
A
Hi everyone, this is Brian Zimmerman with Becker's Healthcare. Thank you so much for tuning into the Becker's Healthcare podcast. Today we're going to talk about key strategies healthcare leaders can use to strengthen their cybersecurity posture in an increasingly complex threat landscape. Joining me for this conversation is Tommy West, Enterprise Fellow Security Architecture with CereCore. Tommy, thank you for being here.
B
Glad to be here. Thanks for the invite.
A
Yeah, so let's get right into it. You know, we're going to talk about how to strengthen and maintain security posture. Let's begin with this. If you were to give healthcare leaders a couple of focus areas, places they should definitely be paying attention to, what would they be? And also how do you recommend they get started?
B
Sure. Well, it's a big topic. Let's start with what we're defending against. Over the last several years, the causes of most breaches still boil down to just a few things. Primarily compromised credentials, user-run malware, and unpatched vulnerabilities, particularly on external-facing systems. So given that backdrop, the first focus area I would suggest would be the human element. This would include things like continuous adaptive training. So moving beyond annual click-through modules and adaptive, you know, adopt microlearning, gamification and phishing simulations that are tailored to current threats, and then foster a speak-up culture. Encourage employees to report suspicious activities and give them clear, easy to use channels for doing so. And on top of that, recognize and reward proactive security behaviors. I know I'm talking the human element here, but just a dab of technology. Prioritize privileged access management. You really get a lot of benefit with relatively low effort when you restrict administrative access to only what's necessary and for the time it's needed. And implement strong authentication for those privileged accounts. Basically practice strong identity and access hygiene across the board. Be more data-centric, particularly at the edge and beyond. Healthcare data is still the crown jewel for threat actors. We all know this. And with the transition to remote work, migration of cloud services, and having connected devices from anywhere, that notion of a traditional network perimeter is a thing of the past for the most part. So security needs to follow the data, the device and the user. In practice, that would include things like establishing a data management program. So understanding what data you have and where sensitive data resides, both structured and unstructured, making sure that that data is classified and protected accordingly, and using DLP to prevent unauthorized exfiltration.
That data management program should also establish a committee with leaders across the organization who regularly review and respond to changes that impact that data ecosystem. And if you haven't already, start your zero trust architecture journey. Assume that no user, device or app can be trusted by default, regardless of location. Continuously verify identity, verify that device posture on an ongoing basis, and access privileges in any connection should be evaluated. And then lastly, focus on API security. I saw a stat recently from Pew Research suggesting that 83% of Internet traffic was API data flows. I don't remember how that was quantified, but even if it's only halfway correct, you're still looking at north of 40% of Internet traffic being API traffic. So in the healthcare space we leverage a lot of third party services and use APIs for data exchange. To protect those channels, I'd recommend implementing API gateways, applying strict access controls and just looking at ways to monitor API usage and vulnerabilities.
A
Yeah, Tommy, I think those are broadly applicable to many organizations and great starting points, wonderful tactics for folks to get started with. But every healthcare organization is different, speaking to the human element as well. Building culture, a speak-up culture. Building culture in any organization might look different depending on the organization's composition, what they've got going on there. So I guess the question I want to put to you then: how do you tailor cybersecurity strategies to align with, I guess, the unique operational needs, regulatory needs of certain healthcare organizations?
B
Sure. Well, in my mind it really starts and ends with delivering patient care. So we should deep dive into clinical workflows and patient safety first. You know, a cyber incident can interrupt surgeries, it can disrupt patient monitoring, it can affect medication dispensing and other critical operations. Right. So cyber strategy should prioritize clinical continuity and operational resilience first. That could take the form of conducting clinical impact assessments for potential cyber scenarios and just prioritizing security controls that protect those clinical patient care systems first. So your PACS machines, your infusion pumps, and where possible, involve clinicians in that incident response planning. Bring those voices into our IR plans. From a regulatory perspective, that's a good point as well. We need to hyper-focus on data locality and regulatory nuance around that. As you know, healthcare operates under stringent and sometimes conflicting data privacy regulations. You know, we've got HIPAA in the US, GDPR in Europe, state-specific laws like the CCPA in California, and even international standards for global providers. So strategies need to account for where data resides, whether that's on-prem or in the cloud. And in the cloud, where in the cloud from a regional perspective, or whether it's a hybrid build, you know, how's that data accessed and who has jurisdiction. That sort of leans on a point I made earlier around having a data management program where we can implement data mapping and classification schemes and leverage data governance tools to track data flow and compliance. And third, we can't overlook operational resilience and disaster recovery beyond IT. Downtime isn't just a revenue problem, it can truly impact life or death in some scenarios.
So strategies should integrate with organizational DR and business continuity plans extending beyond IT systems that include things like clinical operations, physical facility considerations or supply chain resilience. So what does that look like on the technology side? Let's explore options like immutable backups and off-site data vaults to help with rapid recovery. And then lastly, I have to mention vendor risk management. Healthcare relies heavily on third party vendors. This is our EHR providers, cloud hosts, medical device manufacturers and so forth. And all of those, or a lot of those, have access into our facilities, and each one of those vendors represents a potential attack vector. So we need a comprehensive vendor risk management program going beyond questionnaire-based assessments and requiring those vendors to demonstrate security control effectiveness through independent audits. These are our SOC 2 Type 2 reports, including strong security clauses and right-to-audit provisions in all of our contracts. And then for medical device manufacturers, demand that bill of materials transparency and get commitments for patching and ongoing security support.
A
I want to zoom in there on sort of the vulnerability of medical and connected devices. It seems to me that this could be an area that's largely underestimated and that these devices can create entry points for bad actors, as you've pointed out. Can you talk a bit about the essentials here for managing medical device risks specifically?
B
Sure, I agree medical device risk is a big one and there are some best practices that should sound familiar. We're going to go back to some fundamentals here, but they all apply. You can't protect what you don't know that you have, right? So the first thing is having a comprehensive device inventory and asset management program, something that goes beyond a basic spreadsheet sort of framework. You need a dynamic, continuously updated inventory of all connected devices, not just medical, but your IoT devices and OT devices. And in that inventory include all of their contextual attributes like their IP, MAC address, OS, firmware versions, network connectivity. All of that stuff will really help in vulnerability management and incident response. Second, a common strategy is leveraging network segmentation for legacy medical devices that can't be patched or updated. Besides replacement, the most effective control is still isolation, but for the rest, implement strict network segmentation to separate medical devices from other networks, and you can go further with micro-segmentation, isolating devices within clinical areas or even individual devices themselves. And in every case limit that device communication to only what's absolutely necessary to function, right. Another essential, no surprise, again a fundamental, is having a continuous vulnerability management and patching strategy. Traditional patching cycles often don't work for medical devices, but there are still vulnerabilities that must be managed. So work closely with those device manufacturers, understand what the patching capabilities and limitations are for those, and be sure to regularly review security advisories from those manufacturers. The last essential I'll mention is behavioral anomaly detection and threat monitoring. Since traditional endpoint security often can't run on those devices, monitoring their behavior is crucial.
So there are specialized IoMT security platforms that can passively monitor network traffic and device behavior for anomalous activity. These are things like the device attempting to connect to an unusual external IP, unusual data exfiltration patterns, or using unauthorized ports and protocols. And then integrate those alerts into your security event logging solution or forward them to your monitoring service for centralized correlation and faster incident response. All of that stuff should sound very familiar. Again, fundamentals still apply.
A
Yeah, thank you so much, Tommy. And I think, you know, CIOs listening to this or other tech leaders within health systems are probably not hard to get their buy-in and help them and have them understand what the vulnerabilities are here and why this is such a top priority. But to really create a comprehensive security culture, I'd say, or comprehensive security strategy, you've got to have that buy-in from the top as well, from other leaders also. So when healthcare CIOs have an audience with their boards, governance committees or other leaders, I guess what would you suggest they sort of bring to the table to review so other leaders can help understand their security posture and risk, so that they can effectively and accurately evaluate what cybersecurity investments they should make?
B
Yeah, there's a few best practices there for those indicators. It's really important to have the right messaging. You know, we want to move the cybersecurity conversation from being a cost center to an enabler of patient care, operational resilience and strategic advantage even. Right. So the key metric should not be breach or no breach. That's unrealistic. But there are still leaders out there that think that way. And you know, I understand, but a few of the key indicators I'd suggest would be, first, mean time to detect and mean time to respond trends, you know, presenting those metrics over time, whether it's quarter over quarter, year over year. A decreasing mean time to detect shows improving visibility and threat intelligence, and a decreasing mean time to respond shows improving incident response capabilities. Right, and that matters to the board because it demonstrates operational efficiency in mitigating cyber threats. Shorter times could mean less operational disruption and lower overall breach cost. And it quantifies the effectiveness of security investments in those detection and response technologies and processes. A second indicator is, well, boards manage enterprise risk, to your point. So demonstrate the organization's cyber risk posture against its defined risk appetite. So that quantified risk, we're not talking about listing just vulnerabilities here, but presenting a quantified view of your organization's cyber risk, ideally mapped to specific business processes or critical assets. For example, the risk of EHR unavailability is high and exceeds a board-defined appetite for medium. So the framework should translate that technical risk into business impact. So your potential financial loss, potential safety impact, reputational damage, highlight the top three to five risks with their potential impacts.
And so that approach would translate cybersecurity into their language and helps them understand where the greatest exposures are and whether current investments align with acceptable risk levels. It also directly ties cybersecurity spend to risk reduction. Third, you have to show security control effectiveness. There's a lot of investments in that space. This is your patch compliance, your MFA adoption, phishing success rates, that type of thing. And again we're going beyond showing just the presence of controls. For example, a percentage of critical systems with 90% patch compliance within X days, percentage of privileged accounts protected by multi-factor authentication, the average click-through rate on simulated phishing campaigns and the trending information around that. Or even the number of attempted intrusions that were blocked by your perimeter defenses. So those type of metrics demonstrate operational strength and evidence that the security policies are being enforced and showing measurable improvements. Lastly, I've just got one more here that's key. Something around incident response readiness, for example, your tabletop exercise outcomes and remediation progress. Report on the frequency and scope of those. More importantly, highlight the key findings and the identified gaps and progress made on those remediation plans. This shows proactive preparation, continuous improvement and our ability to maintain continuity of operations under duress. You know, there's no shortage of data and interpretation in the cyber space and the threat landscape continues to change rapidly. So these indicators can and should change over time.
A
Tommy, I'm really struck today by just how solutions-focused your responses have been. I think you and I could easily hang out here and sort of lament the problem for 15, 20 minutes, but I think you got right to some solutions. Some tactical stuff, strategic stuff as well, for folks to embrace and try to deploy at their own organizations. Is there anything we didn't touch on today you want to leave listeners with, or anything you want to reemphasize, maybe? Final words from you?
B
Yeah, I think it all boils back down to the fundamentals. Like I mentioned up front, and with a lot of these suggestions, keep focused on the fundamentals. Strong authentication, multi-factor authentication, encryption, vulnerability management, all of those core capabilities really make the difference. It's just we've got to be able to show their effectiveness when you're engaging with the board, right?
A
Absolutely. Tommy, thank you so much for coming on the podcast today.
B
Thank you for the invite. Appreciate it.
A
We also want to thank our podcast sponsor, CereCore. You can tune in to more podcasts from Becker's Healthcare by visiting our podcast page at beckershospitalreview.com.
Podcast Summary: Building Cyber Resilience in Healthcare: Key Strategies with Tommy West of CereCore
Becker’s Healthcare Podcast released an insightful episode on August 6, 2025, titled "Building Cyber Resilience in Healthcare: Key Strategies with Tommy West of CereCore." Hosted by Brian Zimmerman, the episode delves into essential strategies healthcare leaders can employ to bolster their cybersecurity defenses amidst an increasingly intricate threat landscape. Tommy West, Enterprise Fellow Security Architecture at CereCore, shares his expertise on effectively navigating and mitigating cyber threats within the healthcare sector.
Tommy West emphasizes that understanding the primary threats is foundational to enhancing cybersecurity. He identifies the main culprits behind breaches as compromised credentials, user-run malware, and unpatched vulnerabilities, especially in external-facing systems.
Human Element Focus: West advocates for prioritizing the human aspect of cybersecurity. He suggests implementing continuous adaptive training that moves beyond traditional annual modules to include microlearning, gamification, and tailored phishing simulations. "Encourage employees to report suspicious activities and give them clear, easy to use channels for doing so" ([00:43] B).
Privileged Access Management: Restricting administrative access to only necessary personnel and implementing strong authentication for privileged accounts are crucial steps. West advises practicing robust identity and access hygiene across the organization.
Data-Centric Security: With healthcare data being a prime target, West recommends establishing a comprehensive data management program. This involves understanding data locations, classifying sensitive information, and utilizing Data Loss Prevention (DLP) tools to prevent unauthorized data exfiltration.
Zero Trust Architecture: Adopting a zero-trust approach means no user, device, or application is trusted by default. Continuous verification of identities, device postures, and access privileges is essential.
API Security: Given that a significant portion of internet traffic involves APIs, West underscores the importance of securing API channels through gateways, strict access controls, and continuous monitoring for vulnerabilities. "In the healthcare space we leverage a lot of third party services and use APIs for data exchange" ([02:00] B).
Recognizing that each healthcare organization has unique operational and regulatory requirements, West provides strategies to customize cybersecurity measures accordingly.
Prioritizing Patient Care Continuity: Cyber incidents can disrupt critical operations like surgeries and patient monitoring. West advises conducting clinical impact assessments to prioritize security controls that safeguard essential clinical systems. "Cyber strategy should prioritize clinical continuity and operational resilience first" ([04:25] B).
Navigating Regulatory Complexities: Healthcare organizations must adhere to various data privacy regulations such as HIPAA, GDPR, and CCPA. Implementing a data management program that includes data mapping and classification is vital for compliance. "Strategies need to account for where data resides, whether that's on-prem or in the cloud" ([04:25] B).
Ensuring Operational Resilience: Beyond IT systems, strategies should encompass clinical operations, physical facilities, and supply chain resilience. Technological solutions like immutable backups and off-site data vaults facilitate rapid recovery from disruptions.
Vendor Risk Management: Given the reliance on third-party vendors, West highlights the necessity of a comprehensive vendor risk management program. This includes requiring vendors to demonstrate security control effectiveness through independent audits and ensuring contractual security clauses are in place.
Medical and IoT devices present significant entry points for cyber threats. West outlines best practices to manage these risks effectively.
Comprehensive Device Inventory: Maintaining an up-to-date inventory of all connected devices, including their IP addresses, firmware versions, and network connectivity, is fundamental. "You need a dynamic, continuously updated inventory of all connected devices" ([07:49] B).
Network Segmentation: Isolating medical devices from other networks limits potential attack vectors. For devices that cannot be patched, strict isolation or micro-segmentation within clinical areas is recommended.
Continuous Vulnerability Management: Regularly reviewing security advisories and collaborating with device manufacturers to understand patching capabilities ensures vulnerabilities are promptly addressed.
Behavioral Anomaly Detection: Implementing specialized IoMT security platforms to monitor device behavior for anomalies helps in early detection of potential threats. "Monitoring their behavior is crucial" ([07:49] B).
Effective communication with boards and governance committees is essential for securing buy-in and adequate cybersecurity investments.
Shift in Messaging: West advocates for framing cybersecurity as an enabler of patient care and operational resilience rather than merely a defensive measure. "Move the cybersecurity conversation from being a cost center to an enabler of patient care" ([11:12] B).
Key Metrics to Present:
Mean time to detect and mean time to respond, trended quarter over quarter or year over year, where a downward trend shows improving visibility and incident response capability.
Quantified cyber risk mapped to business processes or critical assets and compared against the board-defined risk appetite, expressed as potential financial loss, safety impact and reputational damage, with the top three to five risks highlighted.
Security control effectiveness, such as patch compliance on critical systems within a defined window, the percentage of privileged accounts protected by multi-factor authentication, and simulated-phishing click-through trends.
Incident response readiness, including tabletop exercise frequency and scope, identified gaps and progress on remediation plans.
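The indicators West lists are only useful to a board if they are computed consistently from operational data. The following added example, not from the podcast or from CereCore, derives each indicator family (detect/respond trend by quarter, quantified risk against a board-defined appetite, control effectiveness, and tabletop remediation progress) from constructed records of the kind a ticketing system, CMDB and identity platform would hold. All incidents, systems, accounts, campaigns and risks are constructed sample data, and the field names are assumptions.

```python
"""Board-level cyber indicators computed from operational records (added example)."""
from datetime import datetime
from statistics import mean

FMT = "%Y-%m-%dT%H:%M"

# Constructed incidents: first attacker activity, SOC detection, containment.
INCIDENTS = [
    {"quarter": "2025Q1", "first_activity": "2025-01-10T02:00", "detected": "2025-01-12T09:00", "contained": "2025-01-13T17:00"},
    {"quarter": "2025Q1", "first_activity": "2025-02-03T14:00", "detected": "2025-02-04T08:00", "contained": "2025-02-04T20:00"},
    {"quarter": "2025Q2", "first_activity": "2025-04-15T11:00", "detected": "2025-04-15T19:00", "contained": "2025-04-16T03:00"},
    {"quarter": "2025Q2", "first_activity": "2025-05-20T06:00", "detected": "2025-05-20T10:00", "contained": "2025-05-20T16:00"},
]

# Constructed risk register; ordinal levels make comparison to appetite possible.
RISK_LEVELS = {"low": 1, "medium": 2, "high": 3, "critical": 4}
RISK_REGISTER = [
    {"asset": "EHR availability", "level": "high", "impact": "delayed care, downtime procedures, revenue loss"},
    {"asset": "PACS image integrity", "level": "medium", "impact": "misdiagnosis risk, repeat imaging"},
    {"asset": "Guest Wi-Fi", "level": "low", "impact": "minor service disruption"},
]

# Constructed control evidence: patch dates on critical systems, MFA status
# of privileged accounts, phishing simulation results, tabletop findings.
CRITICAL_SYSTEMS = [
    {"name": "ehr-app-01", "patch_released": "2025-06-01", "patched": "2025-06-15"},
    {"name": "ehr-db-01", "patch_released": "2025-06-01", "patched": "2025-07-20"},
    {"name": "pacs-archive", "patch_released": "2025-06-10", "patched": None},
    {"name": "idp-01", "patch_released": "2025-06-05", "patched": "2025-06-06"},
]
PRIVILEGED_ACCOUNTS = [{"user": f"admin{i}", "mfa": i != 3} for i in range(5)]
PHISHING_CAMPAIGNS = [{"quarter": "2025Q1", "sent": 1000, "clicked": 120},
                      {"quarter": "2025Q2", "sent": 1000, "clicked": 70}]
TABLETOPS = [{"exercise": "ransomware tabletop 2025Q1", "findings": 6, "remediated": 4}]


def _hours(start, end):
    """Elapsed hours between two timestamps in FMT."""
    return (datetime.strptime(end, FMT) - datetime.strptime(start, FMT)).total_seconds() / 3600


def mttd_mttr_by_quarter(incidents):
    """Mean time to detect / respond (hours) per quarter, for trending."""
    out = {}
    for q in sorted({i["quarter"] for i in incidents}):
        qs = [i for i in incidents if i["quarter"] == q]
        out[q] = {"mttd_hours": round(mean(_hours(i["first_activity"], i["detected"]) for i in qs), 1),
                  "mttr_hours": round(mean(_hours(i["detected"], i["contained"]) for i in qs), 1)}
    return out


def risks_exceeding_appetite(register, appetite):
    """Risks rated above the board-defined appetite, with their business impact."""
    limit = RISK_LEVELS[appetite]
    return [r for r in register if RISK_LEVELS[r["level"]] > limit]


def patch_compliance_pct(systems, within_days):
    """Share of critical systems patched within the agreed window (unpatched count as non-compliant)."""
    ok = 0
    for s in systems:
        if s["patched"] is None:
            continue
        released = datetime.strptime(s["patch_released"], "%Y-%m-%d")
        patched = datetime.strptime(s["patched"], "%Y-%m-%d")
        ok += (patched - released).days <= within_days
    return round(100 * ok / len(systems), 1)


def mfa_coverage_pct(accounts):
    """Share of privileged accounts protected by multi-factor authentication."""
    return round(100 * sum(a["mfa"] for a in accounts) / len(accounts), 1)


def phishing_click_rate(campaigns):
    """Simulated-phishing click-through rate per quarter."""
    return {c["quarter"]: round(100 * c["clicked"] / c["sent"], 1) for c in campaigns}


def remediation_progress_pct(exercises):
    """Share of tabletop findings that have been remediated."""
    return round(100 * sum(e["remediated"] for e in exercises) / sum(e["findings"] for e in exercises), 1)


def board_summary(appetite="medium", patch_window_days=30):
    """Assemble the indicators into one structure a board report can render."""
    return {
        "detect_respond_trend": mttd_mttr_by_quarter(INCIDENTS),
        "risks_above_appetite": [r["asset"] for r in risks_exceeding_appetite(RISK_REGISTER, appetite)],
        "patch_compliance_pct": patch_compliance_pct(CRITICAL_SYSTEMS, patch_window_days),
        "privileged_mfa_pct": mfa_coverage_pct(PRIVILEGED_ACCOUNTS),
        "phishing_click_rate_pct": phishing_click_rate(PHISHING_CAMPAIGNS),
        "tabletop_remediation_pct": remediation_progress_pct(TABLETOPS),
    }


if __name__ == "__main__":
    print(board_summary())
```

On the sample data the detect/respond means fall from 36.5 h and 22 h in Q1 to 6 h and 7 h in Q2, one risk (EHR availability, rated high) sits above the medium appetite, and critical-system patch compliance within 30 days is 50%. Note that the patch metric treats a system with no recorded patch as non-compliant rather than dropping it, which is the choice that keeps the percentage honest when the CMDB is incomplete.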
In concluding the discussion, West reiterates the importance of adhering to cybersecurity fundamentals. Strong authentication, multi-factor authentication, encryption, and robust vulnerability management are cornerstones of an effective security strategy. "Keep focused on the fundamentals. Strong authentication, multi-factor authentication, encryption, vulnerability management, all of those core capabilities really make the difference" ([15:11] B).
Tommy West's comprehensive insights provide healthcare leaders with actionable strategies to enhance their cybersecurity resilience. By focusing on the human element, prioritizing critical assets, managing device risks, and effectively communicating with organizational leaders, healthcare institutions can navigate the complex cyber threat landscape with greater confidence and preparedness.