If we had to troubleshoot just a few devices every once in a while, our hospital systems would run as smooth as butter, right?
But, when missing devices, security issues, and friction caused by interoperability hits, we can’t expect a smooth operation.
This webinar will answer many questions surrounding the devices integral to keeping patients healthy. Joining us to talk about managing your unmanaged devices are guests Andrew Sutherland, CISO for Children’s Hospital of Los Angeles, Erik Decker, CISO for Intermountain Healthcare, and Jonathan Langer, COO of Claroty and Co-Founder of Medigate by Claroty. Understanding your device inventory can seem overwhelming, but these leaders will share what they have implemented and what can be next for your health system. Hear about the risk management techniques that they have found to manage the devices in their systems.
Before the webinar, check out the Briefing Campaign on our channel, hitting on five major topics about unmanaged devices in healthcare. Speaker Samuel Hill from Medigate by Claroty sheds light on challenges surrounding devices in healthcare and what can resolve them. How do you build zero trust security? How do you assess your technology successfully? Merger & Acquisitions; How do you manage your devices? Do you know where your devices are? Our conversations cover all of these questions and more.
So many devices. So little oversight. Be the change and listen now to honest conversations propelling healthcare forward! Find solutions and learn how your hospital system can progress without the everyday hindrances to which you’ve become accustomed.
If we had to troubleshoot just a few devices every once in a while, our hospital systems would run as smooth as butter, right?
But, when missing devices, security issues, and friction caused by interoperability hits, we can’t expect a smooth operation.
This webinar will answer many questions surrounding the devices integral to keeping patients healthy. Joining us to talk about managing your unmanaged devices are guests Andrew Sutherland, CISO for Children’s Hospital of Los Angeles, Erik Decker, CISO for Intermountain Healthcare, and Jonathan Langer, COO of Claroty and Co-Founder of Medigate by Claroty. Understanding your device inventory can seem overwhelming, but these leaders will share what they have implemented and what can be next for your health system. Hear about the risk management techniques that they have found to manage the devices in their systems.
Before the webinar, check out the Briefing Campaign on our channel, hitting on five major topics about unmanaged devices in healthcare. Speaker Samuel Hill from Medigate by Claroty sheds light on challenges surrounding devices in healthcare and what can resolve them. How do you build zero trust security? How do you assess your technology successfully? Merger & Acquisitions; How do you manage your devices? Do you know where your devices are? Our conversations cover all of these questions and more.
So many devices. So little oversight. Be the change and listen now to honest conversations propelling healthcare forward! Find solutions and learn how your hospital system can progress without the everyday hindrances to which you’ve become accustomed.
What is Operational Technology? OT are the systems that keep hospitals running. Like Medical devices, these critical infrastructure items have unique characteristics that make securing them difficult. So, what are the common OT devices found in a hospital and what should we do about them? What is OT Security? Practices and technologies used to (a) protect people, assets, and information, (b) monitor and/or control physical devices, processes and events, and (c) initiate state changes to enterprise OT systems. Talk to Medigate about their OT security solutions to help keep you operating https://www.medigate.io/demo
This is episode 5 of 5 in our series “Challenges and Solutions to Unmanaged Devices in Healthcare”. Other topics we cover include Visibility for Zero Trust, Mergers and Acquisitions, Holistic Assessments, and Improved Device Effectiveness. Thanks for listening!
Sign up for our webinar: Challenges and Solutions to Unmanaged Devices in Healthcare - Thursday September 8, 2022: 1pm ET / 10am PT
Every hospital has thousands of devices that cost thousands of dollars each, yet most of them are idle around 52% of the time. On top of all that, the nursing units are always asking for more! Having an up-to-date inventory, tracking utilization, and monitoring physical location can significantly improve effectiveness and will return millions of dollars back to the operational budget. To learn more about Clinical Device Efficiency, visit https://www.medigate.io/cde
This is episode 4 of 5 on our series “Challenges and Solutions to Unmanaged Devices in Healthcare”. Other topics we cover include Visibility for Zero Trust, Mergers and Acquisitions, Holistic Assessments, and Securing OT Assets. Stay tuned for more.
Sign up for our webinar: Challenges and Solutions to Unmanaged Devices in Healthcare - Thursday September 8, 2022: 1pm ET / 10am PT
What kind of problems arise as a result of starting on a security strategy without doing holistic assessments? We're all trying to improve cybersecurity across healthcare. It’s a never ending job, unfortunately, but knowing where you’re at across different mile markers or points in time, can really help guide you. How do you acquire the data that will allow you to evaluate and refresh your strategy as needed? What processes are in place? How do you bring new devices onto your network? How do you apply or enforce security policy? What processes can you vet or challenge? What technology do you have? Are you missing some key components or are there components that are not talking to each other? From a holistic standpoint, using an external third party can really help to find the gaps. That’s where Medigate comes in. They can help you to identify and quantify all of the threats and then manage those threats within and adapt your existing management structure. https://www.medigate.io/services
This is episode 3 of 5 on our series “Challenges and Solutions to Unmanaged Devices in Healthcare”. Other topics we cover include Visibility for Zero Trust, Mergers and Acquisitions, Improved Device Effectiveness, and Securing OT Assets. Stay tuned for more.
Sign up for our webinar: Challenges and Solutions to Unmanaged Devices in Healthcare - Thursday September 8, 2022: 1pm ET / 10am PT
One of the hardest things to achieve in business is a Merger and Acquisition. Even with a successful M and A, there’s always challenges. There's always stress. And so many questions that must be asked. What technology standards do they operate with? What devices do they have in their environment? What best practices do they adhere to? I think everybody in the world assumes that the CIO knows all this and can identify all the devices and knows what patch version and what risk level etc. But that is not always the case. Connected devices bring complicated risks, so Medigate created a single platform to orchestrate and integrate HDO security throughout your environment, so you can connect with confidence. https://www.medigate.io/demo
This is episode 2 of 5 on our series “Challenges and Solutions to Unmanaged Devices in Healthcare”. Other topics we cover include Visibility for Zero Trust, Holistic Assessments, Improved Device Effectiveness, and Securing OT Assets. Stay tuned for more.
Sign up for our webinar: Challenges and Solutions to Unmanaged Devices in Healthcare - Thursday September 8, 2022: 1pm ET / 10am PT
Visibility is the foundation for zero trust. The reality is that threats in healthcare are getting much more complex. There’s a much broader attack surface. It’s extremely hard to know where all of our devices are. It was hard to know where they were before, which brings us to the question, is zero trust even achievable in healthcare? What does visibility look like and what does it mean? If you don't know what devices are out there or if you're not certain that they’re connecting to your network then it's really hard to apply any security techniques against those devices. Medigate created a single platform to help with visibility and understanding of what devices are there and what’s connecting to the network, so you can connect with confidence. https://www.medigate.io/
This is episode 1 of 5 on our series “Challenges and Solutions to Unmanaged Devices in Healthcare”. Other topics we cover include Mergers and Acquisitions, Holistic Assessments, Improved Device Effectiveness, and Securing OT Assets. Stay tuned for more.
Sign up for our webinar: Challenges and Solutions to Unmanaged Devices in Healthcare - Thursday September 8, 2022: 1pm ET / 10am PT
If we had to troubleshoot just a few devices every once in a while, our hospital systems would run as smooth as butter, right?
But, when missing devices, security issues, and friction caused by interoperability hits, we can’t expect a smooth operation.
This webinar will answer many questions surrounding the devices integral to keeping patients healthy. Joining us to talk about managing your unmanaged devices are guests Andrew Sutherland, CISO for Children’s Hospital of Los Angeles, Erik Decker, CISO for Intermountain Healthcare, and Jonathan Langer, COO of Claroty and Co-Founder of Medigate by Claroty. Understanding your device inventory can seem overwhelming, but these leaders will share what they have implemented and what can be next for your health system. Hear about the risk management techniques that they have found to manage the devices in their systems.
Before the webinar, check out the Briefing Campaign on our channel, hitting on five major topics about unmanaged devices in healthcare. Speaker Samuel Hill from Medigate by Claroty sheds light on challenges surrounding devices in healthcare and what can resolve them. How do you build zero trust security? How do you assess your technology successfully? Merger & Acquisitions; How do you manage your devices? Do you know where your devices are? Our conversations cover all of these questions and more.
So many devices. So little oversight. Be the change and listen now to honest conversations propelling healthcare forward! Find solutions and learn how your hospital system can progress without the everyday hindrances to which you’ve become accustomed.
October may be National Cybersecurity Awareness Month, but the 2021 cybersecurity landscape has health IT leaders need to be wary of cyber threats every minute of every day.
This Week in Health IT founder and host Bill Russell first likened the healthcare cybersecurity landscape to a war, in 2018. If a foreign warship were anchored off the American coast, the US government would take action. Likewise, they must consider cyber threats. This was as the industry was still processing the back-to-back blows delivered the previous year by notorious cyberattacks “WannaCry” and “NotPetya.” Both attacks were sophisticated cyber-weapons that wreaked havoc on health systems.
Even before the uncertainties brought about by the novel coronavirus, health systems were still struggling to fill out their cybersecurity teams. Now, these challenges have continued. Meanwhile, COVID-19 has brought about higher vulnerability as online threats grow in volume and complexity every year. According to Forbes, the number of hacking incidents levied against health systems jumped by 42% from 2019 to 2020. These statistics marked the fifth year straits of increased healthcare data breaches.
Health systems continue to fight to keep safe in the fraught health IT cybersecurity landscape. Leaders must collaborate to bolster their understanding of the threats, vulnerabilities, and possibilities, postured Censinet's Chris Logan during a Newsday interview.
"We're all in the same fight. So at the end of the day, we all need to start working together to solve these problems. It's not about the haves and the haves nots. It's how can we share that best practice? How can we share those controls? I think that's going to be critical moving forward to solve the problem," he said.
As bad actors have increased their attacks, the cybersecurity conversation has continued to garner attention and urgency. As Cybersecurity Awareness Month comes to a close, This Week in Health IT gathered perspectives from some of the leading minds in health IT. Experts have weighed in on the cybersecurity landscape and actionable insights about how to navigate healthcare cybersecurity in 2022 and beyond.
David Muntz, Principal at StarBridge Advisors
While much has changed in the wider world since Russell made his first “war” comparison, health IT continues to grapple with the same obstacles. If healthcare cybersecurity is a war, the good guys need more recruits—and Russell’s guest on that 2018 episode, David Muntz, knows where to look.
Lack of personnel may be a big issue, but Muntz, a principal at Starbridge Advisors, explained that it’s easy to find IT professionals with the technical skills for cybersecurity. It’s harder to find prospective staff who understand the nuance of healthcare cybersecurity landscape—and are passionate about it.
Muntz emphasized the value of homegrown health IT talent. He explained how it’s sometimes better to leverage existing clinical knowledge to develop valuable cybersecurity team members.
“I’ve got plenty of people with technical skills,” Muntz said. “We populate our projects with the best of the people in the clinical areas. Once they go into healthcare IT, they aren’t touching one person at a time—they are touching hundreds or thousands at a time, and it’s easy to draw them over. You don’t need as much technical skill as you need human skills.”
To tackle the ever-growing threats that health systems face, it isn’t enough to have a fully-staffed IT department. Experts like Muntz, Russell, and Sirius Healthcare's Cybersecurity First Responder Matt Sickles all agree that homegrown IT staff are an advantage, provided they are committed to their work.
Matt Sickles, Cybersecurity First Responder at Sirius Healthcare
Dedicated IT teams will foster success by truly caring about the health of the organization, Sickles explained. These team members have “skin in the game.” They stand opposite to contractors who “get parachuted in to tell the CEO they’ve done a bad job” on security.
The optimal factor of success is constructive communication, Sickles explained. Staff must be willing to express the severity of the threats staring down their health system and receive attention when suggesting preventative measures.
“Say it out loud, say it often, repeat it. And make it part of the beginning of every discussion related to information,” Sickles said. “If it is information technology or information security, cybersecurity just has to be omnipresent in the conversation.”
During his tenure as a CIO, Russell explained how the chief security officer was designed to be a thorn in his side. Russell encouraged his CISO to consistently pipe up to alert the organization of deficiencies in their security.
“His role is to get in my face and say, ‘We’re not making enough progress in these areas. How are we going to move the needle?’“
Mitch Parker, CISO for Indiana University Health, was quick to answer what he perceived to be the largest gap in health cybersecurity.
Mitch Parker, CISO Indiana University Health This Week in Health IT
“Due diligence,” he said.
Health leaders should pay attention to the third parties that they use to provide IT services, he added. The risks are manifold. On one hand, a a cybersecurity breach can bring down clinical applications from third party providers if their services are compromised.
A more recent example illustrates the other risk: direct infection passed through a third party. During the SolarWinds breach in 2020, Russian hackers exploited vulnerabilities in the third-party software to gain access to victims ranging from US government agencies to the California Department of State Hospitals.
Parker believes true diligence means incorporating security teams into the procurement process. It can prevent uninformed decisions or panic-buying, especially in the wake of a newsworthy breach.
“I think the unintended consequence of SolarWinds has been that a significant number of third-party vendors took their marketing materials, added the word ‘SolarWinds’ to them. And they are now making a lot of money off of CIOs that don’t know any better,” Parker said.
Cybersecurity staff should be involved in vetting potential IT partners, Parker posited.
Ryan Witt, Managing Director and Resident CISO at Proofpoint
Attacks that have compromised trusted third-party enterprise vendors, as the NotPetya attacks did, can have catastrophic consequences that are out of the health system’s control. However, most attacks are less sophisticated. Ryan Witt, Managing Director and Resident CISO at Proofpoint, insisted that health systems address the easy routes first.
“I would argue the starting point would be your email gateway. People are essentially being attacked on email or other messaging channels,” Witt said. “You need to have a sophisticated gateway that blocks about 95% of the email that comes your way, so you’re keeping almost all of the bad email away from your users immediately. You’re not forcing them to make a judgment call.”
In addition to filtering outside emails, Witt suggested the use of domain-based message authentication, reporting & conformance (DMARC) capabilities to relieve the pressure on employees. These tools would allow health systems to verify the domain that users are sending their emails from, minimizing the risk of coworker impersonation that can result in serious data breaches.
Julie Hubbard, VP of Enterprise IT and Information Security at AMN Healthcare
Julie Hubbard, VP of Enterprise IT and Information Security at AMN Healthcare, agreed with Witt’s suggestions, but also endorsed reactive human intervention.
Her organization experiences a near-miss by hackers after they attempted to impersonate her company’s CFO. As a response, her organization created new rules. Team members must now only execute certain actions through verbal confirmation.
“We put a new control in place that basically said that no wire transfer would ever be approved via email,” she said. “We always work to validate that the information we’ve received is legitimate—so take it out of the digital communications and literally pick up the phone.”
Karl West, the Chief Information Security Officer for Sirius Healthcare, said that one of the simplest prevention techniques is staying up to date with the latest healthcare IT patches. Health systems must treat cybersecurity measures as preventative measures. Cybersecurity teams must enlist preventative tactics. Health leaders must treat these measures as the equivalent of a vaccination effort.
“What makes a system susceptible as if they forget to get their vaccines. This is not political and it’s not moral. Just get the vaccine and vaccinate your systems,” he said. “It’s called patch management. You need to be doing that.”
Even with strong preventive measures, incidents will continue to happen. West has understood that it’s vital that leaders take a measured approach to response and recovery.
“When you get hit, you must know the difference between detection, response, and recovery,” he said. “They are not the same. They’re not even close to the same.”
West has often seen a failure in understanding the full cybersecurity landscape. Organizations detect a breach and immediately fly into their response, not realizing that the strand they have detected may just be the tip of the iceberg.
Karl West, CISO at Sirius Healthcare
It may seem counterintuitive. However, he explained that it is better to pause for an analysis rather than launching into a hasty response and recovery effort. If an organization were to rush into response and recovery without fully understanding and eradicating the threat, they may find themselves facing a resurgent hack or malware operation.
“Don’t move until you’ve completely identified [the threat] in a good shop,” West said. “You should be measuring how long it took to detect and know that you have the threat vector completely understood. Measure how long it takes to respond, how long to recover.”
Health systems can also "sandbox" their systems to help contain a threat, West explained. Health organizations often run “flat networks” that are easy for bad actors to traverse. By segmenting technologies within the health system into sets with strong firewalls between, providers quickly shut down infected systems to prevent the spread of a breach—and potentially avert a full-scale system outage.
Brian Sterud, VP of IT, CISO, and CIO of Faith Regional Health
Other experts agree that long-term vision is vital to full recovery and future prevention.
“Everybody is prepared for the first 24 hours or less. Once you start getting past that threshold, things get a lot more complicated,” added Brian Sterud, who serves as both CIO and CISO at Faith Regional Health.
Sterud has tasked his team with planning contingencies based on key questions.
“How would we operate? How do we get bills out the door? Make sure that patient care is first and foremost, and then make sure that we can get bills out the door.”
Failure to implement simple preventive measures can spell disaster for patients and health systems. Attacks that compromise clinical care are a clear affront to healthcare’s mission. Dr. Eric Quiñones, Chief Healthcare Advisor at World Wide Technology, noted that providers are also responsible for being good stewards of their patients’ private data.
Dr. Eric Quiñones, Chief Healthcare Advisor at World Wide Technology
In the spring of 2021, mid-size provider Scripps Health in San Diego faced down a ransomware attack that forced many of their systems offline for three weeks. The incident cost Scripps a reported $113 million in lost revenue and left the health system legally vulnerable.
“It's very bad that any organization should be held to ransom and breached, but it’s another thing when information is actually stolen,” Quiñones said. About 147,000 patients had their health and financial information compromised in the attack. “It hurts [hospitals] from a credibility standpoint. There's that indirect cost as well. Do patients trust them now?”
Patients have now filed class-action lawsuits against Scripps, alleging that the health system should have done more to thwart the attack and protect patient data.
Unfortunately, the story of Scripps is not a unique one. Its larger neighbor, UC San Diego Health, suffered a breach that lasted from the winter 2020 into spring 2021. That event compromised about a half-million patient records and also produced a pending class-action suit.
“This breach was preventable—had UC San Diego Health had the right data protection protocols in place,” the plaintiffs’ lawyers argue.
Kristin Myers is the CIO of Mount Sinai Health System. She knows many bleak statistics about the 2021 cybersecurity landscape, but lists them without losing hope for the future of healthcare cybersecurity.
Kristin Myers, CIO at Mount Sinai Health System
“Twelve percent of all ransomware attacks are in healthcare, and downtime on average can be around 23 days,” she said. “Just think about being down for 23 days—you’ve got to be able to reduce the attack surface, but you also need to be ready in terms of an incident response. Looking at the backups, doing tabletop exercises with our executives, I think that is extremely important.”
Today, Myers said there is widespread executive support for the cybersecurity operations at Mount Sinai. She’s also hopeful about a new CISO hire brought in from outside the industry. Once past the learning curve of healthcare, she believes outside cybersecurity experts can bring new perspectives and skills to fill the gaps in health IT.
Still, she has understood the road to a healthier cyber future won’t be seamless. Improvement depends on simple best-practices, systemwide buy-in, and realistic expectations.
“It’s a journey,” she said. “There’s not going to be perfection with cybersecurity, it’s a maturity journey that everyone is on.”
Twelve percent of ransomware attacks are aimed at the healthcare industry. As the IT conversation hones in on these risks, Kristin Myers, CIO at Mount Sinai, shared her plans for healthcare IT cybersecurity, digital solutions, and the patient experience.
Ransomware attacks are not minor inconveniences for health systems; recent successful breaches have taken down organizations for the better part of a month, if not longer. Systems should both reduce the attack surface and have a plan for incident responses, according to Myers. Downtimes after a breach average approximately 23 days, which is not accounted for in many response plans.
Kristin Myers, CIO at Mount Sinai
At Mount Sinai, the system has begun to work towards an effective, long-term cyberattack response plan. According to Myers, they have begun to prepare backups and conduct tabletop exercises with executives to prepare.
Myers also emphasized overall healthcare IT cybersecurity programs. Mount Sinai recently brought in a new CISO, Rishi Tripathi, from outside the healthcare industry. Currently, he has been assessing Mount Sinai's program maturity and governance. According to Myers, the healthcare industry has fallen behind other industries in cybersecurity maturity. This has made outside expertise and insight a valuable resource.
According to Myers, a combination of the CISO and Chief Risk Officer have utilized an enterprise risk management framework at Mount Sinai. They have listed cybersecurity as a major risk. By having a governance structure of consistent meetings, reports, and committees, there has been more awareness and support towards preventative measures.
"I have to say everyone is extremely supportive of the cybersecurity program. I think it's a journey. There's no perfection with cybersecurity and it's a maturity journey that everyone is on," she explained.
According to Myers, recent digital solutions have come together to create a seamless and frictionless patient experience.
"Our patients are really used to being able to have very easy experiences in other sectors, whether it's retail or entertainment and we need to be able to bring that to healthcare," she explained.
Knowing this, Mount Sinai began looking for solutions like CRM, referral management, texting solutions, and more. The goal is to provide strong, unfragmented patient experiences. This has proved challenging, as it has been difficult to bring the experience together. According to Myers, it has been a slow process.
Mount Sinai determined their priorities from a combination of operations, clinical informatics, digital governance, and outpatient experience teams. Additionally, having direct patient input for digital solutions is an invaluable resource.
Additionally, Myers has shaped her philosophy for build versus buy. She explained that determining useful solutions starts by going back to the application portfolio. By identifying existing functionality and the enterprise roadmap, a team can identify if there is a point solution or if one must be built.
An example of this is in a text-to-chat for patients and physicians. For example, the My Mount Sinai application will begin to integrate this digital solution after discovering one of their applications had the current functionality for it.
As an academic medical center, innovation is expected. According to Myers, the Dean of their institution has newly appointed a department head for a division over artificial intelligence. As CIO, Myers has begun collaborating with the division with AI imaging. By combining clinical, claims, and social determinant data, there is a way to pinpoint outreach efforts for patients.
Currently, there are predictive models in place, and there is a desire to continue expanding its clinical data science team.
According to Myers, the system has begun to build an enterprise data strategy. This will serve as a foundation, providing additional self-service tools for groups across the health system.
"I think that we have a lot of data assets at Mount Sinai but we want to bring them all together and, as a research institution, make it easier for our researchers to get access to the data appropriately," Myers said.
Mount Sinai has begun to look across data centers post-pandemic to prioritize consolidation and an overall cloud strategy. According to Myers, there is a need for a multi-cloud strategy to provide various tools for genomics. The system will continue to stay multi-cloud. They have begun analyzing for a primary vendor to transition a majority of its business and clinical applications into.
Myers included data center facilities, cloud strategy, business continuity, and disaster recovery as upcoming priorities.
Beyond this, there are other transformation programs currently in the works. Mount Sinai now has live HR payroll for Oracle Cloud. Therefore, the system must move forward with financials, supply chain, access, and hospital billing. This has been a significant undertaking, according to Myers.
As they continue to roll out Epic, Mount Sinai has begun considering a unified communications strategy for its nurses and corporate team members. According to Myers, the cloud could potentially replace a number of telephones to streamline the number of devices.
"There's a lot going on. I'm sure there are at every institution. But again, cyber and digital are up there, as well as our enterprise data strategy, which we've been very much focused on and got funding for," she said.
© Copyright 2023 Health Lyrics All rights reserved
