The former vice president of threat intelligence for IBM Security is diving into healthcare cybersecurity, an industry that is heavily targeted and in which, according to the research he cites, a breach costs more than in any other sector.
Caleb Barlow, president and CEO of CynergisTek in Austin, Tex., said not only is the healthcare industry likely to get breached on an ongoing basis, but according to research from the Ponemon Institute, the cost of a healthcare data breach is 65% higher than the cost of a breach in other industries. The average cost of a healthcare data breach is $6.45 million, he said.
"Not only is the threat landscape large and the challenge significant because of the regulatory environment, but the costs associated with a breach are significantly higher than just about anywhere else in the industry," Barlow said.
In this Q&A, Barlow, who succeeded retired CynergisTek founder and security expert Mac McMillan in August, offered his thoughts on the current state of healthcare cybersecurity and the biggest cyber threats facing the industry, and gave tips for CIOs and CISOs looking to strengthen their cybersecurity programs.
What healthcare cybersecurity challenges do CIOs face?
Caleb Barlow: We have to constantly look at what is likely going to change in the forms of attack we see. Most of what people are focused on today, in fact most of what we see focused on from a regulatory environment, is data exfiltration. Bad guy breaks into a system, gets access to data, downloads that and extorts that for money. But that's not the really big threat to the healthcare industry. The really big threat, which, by the way, takes the same level of access, is the bad guy changes the data or, worse yet, locks it up so you can't get to it. If you are the CISO of a healthcare entity, you have to be prepared for a breach that might be destructive in nature or might involve manipulation of data. The industry is largely unprepared for that today.
Why is manipulated data so high on your list of security threats?
Barlow: When you change data, not only do you have a problem with the record that was changed, but now you can't trust anything else. You've lost control over that system. You no longer can trust the integrity of the whole system, and that becomes the biggest challenge. If you think about these ransomware incidents that are occurring across the country, mostly at small cities and towns, these are actually stopping business from occurring. When that happens in a healthcare institution, the impact can be significant.
What kinds of attack should healthcare CIOs be most aware of?
Barlow: The top source of data breaches over the course of the last year has nothing to do with phishing. They're coming from the misconfiguration of cloud environments. As more and more data moves to the cloud and these systems that maybe were never designed to be in the cloud are pushed into that environment, [cloud] misconfiguration is the top reason data gets breached. That's a really important thing for companies to think about. In that plan to move to the cloud, are you assessing the systems you're moving into the cloud? Are you validating that the security is built in by design? When those systems were on your own premises, they were behind the wall, they were locked in the tower and could only be accessed from your internal system. But the minute you take that same dataset and move it to the cloud, all of a sudden you've got to make sure it comes with a security wrapper.
What security tips do you have for CIOs and CISOs when moving healthcare data to the cloud?
Barlow: More often than not, when people are moving data to the cloud, they're thinking about cost reduction. They're thinking about, 'How do I get these assets, these servers, the infrastructure, the people that run them, out of my system and off of my premises.' Although those cost reductions are certainly important, it is just as critical to make sure you invest the time to go back and re-look at the security posture and get an assessment on that security posture if you're moving to the cloud. The good news is, it's very doable. The bad news is, you've got to dot your i's and cross your t's as you move data to the cloud.
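The two answers above name cloud misconfiguration as the leading cause of breaches and call for reassessing a system's security posture when it moves to the cloud, but do not describe a specific check. As an added illustration (example code written for this page, not from the interview, CynergisTek or any AWS tooling), the script below performs one such check statically: it parses AWS-style S3 bucket policy documents and classifies Allow statements that grant access to a wildcard principal. Both policy documents, and the bucket name, account ID, role name and VPC endpoint ID inside them, are constructed for the example.

```python
import json
from typing import Any

# Constructed sample policies (illustrative only; the bucket, account, role
# and endpoint identifiers are made up for this example).
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-patient-exports/*",
        }
    ],
})

HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            # Wildcard principal, but scoped to a VPC endpoint by a Condition.
            "Sid": "VpcEndpointOnly",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::example-patient-exports/*",
            "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}},
        },
        {
            # Access limited to one named application role.
            "Sid": "ExportRole",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/ehr-export-role"},
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::example-patient-exports/*",
        },
        {
            # Deny statements only narrow access and are never flagged.
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::example-patient-exports/*",
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})


def _as_list(value: Any) -> list:
    """Policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal: Any) -> bool:
    """True if the statement is granted to any caller, anonymous ones included."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def audit_bucket_policy(policy_json: str) -> dict[str, list[str]]:
    """Classify Allow statements that name a wildcard principal.

    Returns {"public": [...], "review": [...]} keyed by statement Sid (or a
    positional label when the Sid is absent). An unconditioned wildcard
    Allow is public by definition; a conditioned one may be legitimately
    scoped (e.g. to a VPC endpoint) and is queued for human review rather
    than passed automatically.
    """
    policy = json.loads(policy_json)
    result: dict[str, list[str]] = {"public": [], "review": []}
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen access
        if not _principal_is_anyone(stmt.get("Principal")):
            continue  # scoped to named accounts, roles or users
        label = stmt.get("Sid", f"Statement[{index}]")
        if stmt.get("Condition"):
            result["review"].append(label)
        else:
            result["public"].append(label)
    return result


if __name__ == "__main__":
    for name, doc in (("public-read", PUBLIC_READ_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit_bucket_policy(doc))
```

The "review" bucket exists because a Condition does not always restrict who can call: a key such as aws:SecureTransport only constrains how, so a wildcard principal with that Condition alone would still be public, and a human (or a stricter rule set) has to make that call. A real assessment of the kind Barlow describes would also cover account-level public access block settings, object ACLs and the equivalent controls on other providers, none of which this policy-document check looks at.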
What's an example of good healthcare cybersecurity?
Barlow: This breaks down into two categories: what you do before the breach occurs and what you do after the breach occurs. Before the breach, it's all about trying to stop it from happening. And questions any CEO can ask their CISO are:
Do we have endpoint protection in place?
Have we segmented our network?
And do we have strong identity and access protection in place, in particular two-factor authentication?
Most hospital systems cannot answer yes to those three questions, and those are the basic fundamentals. There's an equally important set of things you have to do after the breach has occurred. The CEO can go ask their CISO:
What are our plans if we are breached?
Have they been exercised?
Have we tested them?
Are they comprehensive?
Remember you can't fix every vulnerability, so one of the most important things you can do is have those plans in place so when something does happen -- and unfortunately this is kind of the inevitable -- you're able to maintain the resilience of the system, continue to see patients and keep things moving forward. Frankly, a lot of systems don't have any plans in place. If they do have them, they've never been tested.
What cybersecurity advice, in general, can you give healthcare CIOs?
Barlow: There's this old adage, security professionals say it all the time, you don't have to outrun the bear, you just have to outrun your friend. That basically means you don't have to have perfect cybersecurity, you just have to be better than everybody else. I don't think that adage is true anymore, because the difference nowadays is it's not one bear, it's a whole pack of bears. This is going to happen and it's going to happen to you. The measurement is not if it happens, the measurement is how good of a job do you do as a team in mitigating the damage and processing through that attack. If you do a good job at being able to handle an incident, then the business is going to maintain its resiliency. Most of the breaches we see today, the real damage is not caused by the breach. It's caused by the lackluster response.
What steps should CIOs take to enhance their healthcare cybersecurity?
Barlow: Healthcare has a longstanding reputation of practicing and rehearsing the worst threats that may occur to it, whether that's practicing for what happens when someone with a deadly, infectious disease shows up at the emergency room or what happens if a hurricane comes by and hits their institution. They need to take the same level of care and practice and simulation in thinking about what happens if they get hit with a devastating cybersecurity incident. Just like they did the drill for the hurricane, they need to do the exact same level of preparation for a cyberattack: how they would organize themselves, how they would make decisions and how they would communicate in the event of a large-scale and devastating cybersecurity incident.
Editor's note: Responses have been edited for brevity and clarity.