Given the number of healthcare data breaches, what advice would you give health system leaders about preparing for and responding to cyberattacks?
Employee retention is number one. Your people are everything. You can’t defend your house if no one’s home. It’s just that simple.
We also have some cybersecurity pillars that are not often talked about. Things like asset management, vulnerability management, identity and access management, supply chain management, and third-party risk management are cornerstones of a security program, and they’re very hard to solve. Unlike email protection or endpoint protection, which are places where hospitals bleed out profusely if not addressed, these other pillars are not necessarily solved by products. They require people to run those solutions.
Providing that you have a good handle on some of these critical areas like email and endpoint security, it’s about creating that great foundation—starting with asset management—and building your program from there. Otherwise, if the foundation is not good, then the program will not operate at the skill level that it needs.
I think information shares are critically important, especially in organizations where you’re the sole cybersecurity full-time employee. You need to know someone else is out there going through what you’re going through.
Generating regional information shares has been so powerful for us. In New England, we have a regional information exchange among hospitals at the cybersecurity level. Hospitals can remain competitive. But for us to manage risk in hospitals, we can’t have any secrets around what’s working and what’s not working.
Do you expect the threat level to increase, decrease or remain about the same in the short term?
I think it isn’t going anywhere. The nature of hospitals is that we consolidate out of necessity for a number of reasons. When hospitals consolidate, they become more complex. And when hospitals become more complex, their attack surface increases, because there are so many more things to look at and consider. Unfortunately, I don’t think it’s going anywhere, but as long as we have good folks ready to do the work, I think we’re well prepared for it.
What’s your message to everyone else working in healthcare? What can those outside of information and technology departments do to help promote cybersecurity?
Cybersecurity is a formal department in most hospitals, but it really is an embedded function of everyone’s job. Cybersecurity cannot happen unless everyone is doing it. We can certainly be the ones who process the signals of cybersecurity and understand when things are going sideways, but we can’t be secure if everyone does not adopt that mentality that they are a cybersecurity person, too. That is so powerful, and we see that in our organization. It’s a really important message that I think needs to pervade. Everyone working in hospitals: Cybersecurity is your job, too.