Interview: Enhancing Cybersecurity in Healthcare with Nitin Natarajan from CISA
In the rapidly evolving digital landscape, healthcare organisations are increasingly becoming targets for cyberattacks. These potential victims now encompass large and small, public and private, rural and urban organisations, as the convenience of internet connectivity brings an additional vulnerability to healthcare[1].
Recognising the urgency, the Cybersecurity and Infrastructure Security Agency (CISA) is stepping up to provide support. At the recent HIMSS23 conference, CISA Deputy Director Nitin Natarajan discussed the changing cybersecurity landscape for healthcare, emphasising the importance of a proactive approach[2].
CISA offers a range of free services to help healthcare organisations strengthen their cybersecurity posture. These include cyber hygiene scanning and vulnerability scanning for organisations with limited resources or budget[3]. One such service is the CISA's vulnerability scanning tools, which continuously evaluate internet-connected healthcare technology for thousands of vulnerabilities, configuration errors, and weak security practices[4].
Nitin Natarajan also emphasised the importance of involving everyone in a healthcare organisation to strengthen the security culture. He suggested prioritising cybersecurity investments by doing something each day, week, month, and year to raise resilience[5].
Healthcare organisations should ensure that third-party vendors, sources, and contracts are secure and practice strong cybersecurity. Legislation like the Healthcare Cybersecurity Act promotes formal collaboration between CISA and the Department of Health and Human Services (HHS), establishing dedicated liaison roles to facilitate rapid, real-time sharing of threat intelligence, best practices, and coordinated response strategies across healthcare providers and federal agencies[1].
In addition, healthcare organisations should conduct comprehensive risk assessments to identify vulnerabilities, especially in electronic health records and medical devices. CISA and HHS jointly publish studies that highlight critical risks faced by healthcare entities, guiding focused mitigation efforts[1].
To prevent unauthorised access, implementing strong authentication and access controls is crucial. Enforcing multifactor authentication (MFA) for system logins and eliminating shared credentials can significantly reduce these risks[4].
Expanding targeted cybersecurity training for healthcare providers and staff improves the overall security culture, helping to prevent phishing attacks and other common threat vectors[3]. Robust backup and recovery procedures are also essential to guard against ransomware and data loss[4].
A cyberattack against a hospital can become a patient safety issue, with impacts felt throughout communities. By implementing strategies such as strong passwords, multifactor authentication, updating and patching software regularly, and adopting a Secure by Design, Secure by Default model for technology products, healthcare organisations can significantly reduce their risk of falling victim to such attacks[6].
CISA's Zero Trust Maturity Model, consisting of five pillars, can help healthcare organisations assess and improve their cybersecurity posture. Each pillar represents an area for improvement, and these can be adjusted like dimmer switches[7].
In conclusion, a proactive approach to cybersecurity is crucial for healthcare organisations. By working with CISA, implementing recommended strategies, and prioritising cybersecurity investments, healthcare organisations can safeguard sensitive patient data and critical healthcare functions from escalating cyber threats[1][2][3][4].
References
[1] Cybersecurity and Infrastructure Security Agency. (2023). Healthcare Cybersecurity. Retrieved from https://www.cisa.gov/healthcare
[2] Healthcare IT News. (2023). Nitin Natarajan: Healthcare needs to be more proactive about cybersecurity. Retrieved from https://www.healthcareitnews.com/news/nitin-natarajan-healthcare-needs-be-more-proactive-about-cybersecurity
[3] Health Data Management. (2023). CISA offers free cybersecurity services to healthcare providers. Retrieved from https://www.healthdatamanagement.com/news/cisa-offers-free-cybersecurity-services-to-healthcare-providers
[4] Healthcare IT News. (2023). 10 cybersecurity best practices for hospitals. Retrieved from https://www.healthcareitnews.com/news/10-cybersecurity-best-practices-hospitals
[5] Healthcare IT News. (2023). Nitin Natarajan: Healthcare needs to be more proactive about cybersecurity. Retrieved from https://www.healthcareitnews.com/news/nitin-natarajan-healthcare-needs-be-more-proactive-about-cybersecurity
[6] Healthcare IT News. (2023). Top 5 cybersecurity threats to healthcare providers. Retrieved from https://www.healthcareitnews.com/news/top-5-cybersecurity-threats-healthcare-providers
[7] Cybersecurity and Infrastructure Security Agency. (2023). Zero Trust Maturity Model. Retrieved from https://www.cisa.gov/zerotrust-maturity-model
Key points
- In light of the increasing cyber threats against healthcare organisations, the Cybersecurity and Infrastructure Security Agency (CISA) is offering a range of free services to help strengthen the cybersecurity posture of these entities, including cyber hygiene scanning, vulnerability scanning, and vulnerability scanning tools that evaluate internet-connected healthcare technology.
- Recognising the importance of a proactive approach to cybersecurity, CISA Deputy Director Nitin Natarajan emphasised the necessity of involving everyone in a healthcare organisation to strengthen the security culture, and suggested prioritising cybersecurity investments by doing something each day, week, month, and year to raise resilience.