Healthcare cybersecurity: risk management posture with patient care at the center
Posted 5th June 2019 by Joshua Sewell
Denise Anderson is president of the Health Information Sharing and Analysis Centre (H-ISAC), USA. She spoke to us about her perspective on Healthcare Cybersecurity, the value of information sharing, and the paradigm shift the industry requires in light of new risks brought about by rapid innovation.
What are the biggest challenges facing healthcare cybersecurity?
Looking at healthcare cybersecurity globally, I think the biggest challenge is us. We become an obstacle when we don’t share information with each other.
Organisations can form beneficial collaborative communities to improve their risk management posture. There is so much value in sharing because one person’s defence is going to become everyone’s offence: one encounters a threat and can share lessons learnt with colleagues. If and when they encounter the same threat, they can already have protection in place through collaborative sharing.
Coming from the world of information sharing, I would love to see everyone share freely. Too often we put restrictions in place which make sharing difficult when it is so easy to do: it’s free and so beneficial! We see so many times that when information is shared, people are protected. We need to embrace sharing across the health sector, as well as other critical infrastructure sectors.
How does your day-to-day work promote this information sharing?
The H-ISAC is a community for sharing information around both cyber and physical security within critical infrastructure, particularly healthcare.
Our stakeholders are anyone that is in the healthcare environment that directly deals with patients: small to large hospitals; doctors, chiropractors, dentists; manufacturers of pharmaceutical or life science products, manufacturers of medical devices; the insurance companies; as well as labs, biological, radiological, university, academic research centres, etc.
What we do is provide a forum for our members to share information: so that when they see incidents or threats within their environment or best practices that they want to share, they have a context to do that. Also when an incident breaks, we can share information very quickly across the membership and the centre, so we are all able to prepare adequately for any particular cyber threats we may face.
What paradigm shift would you like to see across the industry?
I think we need to have paradigm shifts in three major areas:
Enterprise Risk Management: We need to shift from looking at just cybersecurity to looking at all risks across an entire organisation. Often there is too much focus on ‘cybersecurity’ when really cybersecurity is just one piece of the whole enterprise risk picture. When you look at the critical components and functions of an enterprise and decide how long the organization can live without them, you can then determine what needs to be protected and how. Then factors such as threat trends, actor motivations and tactics, vulnerabilities and cascading impacts can help inform strategies. Again, cyber is just one component of organizational risk.
To whom the CISO reports can also help in informing risk. In a number of healthcare organizations, the CISO reports to the Chief Information Officer (CIO) and they often tend to be in direct conflict. The CIO has an interest in managing IT while the CISO is typically managing security more broadly. This conflict is mitigated when operating with a more expansive enterprise risk picture.
In the financial sector, this is something that has been happening for a while. Many financial organisations are combining physical and cyber security under a Chief Risk Officer (CRO). This changes the focus from a compartmentalised threat to one of protecting the most critical asset(s) of the enterprise.
The Role of the CISO: A number of organisations within the sector have a culture where the CISO is perceived as a ‘naysayer’; the person who often says no to initiatives and technology in the interests of security. I propose that CISOs strive to be seen as business enablers; helping to inform and educate on associated risks and then have the business unit/owner assume that risk. Ideally, both teams can work together to develop beneficial security programs that are acceptable/workable for all and ultimately the organization.
Workforce Criteria: Many healthcare organizations suffer from a lack of qualified security personnel. But maybe what we need to do is examine what ‘qualified’ means. Technical skills can be taught and many enterprises have proprietary or customized systems that require training regardless of skill. Rather, employers should look for basic qualities that will make employees good security assets: attention to detail, analytical skills, a curious and questioning mind that will search for patterns and anomalies or connections among other things. These potential employees may come from non-traditional security roles such as journalists, investigators or detectives. We need to think outside the box when it comes to hiring.
What is the next step forward you would like to see in the industry?
The key component to this all is viewing all the threats that we’re seeing within the physical and cyber realm through the lens of patient safety. There is too much focus on data privacy, and while privacy is a good thing, it has taken the focus off operations and patient safety.
As we’re seeing in the current threats to healthcare – e.g. ransomware like WannaCry – it is fundamentally a patient-based issue when care can’t be delivered to these patients. Our focus should be on the overall risk posture with patient safety being the primary focus in healthcare.