TECH INTELLIGENCE: Master class

Cybersecurity lessons from the FBI and leading health care industry experts

David Egan//October 21, 2024//

Cybersecurity

PHOTO: DEPOSIT PHOTOS

Cybersecurity

PHOTO: DEPOSIT PHOTOS

TECH INTELLIGENCE: Master class

Cybersecurity lessons from the FBI and leading health care industry experts

David Egan//October 21, 2024//

Listen to this article

Comcast Business and the Health care Information and Management Systems Society recently brought together leading experts at 30 Rockefeller Center in New York to discuss the importance of in health care.

Perhaps no industry exemplifies the shifting and critical nature of cybersecurity better than health care. Panel moderator Jody Hagerman, senior director of sales engineering, Comcast Business, shared the anecdote that before she was born, her father walked an amniocentesis sample across the street from a hospital to a lab for diagnostics. There was no perceived need for security around tracking the sample, let alone health care data at that time.

The theft and public disclosure of tennis star Arthur Ashe’s HIV diagnosis in 1992 changed all of that and led to the passage of the Health Information Portability and Accountability Act and other regulations, as well as an illicit demand for sensitive health data.

The widespread adoption of the internet, mobile devices for employees, the transition to electronic records and cloud applications put health care organizations on a collision course with cybercriminals.

“Last year, the FBI received more than 880,000 individual complaints related to cyber-crimes that represented more than $12.5 billion in losses, a number that we are confident is underreported,” said Michael DeNicola, supervisory special agent for the Federal Bureau of Investigation.

Health care was the most targeted sector for ransomware attacks.

Worse, DeNicola is seeing a shift in behavior where criminals are doing far more than temporarily locking up data. They are also exfiltrating the information for additional extortion or selling it on dark markets.

If all of that doesn’t raise sufficient concern, consider the Illinois hospital that shut down permanently last year in part because of a cyberattack that prevented it from filing insurance claims for months; or the Vermont hospital that couldn’t provide lifesaving care during a cyberattack in 2020.

Jennings Aske, chief technology risk officer, New York Presbyterian, described how the hospital couldn’t deliver care because its cancer regimens were locked up during an attack on an on-premises system. Jennings stated this and other ransomware attacks in health care highlight the need for advanced endpoint protection and other measures to prevent ransomware attacks.

And it’s not just large networks that need to be worried. Small providers that are connected to larger systems such as vendors, partners or billers are prime targets both on their own and as a means of entry to the bigger prize.

So, what can be done to mitigate risk and protect health care systems large and small?

“Security should be a multi-layered strategy, but monitoring is a first step,” said Trevor Parks, senior director, Advanced Security Solutions, Comcast Business. “Investment in cybersecurity tools and teams is non-negotiable. CIOs can work with their finance partners to calculate the costs that would be incurred if they were shut down by an attack to justify the investments that have to be made.”

A zero-trust framework, where every transaction is considered potentially fraudulent and requires multi-factor authentication, is another critical defense along with employee training.

Social engineering used to be centered on email phishing, which was an effective way to avoid threats with minimal training. “Now, phishing has shifted from emails to SMS or text-based phishing and AI is helping hackers get better at their craft,” said DeNicola. “There’s a constant learning curve that goes along with that.”

Organizations must also have a response strategy in case they detect a threat and that should include the ability to segment the network through firewalls that group and separate all entry points – from life-saving devices to employee PCs, to individual facilities and so on.

AI can also be harnessed for good to help identify threats or authenticate employees based on patterns, from keystrokes to the cadence of an individual’s walk as tracked by their phone.

Insurance coverage is important but not a cure-all. “While insurance can help mitigate costs incurred by an attack, most cyber insurance companies will need to see proof that certain controls are in place before they will underwrite a policy,” said Gerry Blass, CEO and founder, ComplyAssistant. “And no insurance can repair the damage done to reputations and relationships.”

Finally, if your organization is affected by a cyberattack, contact the FBI as soon as possible. While full recovery without ransomware payment is rare, they can gather and share intelligence and advise on options.

David Egan is regional vice president for Comcast Business, responsible for serving customers in Greater Philadelphia, New Jersey, New York, and northern Delaware.