Richard Staynings and Michael Archuleta address the Rocky Mountain Health IT Summit today. |
Thanks to everyone who attended our presentation today at the Healthcare Informatics Rocky Mountain Health IT Summit in Denver, where Mike Archuleta, CIO of Mt San Rafael Hospital, and I greatly enjoyed sharing our thoughts and advice on how to secure Healthcare IT and IoT.
Unfortunately, today we live in an era of escalating cyber threats from bad actors and nefarious nation states intent on the disruption of our business and personal lives. Regrettably, this also includes life-sustaining healthcare technologies. If this weren't enough, the healthcare industry is also in the process of transforming to a near complete reliance upon information technology and internet of medical things (IoMT) technologies. In fact Healthcare IoT (HIoT) devices are growing at 20% per annum according to some sources which means the problem is getting bigger and bigger each and every day! This includes a proliferation of medical devices, pharmacy and surgical robots, AI-augmented labs and diagnostic systems, and networked connected hospital building management systems like elevators and HVAC systems, without which the modern day hospital cannot function for long. This provides hackers with a very large attack surface upon which to exploit a weakness or vulnerability and establish a beachhead for more nefarious purposes - perhaps the theft of medical records and personal identities, or to ransom hospital data or patients.
Effective cybersecurity has always been about the combination of people, process and technology and that still holds true today. However the perpetrators of cyber-crime are hell-bent on exploiting every weakness regardless of the patient safety issues of their actions. As cyber defenders we need to employ the best processes, skilled security resources, and best technologies in the defense of our diagnostic and clinical systems. It also means that old out-of-date and end-of-life systems should be replaced, while all other systems are updated regularly with security patches, especially if your hospital still runs some version of Windows. The costs of upgrading may appear to be prohibitively expensive, but the reputational and financial costs of a breach or ransom attack could be life threatening - for the business and its patients!
As a first step hospital CEOs and their boards need to gain an accurate understanding of their risks and that means a full inventory of all of their IT, HIoT and data assets - something most smaller hospitals have little to no idea about. Remediation of identified risks then needs to be prioritized in order to reduce overall enterprise risk and the threat to patient safety. That will require discipline, established and documented processes, and quality resources whether people or tools, or a combination thereof. Above all it requires effective cybersecurity governance sponsored at the highest levels of the board and reinforced all the way throughout the organization. Sadly, too many hospital CEOs and their boards have yet to take this step.
Fortunately however, many small facilities and critical access hospitals have prioritized security and are already reaping the benefits of their early investment in IT and cybersecurity. This allows them to offer more profitable and cost-efficient services to patients via among other services, secure online portals, telehealth and telemedicine, just proving that security does not need to be advanced rocket science, just the combination of good people, process and technology to add value to a business.
For anyone interested our deck can be downloaded here. Please feel free to leverage our content for your own CEO and Board presentation.
Effective cybersecurity has always been about the combination of people, process and technology and that still holds true today. However the perpetrators of cyber-crime are hell-bent on exploiting every weakness regardless of the patient safety issues of their actions. As cyber defenders we need to employ the best processes, skilled security resources, and best technologies in the defense of our diagnostic and clinical systems. It also means that old out-of-date and end-of-life systems should be replaced, while all other systems are updated regularly with security patches, especially if your hospital still runs some version of Windows. The costs of upgrading may appear to be prohibitively expensive, but the reputational and financial costs of a breach or ransom attack could be life threatening - for the business and its patients!
56% of Health Providers Still Rely on Legacy Windows 7 Systems
As a first step hospital CEOs and their boards need to gain an accurate understanding of their risks and that means a full inventory of all of their IT, HIoT and data assets - something most smaller hospitals have little to no idea about. Remediation of identified risks then needs to be prioritized in order to reduce overall enterprise risk and the threat to patient safety. That will require discipline, established and documented processes, and quality resources whether people or tools, or a combination thereof. Above all it requires effective cybersecurity governance sponsored at the highest levels of the board and reinforced all the way throughout the organization. Sadly, too many hospital CEOs and their boards have yet to take this step.
Fortunately however, many small facilities and critical access hospitals have prioritized security and are already reaping the benefits of their early investment in IT and cybersecurity. This allows them to offer more profitable and cost-efficient services to patients via among other services, secure online portals, telehealth and telemedicine, just proving that security does not need to be advanced rocket science, just the combination of good people, process and technology to add value to a business.
For anyone interested our deck can be downloaded here. Please feel free to leverage our content for your own CEO and Board presentation.
Original stories and articles may be republished without charge provided that attribution is provided to the source and author. Articles written for, and published first elsewhere, are subject to the republishing terms and conditions of the host site.