NCSA on Cybersecurity: ‘Update, Update, Update’

By Scott Mace

The National Cyber Security Alliance (NCSA) has been on the front lines of the cyber-assault by criminals on businesses, especially healthcare, since well before the pandemic struck.

NCSA executive director Kelvin Coleman recently spoke with HealthLeaders about the continuing threat posed by criminals who see healthcare as one of the biggest, most lucrative targets for their ever-increasing cyber-intrusion capabilities.

HealthLeaders: What marketplace trends are impacting cybersecurity?

Kelvin Coleman: What we’re seeing now is the digital transformation in healthcare. By 2025, four short years from now, it’s going to be at about $210 billion invested. Compare that to $76 billion, just a couple of years ago, a threefold increase. We know, for example, virtual healthcare assistants—that market including smart speakers and conversational platform chatbots—is going to hit about $2.8 billion in a couple of years. COVID has really fueled it. We’re seeing telehealth visits jump 175 times what they were pre-pandemic levels. These numbers are clearly pointing to the transformation, the evolution of the telehealth market, and we’re not going back anytime soon.

HL: What is NCSA’s big call to action?

Coleman: Right now, the big call to action is update, update, update. The telehealth industry relies on a lot of legacy systems, and we need to be able to update the systems and come into a much more modern era. The healthcare industry, particularly telehealth, relies on connected devices. The call to action for a lot of these healthcare providers is to come into the 21st century, getting rid of legacy programs. Some of them are still running Windows 7. There’s absolutely no excuse for that. 83% of imaging devices run on outdated operating systems like Windows 7. So that’s the first call to action.

The second call to action is an overwhelming show of force as it relates to training and awareness. That’s still a big piece of what we do in terms of making sure folks stay safe in a physical security environment, when it comes to active shooters. We train people how to deal with that situation. If a fire comes, everyone knows what to do from the fire drill. When it comes to bad weather, inclement weather, you know what to do during that drill. Well, in the same way, people need to be trained in technology, to be sure that they understand what to do during a potential hack. That same training program, we’re absolutely advocating for healthcare providers. Those two things alone will get us a long way to realizing a safer environment: updating legacy systems and certainly enacting a very robust training and awareness program.

HL: With all the attacks that have taken place, particularly ransomware, is it possible people are experiencing “security fatigue,” in a fashion similar to COVID fatigue?

Coleman: We know hospital systems have been hacked. We know that some have been held hostage by ransomware. And so the fatigue is really almost irrelevant because you’re protecting patients’ information. You’re protecting the integrity of what you’re doing as a healthcare provider. I would imagine when the seatbelt campaign started, decades ago, some would have said having seatbelt fatigue is kind of over the top. Well, we now know that it’s a regular part of life. All these public service announcements can perhaps tire you out, but are very much needed. We have to continue to imprint upon people that this is just where we are today. Change the culture on how people see this.

HL: The SolarWinds hack took place way upstream in the supply chain. Certainly people are becoming aware of that kind of attack, but the potential for harm far outstrips the ability of a lot of end users somewhere to actually do anything about it. Can you share your thoughts?

Coleman: Make sure whatever third-party vendor you’re dealing with has just as robust of a security policy as you have for yourself. Robust passwords, multi-factor authentication, while these things aren’t very exciting, they’re very effective for the end user to better protect themselves and their organization against attacks.

HL: Regarding security, what three things should leadership in healthcare focus on first?

Coleman: You can put in a training and awareness program tomorrow. Make sure you have a robust, thorough password and multi-factor authentication policy. Finally, start to identify your legacy systems. Again, that’s easy enough to do. Those three things alone will get you a long way, in terms of helping your system.

HL: When an organization gets attacked, it can be quite useful for that information to be shared with other similar organizations. How do you score healthcare today in terms of reporting and sharing information on hacks and threats? Are those people stepping forward in meaningful amounts to share that information?

Coleman: They’re getting much, much better at just sharing this information. You look at the health IT sector, ISAC, and other organizations, they are really on board with making sure everyone is protected. So yeah, they’re getting much better.

HL: While there’s certainly never going to be a day when there will be no attacks, will we flatten the curve of attacks at some point, or is that unrealistic?

Coleman: Yes. Not unrealistic at all.

HL: So when will that happen?

Coleman: We are heading in that direction. Y2K was only 20 years ago. After that particular time, the technology revolution really took off. In the next iteration, security is going to be very top of mind, because organizations realize that it’s a business case. If I don’t feel comfortable that you’re going to keep my information safe, or keep my account safe, with [the] potential to be hacked, I’m probably not going to do business with you.

Scott Mace is a contributing writer for HealthLeaders.