Winning cybersecurity warfare is the ultimate millstone for CISOs


Healthcare operates with the understanding that no system is impenetrable, but must improve incident response practices by finding new ways to stay operational after network attacks, says one panelist at the upcoming HIMSS Cybersecurity Forum.

The healthcare industry is a prime target of organized cyberattacks, as has been shown near daily for the past decade-plus. The urgency of contingency planning has finally been made clear, from the boardroom to the situation room, exam rooms and administrative back offices. 

Health system chief information security officers are at the forefront of one of the health sector's greatest challenges – to provide patient care in the face of regular attempts at network intrusions and total system shutdowns.

Like the role of the CIO, the CISO's job description has been evolving steadily in recent years – and has changed dramatically as hackers added the ability to monetize business disruptions through ransomware attacks.

"It had started as 'data security' or 'information security,' with a heavy focus on ensuring the confidentiality, accuracy or integrity and availability of the data," explains Erik Decker, CISO at Intermountain Health.

While "data was always the center of the conversation," bad actors have now created marketplaces where data, access and privileges have been bought and sold. The market has attracted organized crime to the digital ecosystem – and forced CISOs to take an adversary approach. 

In the age of ransomware, negotiation with hackers is akin to combat.

Decker will moderate a panel on personal liability, budgetary pressures and challenging business climates at the upcoming HIMSS 2024 Healthcare Cybersecurity Forum, scheduled for October 31-November 1 in Washington, D.C.

The panel will address how the role of the CISO is evolving as organizations expect to be interrupted by cyberattacks, but must find ways to maintain patient safety and care operations despite disruption.

Reconsidering reaction to intrusions

Smash-and-grab exploits will likely continue to vex healthcare systems, according to Darren Lacey, CISO at Johns Hopkins University and Johns Hopkins Medicine for more than 18 years.

"It's not hard to steal a spreadsheet, and a spreadsheet could have 100,000 names on it," he noted. 

Lacey, who will join Decker, Kate Pierce, senior Virtual CISO and executive director of government affairs at Fortified Health Security, and Dee Young, CISO at UNC Healthcare, for the discussion, said that the greater challenge is system-halting attacks – like the Change Healthcare ransomware attack in February that affected healthcare operations nationwide for months.

The magnitude of that attack attracted the attention of many lawmakers this year, who want to see more effort to prevent debilitating disruption across the critical sector.

"Governments and industry will continue to step up their efforts to thwart these attacks, which hopefully include a stimulus to help the needs-based organizations as well as mandating minimum cybersecurity standards in healthcare," Decker said.

Lacey said he believes that the way healthcare systems react can exacerbate the problem in certain instances.

"I think we have to start rethinking about how we do systems trust," he said.

The typical reaction to system intrusion is that "all chaos" is assumed, explained Lacey. "Assuming breach, we plan as if breach is a tornado." 

However, in that posture, "we don't actually assume breach," the industry veteran said. "We do this in large part because the larger security community has a cribbed, binary understanding of systems trust -- and this is a problem for security as a whole," he said by email.

What health IT teams assume is that somewhere in the network a computer or an account has been compromised, and so no systems on the network can be trusted, and must be shut down.

"So the blast radius, even though the attack may be fairly low, is huge," said Lacey, adding by email Wednesday, "what we consider a 'breach' is narrow and only the first step of many necessary to culminate in a breach event."

"It's understandable because what we've done over the last 20 years is consolidate administrative credentials into a much smaller number that makes them more secure."

"But, we need to come up with ways where our self-imposed blast radius is significantly less harmful and more resilient than the current model."

When health IT teams think about cybersecurity events, incidents and breaches, "we think about them as these extraordinary events – a comet hit us, a tornado," he said. "But the tornadoes flying through the data center are much more common than people allow themselves to believe."

Reducing downstream damage

Lacey suggested that organizations start to tabletop "assuming breach" to reduce "downstream damage."

"It may be how we set up administrative accounts," he said. "It may be how we do logging; it may be a recalibration of our risk analysis and those types of things where we don't have a simple binary trusted system-untrusted system."

"Our tabletop exercises are generally useful but typically do not get down to brass tacks of self-imposed blast radius," he added over email. 

Changing how trust is managed may preserve resilience and assure better care continuity, according to this line of thinking. 

"We'd devise different strategies if our main goal was to preserve resilience," he said, adding by email, "This would not be a complete 180 from what we do now, but represent a change in priorities."

"In healthcare, we should better weigh beforehand -- by assuming not just breach but potentially, catastrophic breach -- the downstream impact of taking things down," he said.

"How many systems at Change Healthcare were actually compromised?" Lacey asked rhetorically.

In that attack, which had a seismic effect on healthcare operations nationally, the number of systems affected may not have been excessive – it was likely the complex web of dependencies on administrative accounts, he explained.

"It became super difficult to unpack the whole thing and solve it," said Lacey.

If there is no way to know how the adversary is behaving at the time of data transactions, then shutting systems down broadly probably makes sense, Lacey acknowledged. But understanding data integrity at the time of an attack could help improve healthcare's resilience.

What's unclear in an attack is the likelihood that the integrity of the data has been changed – "not that the data's been lost."

Relying on data that may have been stolen does not necessarily put the patient in danger of a bad medical outcome at the time of an encounter, though it may expose the patient to identity theft later on, said Lacey.

"If you had a better understanding, what [incident response] behaviors might then be appropriate?" 

"It really is the integrity of the data – and it's not difficult to imagine how you could trace back the integrity of the data in such a way that you can feel 99.99% certain that this hasn't been tampered with," he said.

"Therefore we should assume catastrophic breach, and build monitoring systems and isolation to shrink the blast radius as much as possible," he clarified by email.
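Lacey's argument is that if responders can establish with high confidence which records have not been tampered with, the shutdown can be scoped to what is actually in doubt instead of the whole network. The following is an added example, not code from the article or from any of the organizations named in it, showing one way a defender can make stored records tamper-evident: each record is sealed at write time with an HMAC that also covers the previous record's tag, so a later audit can re-derive every tag and point to the specific records whose integrity no longer holds, and can tell truncation of the store from modification of a single entry. The key, the record fields, the sample records and all helper names are constructed for this illustration.

```python
import copy
import hashlib
import hmac
import json

# Constructed demo key. In a real deployment the sealing key lives in an
# HSM/KMS and is never readable by the database host, so an intruder who can
# alter rows cannot re-seal them.
INTEGRITY_KEY = b"constructed-demo-key-not-for-production"
GENESIS = b"\x00" * 32  # chain anchor for the first record


def canonical(record: dict) -> bytes:
    """Deterministic serialisation so the same record always MACs the same."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def _tag(prev: bytes, record: dict, key: bytes) -> bytes:
    """HMAC over the previous tag plus this record; the chain gives ordering."""
    return hmac.new(key, prev + canonical(record), hashlib.sha256).digest()


def seal(records, key=INTEGRITY_KEY):
    """Seal records at append time. Returns (chain, head): chain is a list of
    {record, tag} entries and head is the hex tag of the last record, which
    should be kept separately (e.g. written to a protected audit log)."""
    chain, prev = [], GENESIS
    for rec in records:
        tag = _tag(prev, rec, key)
        chain.append({"record": rec, "tag": tag.hex()})
        prev = tag
    return chain, prev.hex()


def audit(chain, head, key=INTEGRITY_KEY):
    """Re-derive every tag during incident response.
    A record whose content no longer matches its tag is reported by index;
    the walk then continues from the *stored* tag, so one altered record does
    not cast doubt on every record after it. Records removed from the end of
    the store show up as a head mismatch ("truncated")."""
    tampered, prev = [], GENESIS
    for i, entry in enumerate(chain):
        stored = bytes.fromhex(entry["tag"])
        expected = _tag(prev, entry["record"], key)
        if not hmac.compare_digest(expected, stored):
            tampered.append(i)
        prev = stored
    truncated = not hmac.compare_digest(prev, bytes.fromhex(head))
    return {"tampered": tampered, "truncated": truncated}


# Constructed, synthetic records; no real patient data.
SAMPLE_RECORDS = [
    {"mrn": "P-0001", "allergies": "penicillin", "med": "amoxicillin 500mg"},
    {"mrn": "P-0002", "allergies": "none", "med": "metformin 850mg"},
    {"mrn": "P-0003", "allergies": "sulfa", "med": "lisinopril 10mg"},
    {"mrn": "P-0004", "allergies": "latex", "med": "atorvastatin 20mg"},
]


def demo():
    """Three incident scenarios over the sample store: untouched, one record
    silently modified, and the last record deleted."""
    chain, head = seal(SAMPLE_RECORDS)

    modified = copy.deepcopy(chain)
    modified[2]["record"]["allergies"] = "none"  # the kind of change that matters clinically

    return {
        "clean": audit(chain, head),
        "modified": audit(modified, head),
        "truncated": audit(chain[:-1], head),
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario:>9}: {result}")
```

The audit output is what lets a response team reason about blast radius in the way Lacey describes: in the "modified" scenario only index 2 is in doubt and the rest of the store verifies, whereas a store with no integrity tags forces the binary trusted/untrusted call for everything. Keeping `head` outside the database is what makes truncation detectable; the HMAC key being unreachable from the compromised host is what makes the tags meaningful at all.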

AI's role in healthcare cyber-warfare

Artificial intelligence is a cyber weapon that anyone can now use – cyber adversaries or cyber defenders.

"AI will be used both offensively and defensively; it is yet to be determined which side will have the advantage," said Decker.

Lacey said the advantage will be split between the two.

Healthcare cybersecurity teams will be better off than the attackers at what he called "the first level" -- in a cribbed view of overall security risk.

"It gives us more tooling than it gives them because our data will be able to figure out more complicated relationships of data than we would otherwise," he said, adding by email, "We defenders will enjoy the benefits of our ability to train our monitoring systems to better identify attacks."

AI technology also means "we're going to be buried in disinformation," he said, putting CISOs in the business of disinformation prevention. As for navigating those risks in the current state of cybersecurity, "we are in no way prepared for" that, he said.

"Much of our job will not be adversarial; it will be testing and monitoring AI systems for hallucinations, bad reasoning and other non-adversarial issues," Lacey added by email.

"For the next five years, we should be preparing ourselves to test and validate AI in many of its manifestations." 
