Discover why updating healthcare cybersecurity is vital as MITRE’s Margie Zuk shares insights at HIMSS 2023 Healthcare Cybersecurity Forum. Healthcare must adapt to rising cyber threats, strengthen medical device security, and establish regional collaborations for effective incident response. Zuk emphasizes integrating cybersecurity into emergency plans, exercising preparedness strategies, and fostering communication among stakeholders. The session, “Elevating Your Cybersecurity Strategy for the Future and Beyond,” is scheduled for September 8th.
Ahead of her participation in the upcoming HIMSS Healthcare Cybersecurity Forum, an experienced information security professional from MITRE offers advice on how provider organizations can arm themselves against the growing and constantly evolving landscape of cyber threats.
In our contemporary, interconnected, and digital world, the escalating sophistication of cyberattacks exposes new vulnerabilities in security. Consequently, healthcare institutions find themselves needing to reevaluate their cyber preparedness.
Margie Zuk, a senior principal cybersecurity engineer at MITRE – a nonprofit research organization funded by the federal government – stands as a noteworthy expert that CISOs, CIOs, and other leaders in IT and security can draw inspiration from when navigating the intricacies of cybersecurity strategy.
Zuk is set to contribute to a panel discussion at the HIMSS 2023 Healthcare Cybersecurity Forum next month. The focus of the session will be on forging novel approaches to cybersecurity, tailored to the rapid evolution of the threat landscape. Joining her on the panel are Terri Ripley, CIO at OrthoVirginia, and Joseph Cuozzo, VP of IT at Richmond University Medical Center.
In a recent interview, we gleaned insights from Zuk regarding her forthcoming presentation, uncovering her thoughts on the process of reshaping healthcare cybersecurity strategies amid a dynamically changing environment.
Q. Why do you believe most healthcare provider organizations must overhaul their cybersecurity strategy today?
A. As the proliferation of connected devices, cloud integrations, and dependencies on third-party entities skyrockets, the healthcare and public health sectors have found themselves in the crosshairs of the most targeted critical infrastructure segments.
The repercussions of cyberattacks on healthcare delivery organizations, and subsequently on patient safety, reverberate not only within the afflicted institution but cascade to other healthcare entities within the vicinity.
Considering the protracted timeframes required for a complete recovery from disruptions to clinical care, it becomes paramount for healthcare delivery organizations to weave cybersecurity into their core emergency response blueprints. This proactive step prepares them to counteract cyberattacks and mitigate the ensuing impact on clinical functions.
In support of the FDA’s endeavors, MITRE has actively engaged with a diverse array of stakeholders in the healthcare sector, encompassing healthcare delivery organizations, manufacturers of medical devices, as well as state, local, and federal governmental bodies. This collective effort aims to discern the existing gaps and challenges, with a special focus on safeguarding medical devices – owing to their pivotal role in delivering clinical care.
The resultant outcome, the Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook, emerged in 2018 following the WannaCry attack. Subsequently updated in 2022 to encompass the latest best practices and resources, the playbook offers:
1. Fundamental medical device cybersecurity insights, adaptable for integration into the emergency preparedness and response frameworks of healthcare delivery organizations.
2. Clearly defined roles and responsibilities for both internal and external responders, fostering lucid lines of communication and a coherent operational model across healthcare delivery organizations, medical device manufacturers, governmental bodies at different levels, and federal authorities.
3. A standardized approach to response initiatives, facilitating cohesive action within healthcare delivery organizations and even across multiple regions when warranted.
4. A foundation for enhanced coordination endeavors among stakeholders involved in medical device cybersecurity, encompassing collaborative assistance across healthcare delivery organizations.
5. Guidance for informed decision-making and the imperative to escalate responses as needed. The playbook also pinpoints resources accessible to healthcare delivery organizations for bolstering preparedness and response activities.
6. A malleable and customizable regional tool geared towards enhancing medical device cyber resilience, with applicability on a broad scale.
Q. Please select a recommendation from your revamped medical device security proposals and elaborate on it.
A. The potential ramifications of cyber threats targeting medical devices extend beyond mere inconvenience – they can disrupt clinical operations and compromise patient care. In light of this, meticulous preparation surrounding medical devices emerges as an indispensable component for sustaining the continuum of clinical activities.
Within the playbook, a comprehensive roster of medical device-specific preparedness measures takes center stage. These encompass aspects such as the procurement of medical devices, maintaining an accurate inventory of said devices, conducting hazard vulnerability analyses, and above all, the seamless integration of medical device cybersecurity within incident response strategies and command hierarchies.
Vital to this endeavor is the active practice of all preparedness schemes – including emergency operations plans and communication protocols for incident response – to ascertain that personnel are adept at their execution while simultaneously identifying areas for improvement.
Notably, the playbook treats cybersecurity as an inherent hazard, proposing strategies to amalgamate cybersecurity into the broader framework of all-hazards preparedness and response exercises. Unique to cyber incidents is their far-reaching impact across healthcare delivery organizations, leading to extended downtimes compared to other hazards. Therefore, these exercises should be tailored to evaluate protocols for handling prolonged periods of disruption.
Incorporating a cross-section of stakeholders from diverse sectors of healthcare delivery organizations – ranging from emergency management units, medical device management teams, IT departments (including security), and even external entities like medical device manufacturers and third-party vendors – is a cornerstone of effective preparedness exercises.
Q. Please select a recommendation from your revamped incident preparedness suggestions and delve deeper into its specifics.
A. “Foster collaborative agreements with regional partners for bolstering medical device cybersecurity. Supplement existing incident response mutual aid agreements with provisions for scenarios like loaner devices, patient diversion to operational facilities, and collaborative incident response support.”
This recommendation forms a pivotal segment of a broader strategy designed to cultivate regional synchronization, preempting cyberattacks leading to prolonged downtimes and necessitating patient diversion to alternative healthcare establishments within the region.
In this vein, healthcare delivery organizations are advised to establish designated points of contact along with pertinent contact information within their regional partnerships. Collaborative regional resilience drills should be conducted, sharing advisories, alerts, and optimal practices pertinent to cybersecurity with these partners.
Moreover, incident notification protocols should be devised among regional collaborators, encompassing auxiliary communication avenues tailored for circumstances where cyberattacks necessitate patient diversions.
Forethought must extend to minute details – envisioning scenarios where core communication systems like email or contact databases might be rendered inaccessible. Appropriate fail-safes should be devised, such as offline or hardcopy backups of essential contact information.
A recent study by the University of California at San Diego serves to underscore the downstream consequences on patient safety stemming from a cyberattack on a regional collaborator. The rising trend of regional coalitions forming to undertake joint resilience drills across healthcare organizations underscores the growing awareness of regional cyberattack repercussions.
Healthcare delivery institutions regularly conduct rehearsals for mass casualty incidents and diverse clinical scenarios. Applying this same rigor to cyberattack preparedness is a mandate that cannot be emphasized enough – especially when patient safety hangs in the balance.
Anderson’s session, titled “Elevating Your Cybersecurity Strategy for the Future and Beyond,” is slated for 12:45 p.m. on Friday, September 8th, at the HIMSS 2023 Healthcare Cybersecurity Forum in Boston.