
Is it time for more regulation with Josh Corman – Ep 416 

July 21, 2023

By Donna Grindle

In the epic battle between cyber threats and the healthcare industry, it’s the patients who suffer the most. There is an urgent need for new regulations in the healthcare industry to address the challenges posed by outdated technology and cybersecurity threats. Today, we talk with Josh Corman about the need for cybersecurity to protect hospitals and ensure the safety of critical healthcare functions.


Today’s Episode is brought to you by:

Kardon

and

HIPAA for MSPs with Security First IT

Subscribe on Apple Podcast. Share us on Social Media. Rate us wherever you find the opportunity.

Great idea! Share Help Me With HIPAA with one person this week!

Learn about offerings from the Kardon Club

and HIPAA for MSPs!

Thanks to our donors. We appreciate your support!

If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com

Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA


[02:51] We had Josh Corman on the show back in 2021 (CISA Interview – Ep 327) when we talked with him about CISA and the information and freely available services it provides to help protect healthcare businesses and other organizations within the nation’s 16 critical infrastructure sectors from cyber attacks. Today, Josh wears a lot of hats, but joins us more in a personal capacity to delve into the pressing issue of healthcare cybersecurity and the need for new regulations to address cybersecurity challenges.

A little background on Josh. He founded IAmTheCavalry.org, a nonprofit organization of hackers trying to save lives. He worked with CISA to design emergency services for the COVID task force and is a collaborator in the CyberMed Summit, where they run ER hacking simulations with physicians and hospital administrators. His day job consists of leading Claroty’s cyber safety efforts, which includes work on industry standards such as the minimum cybersecurity hygiene requirements for medical device manufacturers to provide a Software Bill of Materials (SBOM) to the FDA, one of the provisions introduced as part of the PATCH Act. We appreciate Josh taking time to talk with us.

Where Do We Stand?

The healthcare industry faces significant challenges, including outdated devices and multiple systems that require seamless communication. Outdated technology is just one example of the complexities healthcare professionals encounter. It’s crucial for stakeholders to find common ground in order to tackle cybersecurity threats effectively and minimize disruptions to patient care.

[20:34] Josh’s 5 things to make hospitals as safe as possible:

  1. Let’s assume that the hijackers can get on the planes, like they did on 9/11, but let’s make sure they don’t get in the cockpit. What are the steel-reinforced cockpit doors for health care?
  2. Not every hospital and not every region has equal risk. Some cities have ample alternative care options, but in rural areas there are little to no proximal alternative care options. Those need outsized assistance and investments to make sure they don’t go down.
  3. We have to prioritize the assets. There are some very time-sensitive, latency-sensitive systems for heart, brain and pulmonary treatment, or things that directly touch humans, where we’re still running FDA-recalled devices that aren’t safe to run.
  4. We need more emergency response and relief, potentially from organizations such as CISA, FEMA and ASPR, to help decrease the average downtime experienced from a cyber attack.
  5. We have more financial and regulatory incentive to keep general accounting practices trusted and trustworthy than we do to keep people alive. Let’s try to make emergency relief available in the meantime while we build up mandatory minimums and the funding to meet those mandatory minimums.

[29:58] We’ve discussed before how the US government has identified the 16 critical sectors, and healthcare and public health is one of them. But within that there are 55 National Critical Functions, four of which affect the nation’s hospitals.

  1. Protect Sensitive Information – i.e. PHI
  2. Maintain Access to Medical Records – availability of records
  3. Provide Medical Care – getting timely access to patient care where you need it
  4. Support Community Health – broader public health planning and regional resilience and its cascading effects

Ransomware has now affected all four of these critical functions, but regulatory responses have not kept up and we’ve got to make changes soon.

What Should Be Done? Where Do We Start?

[40:39] In our discussion with Josh, several ideas for ways to help were kicked around. In the initial stages, the focus should be on mandatory minimums and the budgets to make sure that if one hospital goes down, you don’t have to travel three-plus hours to the next nearest alternative care. There’s a lot more we’d have to do beyond that. But on the worst day of a ransomware attack, still delivering time-sensitive patient care is crucial.

There has to be a balance of prevention and response; we can’t worry about just what’s cheap, easy and doable. We need really meaningful ideas and an appetite to accept some change. We need ideas, critical thinking, open minds, and everyone coming at this in good faith. We’re at the point now where we’ve got to wrestle with some hard stuff, and it may, in fact, create some political will to fix or shore up these rural hospitals from all hazards, not just the cyber one.

Privacy and security is a chronic condition you treat, not a project you complete.

The importance of cybersecurity in healthcare cannot be overstated. We must come together as a community to address the challenges and find effective risk reduction strategies for the healthcare industry. We need new ideas and meaningful changes so that we can collectively work towards resilient and safe hospitals that prioritize patient privacy and deliver the highest quality care.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!

HIPAA is not about compliance,

it’s about patient care.™

Special thanks to our sponsors Security First IT and Kardon.
