Winning cybersecurity warfare is the ultimate millstone for CISOs

The healthcare sector is a major target of organized cyber attacks, as has been evident almost every day over the past decade. The urgency of contingency planning has finally been made clear, from the boardroom to the situation room, exam rooms and administrative back rooms.

The healthcare system’s chief information security officers are at the forefront of one of the healthcare industry’s biggest challenges: providing patient care despite regular attempts at network intrusions and complete system shutdowns.

Like the role of the CIO, the CISO’s job description has steadily evolved in recent years—and changed dramatically as hackers have added the ability to monetize business disruption through ransomware attacks.

“It started out as ‘data security’ or ‘information security,’ with a strong emphasis on ensuring the confidentiality, accuracy or integrity, and availability of the data,” explains Erik Decker, CISO at Intermountain Health.

While “data has always been the center of the conversation,” bad actors have now created marketplaces where data, access and privileges are bought and sold, drawing organized crime into the digital ecosystem – forcing CISOs to take the adversarial approach.

In the age of ransomware, negotiating with hackers is like fighting.

Decker will moderate an upcoming panel on personal liability, budgetary pressures and challenging business climates at the HIMSS 2024 Healthcare Cybersecurity Forum, scheduled for October 31 – November 1 in Washington, DC.

The panel will discuss how the role of the CISO is evolving as organizations expect to be interrupted by cyberattacks but must find ways to maintain patient safety and healthcare operations despite disruptions.

Rethinking the response to intruders

According to Darren Lacey, CISO at Johns Hopkins University and Johns Hopkins Medicine for more than 18 years, smash-and-grab exploits will likely continue to plague healthcare systems.

“It’s not hard to steal a spreadsheet, and a spreadsheet can contain as many as 100,000 names,” he noted.

Lacey, who will join Decker, Kate Pierce, senior Virtual CISO and executive director of government affairs at Fortified Health Security, and Dee Young, CISO at UNC Healthcare, for the discussion, said the bigger challenge is stopping system attacks – like the Change Healthcare ransomware attack in February that affected healthcare systems across the country for months.

The scale of that attack caught the attention of many lawmakers this year, who want to see more efforts to prevent debilitating disruption in the crucial sector.

“Governments and industry will continue to ramp up efforts to thwart these attacks, which will hopefully provide impetus to support needs-based organizations and mandate minimum cybersecurity standards in healthcare,” Decker said.

Lacey said he believes the way health care systems respond could make the problem worse in certain cases.

“I think we need to rethink the way we trust systems,” he said.

The typical response to system intrusion is to assume “all chaos,” Lacey explains. “Assuming there is a breach, we plan as if the breach is a tornado.”

However, in that stance, “we do not assume there is a breach,” the industry veteran said.

What healthcare IT teams assume is that somewhere on the network a computer or account has been compromised, and so systems on the network cannot be trusted and must be shut down.

“So the blast radius, even though the attack is quite low, is enormous,” Lacey said.

“It’s understandable because what we’ve been doing over the last 20 years is consolidating administrative data into a much smaller number, making them more secure.”

“But we need to figure out ways where our self-imposed blast radius is significantly less damaging and more resilient than the current model.”

When healthcare IT teams think about cybersecurity events, incidents and breaches, “we think of them as extraordinary events: a comet hit us, a tornado,” he said. “But the tornadoes that sweep through the data center are much more common than people allow themselves to believe.”

Limit damage downstream

Lacey suggested that organizations start by “asserting a breach” to reduce “downstream harm.”

“It could be how we set up administrative accounts,” he said. “It could be how we log; it could be a recalibration of our risk analysis and things like that where we don’t have a simple binary, trusted system and untrusted system.”

His point is that changing the way trust is managed can maintain resilience and ensure better continuity of care.

“We would come up with different strategies if our main goal was to maintain resilience,” he said.

“How many systems at Change Healthcare have actually been compromised?” Lacey asked rhetorically.

In that attack, which had a seismic effect on healthcare operations nationally, the number of systems affected was not excessive – it was the complex web of administrative account dependencies, he explained.

“It became super difficult to unpack the whole thing and fix it,” Lacey said.

If it’s impossible to have any idea about how the adversary is behaving at the time of data transactions, then broadly shutting down systems probably makes sense, Lacey acknowledged, but understanding data integrity at the time of an attack could help improve healthcare resilience.

What is unclear in an attack is the likelihood that the integrity of the data has been altered – “not that the data has been lost.”

Relying on data that may have been stolen doesn’t necessarily put the patient at risk for a poor medical outcome at the time of an encounter, although it could risk a form of identity theft later, Lacey said.

“If you had a better understanding, what (incident response) behavior might be appropriate?”

“It’s really about the integrity of the data – and it’s not hard to imagine how you can know the integrity of the data so that you can be 99.99% confident that it hasn’t been tampered with,” he said.
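One way to get the kind of per-record integrity confidence Lacey describes is a keyed-hash ledger: every record is tagged with an HMAC under a key held outside the data store's administrative boundary, so during an incident responders can list exactly which records are intact, altered, inserted or deleted instead of treating the whole system as untrusted. The following is an added example, not code from the article or from Johns Hopkins; the key, record layout and incident scenario are constructed assumptions.

```python
import hashlib
import hmac
import json

# Hypothetical key, constructed for this example. It must live outside the
# database's administrative trust boundary, or an intruder with admin rights
# could simply re-tag whatever they change.
LEDGER_KEY = b"example-ledger-key-held-outside-the-data-store"

def record_tag(key: bytes, record_id: str, record: dict) -> str:
    """HMAC-SHA256 over the id plus a canonical JSON form of the record.
    Binding the id in prevents one valid record being swapped for another."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, record_id.encode() + b"\x00" + body, hashlib.sha256).hexdigest()

def build_ledger(key: bytes, records: dict) -> dict:
    """Tag every record at write time; the ledger is stored apart from the records."""
    return {rid: record_tag(key, rid, rec) for rid, rec in records.items()}

def verify_records(key: bytes, records: dict, ledger: dict) -> dict:
    """Classify each record so responders know exactly what is still trustworthy."""
    result = {"intact": [], "tampered": [], "untagged": [], "missing": []}
    for rid, rec in records.items():
        expected = ledger.get(rid)
        if expected is None:
            result["untagged"].append(rid)   # written outside the tagging path
        elif hmac.compare_digest(expected, record_tag(key, rid, rec)):
            result["intact"].append(rid)
        else:
            result["tampered"].append(rid)   # content differs from what was tagged
    result["missing"] = [rid for rid in ledger if rid not in records]  # deleted
    return result

# Constructed sample data; no real patients.
RECORDS = {
    "pt-001": {"name": "A. Example", "allergies": ["penicillin"]},
    "pt-002": {"name": "B. Example", "allergies": []},
    "pt-003": {"name": "C. Example", "allergies": ["latex"]},
}
LEDGER = build_ledger(LEDGER_KEY, RECORDS)

def simulate_incident() -> dict:
    """Constructed scenario: one record edited, one inserted, one deleted."""
    store = {rid: dict(rec) for rid, rec in RECORDS.items()}
    store["pt-001"]["allergies"] = []                           # silently altered
    store["pt-999"] = {"name": "Z. Example", "allergies": []}  # inserted, no tag
    del store["pt-003"]                                         # removed
    return verify_records(LEDGER_KEY, store, LEDGER)
```

The report from `verify_records` is what lets a response team keep serving the intact records while isolating only the ones that actually changed.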

The role of AI in healthcare cyberwarfare

Artificial intelligence is a cyber weapon that anyone can use now: cyber adversaries or cyber defenders.

“AI will be used both offensively and defensively; it remains to be determined which side will have the advantage,” Decker said.

Opinion on which side will have the advantage is divided, Lacey said.

Healthcare cybersecurity teams will be better off than the attackers at what he called “the first level,” where there is a limited understanding of cybersecurity.

“It gives us more tools than it gives them, because our data will be able to figure out more complicated relationships between data than we would otherwise,” he said.

But AI technology means that “we will be buried in disinformation,” he said, leaving CISOs to worry about preventing disinformation as well. The ability to deal with these risks in the current state of cybersecurity is something “we are not prepared for in any way,” he said.

Andrea Fox is editor-in-chief of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.

The HIMSS Healthcare Cybersecurity Forum will take place from October 31 to November 1 in Washington, DC. More information and registration.