Actionable advice on responding to a cyber attack, communicating cyber risk to executives, and more

CISO Confidential - Erik Decker - Saket Modi

By Jeff Copeland

When lives, not just dollars, are on the line, you’d better get cyber risk management right.

In this episode of the CISO Confidential Podcast series, SAFE CEO Saket Modi sits down with Erik Decker, CISO at Intermountain Health and a 15-year veteran of healthcare cybersecurity. As a co-chair in the 405(d) Task Group, developing healthcare security protocols with the Department of Homeland Security, Erik speaks from wide experience with the problems and opportunities faced by healthcare CISOs.

Watch the CISO Confidential episode with Erik Decker now

3 Key Takeaways from Saket’s Conversation with Erik on Healthcare Cybersecurity

Timestamps indicated

01:30 Role of a CISO in a Cyber Attack

When the attack occurs, “you start with a blank slate of understanding next to nothing” and then “you start pulling the breadcrumbs together.” Then CISOs should be “the calm, cool executive that needs to bring the temperature down.” Next, get answers to some urgent questions:

“Where are they? Can we evict them? Can we contain it? How do we manage the disruption in the organization?”

03:20 Know the Three Primary Entry Points for Attackers

The bad actors operate at large scale, but the methodologies they use are consistent.

1. “Social engineering. That’s phishing, but it’s also engineering the service desk. Using a Social Security number and a date of birth as an identification that you are at the service desk will allow a bad actor to enroll another multifactor device, and that will get them their beachhead.”

2. “A vulnerability exposed to the Internet. We always chase vulnerabilities, but I direct my team to bring in context. Where is it? If it’s a known exploited vulnerability by CISA, and it’s exposed to a billion people, you have 24 hours to fix it…If it’s deep inside my network, ok, it’s not a (high level) problem.”

3. “An ecosystem challenge.” It’s very common in healthcare for a device manufacturer to say it must have remote access into your network to maintain its device. “Whoa, that’s a back door into our environment.”

Once the attackers get in, “they attack the IT administrator, then use all the credentials the IT administrator has…When they own the control systems just like the admin owns them, now they can throw ransomware wherever they want to throw it.”

“Every single attack in healthcare with every CISO I have spoken to, has been that.”
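The service-desk entry point above (an identity check based on a Social Security number and date of birth, followed by enrollment of a new MFA device) is something a SOC can watch for. The following is an added example, not code from the podcast, Intermountain Health, or SAFE; the event names, field names and log lines are constructed for illustration, and the 24-hour correlation window is an assumption:

```python
import json
from datetime import datetime, timedelta

# Constructed sample events (not from any real system): a service-desk
# identity check followed by an MFA device enrollment for the same user.
SAMPLE_LOG = """\
{"ts": "2024-05-01T09:02:00Z", "event": "servicedesk.identity_verified", "user": "jdoe", "method": "ssn_dob", "agent": "helpdesk7"}
{"ts": "2024-05-01T09:15:00Z", "event": "mfa.device_enrolled", "user": "jdoe", "device": "authenticator-app", "ip": "203.0.113.44"}
{"ts": "2024-05-01T10:00:00Z", "event": "mfa.device_enrolled", "user": "asmith", "device": "sms", "ip": "198.51.100.9"}
{"ts": "2024-04-29T08:00:00Z", "event": "servicedesk.identity_verified", "user": "bking", "method": "ssn_dob", "agent": "helpdesk2"}
{"ts": "2024-05-01T11:30:00Z", "event": "mfa.device_enrolled", "user": "bking", "device": "authenticator-app", "ip": "192.0.2.7"}
"""

# Assumed label for identity proofing that relies only on SSN + date of birth,
# the weak method the episode calls out.
WEAK_METHODS = {"ssn_dob"}


def parse_events(text):
    """Parse newline-delimited JSON events and return them sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def find_suspicious_enrollments(events, window_hours=24.0):
    """Return (user, verified_at, enrolled_at) for every MFA enrollment that
    follows a weakly-proofed service-desk identity check within the window."""
    window = timedelta(hours=window_hours)
    last_weak_check = {}   # user -> time of most recent SSN/DOB-based check
    alerts = []
    for e in events:      # events are time-ordered, so one pass suffices
        if e["event"] == "servicedesk.identity_verified" and e["method"] in WEAK_METHODS:
            last_weak_check[e["user"]] = e["ts"]
        elif e["event"] == "mfa.device_enrolled":
            checked = last_weak_check.get(e["user"])
            if checked is not None and timedelta(0) <= e["ts"] - checked <= window:
                alerts.append((e["user"], checked, e["ts"]))
    return alerts


if __name__ == "__main__":
    for user, checked, enrolled in find_suspicious_enrollments(parse_events(SAMPLE_LOG)):
        print(f"REVIEW: {user} enrolled an MFA device at {enrolled:%H:%M} "
              f"after an SSN/DOB service-desk check at {checked:%H:%M}")
```

On the constructed log only jdoe is flagged: asmith had no service-desk check, and bking's check is more than 24 hours before the enrollment. Widening the window, or keying on the help-desk agent as well, is a tuning decision for the environment.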

07:30 Communicate Risk to Business Leaders in Three Key Themes and One Context

1.  Patient Safety: The critical cyber loss exposure is long-term disruption: if hospital systems go down for 30 days in a ransomware attack, surgeries get postponed, patients get diverted – “executives get that caring for people’s lives is always the most important thing.”

2. Safeguarding Financial Assets. The risk here is fraud through business email compromise or other attack vectors.

3.  Data Privacy and Confidentiality. “That’s how we grew up in healthcare cybersecurity. I think many CISOs and other cybersecurity professionals still are too grounded in that. They think all we have to think about is data and they are missing the other two.”

“Surrounding all of that is the complexity factor. As we grow through M&A, divestitures, etc., you are adding all this technology that needs to be rationalized, and technical debt is being added into the environment. Have a playbook to really understand how you streamline that, and know if your security program is really covering every edge of the organization.”

Get more actionable advice on 

–Moving from a compliance approach to cybersecurity to a risk-based approach

–Thinking less like a technologist and more like a business leader

–How to use the tools of cyber risk quantification to advance the business

Watch the CISO Confidential episode with Erik Decker now.