Deputy director for the Cybersecurity and Infrastructure Security Agency (CISA) Nitin Natarajan spoke last month on the state of cybersecurity in healthcare at the annual HIMSS conference in Orlando.
In a cybersecurity preconference, he informed the audience that the CISA represents sixteen interdependent sectors. As Natarajan explained the threat landscape, he expressed that there has been a change in the adversary and victim landscape. For adversaries, it’s easier to attack. “There are now attacks in rural areas,” he said, “the combination is precarious.”
Natarajan advised pushing the industry to create safe products. “Security should be built into devices,” he noted. He cautioned that there needs to be increased awareness concerning the hardware and software that is being bought. “The secure by design effort is a global effort.”
Natarajan explained risk as a three-legged stool: identification, mitigation, and acceptance. In a joint effort with the U.S. Department of Human Health Services (HHS), CISA is providing free resources, including toolkits and tabletop exercises, to build resilience, he said.
An audience member expressed concern about people who fear reporting incidents out of fear of retribution. “How do we make a safe space for people to report incidents?” they asked. “We are punishing people who do the best they can with the resources they have.” Natarajan answered, “we don’t want to victim shame.” It’s important to report incidents, he said, “we look to help, and to help prevent others from becoming victims.”
We want to pivot away from blaming, Natarajan said, instead we want to talk about building resilience. “How do we bounce back quicker and recover in a timelier matter.” Obtaining timely information is key, he said. “We don’t want to become a burden. We want to protect other organizations.”
