Today’s interconnected and digitized world – coupled with ever more sophisticated cyberattacks – exposes new security vulnerabilities and requires healthcare organizations to reevaluate their cyber posture.

As senior principal cybersecurity engineer at MITRE, a federally funded nonprofit research organization, Margie Zuk is one expert who CISOs, CIOs and other IT and security leaders can learn from when it comes to cybersecurity strategy.

Zuk will be speaking at the HIMSS 2023 Healthcare Cybersecurity Forum in a panel session next month focused on rethinking new approaches to cybersecurity for a fast-evolving threat landscape. Other members of the panel include Terri Ripley, CIO at OrthoVirginia and Joseph Cuozzo, VP of IT at Richmond University Medical Center.

We interviewed Zuk to get a sneak peek at her presentation and learn some of her thoughts on overhauling a healthcare cybersecurity strategy in the midst of a wildly changing environment.

Q. Why do you think most healthcare provider organizations need to revamp their cybersecurity strategy today?

A. With an exponentially increasing system of connected devices, cloud connections and third-party dependencies, healthcare and public health have become the most targeted critical infrastructure sectors.

The ripple effects on healthcare delivery organizations and patient safety from cyberattacks are felt not only at the healthcare delivery organization experiencing the cyberattack, but also at other healthcare delivery organizations in the region.

Given that disruptions in clinical care can take weeks or months to fully recover from, it is important that healthcare delivery organizations integrate cybersecurity into their organizational emergency response plans to prepare for cyberattacks and the resulting clinical impact.

In support of the FDA, MITRE engaged with a broad range of stakeholders across the health sector, including healthcare delivery organizations, medical device manufacturers, and state, local and federal government organizations to understand the gaps and challenges, particularly the unique challenges of securing medical devices with their critical role in delivering clinical care.

The resulting Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook was initially produced in 2018 after the WannaCry attack, and was updated in 2022 to reflect the most up-to-date best practices and resources. The playbook:

• Provides baseline medical device cybersecurity information that can be incorporated into a healthcare delivery organization's emergency preparedness and response framework.
• Outlines roles and responsibilities for responders internal and external to the healthcare delivery organization to clarify lines of communication and concept of operations across healthcare delivery organizations, medical device manufacturers, state and local governments, and the federal government.
• Describes a standardized approach to response efforts that helps enable a unified response within healthcare delivery organizations and across regions as appropriate.
• Serves as a basis for enhanced coordination activities among medical device cybersecurity stakeholders, including mutual aid across healthcare delivery organizations.
• Informs decision-making and the need to escalate response. Identifies resources healthcare delivery organizations may leverage as a part of preparedness and response activities.
• Serves as a customizable regional preparedness and response tool for medical device cyber resiliency that could be broadly implemented.

Q. Please choose one of your recommendations around revamped medical device security and talk about it a bit.

A. Cyber threats affecting medical devices could impact continuity of clinical operations for patient care and patient safety. Hence, preparedness activities related to medical devices are absolutely critical to clinical continuity.

The playbook outlines medical device-specific preparedness activities, including medical device procurement, medical device asset inventory, hazard vulnerability analysis and integrating medical device cybersecurity into incident response plans and command structures.

It is critical to exercise any and all preparedness plans, such as emergency operations plans and incident response communications plans, to ensure staff know how to execute them and identify gaps in the plans.

The playbook treats cybersecurity as a hazard and discusses how to include cybersecurity into all-hazards preparedness and response exercises. One distinct feature of cyber incidents is, because they have widespread impacts across the healthcare delivery organization, downtimes are substantially longer than with most other hazards, so exercises should be designed to test extended downtime procedures.

It is important to include a cross section of healthcare delivery organization stakeholders – from the emergency management organization, the healthcare technology management team that manages medical devices, and the information technology department, including security, to medical device manufacturers and other third-party vendors – in preparedness exercises.

Q. Please select one of your recommendations around revamped incident preparedness and discuss that in a little detail.

A. "Develop mutual aid agreements with regional partners for medical device cybersecurity, or supplements as part of broader incident response mutual aid agreements – to include loaner devices, diverting patients to a facility with operational devices and incident response assistance."

This recommendation is part of a broader plan for establishing regional coordination in preparation for a cyberattack that results in extended downtimes and diversions of patients to other healthcare delivery organizations in the region.

Healthcare delivery organizations should establish POC names and contact information with regional partners, conduct joint regional resiliency exercises, and share cybersecurity advisories, alerts and best practices with regional partners.

Healthcare delivery organizations should also develop incident notification procedures among regional partners, including alternate communications mechanisms to prepare for diversions that result from a cyberattack.

It probably goes without saying, but the level of detail should be minute and consider situations as basic as, "If email or contact databases are inaccessible, do we have appropriate contact information stored offline or even on paper as a fail-safe?"

A recent study by the University of California at San Diego highlights downstream patient safety impacts that can result from a cyberattack on a regional partner. We have seen a growing number of regional partnerships forming to conduct regional resiliency exercises across healthcare organizations to prepare for the regional impacts of cyberattacks.

Healthcare delivery organizations regularly exercise for mass casualty and other clinical events – and that same type of focus and rigor should be applied to preparation for a cyberattack. With patient safety potentially on the line, it’s something our community can’t focus on enough.

Zuk's session, "Revamping Your Cybersecurity Strategy for 2023 and Beyond," is scheduled for 12:45 p.m. on Friday, September 8, at the HIMSS 2023 Healthcare Cybersecurity Forum in Boston.

Follow Bill's HIT coverage on LinkedIn: Bill Siwicki
Email him: bsiwicki@himss.org
Healthcare IT News is a HIMSS Media publication.