Listen to the article
This audio is automatically generated, please let us know if you have any feedback.
Cyber leaders at a panel hosted by Google Cloud on Tuesday said supply chain vulnerabilities are a top priority for healthcare organizations following an attack on technology company and insurance claims processor Change Healthcare earlier this year that disrupted the healthcare industry for weeks.
Chief Information Security Officers at Novant Health, Highmark Health and Northwell Health; ChristianaCare participated in the event, increase cyber- Threats to the industry, including major suppliers to the health system.
While cybercriminals are attacking hospitals directly, health systems are also vulnerable to cyberattacks on their vendors, and outages on some suppliers could have a direct impact on patient care, Greg Burns said. Chief Information Security Officer Based in Pittsburgh Highmark.
The CISOs argued that healthcare organizations need to share information to address cyber threats, especially smaller, less-resourced health systems that struggle to invest in cybersecurity.
“This is not a problem that any one company can solve,” Burns said. “It’s not a problem that government can solve alone. But it’s a problem that we need to understand very quickly and start responding collectively.”
Mitigating Risk with Hospital Vendors
The healthcare industry has become a popular target for cybercriminals, panelists said, as it is rich in valuable patient data that cybercriminals know is key to hospital operations.
Health systems also rely on many third parties, from cloud service providers to electronic medical record vendors to laboratory service companies. In one example, a blood center serving hundreds of hospitals in the southeastern U.S. was targeted in a ransomware attack this summer, affecting patient care and forcing some hospitals to implement blood storage protocols.
Many health systems want to use fewer vendors to streamline operations, said Sanjeev Sah, chief information security officer at Novant, based in Winston-Salem, North Carolina. But having backups in place could be beneficial if a cyberattack affects one of the company’s key suppliers.
“We’re finding that we need to bring in complementary services from multiple partners in case one partner is disrupted,” he said. “This is essentially about business continuity.”
Cathy Hughes, chief information security officer at Northwell Health in New York, said hospitals should bring their cyber team to the negotiating table when partnering with vendors. Cyber experts can help ensure contracts with suppliers include provisions on cybersecurity and disaster-recovery plans in case of an attack.
Health systems can base their risk assessment on the vendor’s role, Sah says: For example, is the vendor responsible for handling protected health information? Does it handle sensitive systems?
He said partners are often willing to work with health systems to close security gaps, but when they can’t, health systems may need to consider other options.
“Given all the risks we’ve seen over the last few months and years, organizations can’t afford to have any loopholes in their security,” Sarr said. “A single misstep can have major consequences.”
Sharing information to stretch limited cyber resources and manpower
Having a strong, capable cybersecurity team is a key component to better defending healthcare organizations against attacks, panelists said. But attracting such talent to the healthcare sector is easier said than done, given an existing global shortage of cybersecurity talent.
Healthcare systems tend to have low profit margins, making it even more difficult to hire and retain talented cybersecurity talent, Burns said.
“I think this problem becomes even more acute when you talk about people who live below what we call the cybersecurity poverty line,” he said. “Small hospitals, rural hospitals, even inner-city hospitals. It’s hard enough to attract and retain talent, even with funding, but I think it’s fair to say healthcare is at the very bottom of that escalator.”
Panelists said joining the Health Information Sharing and Analysis Center (Health-ISAC) could be a first step for smaller healthcare organizations to band together with other healthcare organizations to share resources and threat information.
Another helpful resource is the Health Sector Coordinating Council, an advisory group that includes healthcare organizations, industry associations and government agencies, said Anahi Santiago, CISO at Wilmington, Delaware-based ChristianaCare.
The group has produced guidance on how to build cyber defenses, how to develop industry response plans, and model contract language for third parties.
“I think what came out of the Change Healthcare incident was a realization among organizations that just having a cybersecurity program in place is not enough to protect your organization,” Santiago said. “It’s really an ecosystem, and you have to really partner with clinical and business leaders to understand the organization-wide risks of cybersecurity.”
