Jenny Radcliffe of Human Factor Security recently sat down with Kate Mullin, chief information security officer (CISO) at the Cancer Treatment Centers of America, to discuss the latest threats facing the healthcare industry. Their conversation touched on everything from ransomware and hybrid work to the skills needed to carve out a career in cybersecurity today.
The following is a summary of what Kate had to say on these and other topics:
On healthcare’s position in the crosshairs
Having worked in healthcare cybersecurity for many years, I’m used to the industry’s position in the sights of cybercriminals. However, the events of recent years have been something else. At the same time as dealing with the fallout of COVID-19 and the rise of hybrid work—plus medication shortages due to the war in Ukraine—we have to continue to see our patients because we work in oncology.
Naturally, these events have caused major disruption to our work, but the bad guys simply don’t care. Ransomware attacks in the healthcare space have increased significantly. Of course, the stakes are higher here as an attack can impact a patient’s ability to receive oncology care. And the tragedy is that many won’t have the option to start over if there’s any disruption to that care.
There’s a lot of luck involved as to whether you’ll be one of the organizations that get targeted, but everyone needs to be ready. That’s why I advise organizations to carry out ransomware tabletop exercises to better understand what can and can’t be done.
There’s still a belief that you can just pay the ransom and decrypt, but that is not always the case—take a look at the Proofpoint State of the Phish report to find out how many companies never gain access, despite paying ransoms. Decryption can take a very long time, and you may even be able to rebuild systems faster.
Hybrid work and the human factor
Hybrid work has increased and shifted the risks the healthcare industry faces. Many people may have spent money upgrading tech for “smart homes,” but it’s not enough. While you may have secured your devices, unless you’re on a virtual private network (VPN) when you get online, you’re effectively using an unsecured network.
Hybrid work has also made it even more evident that the human side is our greatest weakness. People pose an enormous risk, whether due to error or because of the Great Resignation, turnover or early retirements. In healthcare, this risk comes from both workers and patients. They will be targeted, and I don’t know anyone who won’t get caught out by a targeted phish—even if it takes a few tries to get them to fall for it.
Then, there’s the issue of patient privacy. Of course, the security of healthcare data is taken very seriously, and the workforce is very well trained on that. But there are areas where we want to be open, and that causes difficulty. The healthcare industry wants to cure disease and integrate systems to provide better care. But the more we do this, the more we create potential weaknesses and areas of compromise.
Why we all need cybersecurity skills
Everyone in IT needs to learn information security skills. And everyone is in IT. If you’re loading apps onto your phone, you’re in IT. If you have children, you’re in IT. If you’re working from home, you’re definitely in IT.
Before widespread hybrid work, you could leave your computer plugged in and, miraculously, everything was updated by the morning. But now that it’s happening remotely, our people need to have a better understanding of why security is so important.
Every member of the workforce needs to know what it means to patch computers, what a VPN is and why we use them, and so on. And we, as cybersecurity professionals, need to get better at communicating what they need to know.
Want to hear more from CISOs?
Head to CISO Voices to listen to Jenny’s interview with Kate in full and find more episodes.
Jenny’s Human Factor Security podcasts also feature further insights from cybersecurity experts. Look out for our next CISO Voices blog post to discover cybersecurity insights from CISO-to-hire Tom Wade.
Proofpoint CISO Hub
Visit our CISO Hub to get regular updates on cybersecurity research, insights and resources specifically for the global CISO community.