In a recent presentation to the New York Healthcare Cyber Alliance, Geoff Brown, chief information security officer for New York City and head of NYC Cyber Command, offered several suggestions for health systems to improve their cybersecurity preparedness.
Brown began his presentation by reading from a cyber intelligence briefing he had just received. “Ohio-based Memorial Health System is diverting some patients after a ransomware incident forced to shut down its IT systems on 15 August. Its emergency departments are on diversion. But the health system will continue to accept stroke and trauma patients. Some of its campuses are on diversion for all non-trauma patients. The diversions will continue until IT systems are restored,” he read. “So that's an event that I was briefed on during cyber threat intelligence updates just today, and I think it does strike home the landscape of daily disruptions of service, espionage, hacktivist activity, and criminal activity. It brings home when these things impact what you do, how significant they are, where the rubber hits the road, and that's the critical services you provide to people.”
Brown spoke about organizing to set up a defensible environment and pursuing greater visibility into your systems and networks.
First, he suggested that health systems consider the modernization of their technology footprint. “I always advocate for a more modern technology footprint. It's not only important, because it allows for you, as folks that deliver health services to be able to adopt more rapidly the types of platforms that make it more efficient to do your work, but it also has an incredible amount of benefit from a cybersecurity perspective, because the newer stuff is oftentimes easier to defend, and more compatible with various approaches. It will pay dividends not only from a business perspective, but also from a security and resiliency perspective.”
As an example of what he means, he said that New York City has always been very cloud friendly. “I always encourage organizations to be cloud friendly,” he said. You get a high degree of resiliency and speed from those platforms, he added. “We also identify and adopt very modern identity control approaches.”
The second concept he discussed is having visibility and thus actionability. “Simply put, if you can't see everything, it's very hard to do something about it if a threat actor decides to take notice,” he said. “You need to see all your computer assets and understand how your networks talk to each other. These are fundamentals when it comes to the various cybersecurity frameworks, but it's important. People talk in our industry oftentimes about endpoint security tools, but these things very much can mean the difference between automatically blocking something like ransomware in a timely way or responding and containing it if you have threat adversary behavior in your environment.”
Brown said he advocates for launching a journey to achieve as much visibility as you possibly can across your entire technology footprint. “But don't stop there,” he said. “Make sure you're availing yourselves of the different tools and technologies that allow you to automatically block and very quickly react.”
Brown recognizes that not all provider organizations have the resources in-house to do this work. In that case, he encourages provider groups to examine various third-party partnerships and service providers that can do that work on their behalf.
“It’s really important to think about your response capabilities, making sure that if something happened, you have all the appropriate capabilities via contract or otherwise, to do something about it,” he said. “New York City itself has a robust partnership with DHS going back many years.”
Also during the webinar presentation, Rich Richard, Cybersecurity Advisor for Region II of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, spoke about all the free tools his organization has to offer healthcare entities in terms of doing penetration testing and tabletop exercises to help prepare for cyberattacks.