H-ISAC’s COO Shares Her Perspectives on the Challenges of Promoting Cybersecurity Inside Patient Care Organizations
Sara Hall will be a featured presenter on Friday, Sept. 20, at the California Healthcare Cybersecurity Forum, sponsored by Healthcare Innovation, and to be held at the Sofitel Hotel Los Angeles at Beverly Hills. Hall, who will speak on the subject “Framing Cybersecurity During Budget Discussions: Selling Cyber to your Leadership as Part of Business in the Technology Age,” is chief operating officer at Health-ISAC.
As its website notes, H-ISAC, the Health Information Sharing and Analysis Center, “is a trusted community of critical infrastructure owners and operators within the Health Care and Public Health sector (HPH). The community is primarily focused on sharing timely, actionable and relevant information with each other including intelligence on threats, incidents and vulnerabilities that can include data such as indicators of compromise, tactics, techniques and procedures (TTPs) of threat actors, advice and best practices, mitigation strategies and other valuable material. Sharing can occur via machine to machine or human to human. H-ISAC also fosters the building of relationships and networking through a number of educational events in order to facilitate trust. Working groups and committees focus on topics and activities of importance to the sector and services such as Shared Services offer enhanced services to leverage the H-ISAC community for the benefit of all.”
Further, its website notes, “H-ISAC’s mission is to enable and preserve the public trust by advancing the global health sector’s cyber and physical security protection and resilience as well as enabling the ability to prepare for and respond to cyber and physical threats and vulnerabilities.”
Recently, H-ISAC’s Hall spoke with Healthcare Innovation Editor-in-Chief Mark Hagland regarding her upcoming presentation at the California Healthcare Cybersecurity Forum, and the broad cybersecurity issues facing patient care organization leaders in the current operating environment. Below are excerpts from that interview.
Tell me about your original professional background.
I’ve spent the majority of my career in cybersecurity. I have a degree in information systems, and around 2003, I came into cybersecurity because there was clearly a lot of demand for that.
When you look at the 40,000-feet-up view, what does the healthcare cybersecurity landscape look like right now?
I think that the landscape of cybersecurity in healthcare is rapidly evolving; there’s better awareness that it needs to be a focus, but it isn’t there yet. There’s a bit of inconsistency, particularly between the haves and have-nots. The dialogue is beginning to come around to looking at cybersecurity as a patient safety issue. I know you have Dr. Christian Dameff [who was recently appointed medical director of cybersecurity at the University of California San Diego Health system] speaking, and he’s been very vocal. And it’s important for the doctors and practitioners to understand that this isn’t just a technology concern. And generally, being able to speak in business concerns, and particularly business risk concerns, is very important. And in healthcare, that includes being able to speak to the actual providers. So healthcare overall has a ways to go, but the dialogue is moving forward.
Healthcare is particularly vulnerable as an industry, because of clinicians and other frontline end-users being public-facing. What are the smart patient care organizations doing right?
One person with whom I’ve interacted and who works for one of the sector coordinating councils, the policy counterparts to the ISACs, has a nursing background; and one thing that she said recently at an event really resonated with me. She said, to her, cybersecurity was just one of those pieces of noise that she called people at the help desk for help with, etc. But the second that someone in cybersecurity came to her and said, hey, I have a patient safety issue that you might have overlooked, she said, all of a sudden, I listened, because we’re trained to think about patient safety. So those who are doing the right thing are presenting things in terms that clinicians can relate to. Second, they’re prioritizing. It’s not reality to do everything; you have to take a risk-based approach. And if you’re getting five minutes of the clinicians’ time, what do you get onto their radar? And what do you do to incrementally get their attention?
You can’t boil the ocean at once.
That’s right.
So, if you were suddenly ushered into a hospital meeting room with a couple of hundred clinicians, what would you say to them, at the top of your presentation?
Initially off the top of my head, I would say, you don’t need to understand the technology, but you do need to understand the risk around the technology. Also, one thing that would significantly help and be a win-win would be, first of all, making sure you have a dedicated security person and aren’t just relying on my team—but having folks dedicated to the process. And that includes IT folks, too, who could help shape the process. A lot of things can be done early on that aren’t so hard to implement, particularly if you get the right people. Most people work in healthcare because they want to help people. And security people aren’t there to make their jobs more difficult.
What are you telling audiences about the acceleration of threat vectors right now in healthcare?
I’m a big fan of using case studies, because the more relatable it is to them, the more they can understand. But they’ve also got to be quick to relate, and have to be high-impact. Ransomware, people have heard about it, and know enough to be scared. But people can share some specific examples. And also medical device security—there are many examples involving potential compromises, related to devices and to research. Years ago, I worked at a biotech company, a genomics company, and initially when I came in, there were a lot of eyerolls from doctors, and others, and initially, they said, oh, you security people, you’re just constantly trying to scare us with some boogeyman that will never affect us. So I started by sharing real experiences and case studies, and asking that we discuss initial first steps—three things at a time—so, kind of breaking it down into bite-sized chunks, and making it relatable. And also implementing a risk decision process: I told them, at the end of the day, everything is a business decision, and it’s not my job to tell you no, but to apprise you of the risk and of the likelihood of something happening, but you ultimately make the call. It worked really well, because once they were accountable for putting their names on it, they paid more attention.
What are a couple of the things you’re going to talk about at the upcoming summit?
You’ve already elicited some, one key being speaking in business-risk terms. Also, about how we’re going through a revolution right now. And I’m going to talk about the beginnings of the Industrial Revolution, and how people lost lives and limbs before safety measures were implemented. And one of the challenges is that we have a big generation gap, too; while most doctors and nurses weren’t trained in security, in the future, that will have changed. Some will have had coding courses in, say, third grade. It has to be accepted as part of the responsibility of doing business going forward. And how you talk about that, not in a scolding way—you say you don’t have money for security, but you’re willing to spend millions and millions of dollars on technology. And you need to understand that, in order to automate, I need to protect that investment. So, speaking in business terms that people can understand.