‘Voluntary practices’ in healthcare insufficient for its dependence on legacy tech

Josh Corman, founder of I am the Cavalry, testifies May 18 at a Senate hearing in Washington.
Although Congress, regulators and healthcare leaders are doing “many correct things," the current state of “voluntary practices, where we take our time, have not proven sufficient to transcend the market failures,” Josh Corman, founder of the voluntary organization of security professionals I am the Cavalry, told the Senate Health, Education, Labor, and Pensions Committee on May 18.

The course of the pandemic and the strain it placed on healthcare reinforced that cybersecurity is indeed a patient safety risk. Corman put it simply: the sector is “over-dependent on underdeveloped technologies.”

“Our dependence on connected technology was growing faster than our ability to secure it, in areas affecting public safety, human life and national security,” said Corman.

Connected technology promised immediate, obvious benefits, which drove rapid adoption. The delayed consequences of those choices are much harder to see at the time they are made. The result is an awareness and adoption gap. Healthcare “organizations are target-rich but cyber-poor,” said Corman. “They lack the resources to do minimum hygiene.”

Despite the significant number of resources available from the government and from a range of security leaders, there simply isn’t “sufficient reach to these cyber-poor [organizations]. They don't participate. They don't have CISOs yet and don't participate in Health-ISACs or other information sharing groups,” he explained.

Health-ISAC President and CEO Denise Anderson concurred, noting that one of the sector’s biggest obstacles is education. Many of those entities don’t know the benefits of the services provided by threat-sharing groups, including the host of free services and resources.

The situation is vastly different from the financial services sector, where the Department of the Treasury provides a great deal of support, including proposed checklists for financial firm audits, Anderson explained. Once that sector became aware of those resources, there was a “tsunami” of people joining the ISAC.

Right now, in healthcare, “it’s just not effective,” she added. “But I do believe that if we can educate, that would be a huge, great thing to do.”

As it stands, many providers don’t know what those groups are, or which agencies can get them the help they need. Corman noted that once these entities are engaged, it’s possible to work with them at their current skill level “with empathy, to get them to crawl, walk, run.”

Some strong progress has been made across the sector and the government, but “much more substantive action” is needed to “stem the bleeding in the foreseeable future,” he explained. For one, “one of the top ways to reduce risk is to reduce complexity.” “It's not always defending indefensible things: It's having a more defensible, simpler infrastructure,” he added.

But none of this will be effective if guidance is given only as advice or as a voluntary action. Years after the release of multiple voluntary federal guidelines, adoption of these security standards is low and the majority of healthcare organizations are still struggling to keep pace.

If Congress wants action, entities must be incentivized to act: “we need sticks and carrots,” said Corman. The comments echo an earlier statement from Christian Dameff, MD, emergency room physician and security researcher at the University of California San Diego Health.

“If we're going to offer safe harbors, they should be tethered to an attestation about your current state of practice against such a framework tool,” Corman added.