Healthcare IT Today has been a partner with the HCP Conferences for a while now, but this week was the first time I was able to attend in person. The event has a unique reverse expo format where the health IT professionals sit at tables and the vendors go around visiting the tables. It was a well run event with some really great health IT professionals and vendor sponsors.
Along with the reverse expo, they also do a number of education sessions, networking, full meals, and they love to have fun (HCP put on a great party with attendees at Drai’s Nightclub in Vegas). Today’s keynote session was with Mac McMillan who everyone in the healthcare security world probably knows. He was founder of Cynergistek which recently sold to Clearwater so Mac could finally start his retirement where he’s still researching and following the healthcare security industry.
We live tweeted Mac’s talk and here were some of the great healthcare security insights he shared.
Many of us only think about the first two expenses when it comes to cybersecurity. However, Mac appropriately points out that the later two are much more expensive.
4 costs of a security incident.
*Cost of security
*Cost of cybersecurity insuranceThose are the smaller costs. The larger costs are:
*The business costs from the disruption
*Incident response@cynergistek #hcplv22 pic.twitter.com/A89E3dgKuP— John Lynn (@techguy) October 12, 2022
Given the risks, it’s pretty sad to hear that Mac suggested that most healthcare organizations are flying blind. They don’t really even know their risks and they’re not appropriately monitoring for breaches.
Most of the hospitals put there are flying blind from a security perspective. -Mac from @cynergistek #hcplv22
— John Lynn (@techguy) October 12, 2022
He then reframed security for us to focus not on the data, but on the patient. When you lose some data, that doesn’t seem like that big of an issue. However, when you start talking about how a breach will impact patients, it becomes more real and important.
We’re focusing on the wrong security mission. We’ve been focused on protecting the data versus protecting the patient. -Mac from @cynergistek #hcplive
— John Lynn (@techguy) October 12, 2022
You’ve probably all seen this, but healthcare has proven to be a great target for hackers since it’s just as lucrative as other industries like banking.
Healthcare is a major target of hackers since it’s proven just as lucrative as other industries. #hcplv22 @cynergistek
— John Lynn (@techguy) October 12, 2022
I’d seen the uptick in ransomware, but this stat astounded me.
In 2018, ransomware was 10% of cyber related losses. Now, it’s 90%. @cynergistek #hcplv22
— John Lynn (@techguy) October 12, 2022
Lots to think about with ransomware, but Mac described ransomware as really a triple attack. We often just hear about the first, but ransomware hackers keep attacking even if you choose not to pay the initial ransom.
Ransomware is a triple attack.
1. Pay us to unencrypt your data
2. Pay us to not leak your data
3. If you don’t pay us, I’ll destroy your system with an attack. @cynergistek #hcplv22— John Lynn (@techguy) October 12, 2022
For those healthcare organizations that are wondering if they should pay a ransomware or not, Mac shared this compelling info about those who paid and those who didn’t. The last stat illustrates that many have good backup and business continuity plans and that everyone should invest more in those.
Wow! Compelling stats on ransomware and why not to pay the ransom. Also compelling reason to invest in good disaster recovery and business continuity. @mmcmillan07 #hcplv22 pic.twitter.com/7iyRb4twZH
— John Lynn (@techguy) October 12, 2022
Mac also shared a number of great insights into the security challenges facing healthcare. First up is third parties being compromised and impacting your organization.
And reliance on third parties is growing. @mmcmillan07 #hcplv22 https://t.co/WTE5tivhgb
— John Lynn (@techguy) October 12, 2022
He told some amazing stories of organizations that didn’t disclose when a breach happened. Plus, the story of the Uber CISO who may be facing jail time for not doing so. Long story short, you have to disclose.
Not reporting security incidents is not an option. It’s not a smart option. See: Uber CISO. @mmcmillan07 #hcplv22
— John Lynn (@techguy) October 12, 2022
We hear a lot of talk of digital transformation. Mac reminded us that these two words are really scary for CISO’s.
Security is scared of the 2 words: Digital Transformation
Something new presents opportunity and risk.
— John Lynn (@techguy) October 12, 2022
Mac also highlighted the disadvantage we have against those exploiting us and our systems. He suggested we need to close this gap.
1 hour and 32 min to exploit you on average. 6 months is the average time to recover from a breach.
— John Lynn (@techguy) October 12, 2022
Mac also shared a view into the future of what security challenges are coming. Plus, he made an impassioned case for why we need to start thinking about things like Quantum Computing security challenges now before it’s too late.
Emerging security challenges in healthcare.
*Artificial intelligence
*Nanomedicines
*Quantum computing
*Smart hospitals— John Lynn (@techguy) October 12, 2022
Finally, he took from his military background to suggest an approach healthcare organizations should take towards cybersecurity.
Think defensively, Act offensively.
Good approach to cybersecurity
— John Lynn (@techguy) October 12, 2022
Thanks to Mac McMillan for all his done for the healthcare cybersecurity industry. Plus, it’s great to see that even in retirement, healthcare cybersecurity’s chief educator is still sharing his wisdom.
