It didn’t take long before Change Healthcare was mentioned at the HIMSS24 Cybersecurity preconference forum on March 11 in Orlando.
In a discussion titled “Planning For When Your Health System is the Target of Cyber Adversaries,” Dr. Justin T. Collier, M.D., chief healthcare advisor at World Wide Technology, cautioned that cyberattacks are life-and-death instances. He noted a growing recognition of the long-term impact of attacks. For example, a cyberattack that causes a patient not to complete a stress test can impact health down the line. “The least advantaged patients are the hardest hit,” he mentioned, because “they don’t have the resources.”
“Risk assessments need to be done extensively,” Troy Ament, healthcare industry leader at Palo Alto Networks, added. He said resiliency plans are essential. He noted that mergers and acquisitions bring third-party risk with them. Ament suggested that organizations arrange tabletop exercises and advised them to consolidate and centralize their technology. AI relies on data and interconnectivity, he noted. Third-party vendor start-ups may not have the governance yet.
Collier brought up the growing threat of Artificial Intelligence (AI) deepfakes. A brief provided by the Northwestern Buffett Institute for Global Affairs explained, “Deepfakes—media content created by AI technologies that are generally meant to be deceptive—are a particularly significant and growing tool for misinformation and digital impersonation. Deepfakes are generated by machine-learning algorithms combined with facial-mapping software that can insert that data into digital content without permission. When execution is excellent, the result can be an extremely believable—but totally fabricated—text, video or audio clip of a person doing or saying something that they did not.” It’s important to pay attention to such emerging tools, Collier warned. “AI is a method of attack and defense,” he said.
According to Collier, healthcare takes a long time to recover from attacks. That’s why “recovery and response are critical.” “Practices such as disaster recovery exercises are missing within organizations.” Automation to help cybersecurity teams is also something that organizations need to look at, especially since they are understaffed.
When asked for his views on paying ransom to attackers, Collier responded that paying the ransom incentivizes more attacks and may work against the hospital’s ethical code. Since data has been acquired, secondary extortion can occur. Also, regarding AI, synthetic data can be provided for AI training; the training does not need actual patient data.