Booker, a former CISO at UnitedHealth Group, says the attack is also a stark reminder to healthcare organizations to “make sure you’re focusing on the basics and key security measures, like multifactor authentication, have them where you need them, which is everywhere, and have and how to know that what you are doing is right, have the power to confirm that your things are working.”
It calls on many health care organizations to strengthen security
The authors of the HIMSS report also called for more to be done, for example, writing that “although almost two-thirds of respondents indicated that their board of directors are regularly informed about cybersecurity risks, this number needs to be higher. Ideally, many health care organizations will embark on an accelerated journey to inform their boards of directors regularly.”
The authors also called for the need for more risk management: “Less than half of the respondents (41.92%) in this study indicated that their organization has established a cybersecurity supply chain risk management plan. The rest of the respondents (58.08%) indicated that they did not have such a plan or were not sure. The risk of not having a robust cybersecurity supply chain management system is that there may be too much dependence on a single vendor or supplier.”
And HIMSS officials are advocating for healthcare organizations to adopt the NIST Cybersecurity Framework Version 2.0 and the US Department of Health’s recently released voluntary cybersecurity performance goals (CPGs).
Others agree that such a move must happen — and happen quickly.
Sen. Ron Wyden, a Democrat representing Oregon and one of many US lawmakers calling for more scrutiny of UHG after the attack, criticized the slow pace of action. He blamed the Biden administration’s timeline for imposing health care laws — saying the end-of-year goal was too far off.
“Every new blow hammers the need for mandatory cybersecurity standards in the healthcare sector, especially when it comes to large companies that millions of patients rely on for care and treatment,” Wyden said in a statement to CSO. “Without action, patients’ access to care and their health information will be compromised and hacked again and again.”
Weiss says healthcare security leaders and other industry executives got that message and are working to learn from the Change Healthcare incident and implement additional security measures to improve their security posture and resilience.
Benjamin Luthy, director of the cybersecurity program and assistant professor at Champlain College Online, says it’s a useful activity: “Everyone can learn a lesson; anyone leading a security or information technology program can learn from this.”