Mon. Dec 23rd, 2024


Closing cybersecurity loopholes — lessons from the US

Gregory Garcia* is a cybersecurity specialist and the Executive Director of the Health Sector Coordinating Council Cybersecurity Working Group. As the nature of cybersecurity risks continues to evolve, how is the US health sector tackling risks? What could Australia learn from its approach? Read on to find out.

Gregory Garcia was once the most senior cybersecurity professional in all of the United States. Appointed by President George Bush in 2006, Garcia spent two years pre-empting and mitigating threats for the US Department of Homeland Security, where he supported the country’s critical industry sectors.

However, it was his later experience in health care that would humble him the most. Now, in a more sophisticated threat landscape, Garcia finds himself contending, daily, with the possibility of entire hospitals being seized for seven — sometimes eight — figure ransoms.

“The stakes are just so high in healthcare. And malicious actors are of course attracted to this because, when patient safety is at stake, it is more likely their financial demands will be met.

“All they have to do is hack your system, install a ransomware, and they can shut down your electronic health records, your critical software, you name it, until a hefty ransom is coughed up.”

The threat is pertinent to Garcia on a personal level, having watched close friends narrowly miss catastrophe from malicious attacks on hospitals.

Closest to home was a major ransomware attack which took down one third of America’s health care system in February 2024, at the same time his wife was receiving hospital care.

“It turned out the hospital she was attending did not use the affected software — but I didn’t know that at the time, so it was scary.

“It’s frightening when malicious actors attack systems designed to keep people safe — when cyber security crosses into the physical realm.”

With this in mind, Garcia — who is now Executive Director at the Health Sector Coordinating Council Cybersecurity Working Group — has not had time to sleep on his strategy.

“Whether it is nation states, criminal groups, or teenagers in their mum’s basement, adversaries are innovative,” he said.

“They will exploit any weakness you have — so you can’t rest.”

Whole of organisation input

One of his strategic priorities is to mobilise leaders from across the organisation, not just in IT.

“Today’s threats are a shared challenge and responsibility, which permeates into the C-suite. It is simply part of broader enterprise risk management.

“If we confine it to the IT department, we won’t be able to tackle it. It requires a whole-of-organisation input, and a security culture that trickles down from the top.”

While leaders from across the organisation might not understand the technicalities of product security features, Garcia said they can certainly demand them from technology vendors.

“At present, many vendors treat security as an add-on, sometimes charging high prices on top of the initial product cost. Too often, I see healthcare procurers turning down these add-ons due to resource constraints.

“But my advice is to always demand them, no matter how tight your budget. If you can’t afford product security, then you can’t afford the product.”

Cutting through the literature

A challenge in involving the broader executive team is the noisiness of the cyber security landscape.

Garcia says that, to non-specialists, the sheer volume of advice can be overwhelming, leaving leaders unclear on which direction to take.

“There are a lot of resources out there. We’ve published 28 guidance documents over the past eight years — and we are not the only ones. In some ways, there is just too much information.

“For health systems, whether you are a small rural clinic, or a large urban integrated system, you need to be clear on best practice.

“So, as IT leaders, we need to find ways to engage the C-suite and senior management teams. Help them understand cyber risk, so they can develop a cybersecurity, sign off on larger purchases, demand security features, and audit them for efficacy.”

A further challenge is the constantly evolving nature of cybersecurity guidance. What was best practice last week, might not hold relevance today, Garcia said.

“You can’t just get your team to do a quick course and move on. Once a cybersecurity loophole becomes known to hospital staff, attackers know they can no longer use it, so they find and exploit another one. As a hospital leader, I’d be holding weekly meetings with staff to discuss cybersecurity.”

Government input

While measures at the organisation level can make a difference, Garcia said they are not enough. In the US, he — and other advocates — are calling for a public cyber health strategy, and encourage Australia to do the same.

“Even in a government-centric health system like Australia, this is a crucial step forward,” he said.

Additionally, countries will need to build resilience in their international supply chains, whether though market influence or reach.

“In the US, we are still shoring up our operational security at a domestic level, but a coherent, sector-wide approach is something we are working towards. I recommend Australia keeps up with its work in this space too.”

*Gregory Garcia recently presented at The Australia Centre for Value-Based Health Care’s event on cyber safety, organised in collaboration with CyberCX. The Centre is part of the Australian Healthcare and Hospital Association (AHHA).

Image caption: iStock.com/Nutjaree Yomjun

Leave a Reply

Your email address will not be published. Required fields are marked *