Why Is Healthcare Sector So Vulnerable to Cyberattacks?
Interview With CISO Dave Summitt, a Featured Speaker at ISMG's Healthcare Security Conference
A lack of understanding among senior leaders about the seriousness of cyber threats and a shortage of experienced information security staff are two key factors that make the healthcare sector vulnerable to cyberattacks, says Dave Summitt, CISO of the H. Lee Moffitt Cancer Center and Research Institute in Tampa, Fla.
Many covered entities and business associates "are starting to do a better job, but we are still a long way from really securing organizations," says Summitt, who was a featured speaker at Information Security Media Group's Healthcare Security Summit in New York on Nov. 1 and 2.
In addition to the severe shortage "of qualified and experienced cybersecurity people," many organizations' information security departments "are just not large enough to handle what is going on," he says. "It takes dedication, resources and time for someone to actually watch the network and the applications."
Another area of concern, Summitt says, is "a lack of understanding of exactly what their network is supposed to look like under normal operations, what their applications are really doing, where their applications are within the organization and where their protected health information resides. And if you don't know where that is, or what it's supposed to look like, it makes it very challenging to protect those assets."
In this audio interview, Summitt also discusses:
- Suggestions for how healthcare entities and business associates can improve their approach to data security;
- Tips for getting buy-in from senior leadership to ensure support for appropriate information security resources;
- Predictions about the top cybersecurity challenges in 2017.
Before becoming CISO at the Florida cancer center, Summitt spent 21 years at the Department of Defense, where he held various roles, including the Naval Sea Systems Command's technical representative for a major missile defense program, security data custodian, information systems security officer, data and configuration manager, and change control chairman for several military programs.