To say that the cybersecurity game has changed is an enormous understatement. Not just in terms of the nature of threats, but the effects they can have on healthcare organizations.
“What has really changed is the impact to operations,” said Troy Ament, Field CISO with Fortinet, during a panel discussion with Chuck Christian (VP of Technology and CTO, Franciscan Health) and Erik Decker (CISO, Intermountain Health). “In my previous roles, I’ve never seen a health system have a downtime for weeks.”
Unfortunately, it’s become a reality, and one that organizations must be prepared to face. However, unlike in the past, when the burden fell squarely on the shoulders of the security department, leaders are finding that it requires collaboration, both within and outside of the organization.
“You need a lot of friends to get this done,” said Christian. “You need to make sure you’re partnering with the right folks,” including clinical engineering, risk and compliance, and IT, among other departments.
By forming these partnerships, and participating in threat intelligence sharing, organizations can build the resilience needed to stave off attacks — or at least, minimize the damage.
Feeding the Pipeline
It starts by building a foundation of commodity intelligence, according to Decker, who also serves as industry lead and co-chair of HHS’s 405(d) Task Group. “That’s good baseline intelligence you should incorporate and automate into your system for prevention and detection.” The bad news is that although such information provides a critical layer of protection, advanced threat actors can circumvent it by standing up their own infrastructure specific to each attack.
The good news is that although the IP address or URL syntax may change from one attack to the next, the tactics, techniques and procedures typically don’t, Decker noted. “They might change platforms or methodologies, but they go about attacks the same way,” whether it’s through phishing, remote access exploits, or zero-day attacks. “What’s really important is to get a good sense of what those tactics, techniques and procedures are.”
This is where initiatives like CISA (Cybersecurity and Infrastructure Security Agency) and H-ISAC (Health Information Sharing and Analysis Center) come into play by providing a safe forum to share cyber threat intelligence and best practices. “When you share information with CISA, which is protected under the Cybersecurity Act of 2015, it goes back into the pipeline,” he said, and can help strengthen the industry as a whole.
Of course, mechanisms haven’t always been in place to enable broad data sharing. “It’s a fairly new concept,” said Christian, and one that could make a huge impact. “The better information we can get out there in a manner that’s informative, the better we are. But we have to be very careful. It needs to be broadcast within tight networks so that bad actors aren’t able to exploit that information.”
Leaders must also consider how the intelligence is used, both from a tactical and strategic perspective, according to Ament, who previously held CISO roles with Beaumont Health and Sanford Health. “Tactically, you need to ensure that however you’re ingesting the data, whether it’s IOCs or actual threat tactics, that you have an orchestrated and automated response,” he said. “The threat landscape within health systems has really expanded, but the attacks have as well. When threat data become more highly available, there are more bad actors utilizing that data, and so the attacks become broader.”
6 Critical Steps
And, as a result, the task of securing data becomes more difficult. To that end, the panelists identified several best practices to help beef up cyber-resilience.
- Join H-ISAC. It sounds simple, and yet, just a fraction of health systems are taking advantage of its offerings, said Decker, who strongly encourages leaders to check it out. “Not only do you get the automated feeds that come out of the system; you also get a place where you can have a secure dialogue with other security professionals.” He also recommended signing up for the Automated Indicator Sharing System offered by CISA, which provides critical information that should be incorporated into the cybersecurity strategy. These resources, which are taxpayer-funded, can help conduct phishing simulations, vulnerability assessments, and risk assessments, and score and aggregate results to provide industry benchmarks. “There’s just a huge value there.”
- Vendors first. Before allocating more funds to improve the organization’s cybersecurity posture, Ament urged leaders to first approach their security partners. “You don’t necessarily have to find a new product to solve for this problem,” he advised. “If you think you have a security platform that can accept threat intelligence, most of the time there are plugins you can build upon, depending on how sophisticated and how actionable your teams can be from a security operations perspective.” Decker agreed, adding that security vendors may have options available at no added cost.
- Build key relationships. When it comes to securing funds, Christian advised against using fear as a motivator. “I think safety is a better motivator,” he said. “You have to build relationships. You have to be credible and you have to be believable and you have to have a defensible position about the reason you want to spend money.” This tactic has helped triple Franciscan’s budget for security staffing over the past few years, which has proven tremendously helpful. “We were able to do that because we built relationships, not only with the CIO, but with risk management, with compliance, with legal and a lot of other folks to build those programs.”
- Share the burden. Security is not just the CISO’s responsibility, said Decker. “As far as I’m concerned, every member of our organization should be security-focused,” and should understand that clicking on a phishing link can result in the entire system being shut down. “It needs to be a shared responsibility. I consider myself to be the chief risk advisor around cyber issues, and that means I need engagement from the other executives, all the way down to the frontline.”
- Governance matters. In order to ensure solid governance — which is a must with any initiative — leaders are advised to include representation from across the organization, and even consider chairing committees with leaders outside of IT and security. “From a cyber perspective, we should be presenting materials, presenting risks, engaging in discussions, and facilitating a dialogue to help ultimately decide what is our level of risk tolerance.”
- Leverage all resources. Both Decker and Christian recommended regularly reviewing publications like Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP), which provides guidance on cost-effective methods that organizations at every size and resource level can use to reduce cybersecurity risks. “You need to be on top of the critical vulnerabilities,” noted Decker, whether it’s the latest phishing lures or exposed areas such as remote desktops. “I’m still shocked by how many attacks occur because people have remote desktop protocol directly accessible through the Internet.”
Finally, it’s important that CISOs take the right approach when addressing senior leadership. Above all else, executive teams and boards want a security leader who is trustworthy, capable, and ensures the organization’s priorities are aligned. “We are business leaders; we are not our own special and unique part of the organization that gets to do whatever we want to do,” said Decker. “We need to make business decisions just like everybody else, and we need to be a trusted partner.”
Christian agreed, adding that the best way to do that is by being transparent and not getting too far into the weeds. “They don’t want intimate details. They want to know that you understand the risk, and that you have the appropriate staffing and resources to move the program forward and keep the organization safe.”
An archive of this webinar, Enhancing Cyber-Resilience with Timely Threat Intelligence (Sponsored by Fortinet), is available.