I have a very fascinating and rewarding job: I help our large, busy and diversified healthcare system keep everyone and everything secure. I spend my days, along with my talented and dedicated colleagues, surfacing hidden risk and cybersecurity threats inside our organization.
It’s a tough job, and I’m glad I get to do it. But I have to say, it does force you to start with a negative mindset and to assume the worst. I start with the assumption that there is a cyber-threat somewhere in our organization, and if I don’t find it, chaos—or worse—will ensue.
But by starting with the principle of “assumed breach,” it becomes very clear, very quickly, how high the stakes are. After all, all you need is one compromise, one lapse, to let the bad actors inside the fortress and do their dirty work. When that happens, data is compromised, patient care is impacted and lives are put at risk.
What Makes Healthcare a High Cyber-Risk Environment
Complexity is the genesis of cyber risk, and few—if any—industries present more of a complexity-driven risk profile than healthcare, which I think of as a huge, organic spaghetti ball of systems, networks, applications and devices that must work together. As an industry, we’ve done a good job in streamlining and simplifying everything, but we still have a lot of work to do in order to reduce our risks.
At an academic medical center like UCLA Health, we experience it first-hand. We teach, conduct research and deliver healthcare, all under the same roof and sharing many of the same infrastructure and services. It represents a dynamic and diverse threat landscape; we certainly have a very broad mandate when it comes to finding risk and cyber-threats across our environment.
That spectrum includes a lot of large, intertwined and mission-critical applications. We’ve got Electronic Health Records (EHRs), imaging systems, business applications and more; but we also have to support commodity devices (not just servers, PCs, tablets and smartphones) connected into our networks. The device breadth and diversity is staggering, so it’s easy to imagine the many potential nexuses of risk.
And, because we teach and conduct research here, the need for collaborating and data sharing is paramount. All of our people need real-time, often unfettered access to systems and common access to data sets.
We have a lot of very smart, technically savvy people working at UCLA Health, but I don’t expect them to be experts on spotting risk and identifying cyber-threats. They are often using their own personal devices (BYOD) and standing up their own cloud services. And, because of the irreversible trend toward more remote work, threats from outside our traditional physical environment have greatly multiplied. It forces our security teams to spend a lot of time chasing after the ever-evolving threat landscape and on cyber-hygiene and awareness topics.
As if the cyber-threat landscape wasn’t a big enough concern, add to that the explosion of connected devices that make up the Internet of Things (IoT) and, specific to healthcare, the Internet of Medical Things (IoMT). These connected devices expand technology touchpoints to the individual level and are being used to accomplish phenomenal things throughout our industry, but they carry substantial risk, as well. Right after the ever-growing number of cyber bad actors and their evolving tactics, techniques and procedures (TTPs), the thing that keeps me up nowadays is all those connected things. I’m not just talking about infusion pumps, heart monitors and sensor-based medical instruments, either. My worries extend into the cyber-physical with connected devices such as elevators, power plants, HVAC, fire-life-safety systems and the like.
Spotting and Thwarting Risks
This trend toward shadow IT may not be unique to healthcare, but it carries unique risks for our healthcare institution and for our entire industry. Medical professionals, educators, researchers and business users all demand technology to do their jobs and serve our patients, so it’s hardly unusual to have them decide to do their own thing—even when they lack in-depth knowledge about spotting and combating cyber risk.
When leadership asks what we need to do our job of risk detection and mitigation effectively, there are a few things that jump to the top of my list:
- Enterprise digital asset management is essential for effective and resilient cybersecurity in healthcare. The continuing proliferation of devices, applications, services, workflows and access modalities means you need a comprehensive and dynamic view of what’s out there under your purview. Remember: You can’t protect and defend what you can’t see.
- Visibility, in general, is a huge problem across industries, but especially in healthcare. Healthcare is a 24/7 operation and directly impacts people’s lives. To be resilient and to provide strong safeguards, we must ensure we provide comprehensive signaling and telemetry for critical infrastructure, systems, and services in order to detect and respond to threats before they permeate our systems and impact people’s lives.
- Healthcare organizations need a strategic view of IT security risk management, and I’m not just talking about protecting the brand, preventing lawsuits or avoiding compliance violations. Risk management must be a part of the culture of IT and infused in the way we design and build technology and deliver patient care.
- As we continue to transform our IT organizations, the DevSecOps mindset needs to be a model for traditional and emerging cloud-based IT. IT security can no longer be a bolt-on afterthought, but must be by design and “shift left” as close to conception as possible.
- Finally, so much of our success and failure is shaped by how well and consistently we practice the fundamentals. Proper cyber-hygiene is just as important as washing our hands to prevent infection. If we can do even 80% of the basics, each day, we will all be in better cyber-shape. That will also make it far easier for the defenders to focus on the “big, hairy unknown” problems lurking around the next corner.
Questions Healthcare Stakeholders Need to Ask
As a cybersecurity professional, I believe it is essential that our executives, stakeholders and customers are asking us tough questions. IT Security is every bit a ‘team sport’ and we need to encourage others to get in our business and ask probing, high-gain questions.
Here are a few questions I think should be asked on a regular basis:
- How are our crown jewels being protected today in order to ensure the highest possible resiliency, avoid regulatory flare-ups and ensure the highest quality patient outcomes and satisfaction? (In other words, show me the data!)
- What is our process for identifying and mitigating risk? Are we being proactive, or are we just responding to everything without prioritization or discrimination? Executives must know whether their organization is truly on the hunt when it comes to rooting out threats, or is simply playing whack-a-mole.
- How are we educating our employees, caregivers, and patients so they are better protected against cyber-badness, identity theft, data loss and personal harm?
- What does our internal and external threat landscape look like? How is it changing and where is the next attack likely to come from, and from whom?
- How are we building cybersecurity awareness and ensuring cyber-hygiene is a shared responsibility?
As the healthcare industry continues to emerge from the pandemic and adapt to the new normal of a remote workforce, increasing cyber-attacks and the exploding threat landscape, we can’t let our guard down for one millisecond.
The most successful IT security teams will be those that proactively engage and partner with customer and stakeholder groups, leverage a combination of defensive and offensive cybersecurity practices, and create a culture of strong cyber-hygiene in all aspects of IT and in the delivery of patient care.
Jim Collins is a senior cybersecurity leader at UCLA Health and an Advisor of the Global Healthcare Industry Council at Palo Alto Networks.