Cyber criminals only have to be right once to wreak havoc. In healthcare, we have to be right 100% of the time to manage the risk of cyberattack. In a recent interview on the CereCore Podcast, Phil Sobol, Vice President of Business Development talked to Darcy Corcoran, Principal for Cybersecurity Advisory Services about the cybersecurity must haves and the often-overlooked aspects of considering AI use cases in healthcare. Darcy employs her extensive background in the Department of Defense and work with NATO and the Pentagon to inform organization-specific tactics and industry best practices offering thoughts on cybersecurity in healthcare through lens of extensive cybersecurity background in defense.
Cybersecurity must haves
As for the must haves, Darcy maintains it’s important for an organization to define a clear, strategic vision and to empower technology organizations and their partners to build a plan that aligns with that strategy and defends it. Ultimately, everything a security organization does should align to that strategy, so the vision is executed every day. Leaders have an important role in defining the vision and ensuring the execution.
Patients need to trust and have reasonable assurance that healthcare technology is going to keep their data safe and private. And at the same time, physicians need to know data is reliable, secure, and resilient. For healthcare’s cybersecurity teams this means making a malicious act on their organization so cost prohibitive that they move on to find a softer target.
Threat intelligence is an important factor in determining cybersecurity strategy, and a lot of general threat intelligence information today lacks the perspective of your organization’s attractiveness to malicious actors. Healthcare organizations need to be able to provide context to their threat intelligence thread and then draw a line to where it should be incorporated into your defense strategy. Reactive network defense strategies focus on fortifications, and boundaries and react in similar fashion to all of the detected threats. That's not only an expensive proposition, it's exhausting, and it just might not even be as effective as an informed defense posture with context of the threats.
A fundamental shift in focus for cybersecurity
In fact, according to Darcy, a fundamental shift is needed from hyper focus on managing governance, risk, and compliance (GRC) duties to an organized common operational picture that integrates everything into a concerted operational view to defend against persistent, sophisticated, competent criminal enterprise.
To that end, these are three areas to consider:
- Contextualized threat intelligence: unbiased review and understanding of your organization’s threat surface in detail to inform priorities and resources for necessary impact
- Reduced unintended consequences: modernizations (such as moving to the cloud and using AI) increase vulnerabilities and change an organization’s risk profile
- Commitment to compliance and regulatory baselines: regularly performed gap assessments are key to identifying and addressing potential vulnerabilities in an environment that changes daily
AI considerations leaders may overlook
AI has made some incredible advances in expanding the effectiveness of primary care providers, streamlining access to care, and helping to address burnout. It’s time, if you haven’t, to embrace the change AI brings. The biggest risk AI poses to an organization is when there’s a lack of understanding about how the technology works. Consider these:
- The data AI ingests and analyzes: What does it know? What doesn’t it know? How will you depend on it? How will you validate what it produces? What does it share? Where does it share it?
- Operational protocols for AI: Is AI for internal use and/or external? What do the quality control and maintenance processes look like? Is it talking back to a foreign country? Does it take data samples? If so, where do the samples go?
In cybersecurity, we always try to balance the equities of the operational needs against things like data quality, privacy, security, and ethics. As we try to balance all those equities, we can’t have a denial of service internally because our policies are so strict that nobody can do anything. But at the same time, we must do our best to protect the very important things that we are charged with protecting.
Get started with a cybersecurity assessment for your organization.
For more on Cybersecurity Advisory Services, check out these resources.
