Compliance & Risks
Healthcare cybersecurity updated in HIMSS23
This update reports on the current state of cybersecurity in the healthcare industry from the CISA’s keynote in Cybersecurity forum of HIMSS23.
Save to Folio
HIMSS23, the world's largest healthcare technology event, was held in Chicago the week of April 17, 2023. This blog summarizes the latest status and prospects of cyber security in the healthcare industry from the keynote speech of the Cyber Security Forum, which attracted attention as one of pre-conferences dedicated to several hot topics.
Hacking Healthcare – How the Cybersecurity and Infrastructure Security Agency is Here to Help
Secure by Default, Secure by Design
Natarajan said CISA is neither an intelligence agency nor a law enforcement agency. They tackle the toughest challenges by working together across sectors, public and private, to strengthen cybersecurity across the United States. Awareness of cybersecurity in healthcare has grown exponentially over the past few years. There are two possible factors for this.
One is changes in infrastructure. The COVID19 pandemic has spread telehealth to small and medium-sized hospitals and clinics, expanding the attack surface. Another is the evolution of threats. Both state-sponsored attacks targeting sensitive information and critical infrastructure, as well as non-state-sponsored but financially motivated ransomware attacks, have caused a large number of incidents in the healthcare industry. No matter how large or small the organization is, the mission critical systems are exposed to attacks. It suggests supply chain ecosystems are at risk.
One of the goals of this year's CISA is Secure by Default, Secure by Design. Natarajan encourages manufacturers and developers to take more responsibility, security features should be pre-built, and consumers should have a basic level of safety when using them, he said. He also emphasized that cross-sectoral efforts are essential, not something that can be achieved by the healthcare sector alone.
Natarajan suggested that IT security professionals should spend more time identifying and mitigating risks in their organizations this year. CISOs have their budgets to invest on security but are still expected to negotiate with CEOs to ensure adequate funding.
In most organizations, board members and CEOs do not have an accurate understanding of cybersecurity risks, and CISOs need to educate them. If they don't get the risk right, they can't be sure that the risk their organization is accepting is really acceptable.
While we expect the healthcare industry to make great strides in new technologies over the next five to ten years, we should not forget that there are many potential risk factors in cyber and physical systems, he added.
Going back to basics
As cyberattacks increase in "frequency, severity and sophistication," he said the goal of cybersecurity is to make "more expensive, less profitable and more difficult for adversaries to carry out attacks”.
He said the key to that is to do the basics, such as countermeasures against phishing, training, and software updates. He added that cybersecurity best practices aren't just for CISOs and IT teams, they're essential for everyone in the organization. As a tangible output, the US Department of Health and Human Services (HHS) 405(d) program announced the release of new resources on Apr 17.
- Knowledge on Demand
A new online education platform that provides free cybersecurity training to health and public health organizations to raise cybersecurity awareness.
- Health Industry Cybersecurity Practices (HICP) 2023 Edition
A foundational publication aimed at raising cybersecurity risk awareness, providing best practices, and helping the HPH sector set standards to mitigate the cybersecurity threats most relevant to the industry.
- Hospital Cyber Resiliency Initiative Landscape Analysis
A report on national hospital cybersecurity readiness, including a review of participating hospitals benchmarked against standard cybersecurity guidelines such as HICP 2023 and the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF).
Finally, he added, there is not so much to ask of the healthcare industry. They are incident reporting, industry collaboration, and basic cyber hygiene.
In my next blog post, I will delve into the content of the best practices document released this time.