Attackers are becoming more sophisticated at the same time the cybersecurity talent pool is shrinking. In healthcare that matters more than ever. Simply put, health data affects people's lives.
Even as hospitals invest large amounts of money and effort in taking on that monumental challenge, too many of them are working in isolation. And I don't see the rogue's gallery of criminals, hackers, hacktivists, nefarious nation states and previously unforeseen types of attackers getting smaller anytime soon.
All of which means that chief information security officers in healthcare and elsewhere have a new level of responsibility: to turn infosec into something people see as a healthy habit, as essential as diet and exercise.
Cybersecurity? It's personal
When I spoke with Anahi Santiago, CISO of Delaware-based Christiana Care Health System, at the HIMSS Healthcare Security Forum 2018 in San Francisco, she cut right to the chase.
"I really believe that I'm only two hands away from a patient, and I say that a lot so clinicians know I'm there to help them be successful in care delivery," said Santiago (who was deemed, not incidentally, to be among our "rock star" CISOs back in 2015).
"Making the connection with end users and employees can help them understand basic security concepts and teach them to protect themselves," she said.
That means not just telling them what they cannot do. It means focusing on phishing, of course, but without overdoing it; being careful not to evoke FUD (good old fear, uncertainty and doubt); explaining good password hygiene; showing them good social media practices for themselves and their families; and, basically, giving them whatever helps them as people.
"Start talking to them about how to protect their homes, give them information they can walk away with that will deliver value in their personal lives," Santiago said. "I guarantee you not only will they continue to listen but they will bring those practices right back into the organization."
Santiago said she talks often to people about Amazon Alexa, for instance: not necessarily about whether the ambient tech is always listening, which is a personal choice, but instead about whether it is connected to the same WiFi network as their home computer, and whether it really should be. If it is, and it makes more sense to keep the two separate, Santiago will then recommend resources that can help non-techie staffers configure their home systems appropriately.
"I try to engage them in conversations that will get them to think inherently about security," Santiago said.
CISOs, know this: There's no going it alone
Engaging employees outside the infosec shop is critical, because safeguarding data requires a culture of cyber hygiene best practices.
"Everyone must be on board, receive training, and be appropriately incentivized," said Lee Kim, HIMSS Director of Privacy & Security. "It's not just the CISO's responsibility. They can't do it with a non-existent budget and few staff. They need resources and they need to be empowered to act. The organization needs to let them have some reasonable degree of autonomy and influence."
If not, CISOs are merely people trying to be superheroes – working valiantly, but without actual super powers.
What's more, information security faces a talent shortage even as data and technologies keep expanding and making infosec that much more important, so hospitals really need to be planning for the future, as in future generations of people.
"It's our social responsibility as CISOs to get out there and help with the talent pool problem. Get out and talk to high school and middle school kids and really engage with them so that we start to refill the pool," Santiago said.
"These kids have no notion of privacy, and they don't understand that information security is an emergent and viable field that can make them a good livelihood and give them a rewarding career," she added. "So I think we need to help solve that problem."
High price of life, death and innovation
Security is hard and there is a lot at stake, to be sure. But too many hospitals continue taking on the challenge alone, despite cyber experts publicly stating that hospitals should immediately join an information sharing and analysis center (ISAC), such as the National Health Information Sharing and Analysis Center (NH-ISAC).
"It's sad the amount of money organizations are spending on this problem," said Eric Carey, CIO of Valley Hospital in Ridgewood, N.J. "We're all fighting the exact same battle on our own. Every company that has computers has to solve the problem. Every company has millions of dollars going into solving the same problem."
Many reasons exist for that, and the reality will persist. But security teams can take the steps described above to start improving the situation, beginning with a stark understanding:
"Cybersecurity can be a matter of life and death, that's the bottom line," said Michael Archuletta, CIO at Mt. San Rafael Hospital. "It's about people and having them understand cyber."
Now that we all recognize that, let's also agree on the urgency of making quick strides, however iterative they might feel in the moment. Getting employees to adopt cybersecurity best practices and working to foster a new generation of infosec talent will set the stage for security's next act: to be a foundation for innovation.
The next HIMSS Healthcare Security Forum is set for Oct. 15-16 in Boston.