On the third day of HIMSS23, April 19, at McCormick Place Convention Center in Chicago, an education session entitled “Code Dark: Finding Force Multipliers in Hospital Cybersecurity” was presented by Nate Lesser, vice president and chief information security officer, Children's National Hospital.
Washington, D.C.-based Children’s National Hospital is celebrating its 150th anniversary this year and has more than 8,000 employees. According to Lesser, the organization is reliant on information technology for all aspects of care and is the only pediatric hospital in the region.
“Everyone is responsible on some level for information security at their organization and we, as cybersecurity leaders, need to figure out how to make that a reality for all of our staff across the entire organization,” Lesser said.
Lesser then explained that cybersecurity attacks are increasing and that medical records are extremely valuable on the dark web. For 12 consecutive years the healthcare industry had the highest average cost of a breach.
Lesser noted that there has been an increase in ransomware attacks on healthcare organizations. “At the end of the day, hospitals are just getting hammered and those who haven’t had a major outage due to ransomware are constantly feeling like, ‘we’re next,’” Lesser said.
Beyond ransomware, Lesser noted, business email compromise attacks increased by 81 percent in 2022 and 175 percent over the past two years. The question, he said, is “How do we balance highly sophisticated engineering phishing and at the same time contend with nation-states and other sophisticated attacks?”
Hospital budgets are not only tight, but there is also a shortage of information security professionals across all industries, not just healthcare. Lesser commented that there are currently 750,000 information security job openings in the U.S.
Right now, according to Lesser, there is a paradigm shift in the industry. “We need force multipliers to overcome the headwinds of increasing attacks and decreasing resources,” he said. Organizations should consider automation, outsourcing/hybrid staffing, and collaboration (external and internal).
Lesser stressed the importance of collaboration. “Cybersecurity is a team sport,” he said. “We need to work together across the entire community, across the entire hospital staff or system, or region and do a better job of collaborating.”
Next, Lesser explained a method that he uses at Children’s National Hospital, dubbed “CODE DARK.” Hospitals have color codes, he noted, saying that there’s code blue, a code color for an active shooter, and even hurricanes. CODE DARK is a code that will be called when a hospital is actively combatting a cyberattack. The DARK in CODE DARK stands for:
- Disconnect your workstation and internet-connected devices.
- Await instructions from your IT department before reconnecting computers.
- Report to your managers for department-specific downtime actions.
- Know and follow your department’s emergency policies and procedures.
Regarding how this practice got started, Lesser said, “One of our senior medical leaders said to me that if he saw a ransomware message on his laptop, he’d throw it out. We needed to figure out a way to communicate better.”
“At the end of the day, we all need to put more attention into the response and recover side and all work together to try and shift the paradigm of massively increasing attacks, decreasing resources, and still figure out how to get ahead of the curve,” Lesser concluded.