‘The Best Thing’ Hospitals Can Do to Prevent Cyberattacks: CISO Weighs In

[ad_1]

Hospitals may be concentrating their cybersecurity efforts in the wrong place, according to Mike Hamilton, field chief information security officer at Lumifi Cyber.

Hamilton spoke on Newsweek‘s virtual panel, titled “Crisis Management: A Crash Course for Health Care Leaders,” on February 13. He sees cybersecurity incidents as inevitable for health systems: “You’re secure, until your ticket is punched.”

“The first thing we need to acknowledge is that it’s going to happen,” Hamilton said, noting that attackers have more resources than health systems.

“Really, more investment needs to go into detection and recovery rather than prevention,” he said.

Newsweek Virtual Event Photo
A screengrab of Newsweek’s “Crisis Management: A Crash Course for Health Care Leaders” panel on Thursday, February 13.

Newsweek

When asked to expand on health systems’ cybersecurity blind spots, Hamilton explained that attackers have three common methods for obtaining “initial access” to an organization.

The first is social engineering, using impersonation and deep fakes to trick an employee into giving up sensitive information. Second is credential abuse: testing every password in a massive database against a person’s account. Finally, many hackers gain access through vulnerability exploit, finding weak spots in firewalls and entering before they are patched.

Proper training can be one of the best defenses, Hamilton said. “There’s no firewall for gullibility. You have to train your people.”

He recommends a strict credential policy that aligns with guidelines set by the National Institute of Standards and Technology. Forget uppercase, lowercase and special characters—the strongest passwords are sentences and should be changed each year, according to Hamilton. Users’ credentials will be even more secure in a password vault, and organizations should prohibit them from storing login information within their browsers.

“But the best thing you can do to move the needle the most with the least amount of effort,” Hamilton said, “is implement a policy of personal use on personal devices only.”

When Hamilton was chief information security officer for the city of Seattle, 40 percent of compromised assets on the network were due to the use of personal email. He admits that banning Gmail and Facebook on company devices “makes people grouchy,” but assures leaders that the security is worth the grumbling.

He also shared advice for health systems facing legal consequences in the wake of a data breach. Oftentimes, the unauthorized disclosure of protected records is followed by a class action lawsuit, which can place further financial strain on organizations attempting to recover.

More health care executives are being accused of negligence for lack of involvement in risk management, Hamilton said. If executives can prove that they had their fingerprints on those decisions—including risk assessments, governance processes and corrective action plans—they’ll be better protected.

“If you can show your papers, [that you] were actually doing the right things, that provides a bit of a safe harbor against civil litigation,” Hamilton said.

His No. 1 piece of advice? Be flexible, keep records and think in “ifs,” not “whens.” He quoted a recent IMF report which estimated that cybercrime will cost the world $23 trillion in 2027—up 175 percent from the global losses in 2022.

“There’s no way you’re going to go glove to glove with those organizations, those actors, and come out on top,” Hamilton said. “Prepare for the eventual event. It’s going to happen. And then we are going to show everything that we’ve been doing to [prove] this wasn’t our fault—it’s because we were outgunned.”

[ad_2]

Source link

Leave a Comment