Protecting healthcare data is essential, but cybersecurity experts say it is one of the hardest industries to protect due to its larger attack surface – and the fact that lives are at risk.
At a FedInsider event on April 12, Federal government and industry experts talked about the critical need to protect the healthcare sector and how difficult that task is, as evidenced by more than 40 million individuals’ health records being exposed just last year.
“The most important thing I think that resonates with most people is that healthcare has sort of a wider attack surface, between medical devices, medical systems, Internet of Things, the urgent nature of most health care decisions – it’s really easy for attackers to insert themselves into that ecosystem and to create havoc and to find weaknesses,” said John Murphy, global field chief security officer and CISO at Rubrik Inc.
“The healthcare fight – because it ultimately impacts human life directly – is one of the most important things that we can focus on in terms of protecting data,” Murphy added.
What’s more, the healthcare industry’s large attack surface only increased during the pandemic once employees started working from home, according to La Monte Yarborough, the acting chief information security officer at the Department of Health and Human Services (HHS).
“The fact that folks started working remotely, that perhaps increased the attack surface because you had to deal with not just government or hospital networks, you had to deal with how secure networks were in people’s homes and the coffee shops and, who knows, poolside Wi-Fi,” Yarborough said.
Yarborough explained that bad actors are going to take advantage of that increased attack surface to carry out cyberattacks.
Col. Bobby Saxon, the deputy director of the Office of IT at the Centers for Medicare & Medicaid Services (CMS), said when his agency had to send employees home during the pandemic, he focused on “mission-essential functions and the activities that we have to do as an organization.”
Saxon said he believes CMS is “in much better condition now than we were a few years back,” in terms of cybersecurity, and could ensure the security of its data as employees quickly transitioned to remote work.
For any healthcare organization that is “seeking to get an understanding of their environment, or if they’re just in a position where they don’t know where to start,” Yarborough recommended they visit 405d.hhs.gov to join HHS in its collaborative security effort. There, he said, healthcare organizations can identify cyber strategies and tactics to “better fortify your organization.”