Health Care

Sutter Health’s CISO on How to Overcome Cultural Hurdles to Cybersecurity



Cyberattacks on hospitals are rising – healthcare security leaders urgently need to ensure their organizations and the people they serve are secure. But the many decisions and actions needed to achieve security are complex and go well beyond the CISO role.

CISOs must know how to navigate cultural issues and share best practices on how to achieve consensus in their organizations – at all levels – including effective communication strategies to gain buy-in from senior management.

Jacki Monson, vice president, chief technology risk officer, chief information security officer and chief privacy officer at Sutter Health, will be speaking on this very topic at the upcoming HIMSS Cybersecurity Forum, a virtual event held December 6-7.

Her session is entitled “Achieving Buy-In, Changing the Culture around Security and Connecting to the Needs of the Business.” Her co-presenters in the session will be Dan Bowden, vice president and CISO at Sentara Healthcare, and Saif Abed, director of cybersecurity advisory services at Abed Graham Group.

Healthcare IT News interviewed Jacki to get a sneak preview of her session.

Q. What are a few of the cultural issues that impede good cybersecurity?

A. There are a few cultural issues organizations are facing right now that impede good cybersecurity. A major one many organizations are working through is the rise of remote work culture.

In response to COVID-19, employees who were used to coming into the office, opening their computers and safely accessing a secured network, suddenly were attempting something different. They worked to ensure their home Wi-Fi networks met security requirements and their workspaces were physically secure – if space even allowed a separate location.

They also had to properly “remote in” to their office and safely manage documents and other issues. On the flipside of that coin, organizations also were scrambling to make changes to their networks to allow employees to engage in secure and efficient remote work.

Organizations balanced this while also managing supply chain shortages on items like computer screens, hard drives and other necessary tools. Employees, who we all know are the first line of cyber defense, also were often faced with the challenges inside their remote work environments. They were helping home school their children or working from home alongside their partners.

These new requirements and distractions created unique security awareness challenges that can be tough to communicate and tackle. For example – helping ensure employees understand corporate devices are for corporate use only when perhaps there is a shortage of computers at home.

There also is fatigue – errors are made when employees are tired – and COVID-19 and other events have made the past couple of years an exercise in overstimulation and extra work for many.

As remote workers are settling in and organizations have adjusted their cybersecurity strategies accordingly, these cultural issues are creating fewer cybersecurity hurdles. However, they remain challenges and will continue for the foreseeable future.

Additionally, we are faced with our frontline workers being very resource-constrained. This means we must continue to find ways to help support them while they support patients and families, all the while reducing organizational risk.

In addition to continuing phishing campaigns throughout the pandemic, we also are finding new ways to mitigate the cyber risk like blocking access to third-party email and unsecure digital storage locations.

Q. How do CISOs and CIOs overcome these issues?

A. Overcoming the cultural hurdles to cybersecurity requires a multi-pronged attack.

First, we should always align with commonality, in essence, surrounding patient safety and quality with cybersecurity. One thing to always consider: privacy and security by design. Security teams need to engage with the business from day one on projects and ensure privacy and security considerations are contemplated at the start of a project instead of at the middle or end.

The approach helps avoid complicated processes or procedures tacked onto a project at the end. Not only does this help an organization save money, but it also allows for privacy and security to be seamlessly built into an end-product. If we can make privacy and security easy – and maybe even invisible to the end-user – people are more likely to engage and comply.

Another way CISOs and CIOs overcome these issues is by finding common understanding and areas of mutual benefit. When cybersecurity is considered a team effort, more people are likely to engage and seek to be part of the solution.

Frame security conversations so the business knows you are seeking partnership. In other words, communicate that you want to help them succeed and prevent things like ransomware and maintain the confidentiality of data.

Help employees see that the security controls and practices you ask them to follow at work can also benefit them in their home lives. When CISOs and CIOs can focus on common understanding and mutual benefit, their teams are less likely to experience pushback.

Q. What are a couple of effective communication strategies to gain buy-in to cybersecurity matters from senior management (non-security level executives)?

A. When communicating cybersecurity matters to non-technical senior leaders, it is always helpful to focus on the “why” of any request. It also helps to translate cybersecurity issues into the language of business risk. This approach helps senior management see how a strong cybersecurity strategy and program ties to the mission of the organization.

The importance of translating cybersecurity issues into the language of business risk helps gain buy-in because it puts cybersecurity into language senior management understands. Most members of senior management might not understand firewalls or how to reverse engineer malware.

They do, however, understand that keeping patients and the organization safe are critical. In order to accomplish that, we must mitigate business risk that can create vulnerabilities.

Monson’s session, “Achieving Buy-In, Changing the Culture around Security and Connecting to the Needs of the Business,” will air virtually 11:25-11:55 a.m. on December 6.

Twitter: @SiwickiHealthIT
Healthcare IT News is a HIMSS Media publication.


Apple Sues NSO Group, Accusing It of Spying on Users in New Lawsuit



Apple announced this week that it was suing NSO Group, an Israeli surveillance technology company, in federal court for allegedly accessing users’ devices without authorization.

In addition to damages, the tech giant is seeking to block NSO Group from accessing or using any Apple products, or developing spyware that could be used on Apple products in the future.

“State-sponsored actors like the NSO Group spend millions of dollars on sophisticated surveillance technologies without effective accountability,” said Craig Federighi, Apple’s senior vice president of software engineering, in a statement. “That needs to change.”

Apple devices are “the most secure consumer hardware on the market,” he contended, but “private companies developing state-sponsored spyware have become even more dangerous.

“While these cybersecurity threats only impact a very small number of our customers, we take any attack on our users very seriously, and we’re constantly working to strengthen the security and privacy protections in iOS to keep all our users safe,” Federighi added.

NSO Group offered a statement to Healthcare IT News in response to requests for comment.

“Thousands of lives were saved around the world thanks to NSO Group’s technologies used by its customers,” said NSO Group representatives. “Pedophiles and terrorists can freely operate in technological safe-havens, and we provide governments the lawful tools to fight it. NSO Group will continue to advocate for the truth.”


NSO Group says its surveillance technology is used by government intelligence and law enforcement agencies to track criminals.

But as Apple outlines in its complaint, the company’s spyware has reportedly been used against journalists, human rights activists, dissidents, public officials and others.

This month, the U.S. Department of Commerce included the NSO Group in its Entity List for “engaging in activities that are contrary to the national security or foreign policy interests of the United States.” Specifically, the agency said that NSO Group had enabled foreign governments, via its spyware, to “maliciously target” individuals such as embassy workers and academics and to “conduct transnational repression.”

In its complaint, Apple zeroed in on “FORCEDENTRY,” an exploit for a vulnerability used to break into a victim’s device and install NSO Group’s Pegasus spyware product.

The company accused attackers of creating Apple IDs to send malicious data to a victim’s device, which then allowed NSO Group or its clients to surreptitiously deliver Pegasus.

“On information and belief, Defendants provide consulting and expert services to their clients, assist them with their deployment and use of Pegasus, and participate in their attacks on Apple devices, servers and users,” according to the complaint. Although Apple has not observed any evidence of successful remote attacks against devices running iOS 15 or later, it said that each attack carries substantial costs for the company, including the necessity to redirect resources.

“In the meantime, on information and belief, Defendants continue with their pernicious efforts to target and harm Apple and its customers by infecting, exploiting, and misusing Apple devices and software,” said the complaint.

The company also announced that it would be contributing any damages from the lawsuit, plus an extra $10 million, to organizations pursuing cybersurveillance research and advocacy.

“At Apple, we are always working to defend our users against even the most complex cyberattacks,” said Ivan Krstic, head of Apple Security Engineering and Architecture, in a statement.

“The steps we’re taking today will send a clear message: In a free society, it is unacceptable to weaponize powerful state-sponsored spyware against those who seek to make the world a better place.”


Nation-states have increasingly relied on sophisticated software to carry out governmental objectives.

As Errol Weiss, H-ISAC chief security officer, pointed out in an interview with Healthcare IT News earlier this month, cyber-offensive capabilities have now become the norm, not the exception.

“A few years ago, you could count maybe a few dozen countries that had a decent, offensive cyber capability. And now it’s probably the opposite,” he said. The U.S. government has raised the alarm about these developments, most recently regarding an Iran-sponsored hacker group targeting healthcare.


“Our threat intelligence and engineering teams work around the clock to analyze new threats, rapidly patch vulnerabilities, and develop industry-leading new protections in our software and silicon,” said Apple’s Krstic in a statement.

“Apple runs one of the most sophisticated security engineering operations in the world, and we will continue to work tirelessly to protect our users from abusive state-sponsored actors like NSO Group,” he said.

Kat Jercich is senior editor of Healthcare IT News.
Twitter: @kjercich
Healthcare IT News is a HIMSS Media publication.


French Researchers Reveal Chatbot Skills to Override Vaccine Hesitancy



A team of French cognitive scientists has addressed the urgent issue of vaccine hesitancy within many EU countries and proposes a new approach. With a study published in October this year, the researchers successfully demonstrated that the reluctance to be vaccinated could be decreased by deploying chatbot technology.


The chatbot study involved researchers from the Centre National de la Recherche Scientifique (CNRS), the French National Institute of Health and Medical Research INSERM and ENS-PSL.

The study, published in the Journal of Experimental Psychology: Applied, found that interaction with a chatbot developed by CNRS, ENS-PSL and INSERM was able to reduce vaccination refusal by 20 per cent within a test group of 338 participants.

In the control group, which received only brief information about the COVID-19 vaccination, there were no comparable results in terms of general views and willingness to vaccinate.


Although nearly three-quarters of all adult Europeans are now fully vaccinated against COVID-19, there remain huge disparities in vaccination rates across countries.

According to the vaccine tracker of the European Centre for Disease Prevention and Control (ECDC) as of 25 November 2021, individual EU countries such as Portugal (81.5 per cent), Ireland (76.2 per cent) and Denmark (76 per cent) have already made great progress in immunising their populations with a full COVID-19 vaccination, while the vaccination rate of other countries such as Germany, France or Austria continues to stagnate at below 70 per cent.

In other parts of Europe, especially in the south-west, the vaccination rates are significantly lower than 50 per cent. In Slovakia (45.7 per cent), Romania (37.3 per cent) and Bulgaria (24.7 per cent), very few people have received the double COVID-19 vaccine dose.

These vaccination backlogs are not only due to vaccine shortages, but in many cases a result of existing scepticism of many Europeans.

The researchers from France now hope that technology-based communication, such as chatbots, could have a positive impact on these figures in the future.


“It remains to be shown whether the effects of chatbot interaction are lasting, and whether they are the same across age groups, and among those most resistant to vaccination”, emphasised the authors of the study, whose participants were predominantly young and well-educated.

They added: “Half of the experimental group later tried to persuade others to get vaccinated, with three-quarters of them stating they drew information provided by the chatbot to do so.”


Roundup: Medanta Adopts’s X-ray Software, India to Open a Medical Cobotics Centre, and More Briefs



Medanta taps for AI-driven chest x-ray analysis

Medanta, a multi-speciality medical group in India, has partnered with to implement the latter’s artificial intelligence software to enhance chest x-ray analysis.

The hospital group will be adopting the qXR software which automatically analyses chest x-rays and spots findings for better diagnosis and treatment. The AI tool can detect 30 abnormalities of the lungs, pleura, heart, bones and diaphragm.

“Medanta strives to deliver world-class healthcare through its high-end medical equipment and superior infrastructure. State-of-the-art technology is an essential aspect of healthcare delivery,” Dr Naresh Trehan, chairman and managing director of Medanta, was quoted as saying in a news report.

The software has also been adopted by Fujifilm Corporation for its portable X-ray FDR Xair system. Through its recent partnership with AstraZeneca Malaysia, the startup has brought its x-ray software to some primary care clinics in Malaysia to support the early detection of lung cancer there.

Medical cobotics centre to be launched in India

The I-Hub Foundation for Cobotics at the Indian Institute of Technology – Delhi (IIT Delhi) and iHub Anubhuti at the Indraprastha Institute of Information Technology – Delhi (IIITD) have signed a memorandum of understanding to set up India’s first medical cobotics centre.

The two government-backed university technology hubs have been developing advanced technologies in robotics and collaborative robots (cobotics), digital health, sensing and computing technologies for robotic-assisted surgeries, training, and medical procedures.

According to a press statement, the Medical Cobotics Centre (MCC) at IIITD will be a tech-enabled medical simulation and training facility for young resident doctors, as well as other healthcare professionals, paramedical staff, technicians, engineers, and researchers.

It will also serve as a validation centre for research outcomes in the area of healthcare cobotics and digital health. This upcoming facility will establish partnerships with companies, undertake research, and work toward the commercialisation of technologies.

MCC’s training programmes will be at multiple levels and cohort-specific, such as urology, neurology, and laparoscopy, but will be initially limited to minimally invasive surgeries. Experts from the All India Institute of Medical Sciences in New Delhi and other medical colleges will be consulted for these programmes and invited as guest faculty to conduct them.

The first batch of trainees is targeted to be inducted around April-May next year. They will be initially trained with basic training simulators while advanced surgical robots will come in the next phase.

Moreover, the centre will also be a place for various technology innovation hubs under the Indian government’s National Mission on Interdisciplinary Cyber-Physical Systems to “showcase their medical-related projects and products with applications,” according to IHFC CEO Ashutosh Dutt Sharm and IHFC Project Director Subir Kumar Saha.

Philips Foundation backs cardiac rehab programme in Singapore

Philips Foundation is funding one of the centres run by social service agency Singapore Heart Foundation that provides subsidised cardiac rehabilitation services.

The year-long project of Royal Philips’ non-profit organisation aims to reduce the mortality rate of cardiac incidences and help lower a patient’s risk of hospital readmission.

Specifically, it intends to close the gap created by patients’ low participation in rehab programmes, which is considered a major barrier to the secondary prevention of heart disease. It was reported that only 6% to 15% of Singaporean patients attend cardiac rehabilitation programmes.

The SHF-Philips Foundation Heart Wellness Centre is one of the social service agency’s three centres that provide cardiac patients and at-risk individuals with access to heart health services.

Philips’ support, according to SHF Heart Wellness Centres Chairman Dr Tan Yong Seng, will provide SHF with the “resources required to continue providing affordable and quality support to the patients in need, as well as give our team the capacity to focus on raising awareness on the importance of cardiac rehab[ilitation] and drive higher participation in our programmes”.

Under the partnership, 20 sites in Singapore will be equipped with the Philips HeartStart automated external defibrillators (AED) and 500 persons will be trained in giving cardiopulmonary resuscitation (CPR) and AED over a year.

“Through the heart wellness centre’s education initiatives, the AED roll-out and the CPR training, we want to equip individuals and communities with the knowledge and resources to reduce the mortality rates of cardiac incidences in Singapore,” Philips Singapore Country Manager Ivy Lai said.
