What Were the Biggest Cybersecurity Lessons Learned at HIMSS21?
HIMSS21 took place later in the year than usual, due to the uncertainty surrounding the COVID-19 pandemic. Despite the Delta variant’s attempt to bring in-person events once again to a screeching halt, the conference, sponsored by the Chicago-based Healthcare Information & Management Systems Society (HIMSS), took place at the Venetian-Sands Expo Center, Caesars Forum Conference Center, and Wynn in Las Vegas on Aug. 9-13. All attendees were required to be vaccinated, and masks were required per Nevada’s statewide mandate at the time.
At the conference, I had the privilege of attending a number of learning sessions and forums, many of which focused on cybersecurity. If I could sum up what I heard over and over and over in these sessions in two words, they would be: collaboration and resiliency.
Collaboration includes involving third-party vendors, according to Sri Bharadwaj, vice president of digital innovation and applications at the Mishawaka, Ind.-based Franciscan Alliance, who was one of the panelists on “Healthcare Cybersecurity Leadership Panel: State of the Industry,” which took place during the Healthcare Cybersecurity Forum on Monday, Aug. 9. On that day I wrote, “Bharadwaj commented, ‘Make sure you have a conversation with the vendors to understand what they're doing, if you don't have that dialogue, you're more vulnerable.’”
In that same forum, Theresa Lanowitz, head evangelist at San Mateo, Calif.-based AT&T Business – Cybersecurity, and Keith Weisman, senior director, systems engineering at Mountain View, Calif.-based SentinelOne, presented some highlights from the 2021 AT&T Cybersecurity Insights Report, and stressed the importance of collaboration and working together on all levels throughout one’s organization. In that same article I wrote, “Further, the report page states, as did Lanowitz and Weisman in their presentation, ‘Teamwork between IT and business leaders is key to a business' ability to grow and remain competitive.’”
In a learning session titled “Building a Case for Medical Device Security,” presented by David Finn, executive vice president of strategic innovation for the Austin, Texas-based CynergisTek, and Priyanka Upendra, a consultant and healthcare technology management professional, Finn emphasized the need for collaboration as well. Finn said that “Tools and metrics don’t fix problems; they help identify problems. Problems at the end of day get fixed with processes and processes are written by people—workflow redesign must be done at a most basic level.”
Regarding resiliency, Michael Coates, former CISO of Twitter and former head of security at Mozilla, replied simply when asked during the “Healthcare Cybersecurity Leadership Panel: State of the Industry” what steps companies can take to improve their resiliency. I wrote on Aug. 10, “‘The most important thing to take away with resiliency is that it should be boring. We should get away from sexy cybersecurity,’ Coates responded. ‘What builds resiliency is fundamentals. It is boring and hard doing the things you know you need to do across the board for your organization all the time, but it is what you need to do.’”
Admiral Michael Rogers, former director, National Security Agency and former Commander, U.S. Cyber Command, was part of the panel as well. I wrote, “Adm. Rogers added that ‘Because we didn’t focus on resilience, we increased the probability of successful penetration. So, what does that mean for us?’ He explained that the actors are getting more aggressive, and he knew things were fundamentally changing when he saw ‘regular’ criminals carrying out attacks that he had only previously seen in nation state hackers, like attacking supply chain. He added that ‘We need to step back and reassess.’”
The two themes of collaboration and resiliency should be taken into consideration by organizations to, at the very least, improve their preparedness, which is currently lacking.
On July 30, Healthcare Innovation Editor-in-Chief Mark Hagland published an article on CynergisTek’s fourth annual report on cybersecurity preparedness, which “found that nearly two-thirds of U.S. health systems are woefully unprepared for the cyber threats to come.”
Hagland wrote that “Indeed, CynergisTek’s leaders, in their fourth annual report on the state of U.S. health system cybersecurity preparedness, entitled ‘Maturity Paradox: New World, New Threats, New Focus,’ found in their analysis that fully 64 percent of organizations were below an 80-percent level of preparedness.”
Hagland continued in his piece, “Further, it noted, ‘Assessments were categorized into two cohorts: high performers with NIST conformance scores over 80 percent and low performers with conformance scores under 80 percent. CynergisTek’s 2021 report focuses on the industry’s overall status in cybersecurity preparedness, with 64 percent of organizations below 80 percent conformance. The report identified several areas for continued improvement in planning and preparedness, especially seeing as only 75 percent improved during the coronavirus pandemic—even then only slightly. While that is progress, it isn’t the progress the industry needs to shore up defenses. Investing in security, in the long run, is often ultimately more cost effective than paying the recent exorbitant ransoms.’”
In that same article, Hagland had a conversation with Finn of CynergisTek. Hagland reported, “The first thing here is that we have to take security seriously, and I’ve been saying this for twenty-some years now. If twenty-twenty hadn’t done it, people should understand that security and privacy aren’t just elements of your business, they are your business. And this isn’t just healthcare; we’ve seen pipelines, meat processing plants, schools, and all sorts of businesses get hit. I just read a stat on January twenty-sixteen through December twenty-twenty. Four-thousand daily ransomware attacks in the U.S. And we’re still not preparing for it. You just need to be ready all the time.”
It seems clear that incorporating the ideas of collaboration and resiliency on multiple levels within an organization will help improve preparedness. I’m interested to see what the themes at HIMSS22 will be surrounding cybersecurity. Considering it is planned for March 14-18, 2022, we won’t have to wait that long to find out what, if anything, has changed in such a short period of time.