Navigating an evolving landscape: The healthcare CISO  

From CISO to patient, Achi Lewis, Area Vice President of EMEA for Absolute Software, delves into the complexities and importance of cybersecurity in healthcare. 

In the past, hospitals prioritised locking filing cabinets over securing electronic medical records, and concerns about patient privacy were confined to physical safeguarding. Fast forward to today: the digital landscape has transformed, and healthcare systems need to be more secure than ever.

The realities of cybersecurity and regulatory compliance call for the evolution of the healthcare Chief Information Security Officer (CISO) in order to meet the challenges posed by disruptive cyberthreats. Cyberattacks do more than threaten the bottom line: they can also impair the ability to deliver services and treatment to the public. The pressure that healthcare CISOs face reflects an increased awareness that the focus must shift from cybersecurity to cyber-resilience.

The cost of cybersecurity in healthcare  

According to Security Intelligence, a healthcare data breach is among the costliest types of cyberattacks. The average cost of a data breach across different industries is £3.5 million, which compares to the average cost of a healthcare data breach at £8.59 million. Healthcare has also seen a significant increase in cost of 53.3% over the past three years. Inside these numbers is money associated with detection and escalation activities, post-breach response and lost business.   

As these costs rise, many healthcare organisations face the challenge of recruiting cybersecurity experts. In the 2022 HIMSS Healthcare Cybersecurity Survey, 61% of security professionals said that a core challenge to achieving more robust cybersecurity was a lack of cybersecurity staff, at a time when severe threats such as ransomware remain the key threat to organisations around the world.

Complicating matters further, the average hospital has dozens of connected devices per patient bed, ranging from patient monitors to infusion pumps that perform vital functions. Yet many of these devices are running outdated system versions that are vulnerable to attack.

Traditional endpoints such as tablets and laptops still need protection as well, since any data stolen from them can be uploaded to the dark web. These devices are likely to hold private health information that needs protecting. Tracking and keeping an accurate inventory of technology is a critical security and compliance function: without continuous endpoint visibility, organisations cannot validate that their data is protected.

The cybersecurity landscape, however, extends beyond individual organisations to an interconnected ecosystem of contractors and service providers that may also have access to private health information. Performance Health Technology (PH TECH), a service provider for the Oregon Health Plan, was among the organisations impacted by attacks targeting a critical vulnerability in the MOVEit file transfer software. An investigation found the attacker used MOVEit to access and download data files from PH TECH, impacting more than 1.7 million Oregon Health Plan members.

Strategic focus   

Cyberattacks against the healthcare industry are particularly threatening, directly impacting patient safety and care. A survey conducted by Ponemon Institute and Proofpoint of IT and security professionals in healthcare found that two-thirds of healthcare organisations impacted by ransomware, supply chain attacks and cloud compromise attacks reported disruptions in patient care as a result. The disruptions ranged from an increase in complications in medical procedures to delays in testing.   

Another example, in 2023, was Prospect Medical Holdings, a healthcare provider that operates hospitals, clinics and outpatient services, which fell victim to a cyberattack. The fallout led to some elective surgeries, blood drives, outpatient appointments and other services being put on hold, which can have a detrimental effect on necessary patient care. Such incidents have heightened awareness of the importance of cyber-resilience.

Cyber-resilience   

A key aspect of a CISO's job is balancing the organisation's business and security needs. An effective CISO not only advises the Chief Information Officer, but also engages with key stakeholders to clarify which systems and processes are most at risk from cyberattacks and which are most critical to delivering services. With a focus on business continuity, security and incident response practices will minimise downtime in the event of an attack and strengthen the defence against potential threats.

Implementing an established security framework such as NIST 800-53 aids in prioritising security initiatives. An effective security strategy should cover both physical and digital security, safeguarding against unauthorised physical access to critical systems and ensuring control over devices even when they are offline.

Endpoint security and management technology plays a key role: it improves visibility into the device inventory, enables remote wipe and locating capabilities for lost or stolen devices, and ensures that all security controls remain resilient in the face of technical complexity and attacks. Addressing these challenges is becoming paramount to security and compliance, leading to the emergence of new solutions that industry-leading advisers such as Gartner are calling attention to.
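The visibility argument made above, and in the earlier paragraph on inventory and continuous endpoint visibility, comes down to a simple question a CISO must be able to answer: for every device we know about, can we still prove its protections are in place? The following is an added example, not code from the article or from Absolute Software's products. It assumes a hypothetical inventory export with a last check-in time and a few control states per device, and flags any endpoint whose data protection cannot currently be validated (silent devices, encryption off, unhealthy agent, or an OS below a constructed minimum version). All device records and version floors are constructed sample data.

```python
"""Endpoint visibility check over a constructed device inventory.

Added example (not the article's or Absolute Software's code). It assumes a
hypothetical inventory export in which each endpoint carries a last check-in
timestamp and a few control states, and reports every device whose protection
cannot be validated from that record.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Endpoint:
    host: str
    kind: str            # "laptop", "tablet", "infusion_pump", ...
    os_version: str
    last_seen: datetime  # last successful agent check-in (UTC)
    disk_encrypted: bool
    agent_healthy: bool


# Hypothetical minimum supported versions per device kind (constructed values).
MIN_OS_VERSION = {"laptop": (10, 0), "tablet": (16, 0), "infusion_pump": (3, 2)}


def parse_version(text):
    """Turn '10.2' into (10, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def assess(endpoints, now, max_silence=timedelta(days=7)):
    """Return {host: [findings]} for every endpoint with at least one finding.

    A device that has not checked in within max_silence is flagged even if its
    last known control states look fine: stale data cannot validate protection.
    """
    findings = {}
    for ep in endpoints:
        issues = []
        silence = now - ep.last_seen
        if silence > max_silence:
            issues.append(f"no check-in for {silence.days} days")
        if not ep.disk_encrypted:
            issues.append("disk encryption off")
        if not ep.agent_healthy:
            issues.append("security agent unhealthy")
        floor = MIN_OS_VERSION.get(ep.kind)
        if floor and parse_version(ep.os_version) < floor:
            issues.append(
                f"outdated OS {ep.os_version} (minimum {'.'.join(map(str, floor))})"
            )
        if issues:
            findings[ep.host] = issues
    return findings


def summarise(findings, total):
    """Coverage figure for reporting: share of devices whose protection is validated."""
    validated = total - len(findings)
    return {
        "total": total,
        "validated": validated,
        "flagged": len(findings),
        "validated_pct": round(100 * validated / total, 1) if total else 0.0,
    }


# Constructed sample inventory; hostnames and states are made up for the example.
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)
SAMPLE = [
    Endpoint("ward3-laptop-01", "laptop", "10.2", NOW - timedelta(hours=2), True, True),
    Endpoint("ward3-tablet-07", "tablet", "15.4", NOW - timedelta(days=12), True, False),
    Endpoint("icu-pump-22", "infusion_pump", "3.1", NOW - timedelta(days=1), False, True),
    Endpoint("er-laptop-04", "laptop", "11.0", NOW - timedelta(days=1), False, True),
]

if __name__ == "__main__":
    report = assess(SAMPLE, NOW)
    for host, issues in report.items():
        print(host, "->", "; ".join(issues))
    print(summarise(report, len(SAMPLE)))
```

On the sample data only one of the four devices comes out as validated; the tablet is flagged three times over (silent for 12 days, unhealthy agent, old OS), which is exactly the kind of device that would otherwise sit in the inventory looking protected. The staleness threshold is deliberately a parameter: a ward tablet that checks in daily and an infusion pump that only reaches the network during maintenance warrant different values.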

Absolute has been recognised in the 2023 Gartner Hype Cycle for Endpoint Security, as a representative vendor in the newly identified Automated Security Control Assessment (ASCA) category.  

By focusing on cyber-resilience, CISOs move towards a broader strategy that includes incident response, recovery and continuous risk assessment, rather than focusing solely on threat detection and prevention. Thinking holistically about the threat landscape, risk management and business continuity will allow healthcare CISOs to adapt effectively to whatever challenges 2024 brings.