Change Healthcare. Dell. AT&T. CrowdStrike.
Those are just some of the major cybersecurity incidents of the past year. It is, undoubtedly, a scary time.
“There’s been a couple of giant wake up calls for healthcare organizations,” said Teresa Tonthat, VP and Associate CIO at Texas Children’s. The wake-up call, she explained, was not so much about the damage a cyber incident can cause as about the need to ensure CISOs have the tools and support required to keep data – and, more importantly, patients – safe. It’s a critical balance built on three main components: awareness, resiliency, and collaboration, according to a group of leaders, including Tonthat, who shared their expertise during a recent episode of Unhack the Podcast, hosted by Drex DeFord (President, 229 Cyber & Risk Community, This Week Health) and Shawna Hofer (CISO, St. Luke’s Health System).
Awareness
In an industry as dynamic – sometimes even volatile – as healthcare, staying on top of the latest information isn’t just important, it’s table stakes. “Staying ahead of the curve and having a pulse of what’s going on in the industry is super critical,” said Steven Ramirez, CISO at Renown Health. That could be through podcasts, news sites, webinars, LinkedIn feeds, or a host of other resources.
For Greg Garneau, CISO at Hospital Sisters Health System, it means “I’m constantly reading. I’m constantly learning new things. I’m always, it seems, glued to my computer or listening to a podcast.”
One of those resources is H-ISAC (the Health Information Sharing and Analysis Center), a non-profit organization that offers a community and a forum for “coordinating, collaborating, and sharing vital Physical and Cyber Threat Intelligence and best practices with each other,” according to its website. The goal is to enable members to use the information to “extend their security operations team and to create situational awareness, inform risk-based decision-making and mitigate against threats.”
It also offers Slack channels focused on specific areas like vendor outages, which can be extremely helpful, said Ramirez, who also frequently visits HHS’ 405(d) hub for cyber-hygiene resources and best practices.
Garneau agreed, adding, “it’s really important to plug into organizations like the HSCC and the American Hospital Association, and frankly, do your best to get as much information as possible from your federal partners.”
And that means not just signing up for alerts from CISA and the FBI Cyber Division, but actually reading those alerts and acting on them. “It’s your professional network of CISOs around the country, especially in health care,” he said. “Stay dialed in to your colleagues. Most of them will share information or other resources for you to go and explore that will help you be a better leader and a better cybersecurity practitioner.”
Other resources cited by the panelists include The Hacker News, Threatpost, and Dark Reading, according to Tonthat, who also tunes into Krebs on Security, as well as DeFord’s Unhack the News and 2-Minute Drill.
The downside of having so much information available, however, is that it can start to feel like noise, said Joy Poletti, CISO at Mosaic Life Care. “It can be hard to focus on what I need.” Her recommendation? “Scale it down and get a little more intentional” based on your needs.
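Acting on a federal alert rather than merely receiving it, as Garneau describes, starts with knowing whether the alert touches anything you actually run. The Python below is an added example, not code from the podcast or from any panelist’s organization: it triages a CISA Known Exploited Vulnerabilities (KEV) feed against an asset inventory and ranks the result so the feed becomes a short work list instead of noise. The feed entries (placeholder CVE IDs, not real vulnerabilities), the inventory, and the `tier` clinical-criticality field are constructed for illustration; the field names follow the public KEV JSON schema, and the real feed is published at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json.

```python
import json
from datetime import date

# Constructed KEV-style feed. The CVE IDs are placeholders, not real
# vulnerabilities; field names follow the public KEV JSON schema.
KEV_SAMPLE = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVendor", "product": "VPN Gateway",
         "dateAdded": "2024-06-01", "dueDate": "2024-06-22", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-00002", "vendorProject": "ExampleVendor", "product": "Imaging Viewer",
         "dateAdded": "2024-06-10", "dueDate": "2024-07-01", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-00003", "vendorProject": "OtherVendor", "product": "Smart Thermostat",
         "dateAdded": "2024-06-12", "dueDate": "2024-07-03", "knownRansomwareCampaignUse": "Unknown"},
    ]
})

# Constructed asset inventory. "tier" is a hypothetical clinical-criticality
# field: 1 = direct patient care, 3 = back office.
INVENTORY = [
    {"host": "vpn-edge-01",  "vendor": "ExampleVendor", "product": "VPN Gateway",    "owner": "network",      "tier": 1},
    {"host": "pacs-view-07", "vendor": "examplevendor", "product": "imaging viewer", "owner": "clinical-eng", "tier": 1},
    {"host": "pacs-view-08", "vendor": "examplevendor", "product": "imaging viewer", "owner": "clinical-eng", "tier": 1},
    {"host": "hr-portal-01", "vendor": "ExampleVendor", "product": "HR Portal",      "owner": "apps",         "tier": 3},
]

# Fixed "today" so the example is reproducible offline.
TODAY = date(2024, 6, 25)


def _key(vendor, product):
    """Normalise vendor/product so feed and inventory spellings line up."""
    return (vendor.strip().lower(), product.strip().lower())


def triage(kev_json, inventory, today):
    """Return one work item per (CVE, host) pair the inventory exposes,
    ranked so the top of the list is what to act on first."""
    entries = json.loads(kev_json)["vulnerabilities"]
    by_key = {}
    for asset in inventory:
        by_key.setdefault(_key(asset["vendor"], asset["product"]), []).append(asset)

    items = []
    for e in entries:
        for asset in by_key.get(_key(e["vendorProject"], e["product"]), []):
            days_left = (date.fromisoformat(e["dueDate"]) - today).days
            items.append({
                "cve": e["cveID"],
                "host": asset["host"],
                "owner": asset["owner"],
                "tier": asset["tier"],
                "ransomware": e.get("knownRansomwareCampaignUse") == "Known",
                "days_left": days_left,
                "overdue": days_left < 0,
            })
    # Ranking: ransomware-linked first, then already overdue, then nearest
    # due date, then most clinically critical (lower tier number).
    items.sort(key=lambda i: (not i["ransomware"], not i["overdue"], i["days_left"], i["tier"]))
    return items


def summarize(items):
    """Collapse the work list to a count per owning team for the daily stand-up."""
    counts = {}
    for i in items:
        counts[i["owner"]] = counts.get(i["owner"], 0) + 1
    return counts


if __name__ == "__main__":
    work = triage(KEV_SAMPLE, INVENTORY, TODAY)
    for item in work:
        flag = "RANSOMWARE " if item["ransomware"] else ""
        state = (f"OVERDUE by {-item['days_left']}d" if item["overdue"]
                 else f"{item['days_left']}d left")
        print(f"{flag}{item['cve']} {item['host']} (tier {item['tier']}, {item['owner']}): {state}")
    print(summarize(work))
```

The third feed entry never appears in the output because nothing in the inventory matches it; that is the point of the join. Only the matches reach the on-call engineer, and the ransomware-linked, overdue item lands at the top.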
Resiliency
Increasingly, one of the biggest needs is boosting resilience, which has been a core objective at Texas Children’s. “One thing we’ve talked about is how do we continue maturing our cybersecurity program from a people, process, and technology standpoint, while never losing sight of why we do it,” Tonthat noted. The reason, she stated, is to ensure operations can keep running. “The resiliency of taking care of our patients, taking care of our members, is why we exist. It’s not just bringing up new technology.”
And so, she continued, “If we keep the patient in the middle of everything we do, we really need to recognize that technology is never going to be 100 percent up and running. Whether it's a cybersecurity incident that causes a ransomware attack, or a technology that has a bug, we're at the mercy of that partner to bring their systems back up and running.”
Therefore, a critical part of her team’s strategy is to conduct business continuity planning and simulation exercises at least once a year, and devise specific procedures. “Who’s in charge of communicating? Who makes the decision of flipping over to disaster recovery? Who makes the decision if we pay the ransomware or not? Those are the people and process conversations that we need to be ready for.”
Tonthat also has a resilience team within Texas Children’s that meets with clinical partners to review downtime procedures and conduct simulations. Failing to do so, she believes, can prove quite costly. “If any organization has not yet started working in partnership with their emergency management or resilience team, they definitely need to do so because the average health care downtime due to a ransomware attack is anywhere between 20 or so days,” she cautioned. However, it can take more than 40 days to fully restore systems, which can undoubtedly impact patient care.
For that reason, Tonthat highly recommends including other departments in the conversation. “Threat intel doesn't just start and stop with our cybersecurity team,” she said. The entire technology team, from infrastructure to networking, contributes to the process by obtaining insights from vendor partners and sharing them with security operations to ensure that the IT team is working together holistically to stay ahead of threat actors.
It’s an approach that Hofer found to be extremely strategic, and hopes to see other organizations adopt. “Everyone needs to be focused on cybersecurity, including IT partners.”
Collaboration
This leads into the final, and arguably most important, aspect of the evolving CISO role: an increasing reliance on collaboration within the cybersecurity community.
“We always have each other’s back,” said Joy Poletti (CISO, Mosaic Life Care) of her “CISO friends,” a group that has grown steadily over the years and become increasingly important. It can be as simple as reaching out to ask, “‘Have you seen this vulnerability? What did you do? How did you approach it?’” she noted. “To me, that’s more beneficial than just reading an article, because I'm getting real time conversation. I know that they're in healthcare. I know what size their hospital is. I know what scale it is for them, so I can really apply it to my own environment.”
The difference in having a bona fide CISO community, Poletti continued, is that “we’re using the same language. We have a lot of the same cyber tools, business applications, and medical applications. The risks are similar, as well as the approach.”
And the conversations don’t have to happen in a structured environment. In fact, sometimes it’s better that way, according to Ramirez, who has met a number of CISOs at 229 Project events who have become trusted sources of information. “In a lot of the group chats, we get a lot of real-time information, sometimes within minutes,” he added. “It’s great to have each other – not only to bounce off ideas,” but to stay aware of what’s happening, while also feeling a sense of kinship.
“We’re all in healthcare,” he added. “We’re fighting the same fight.”