Healthcare Security Risk Management: How Bad Is It?
Former Healthcare CIO David Finn of CynergisTek Discusses Sector's Weak Spots
During the COVID-19 pandemic, many healthcare sector entities - faced with so many new demands and added pressures - have shifted their attention and resources away from some of the most critical cybersecurity activities, says former healthcare CIO David Finn of consultancy CynergisTek.
For instance, conducting security risk assessments and managing supply chain risk were among key areas of weaknesses last year for many healthcare sector organizations, he says in an interview with Information Security Media Group in which he discusses findings of CynergisTek's The State Of Healthcare Security & Privacy 2021 Annual Report.
The study, among other things, examined healthcare entities' conformance with the National Institute of Standards and Technology's Cybersecurity Framework and the HIPAA Security Rule.
Due to the COVID-19 crisis, many healthcare organizations found themselves dealing "with a whole new model of IT delivery," he says.
"So, a lot of organizations shifted their dollars from assessments to doing other things like buying new mobile devices to send home with staff, physicians and other caregivers. So, funds that would have gone to assessments and understanding what needed to be [mitigated] dried up and got used in other ways," he says.
"Unfortunately, that portends an even worse year next year, because a lot of those funds and the changes they were used to make with remote workers, telehealth - there were no assessments going on about the new risks that were being introduced. So, we're going to be a little farther behind in these areas, and we haven't been addressing them as they happen."
Supply Chain Issues
Meanwhile, supply chain risk management is also presenting challenges, the report shows.
"From SolarWinds to Colonial Pipeline to Microsoft to meatpacking plants - supply chain is just a whole new threat vector and an attack surface for everyone, but for healthcare in particular - and I'm not sure we have the focus there," he says.
"So it’s a good idea, with your own supply chain, to look downstream to see what [vendors] are doing in the event of a cyber incident, or the kinds of massive breakdowns we've seen in the supply chain across all sectors."
In this video interview, Finn, a featured speaker at the recent Healthcare Information and Management Systems Society 2021 conference in Las Vegas, also discusses:
- Disturbing ransomware trends in the healthcare sector;
- Common weaknesses in incident response and disaster recovery plans;
- Top medical device cybersecurity challenges.
Finn, executive vice president of strategic innovation at CynergisTek, previously was health IT officer at security vendor Symantec. Prior to that, he was CIO and vice president of information services at Texas Children's Hospital, where he also served as the privacy and security officer. He has more than 30 years of experience in the planning, management and control of IT and business processes.