HIMSS23 Cyber Keynote Stresses ‘Secure by Default, Secure by Design’
On the first day of HIMSS23, April 17, being held at McCormick Place Convention Center in Chicago, Nitin Natarajan, deputy director, Cybersecurity and Infrastructure Security Agency (CISA), U.S. Department of Homeland Security, presented the Cybersecurity Forum’s Keynote, entitled “Hacking Healthcare – How the Cybersecurity and Infrastructure Security Agency is Here to Help.”
Natarajan explained that one of CISA’s major goals for this year is “secure by default, secure by design.” He said that manufacturers and developers should be held more accountable, so consumers know what they are buying and investing in. He added that strong security features should be built in [to the product] up front, so that it comes out of the box with a basic level of security.
“That’s what I mean by secure by default,” he said. “So, we know what we are getting is truly secure. This needs to be done across industries and sectors throughout the U.S.”
Natarajan then joked that he compares security to taking care of a car, except that in healthcare you are taking the car in to be serviced once a month rather than once or twice a year.
He then brought up the concept of corporate cyber responsibility. Chief information security officers (CISOs) have a budget and often have to ask, perhaps, the chief executive officer (CEO) for more money to buy, for example, IT equipment. “And he doesn’t understand what I’m talking about,” Natarajan said. “It’s a lack of understanding of what we need to really protect our organizations. This year, we need to talk more about risk to our CEOs and educate them on cyber risk.”
He stressed that this year IT security professionals should spend a lot of time at their organizations on risk identification and risk mitigation. He said, “We need to make sure they understand the risks that we are accepting; most organizations’ CEOs and the board don’t really understand the CISOs’ [concerns].”
Next, Natarajan changed the topic to collaboration. “How do we collaborate?” he asked. “How can we take cyber and make it less transactional? We work together 365 days a year with partners, human engagement, and need to share information and best practices to understand each other and get out of these ‘transactional’ engagements.”
Natarajan then said we are seeing technology advance in our regular lives every day, and even more in our professional lives. He joked that we now have connected refrigerators, although he is not sure why smart refrigerators are even “a thing.”
“It will be amazing to see where healthcare is in five years,” he said. “It is exciting but also scary. There are so many potential risk factors.”
Natarajan urged the audience to look at the basics. “Think before you click,” he exclaimed. “There are still people who think they will get a million dollars from an email if they click [a suspicious link].”
He added that phishing emails have gotten much better over the years. It used to be easy to identify them, but as attackers’ sophistication has progressed, so have phishing scams. Organizations, he suggested, should keep their software updated and use strong passwords to adapt to the ever-evolving threats.
Additionally, he said, every person at an organization should be aware of cybersecurity best practices. Best practices aren’t just for CISOs and IT teams; everyone in the organization has a role to play in cybersecurity and must do their part to protect their organization.
Natarajan then noted that, earlier that morning, the U.S. Department of Health and Human Services (HHS) 405(d) Program had announced the release of “version 2” of its healthcare cybersecurity practices. The accompanying press release states that “These efforts are a key part of the Administration’s work to secure all of our Nation’s critical infrastructure from cyber threats.”
The resources include:
- “Knowledge on Demand – a new online educational platform that offers free cybersecurity trainings for health and public health organizations to improve cybersecurity awareness.
- Health Industry Cybersecurity Practices (HICP) 2023 Edition – a foundational publication that aims to raise awareness of cybersecurity risks, provide best practices, and help the HPH Sector set standards in mitigating the most pertinent cybersecurity threats to the sector.
- Hospital Cyber Resiliency Initiative Landscape Analysis – a report on domestic hospitals’ current state of cybersecurity preparedness, including a review of participating hospitals benchmarked against standard cybersecurity guidelines such as HICP 2023 and the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF).”
Natarajan said that CISA is there to help organizations: if you give CISA information, it may be able to give information back that can help you. He added that CISA has more than 600 people working in its regional offices across the nation, available in local communities. “We encourage you to go meet them,” he stated.
“In conclusion, what are we asking for?” Natarajan asked. “A handful of things including reporting cyber incidents, industry partner collaboration, and cyber hygiene.”
He then left the audience with some sobering words, “Some may think the next generation is cyber savvy. They are tech savvy, not cyber savvy. We need to make them more cyber savvy to keep us one step ahead of our adversaries.”