Health system CISOs offer tips for building cybersecurity 'muscle memory'

By focusing on broader incident response training efforts – which involves medical, operational and other teams – as part of overall emergency preparedness programs, healthcare providers will be better positioned to maintain and deliver patient care when systems are breached and potentially disabled following a cyberattack. A recent study by the Ponemon Institute involving more than 640 healthcare IT and security leader participants found that while most of the provider organizations experienced nearly an attack each week last year, 57% also say these attacks are resulting in adverse impacts on patient care. "This report aligns with the reality that healthcare organizations are facing in terms of the effects to patient safety," said Anahi Santiago, chief information security officer at Delaware-based Christiana Care Health System. "When cyber attacks take place in healthcare, and organizations are forced to either divert services from emergency rooms or have to cancel services because of the unavailability of systems – it does put patients at risk," she said. "I don't think organizations do enough to prepare for how to care for patients when systems are not available," said Santiago, who is also a member of the board of directors for the Health Information Sharing and Analysis Center, or H-ISAC.

While larger provider systems may be more complex than small medical groups, "they still have the same kind of risk, as we have [all] leveraged technology to deliver care," said Decker. The sophistication of threat actors has evolved – they have the ability to shut down systems and key critical processes and functions, said Decker, who is also chair of the Healthcare and Public Health Sector Coordinating Council Cyber Security Working Group. Because healthcare data assets are high-risk, data management requires a risk-based approach where data managers in the healthcare space must act as "mindful custodians," said Lacey. To improve the cybersecurity posture of healthcare, the Department of Health and Human Services recommends enterprise-wide risk analyses and a series of best practices, including maintaining encrypted data backups, vulnerability scans of all systems and devices, regular patching and updating of operating systems and training employees to reduce vulnerability to phishing and other common cyber attacks. Resources from the HHS 505(d) Program, a collaborative effort between industry and the federal government that was launched in 2015 by Congressional mandate, and other agencies can help increase healthcare cybersecurity, resiliency and cyber hygiene with a number of tools and resources for both small and large providers. But vulnerability management has been the most important part of cybersecurity for the past 20 years, said Lacey.

"Then it turns into, who are the operational leaders that need to be involved in the discussion, and how does this work with your emergency management departments and the activation of command?" said Decker. The structure of cyber incident response command, how it is activated, who are the players and what are their roles and responsibilities should be connected to what the organization already knows through its emergency management channels. "One of the biggest mistakes is that when people do tabletop exercises, they focus just on the IT area – how to respond to a cyber incident – and less on the resiliency of an organization to be able to conduct patient care in the face of adversity," said Santiago. Conducting tabletop exercises are now an important part of building an effective incident response team and plan, the experts said. Though unpredictable things can happen in an actual ransomware event, incident response security exercises can identify areas between various operational units that are vulnerable and illustrate how things can play out, helping to strengthen the information security triad – confidentiality, availability and integrity. "Our workforce members are our most important assets, so continuous regular training of their ability to perform their work is integral to our ability to protect organizations," said Santiago.

"We, for example, do them multiple times a year," she said, adding that her organization schedules monthly tabletops; twice per year with the executive, legal, vendor, compliance and privacy teams and once per year with operations. Although no tabletop exercise can convey a realistic picture of an incident, they said, the drills can help executives and planners find gaps, adding that the exercises can "sharpen group problem-solving under pressure and elevate preparedness provided that they are properly designed, carefully conducted, fully evaluated and actually use results to implement response process improvements." But in terms of time, organizations should and will spend more time on incident and vulnerability protection, he said. Santiago noted that larger healthcare systems with mature programs and the capabilities do tabletop exercises on a regular basis and have been doing them for a long time.

And while many larger provider organizations hire outside consultants to prepare and deliver these incident response drills, several agencies offer guidance and risk assessment tools to support health systems with more limited resources, including the Cybersecurity and Infrastructure Security Agency, which has tabletop exercises specifically designed for healthcare systems and medical groups. Resources like the Health Sector Council's Operational Continuity-Cyber Incident (OCCI) checklist, released in May 2022, can also help organizations get started, said Decker. But the floor is going up a lot, which is really good for healthcare because we've always sat along with municipal governments on the floor in terms of the security maturity of our field," said Lacey. Lacey said CISA's suggestions on how to close off technical vulnerability boundaries in healthcare cybersecurity are things providers should be paying "persistent attention" to.