With targets on their backs, healthcare CISOs fight to protect data

CHICAGO — Healthcare chief information security officers (CISOs) know their organizations offer an appealing target for cybercriminals – and they’re doing everything they can to avoid being the next victims, according to a panel speaking during Advisen’s Cyber Risk Insights Conference here.

Panelists described the many moving parts to their organizations, with hundreds of healthcare professionals requiring access to sensitive information, cross-border compliance issues, legacy IT systems and medical devices, and vast networks of third-party partners.

“It’s really hard to go to a doctor who’s an expert in his field and say he needs to get rid of his X-ray machine that runs on Windows XP or Windows 98 when he says that’s the system that gives him the image he needs to save the patient,” said Robert Hill, CISO of the Mayo Clinic.”
The recent WannaCry ransomware attack gave healthcare institutions a wake-up call that cyber problems aren’t likely to go away any time soon.

“It was mind-blowing the last four or five days,” said Jerry Sto. Tomas, who said he had been involved in US Health and Human Services discussions on the massive global attack. He explained that while his organization wasn’t affected, an opportunity exists for the cyber insurance industry to help small and middle-market healthcare entities avoid falling victim to similar attacks.

Dealing with social engineering is “all about training,” said Hill. Mayo Clinic conducts monthly and occasionally weekly tests to see if employees will click on phishing links.