Preventing a 'Doomsday' Healthcare Cyber Event
Erik Decker, CISO at the University of Chicago Medicine, Discusses Threat Mitigation
The healthcare sector needs to continue upping its cybersecurity ante to prevent potentially catastrophic "doomsday" events that could devastate regional healthcare systems, says Erik Decker, a federal adviser who's CISO at the University of Chicago Medicine. He's co-leading an effort to draft a guide to mitigating five key cyber threats.
So far, cyberattacks in healthcare have not focused on harming patients. "What hasn't happened yet, but I can foresee happening, is ... terrorism," he says in an interview with Information Security Media Group at the recent College of Healthcare Information Management Executives' Advocacy Summit in Washington.
"If a threat actor can get to a certain level of sophistication and understand how to compromise regional health systems - independent health systems that are not part of the same group - by leveraging a lot of the same types of vendors that we all use and the access that these third parties have ... then you have a situation that is going to be quite catastrophic," he says.
Decker, who has testified before Congress, contends that recent cybersecurity progress is making such a "doomsday" scenario less likely.
"The good news is that cyber has become a huge, hot topic in healthcare," he says. "There's been a lot more prevalence at the local level, all the way to the national level, on how do we solve this problem."
Guide to Mitigating Threats
Decker is co-leading a Department of Health and Human Services task group of more than 150 industry experts that's devising a plan for implementing certain provisions of the Cybersecurity Information Sharing Act of 2015 within the healthcare sector.
Later this year, the task group will release a four-volume guide that describes the top five cybersecurity threats facing the healthcare sector and 10 practices for mitigating them, with mitigation suggestions tailored to small, midsize and large organizations.
In addition to patient safety issues related to network-connected medical devices, the other top threats, according to the guide, are: phishing attacks, ransomware, lost and stolen computing devices and insider threats.
In the interview, Decker also discusses:
- Progress the healthcare sector is making so far on medical device cybersecurity;
- Why the WannaCry ransomware attacks of 2017, which severely impacted the United Kingdom's National Health Service, were a major wake-up call for the U.S. healthcare sector;
- Why breach detection and response is beginning to overshadow prevention.
Decker is the chief security and privacy officer for the University of Chicago Medicine, with 18 years of experience in IT, 12 of them focused on information security. He also chairs the Association for Executives in Healthcare Information Security, or AEHIS, a CHIME subgroup that provides education and cybersecurity resources to more than 900 CISOs, and he co-leads the Department of Health and Human Services task group implementing certain provisions of the Cybersecurity Information Sharing Act of 2015 within the healthcare sector.