Successfully navigating cybersecurity inside a healthcare delivery organization (HDO) is an uncertain, high-stakes path. Hospitals continue to be targeted by ransomware gangs and extortionists, costing them millions of dollars and potentially harming patient care.
And that’s the real shift in the sector, the dotted-line connection between cybersecurity and patient care, says Austin Allen, Sr. Director of Global Solutions Architecture at Airlock Security, in this episode of the Nexus Podcast.
“It really has become about patient care,” Allen said, pointing out that hospitals not so long ago put a lot of emphasis on containing brand reputation in the event of an incident. “Now it’s about preventing downtime and outages, and what that does to patient care, the ER systems; it’s really about patient care and lives, which is where it always should have been but now there’s a real scrutiny on that.”
Allen said hospital boards of directors understand the necessity for the shift, and cyber insurance providers have reinforced that change in direction, making coverage a challenge for some HDOs, especially rural hospitals with smaller staffs and operating budgets.
“Some are self-insuring, setting aside a bucket of money to cover themselves because they have no cyber insurance to cover themselves,” he said.
Regulations, meanwhile, for all the influence they have over cybersecurity programs within HDOs, serve only as a framework for those programs, Allen said.
“There’s only been two major iterations to HIPAA since it came out 20-something years ago,” Allen said, referring to the proposed updates to the HIPAA Security Rule still being considered. “That’s insane. … We’re talking over 20 years of regulation, so there’s no way we’re keeping up with it.
“It’s really: ‘What are you doing to keep up with the minimum amount of regulation?’ versus ‘What are you doing to be secure?’” Allen said. “It’s the adage that compliance is not necessarily security.”
In the meantime, the risk management efforts of hospital CISOs and other cybersecurity leaders are caught between reducing risk and compliance red tape, especially around vulnerability and patch management. Hospitals bear the brunt of the exposure when a critical vulnerability surfaces, while medical device manufacturers push fixes through the FDA’s mandated review process for any security-related change to a connected device.
“In highly regulated sectors like healthcare, when it comes to things like patient safety, I think they want to get more direct guidance. In a lot of cases, particularly in the medical device sector, vulnerabilities have no patch. It leaves the hospitals with the liability because these vendors who create these tools and put out the software, they’re not held accountable for patching and being secure by default with what they’re putting out into the hospitals. It puts an unfair burden on the healthcare system to figure out how to control and secure that.”
Michael Mimoso is Director of Influencer Marketing at Claroty and Editorial Director of Nexus.