HL: What is NCSA’s big call to action?
Coleman: Right now, the big call to action is update, update, update. The telehealth industry relies on a lot of legacy systems, and we need to be able to update the systems and come into a much more modern era. The healthcare industry, particularly telehealth, relies on connected devices. The call to action for a lot of these healthcare providers is to come into the 21st century, getting rid of legacy programs. Some of them are still running Windows 7. There’s absolutely no excuse for that. 83% of imaging devices run on outdated operating systems like Windows 7. So that’s the first call to action.
The second call to action is an overwhelming show of force as it relates to training and awareness. That’s still a big piece of what we do in terms of making sure folks stay safe in a physical security environment, when it comes to active shooters. We train people how to deal with that situation. When a fire comes, everyone knows what to do during a fire drill. When it comes to bad weather, inclement weather, you know what to do during that drill. Well, in the same way, people need to be trained in technology, to be sure that they understand what to do during a potential hack. That same training program, we’re absolutely advocating for healthcare providers. Those two things alone will get us a long way to realizing a safer environment: updating legacy systems and certainly enacting a very robust training and awareness program.
HL: With all the attacks that have taken place, particularly ransomware, is it possible people are experiencing “security fatigue,” in a fashion similar to COVID fatigue?
Coleman: We know hospital systems have been hacked. We know that some have been held hostage by ransomware. And so the fatigue is really almost irrelevant because you’re protecting patients’ information. You’re protecting the integrity of what you’re doing as a healthcare provider. I would imagine when the seatbelt campaign started, decades ago, some would have said having seatbelt fatigue is kind of over the top. Well, we now know that it’s a regular part of life. All these public service announcements can perhaps tire you out, but are very much needed. We have to continue to imprint upon people that this is just where we are today. Change the culture on how people see this.
HL: The SolarWinds hack took place way upstream in the supply chain. Certainly people are becoming aware of that kind of attack, but the potential for harm far outstrips the ability of a lot of end users somewhere to actually do anything about it. Can you share your thoughts?
Coleman: Make sure whatever third-party vendor you’re dealing with has just as robust of a security policy as you have for yourself. Robust passwords, multi-factor authentication, while these things aren’t very exciting, they’re very effective for the end user to better protect themselves and their organization against attacks.
HL: Regarding security, what three things should leadership in healthcare focus on first?
Coleman: You can put in a training and awareness program tomorrow. Make sure you have a robust, thorough password and multi-factor authentication policy. Finally, start to identify your legacy systems. Again, that’s easy enough to do. Those three things alone will get you a long way, in terms of helping your system.
HL: When an organization gets attacked, it can be quite useful for that information to be shared with other similar organizations. How do you score healthcare today in terms of reporting and sharing information on hacks and threats? Are those people stepping forward in meaningful amounts to share that information?
Coleman: They’re getting much, much better at just sharing this information. You look at the health IT sector, ISAC, and other organizations, they are really on board with making sure everyone is protected. So yeah, they’re getting much better.
HL: While there’s certainly never going to be a day when there will be no attacks, will we flatten the curve of attacks at some point, or is that unrealistic?
Coleman: Yes. Not unrealistic at all.
HL: So when will that happen?
Coleman: We are heading in that direction. Y2K was only 20 years ago. After that particular time, the technology revolution really took off. In the next iteration, security is going to be very top of mind, because organizations realize that it’s a business case. If I don’t feel comfortable that you’re going to keep my information safe, or keep my account safe, with [the] potential to be hacked, I’m probably not going to do business with you.