CISO, Google Cloud
Healthcare chief information security officers (CISOs) face the complex challenge of navigating a changing regulatory landscape, embracing collaboration, and using modern technology to stay ahead of evolving threats. Unlike other industries, where breaches often result in financial loss or data compromise, healthcare cybersecurity failures can also directly impact patient safety and lives.
The recent White House report on Cyber-Physical Resilience serves as a stark reminder of the critical role cybersecurity plays in healthcare. The report's central message is clear: We must build resilience. As part of improving healthcare cybersecurity resilience, Google has committed to improving cybersecurity at rural healthcare organizations.
We also believe that ongoing communication and discussion are vital to building a modern, more resilient healthcare ecosystem. To advance that conversation, we brought together CISOs from ChristianaCare, Highmark Health, Northwell Health, and Novant Health on Tuesday, Sept. 18, to hear their advice on how security and business leaders in cybersecurity and healthcare can learn from the past, drive industry change, and embrace the future with optimism.
The stakes have never been higher, but together we can build a more secure tomorrow for the healthcare sector.
What follows is an edited transcript of the conversation.
Taylor Lehmann: Let's start with the White House report. It addresses vulnerabilities in critical infrastructure, but how does this translate to the CEO of a healthcare organization? What are your top priorities regarding resilience, and how do you communicate those to your leadership teams?
Kathy Hughes, CISO, Northwell Health: Cybersecurity is a major concern for all industries, but especially healthcare. We're a prime target because of the wealth of patient and employee data we store, and threat actors know our systems are critical for patient care.
Ransomware, phishing attacks, and often outdated infrastructure are major concerns. Plus, we have networked medical devices that can also be compromised. There's a lot to secure! And you're right, prevention is key.
To communicate these risks to leadership, I frame them in terms of business impact: patient safety, financial implications, and reputational damage. I also align them with regulations like the White House strategy and use data to illustrate the risks. Open communication is key.
Sanjeev Sah, CISO, Novant Health: Resilience is crucial for ensuring continuity of care, even during cyber events. We need strong cyber practices and procedures, and effective recovery plans. Threat actors are becoming more sophisticated, and recent industry incidents have shown where weaknesses exist. In addition to continued strength in our defenses, we must focus on plans for recovery and resilience in our technology and operations.
Taylor Lehmann: Greg, how do you see the intersection of human behavior and technology contributing to resilience? What behavioral changes do we need to encourage?
Greg Barnes, CISO, Highmark Health: I believe the most crucial human element we need in healthcare cybersecurity is a competent Cyber Defense Corps. Healthcare organizations often operate with tight budgets, making it harder to attract, keep, and train top-notch defenders. This issue becomes even more pronounced for organizations "below the cybersecurity poverty line" — often smaller, rural, or inner-city hospitals. Attracting and retaining talent is tough even for well-funded organizations, and healthcare often lags behind other sectors in this regard.
One way to address this is through membership in the Health-ISAC. By joining, organizations gain access to thousands of analysts focused on the same challenges. While not a complete solution, it's a definite step in the right direction. I urge every organization, healthcare or otherwise, to join their sector's ISAC and prioritize building a highly competent cyber defense team.
Taylor Lehmann: How can we leverage public-private partnerships to enhance cyber resilience across the sector?
Anahi Santiago, CISO, ChristianaCare: I see this in terms of economies of scale. When we work in silos, we can't leverage talent or share resources effectively. Joining organizations like Health-ISAC creates an industry-wide community. We lift each other up, share threat intelligence and solutions, and learn how others are tackling problems. These partnerships boost our internal capabilities and improve the whole industry.
The Healthcare Sector Coordinating Council (HSCC) is another great example. Over 400 organizations collaborate on things like strong cyber defenses, incident response plans, and contract language. We're not reinventing the wheel; we're building on shared knowledge. These public-private partnerships have really helped the industry advance.
I remember when HSCC first formed; it was much smaller. Studies showed the industry wasn’t collaborating effectively, which hindered our progress in cybersecurity. But over the years, we've strengthened those connections. I'm optimistic that by continuing this collaborative work, including with our federal partners, we can collectively improve our cyber posture.
Right now, I'm working with a group focused on underserved provider communities. We're identifying the challenges faced by small, mid-sized, and inner-city organizations – those who might be living under the cyber poverty line, as Greg mentioned. We want to understand their needs and provide the tools and support to level the playing field.
Ultimately, the key to improving cyber resiliency across our industry is working together and collaborating with our government partners.
Greg Barnes: To add to that, partnership is essential, but the government's typical operating procedures aren't geared towards rapid, adaptable responses to evolving cyber threats. This isn't news to anyone. They've helped develop guidance, but in emergencies, we need to adapt quickly. The private sector must advocate for solutions that allow for these surgical, adaptive responses, and we need the government to develop those capabilities — and change.
Think back to recent events. The ink was barely dry on the sector’s cyber resilience plan when one of the last big incidents happened. Healthcare payers had to quickly establish loan programs to help struggling providers. That demonstrated the need for agility and immediate action.
During this incident, many providers were on the verge of not making payroll because they couldn't process claims. While some companies stepped up to help, the overall response was slow, confusing, and insufficient. We didn't see enough assistance from the public sector.
If another major event happens, we need stronger collaboration. The healthcare sector can't be expected to handle everything alone. We need to advocate for better support from our government partners and work together to improve our response to these events. We can definitely do better.
Sanjeev Sah: There are two things to consider here. First, how do we make knowledge, education, and tools available to the entire healthcare community? As Anahi mentioned, not everyone has the resources they need for robust cybersecurity. The HSCC cyber working group has made great strides in the last five years. The number of participating organizations has grown significantly.
Second, basic cyber hygiene remains crucial. We need to prioritize it regardless of regulations, simply because it's the right thing to do to protect our organizations and patients.
If you look closely at recent incidents, often a basic control was missing, like multi-factor authentication, that could have prevented the impact. It's not that organizations don't have these tools; it's about ensuring they're implemented effectively. We need to double down on cyber hygiene while expanding resources and partnerships across the industry.
Taylor Lehmann: The root causes of these cybersecurity events are being studied, and we're learning from them. We absolutely need strong security controls, but we don't need more data to show that it's challenging to maintain them flawlessly every second of every day. Focusing on hygiene and prioritizing the most critical health infrastructure, like those that directly play an intervening role in life or death situations, is key. In healthcare, this means protecting systems that save lives.
Organizations must do the basics well and consistently, though that's easier said than done. We also need to start studying what works broadly at defeating threats proactively, before we learn them the hard way. Industry needs to produce more data about threats, defenses, infrastructure, and others to inform our strategies better than today.
As Kathy mentioned, healthcare organizations must protect a wide range of assets: medical devices, desktops, systems for prior authorizations, claims processing, and more. Everything in the supply chain is crucial. Recent events have exposed vulnerabilities in our supply chains and highlighted our dependencies.
This brings me to the importance of diversification. I'd like to hear your perspectives on supply chains. How are you gaining visibility into your supply chains and dependencies? Have recent events changed your approach to procurement and security strategy?
Kathy Hughes: Including security teams in procurement decisions is crucial for ensuring that vendors meet our security standards. Contractual language should include assurances of vendor resilience, disaster recovery plans, and appropriate cybersecurity measures.
Sanjeev Sah: Incidents involving external partners can significantly impact one’s operations. We're all part of an interconnected ecosystem. It is crucial to diversify suppliers and establish resilient supply chain strategies.
Anahi Santiago: Recent events highlighted reliance on key partners. We're now assessing single points of failure in our supply chain and working to diversify. The industry is realizing that cybersecurity is an ecosystem, and we need to partner with clinical and business leaders to understand and address organizational risks.
Greg Barnes: Imagine the impact if a company with a more pivotal role in the healthcare ecosystem had been the target of one of these recent attacks. This is not something any single entity can solve alone. We need to understand these risks and respond collectively.
Taylor Lehmann: We need to define unacceptable impacts and plan accordingly. We need to prioritize critical functions and plan for resilience in our supply chains.
Kathy, what initiatives are you implementing at Northwell to adapt to the changing landscape and foster continuous learning?
Kathy Hughes: We can't be complacent. We must constantly monitor threats and learn from incidents, both within healthcare and other sectors. We need to be proactive and invest in threat detection and response. Technologies like AI and machine learning are crucial, as is a zero-trust approach. We also can't forget the basics, like patching systems, investing in security awareness training, and conducting exercises and assessments to identify and address gaps.
Taylor Lehmann: What are you optimistic about, and what areas should we focus on in the future?
Sanjeev Sah: I'm excited about the potential of public-private partnerships and the positive impact they can have. We're learning from our experiences and developing more resilient architectures. I'm also optimistic about the potential of AI, as long as we use it responsibly and ethically.
Greg Barnes: It's easy to get caught up in recent events, but we need to maintain perspective. We are making progress. Looking ahead, AI-generated misinformation and disinformation are major concerns. We need to develop solutions and regulations, similar to how we addressed non-repudiation for online banking. I'm optimistic that we can find solutions, perhaps something like a digital signature to identify AI-generated content.
Collaboration is the key to building resiliency
The insights shared by these CISOs highlight the critical nature of cybersecurity in healthcare. The evolving threat landscape demands that we prioritize adapting, innovating, and collaborating.
As we move forward, let's heed their advice, learn from each other's experiences, and collectively build a more resilient healthcare ecosystem. With our collaboration, and a relentless pursuit of innovation, we can safeguard patient safety, protect sensitive data, and ensure the future of healthcare is both secure and resilient.