
How to Get the Cybersecurity Funds Needed to Protect a Hospital or Health System



Health systems, like all enterprises these days, are not immune from cyberattack. In fact, they are at a higher risk because of a combination of the sensitivity of the systems and data they possess, the diversity of different systems deployed within the four walls of a hospital, and the fairly open access people have to physically interact with systems and access points.

Compounding the problem: Most hospitals and health systems face both budgetary and staffing shortages that limit their ability to defend against financially motivated threat actors. This makes for a complicated environment to secure.

Getting the funds to best secure a hospital or health system is not necessarily an easy task – just ask healthcare chief information security officers (CISOs) and chief information officers (CIOs).

Yes, the horrible headlines of healthcare security breaches help security and IT leaders make their points to the C-suite and the board, but truly effective cybersecurity requires some serious cash, and that’s not always easy to come by in today’s healthcare environment.

To help IT and security leaders with this vexing challenge, Healthcare IT News sat down with Andrew Howard, CEO of Kudelski Security, to obtain advice on talking with the C-suite and the board about cybersecurity investments, dealing with security and IT staffs that are stretched thin, and more.

Q. Hospitals and health systems often are cautious in their approach to new technologies and trends. How do CIOs and CISOs get through to the C-suite and board to convince them to invest in new cybersecurity technologies and monitor new security trends?

A. Protecting an enterprise from cybersecurity threats is not easy and it takes resources – lots of them. Historically, CIOs and CISOs have been forced to use scare tactics around the security threats to get the resources they need. I have been a part of many presentations with clients trying to convince the boards of directors that the sky is really falling.

In today’s landscape, boards tend to already understand the threat and the risks associated with inaction. All they have to do is turn on the news to understand the macro environments. They are also seeing peer hospitals and health systems come under attack virtually every day.

While the pitch to the board has morphed as boards have matured, security leaders still must have a convincing plan backed with data analysis. Security leaders are likely to be asked questions by the board, such as:

How secure are we?
How do we know we haven’t already been breached?
How does our security program compare to those of our peers?
Are we investing enough?
Are our investments paying off?

Well-thought-out answers to these questions will help drive the right level of investment from the board. Far too often, we see security leaders focusing on metrics and details that may initially appear interesting to the board but do not help tell the right story to justify investment.

If a security leader can show a standards-based approach, with defined and measurable outcomes that are aligned to the healthcare objectives, the right investment will likely follow. Simply asking for funds for technology is not the right approach.

Q. Healthcare provider organizations do not have a lot of money to spend on non-reimbursable operational expenditures, so the money associated with new cybersecurity investments is hard to come by. What steps and strategies can health IT and security leaders take to get the money they need?

A. Recent high-profile ransomware attacks on hospitals now make it much easier to link a lack of cybersecurity investment with tangible negative financial and patient services outcomes. Security leaders can reference many real-world examples where a ransomware-induced IT outage caused millions of dollars of revenue loss and, in at least a couple of cases, potential civil liability for a patient’s death. Determining the likelihood and impact of these events is no longer a hypothetical exercise or one that can be dismissed as fear, uncertainty and doubt.

Furthermore, boards cannot rely on insuring against this risk, as many cyber insurance policies exclude ransomware payments. Furthermore, recent guidance from the U.S. Treasury Department highlights potential sanctions on companies and institutions for facilitating ransomware payments, even unknowingly, to terrorist organizations or U.S.-sanctioned countries.

Linking security spending to compliance outcomes is a typical step security leaders can and do take. Often, the compliance is currently addressed through human-powered, manual processes.

The challenge then is convincing boards to invest in technology to accomplish the same tasks, but perhaps with greater precision or efficiency. This requires security leaders to explain risks created in the current process (precision) or illustrate how the freed-up resources can be reassigned to other, more critical security tasks (efficiency).

Where possible, I recommend justifying new security tooling by linking it to other non-security business outcomes. Asset management and tracking is a great example of this.

From a security perspective, if a healthcare organization doesn’t have a solution that discovers and tracks what assets are in its environment, it can’t know holistically what to monitor, protect or patch. It can never truly be sure of the real security posture or attack surface. Similarly, this same lack of asset visibility has ramifications for accounting and operations.

Consider expensive network-connected medical devices. Is this device listed in a fixed asset schedule? Does the organization know its physical location for purposes of an annual audit or routine maintenance? Is the device being so underutilized that it should be liquidated? In this example, the same technology solution can enable both security and business teams to accomplish their objectives.

Q. Healthcare security and IT staff often are small and stretched thin. Getting more money, as we already have discussed, is one solution. What else can leaders do to help with this problem?

A. Without question, money is needed to drive a successful security program and mitigate the impact of inevitable breaches. The cost of the necessary security people, processes and technology is also increasing.

Organizations today are spending upwards of 15% of their IT budget on information security. However, while an organization cannot build a world-class security program without significant financial resources, it can build a good enough security program with the right focus and limited investment.

Security leaders should focus on cybersecurity hygiene before and above all other tasks. Building mature and repeatable processes around identity management, patch management and threat detection will go a long way to deter threats.

I see many clients over-investing in technology and under-investing in the basics. I have visited many data centers with racks and racks of security appliances turned off because the organization could not figure out how to operationalize the technology. While technologies like endpoint detection and response are typically worth the investment regardless of the security program’s maturity, most other technologies will fall flat without the right processes around them.

In my role, I regularly ask our incident responders what advice they would give a new security leader to best defend their network. While the advice has changed alongside the threat landscape, the fundamental advice has not.

Healthcare organizations should buy and ubiquitously deploy a strong identity-management solution that supports multi-factor authentication, segments their network to mitigate expansion opportunities post-breach (ideally with a zero-trust approach) and stays on top of patching key systems. One piece of specific advice that has not changed in years: If nothing else, disable macros in all Microsoft Office productivity applications. Most ransomware attacks we see today start with a macro.
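A way to verify the one piece of advice above on a Windows endpoint, as an added example that is not from the interview or from Kudelski Security: this PowerShell snippet reads the Office policy registry values that Group Policy writes for Word, Excel and PowerPoint and reports whether macros are disabled without notification and whether internet-sourced macros are blocked. The Office policy key version (16.0) and the user-scope policy hive (HKCU) are assumptions; adjust them for your deployment.

```powershell
# Added example: audit (and optionally enforce) the Office macro policy.
# Assumptions: Office 2016/2019/Microsoft 365 (policy key version "16.0")
# and user-scope policy under HKCU:\Software\Policies, which is where
# Group Policy user configuration is written.
# VBAWarnings policy values:
#   1 = enable all macros, 2 = disable with notification,
#   3 = disable except digitally signed, 4 = disable all without notification
param([switch]$Enforce)

$apps = 'Word', 'Excel', 'PowerPoint'
$officeVersion = '16.0'   # assumption: current Office policy key

function Get-MacroPolicy {
    param([string]$App)
    $key = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$App\Security"
    $warn = $null; $block = $null
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        $warn  = $props.VBAWarnings
        $block = $props.blockcontentexecutionfrominternet
    }
    [pscustomobject]@{
        App                 = $App
        VBAWarnings         = $warn
        BlockInternetMacros = $block
        # Desired state: all macros disabled (4) and macros in files marked
        # as downloaded from the internet blocked (1). A missing value means
        # the setting is not enforced by policy, which is reported as non-compliant.
        Compliant           = ($warn -eq 4 -and $block -eq 1)
    }
}

# Report the current state for each application.
$report = $apps | ForEach-Object { Get-MacroPolicy -App $_ }
$report | Format-Table -AutoSize

# Optionally write the hardened values. On a domain-joined host the
# equivalent Group Policy setting is the durable way to do this.
if ($Enforce) {
    foreach ($app in $apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$app\Security"
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name VBAWarnings -Type DWord -Value 4
        Set-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -Type DWord -Value 1
    }
}
```

Run it without arguments to audit, or with `-Enforce` to apply the values locally; the audit output is the evidence a security leader can bring to the board when asked "how do we know?"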

Twitter: @SiwickiHealthIT
Healthcare IT News is a HIMSS Media publication.



Apple Sues NSO Group, Accusing It of Spying on Users in New Lawsuit



Apple announced this week that it was suing NSO Group, an Israeli surveillance technology company, in federal court for allegedly accessing users’ devices without authorization.

In addition to damages, the tech giant is seeking to block NSO Group from accessing or using any Apple products, or developing spyware that could be used on Apple products in the future.

“State-sponsored actors like the NSO Group spend millions of dollars on sophisticated surveillance technologies without effective accountability,” said Craig Federighi, Apple’s senior vice president of software engineering, in a statement. “That needs to change.”

Apple devices are “the most secure consumer hardware on the market,” he contended, but “private companies developing state-sponsored spyware have become even more dangerous.

“While these cybersecurity threats only impact a very small number of our customers, we take any attack on our users very seriously, and we’re constantly working to strengthen the security and privacy protections in iOS to keep all our users safe,” Federighi added.

NSO Group offered a statement to Healthcare IT News in response to requests for comment.

“Thousands of lives were saved around the world thanks to NSO Group’s technologies used by its customers,” said NSO Group representatives. “Pedophiles and terrorists can freely operate in technological safe-havens, and we provide governments the lawful tools to fight it. NSO Group will continue to advocate for the truth.”


NSO Group says its surveillance technology is used by government intelligence and law enforcement agencies to track criminals.

But as Apple outlines in its complaint, the company’s spyware has reportedly been used against journalists, human rights activists, dissidents, public officials and others.

This month, the U.S. Department of Commerce included the NSO Group in its Entity List for “engaging in activities that are contrary to the national security or foreign policy interests of the United States.” Specifically, the agency said that NSO Group had enabled foreign governments, via its spyware, to “maliciously target” individuals such as embassy workers and academics and to “conduct transnational repression.”

In its complaint, Apple zeroed in on “FORCEDENTRY,” an exploit for a vulnerability used to break into a victim’s device and install NSO Group’s Pegasus spyware product.

The company accused attackers of creating Apple IDs to send malicious data to a victim’s device, which then allowed NSO Group or its clients to surreptitiously deliver Pegasus.

“On information and belief, Defendants provide consulting and expert services to their clients, assist them with their deployment and use of Pegasus, and participate in their attacks on Apple devices, servers and users,” according to the complaint. Although Apple has not observed any evidence of successful remote attacks against devices running iOS 15 or later, it said that each attack carries substantial costs for the company, including the necessity to redirect resources.

“In the meantime, on information and belief, Defendants continue with their pernicious efforts to target and harm Apple and its customers by infecting, exploiting, and misusing Apple devices and software,” said the complaint.

The company also announced that it would be contributing any damages from the lawsuit, plus an extra $10 million, to organizations pursuing cybersurveillance research and advocacy.

“At Apple, we are always working to defend our users against even the most complex cyberattacks,” said Ivan Krstic, head of Apple Security Engineering and Architecture, in a statement.

“The steps we’re taking today will send a clear message: In a free society, it is unacceptable to weaponize powerful state-sponsored spyware against those who seek to make the world a better place.”


Nation-states have increasingly relied on sophisticated software to carry out governmental objectives.

As Errol Weiss, H-ISAC chief security officer, pointed out in an interview with Healthcare IT News earlier this month, cyber-offensive capabilities have now become the norm, not the exception.

“A few years ago, you could count maybe a few dozen countries that had a decent, offensive cyber capability. And now it’s probably the opposite,” he said. The U.S. government has raised the alarm about these developments, most recently regarding an Iran-sponsored hacker group targeting healthcare.


“Our threat intelligence and engineering teams work around the clock to analyze new threats, rapidly patch vulnerabilities, and develop industry-leading new protections in our software and silicon,” said Apple’s Krstic in a statement.

“Apple runs one of the most sophisticated security engineering operations in the world, and we will continue to work tirelessly to protect our users from abusive state-sponsored actors like NSO Group,” he said.

Kat Jercich is senior editor of Healthcare IT News.
Twitter: @kjercich

French Researchers Reveal Chatbot Skills to Override Vaccine Hesitancy



A team of French cognitive scientists has addressed the urgent issue of vaccine hesitancy within many EU countries and proposes a new approach. With a study published in October this year, the researchers successfully demonstrated that the reluctance to be vaccinated could be decreased by deploying chatbot technology.


The chatbot study involved researchers from the Centre National de la Recherche Scientifique (CNRS), the French National Institute of Health and Medical Research (INSERM) and ENS-PSL.

The study, published in the Journal of Experimental Psychology: Applied, found that interaction with a chatbot developed by CNRS, ENS-PSL and INSERM was able to reduce vaccination refusal by 20 per cent within a test group of 338 participants.

In the control group, which received only brief information about the COVID-19 vaccination, there were no comparable results in terms of general views and willingness to vaccinate.


Although nearly three-quarters of all adult Europeans are now fully vaccinated against COVID-19, there remain huge disparities in vaccination rates across countries.

According to the vaccine tracker of the European Centre for Disease Prevention and Control (ECDC) as of 25 November 2021, individual EU countries such as Portugal (81.5 per cent), Ireland (76.2 per cent) and Denmark (76 per cent) have already made great progress in immunising their populations with a full COVID-19 vaccination, while the vaccination rate of other countries such as Germany, France or Austria continues to stagnate at below 70 per cent.

In other parts of Europe, especially in the south-west, the vaccination rates are significantly lower than 50 per cent. In Slovakia (45.7 per cent), Romania (37.3 per cent) and Bulgaria (24.7 per cent), very few people have received the double COVID-19 vaccine dose.

These vaccination backlogs are not only due to vaccine shortages, but in many cases a result of existing scepticism of many Europeans.

The researchers from France now hope that technology-based communication, such as chatbots, could have a positive impact on these figures in the future.


“It remains to be shown whether the effects of chatbot interaction are lasting, and whether they are the same across age groups, and among those most resistant to vaccination”, emphasised the authors, noting that the study’s participants were predominantly young and well educated.

They added: “Half of the experimental group later tried to persuade others to get vaccinated, with three-quarters of them stating they drew information provided by the chatbot to do so.”



Roundup: Medanta Adopts’s X-ray Software, India to Open a Medical Cobotics Centre, and More Briefs



Medanta taps for AI-driven chest x-ray analysis

Medanta, a multi-speciality medical group in India, has partnered with to implement the latter’s artificial intelligence software to enhance chest x-ray analysis.

The hospital group will be adopting the qXR software which automatically analyses chest x-rays and spots findings for better diagnosis and treatment. The AI tool can detect 30 abnormalities of the lungs, pleura, heart, bones and diaphragm.

“Medanta strives to deliver world-class healthcare through its high-end medical equipment and superior infrastructure. State-of-the-art technology is an essential aspect of healthcare delivery,” Dr Naresh Trehan, chairman and managing director of Medanta, was quoted as saying in a news report.

The software has also been adopted by Fujifilm Corporation for its portable X-ray FDR Xair system. Through its recent partnership with AstraZeneca Malaysia, the startup has brought its x-ray software to some primary care clinics in Malaysia to support the early detection of lung cancer there.

Medical cobotics centre to be launched in India

The I-Hub Foundation for Cobotics at the Indian Institute of Technology – Delhi (IIT Delhi) and iHub Anubhuti at the Indraprastha Institute of Information Technology – Delhi (IIITD) have signed a memorandum of understanding to set up India’s first medical cobotics centre.

The two government-backed university technology hubs have been developing advanced technologies in robotics and collaborative robots (cobotics), digital health, sensing and computing technologies for robotic-assisted surgeries, training, and medical procedures.

According to a press statement, the Medical Cobotics Centre (MCC) at IIITD will be a tech-enabled medical simulation and training facility for young resident doctors, as well as other healthcare professionals, paramedical staff, technicians, engineers, and researchers.

It will also serve as a validation centre for research outcomes in the area of healthcare cobotics and digital health. This upcoming facility will establish partnerships with companies, undertake research, and work toward the commercialisation of technologies.

MCC’s training programmes will be at multiple levels and cohort-specific, such as urology, neurology, and laparoscopy, but will be initially limited to minimally invasive surgeries. Experts from All India Institute of Medical Sciences in New Delhi and other medical colleges will be consulted for these programmes and invited as guest faculty to conduct them.

The first batch of trainees is targeted to be inducted around April-May next year. They will be initially trained with basic training simulators while advanced surgical robots will come in the next phase.

Moreover, the centre will also be a place for various technology innovation hubs under the Indian government’s National Mission on Interdisciplinary Cyber-Physical Systems to “showcase their medical-related projects and products with applications,” according to IHFC CEO Ashutosh Dutt Sharm and IHFC Project Director Subir Kumar Saha.

Philips Foundation backs cardiac rehab programme in Singapore

Philips Foundation is funding one of the centres run by social service agency Singapore Heart Foundation that provides subsidised cardiac rehabilitation services.

The year-long project of Royal Philips’ non-profit organisation aims to reduce the mortality rate of cardiac events and help lower a patient’s risk of hospital readmission.

Specifically, it intends to close the gap in patients’ lack of participation in rehab programmes, which is considered a huge barrier in the secondary prevention of heart diseases. It was reported that only between 6%-15% of Singaporean patients attend cardiac rehabilitation programmes.

The SHF-Philips Foundation Heart Wellness Centre is one of the social service agency’s three centres that provide cardiac patients and at-risk individuals with access to heart health services.

Philips’ support, according to SHF Heart Wellness Centres Chairman Dr Tan Yong Seng, will provide SHF with the “resources required to continue providing affordable and quality support to the patients in need, as well as give our team the capacity to focus on raising awareness on the importance of cardiac rehab[ilitation] and drive higher participation in our programmes”.

Under the partnership, 20 sites in Singapore will be equipped with Philips HeartStart automated external defibrillators (AEDs), and 500 people will be trained in cardiopulmonary resuscitation (CPR) and AED use over the course of a year.

“Through the heart wellness centre’s education initiatives, the AED roll-out and the CPR training, we want to equip individuals and communities with the knowledge and resources to reduce the mortality rates of cardiac incidences in Singapore,” Philips Singapore Country Manager Ivy Lai said.
