Cyber Attacks in Healthcare: Not Just an "IT Security" or "Consolidation" Problem

I was halfway through my policy analysis on the recent #cyberattack against Change Healthcare when Ascension news broke. And, while it will be months before we see the actual policy and technical ramifications, there are some similarities--but a lot of differences. And, while it's easy to just say "do security better" or "stop the consolidation", the true solutions here are much more nuanced. There are three key takeaways that should be considered.

Cybersecurity is a Business Activity

The most recent hearing focused a lot on the lack of multi-factor authentication on a single server which allowed hackers to use compromised credentials to access servers. And that must be fixed. However, it seems likely the real root cause was a breakdown between the "security" people and the "business" people on assessing and mitigating the risk of the cyberattack--and the mitigation likely didn't include the business activities that were needed.

Communication is Critical

This is a delicate balance. In the midst of the cyberattack, law enforcement needs to have a free hand. However, Mr. Witty acknowledged that, when their servers went down, all of their customer information was also unavailable, making it impossible to communicate in a timely fashion. For the Ascension cyberattack, there seems to be a slightly better plan in place--reports are that they are communicating with those scheduled for procedures and diverting traffic to other hospitals. And information is coming out in a timely fashion.

Business Continuity Must Be Prioritized

While there will likely be a lot of focus on preventing attacks, the reality is that these attacks will happen.

• Ransomware now operates like other companies--they have "Ransomware as a service"--hiring specialists that can bring certain skills to maximize the impact of an attack.
• State actors are targeting our critical infrastructure--
• There is a proposed rule from the Cybersecurity and Infrastructure Security Agency (an agency within the U.S. Department of Homeland Security ) to finalize reporting in an effort to try to disrupt this trend.

Part of what's needed is to determine how to recover when there is a massive cyberattack as we've witnessed. This is not just an IT activity. Many companies have business continuity plans. Many of them have considered a lot of scenarios. But, as Mr. Witty testified, when the cyber attack occurred, they also locked out their disaster recovery servers. I'm sure they're not alone.

We are living in unprecedented times--and there will undoubtedly be lots of policy actions that will be proposed (in fact, even today, the Department of Justice opened a probe). But in the end, cybersecurity isn't an IT activity or a policy activity. This is an "all of us" activity.

What do you think? What are some steps we can take to help all of us be more secure?