HEALTHTECH: How has the cybersecurity landscape for healthcare evolved in recent years?
NATARAJAN: We’re seeing cybersecurity evolve in two ways. We’re seeing changes to the adversaries, which were traditionally large nation-state actors or large cybercriminal organizations, and we’re seeing a lot more actors in the landscape. There are now cybercriminals and cyberterrorist organizations of all sizes.
We’re also seeing an evolution in threats like Ransomware as a Service, which allows anybody to be a potential adversary. You used to have to recruit a team and have the expertise. Now you just need money and somebody you don’t like, and you can create your own cyberattacks against a new victim set.
Where we’re seeing the other part of the evolution is in the victim space. It used to be a perception that cybercriminals only targeted large corporations and large governments. If I’m a small rural hospital or a small rural school district, I didn’t have to worry about a nation-state adversary coming after me. But we’re seeing that’s no longer true. We’re seeing victims across the nation that are large and small, public and private, rural and urban. Anybody can be a potential victim of this new threat of adversaries.
This combination of the increase in frequency, volume and sophistication of attacks by a growing adversary base, with a growing base of potential victims, really is changing the landscape in healthcare and beyond.
There was also a perception for a long time that healthcare was exempt. Even if you go back to traditional war and conflict, you never bomb a hospital. But we’re seeing hospitals are not exempt anymore. We’re seeing cyberterrorists, cybercriminals and nation-state actors going after healthcare facilities and having an impact.
It’s not just about revenue and financial gain. At the end of the day, a cyberattack against a hospital becomes a patient safety issue, and so that impact is felt and reverberates throughout those communities. Even in urban areas where there are a lot of healthcare providers or a lot more hospitals, the impact of the loss of any one institution for any period is still felt. Those forces — the evolution of the adversary and victim base over the past several years — will continue to evolve in the years to come. That’s what has me most concerned.
EXPLORE: Three tips for healthcare organizations to guard against vishing and smishing.
HEALTHTECH: Are there certain factors that make healthcare especially vulnerable to these types of attacks?
NATARAJAN: I’m really excited about the advancements in healthcare. We look at where healthcare is going to go in the next three, five, seven years, and it’s just amazing. But with that comes an expanded attack surface. The convenience of connecting to the internet brings an additional vulnerability. When we look at healthcare, there was a surge of technology adoption at the beginning of the pandemic. An increase in telemedicine and telehealth capabilities appeared almost overnight. That’s not going away and, arguably, it’s going to continue to increase and evolve over time.
That’s going to make it more complex for the healthcare sector, not just based on the volume, scope and growth of challenges that we have seen in the past couple of years from COVID-19, but also from what we will see in the years to come. The fact that those impacts can be felt at the bedside truly is concerning.
Implementing the five pillars of #zerotrust security architecture can help #healthcare organizations mitigate cyberthreats. @CISAgov Deputy Director Nitin Natarajan shares cybersecurity best practices at #HIMSS23: pic.twitter.com/0OCrY3ieM1
— HealthTech Magazine (@HealthTechMag) April 18, 2023
HEALTHTECH: What types of strategies or technologies can healthcare organizations deploy to improve their cybersecurity posture and mitigate risk from these cyberattacks?
NATARAJAN: There are a few things. We still ask folks to revert to the basics: having strong passwords and multifactor authentication. Those capabilities, as well as updating and patching software regularly, are critically important.
Another avenue that we focus on is the Secure by Design, Secure by Default model for technology products. How do we secure by design? How do we insist that manufacturers are truly using things like memory-safe languages and looking at vulnerability disclosure programs and other measures to ensure that what we are purchasing is secure? How do we make sure that, as consumers, we are insisting on that from our vendors and that they are really being asked those tough questions?
Then, how do we ensure as consumers that what we’re purchasing and what we’re buying is secure by default? How do we ensure that, right out of the box, it has a certain level of security built into it and that we don’t have to necessarily pay extra for a secure model versus an unsecure model?
Finally, within our institutions and healthcare, how do we take this discussion away from CISOs and CIOs and really elevate them to CEOs and boards? For years, all too often we’ve expected the CISO or the CIO to protect the entire enterprise. Often, when they’re speaking about cybersecurity challenges and vulnerabilities with CEOs and boards, it’s just not understood — it’s a foreign language. How do we change that dialogue from asking CISOs to just accept the risk, change the landscape and protect the organization to, instead, elevate that conversation to CEOs and boards? How do we really instill a sense of corporate cyber responsibility among those who are accepting the risk?
To me, it’s a three-legged stool. We spend a lot of time on risk identification and risk mitigation. We forget the third leg of that stool, which is risk acceptance, and that risk acceptance truly is with CEOs and boards. How do we make sure that they understand the risk that they’re accepting at the end of the day? We always accept some risk. We’ll never mitigate everything, but making sure that risk acceptance is as well-informed as it can be at the highest levels of the organization is really where we need to get to.
READ MORE: As cyberthreats grow, can zero trust protect healthcare organizations’ data?
HEALTHTECH: How else can healthcare organizations strengthen their security culture and ensure that everyone has security in mind?
NATARAJAN: It’s about getting everybody involved. It’s about taking this from being an IT solution to an organizational solution and ensuring that not just the CEOs and the boards are aware, but, frankly, that everyone is aware. That includes every clinician, every employee in that facility who supports clinical care and the downstream supply chain. You also need to ensure you’re not introducing new vulnerabilities.
I mean, we know some hospitals are dependent on just-in-time delivery and a number of third-party vendors, sources and contracts. How do you make sure that everybody you’re dealing with is secure and that they’re, frankly, practicing the level of cybersecurity that you want them to? You also need to ensure that you’re asking them those questions, that you’re choosing products and vendors that have a strong cybersecurity focus, and that you are using cybersecurity to help guide your decision-making.
It truly does take everybody. People joke about who would click on phishing links, but people will click on anything. Computers are so prevalent and available in healthcare these days, and many people still think they might get a million dollars via email. So, we need to take that instinct away and make sure that people are thinking with a cybersecurity mindset in every role throughout the organization. We shouldn’t just expect our CISOs and our IT and cybersecurity teams to solve this for the organization. Everybody has a role to play, and everybody needs to play their part.