AI ransomware attacks, proposed HIPAA changes spark concern for one security pro

Healthcare cybersecurity is a complex proposition, to say the least.
CISOs, CIOs and other information security leaders once worried simply about ensuring strong network security and preventing lost laptops.
Now they have many new challenges to deal with, as the nature of the threats – and the organizational landscape – grows more complicated by the day.
AI-driven ransomware attacks, the proposed HIPAA Security Rule updates and mitigating third-party vendor risk are three issues in particular that concern one security expert.
Barry Matisis is managing director of IT advisory consulting at PYA, a healthcare consulting firm. He has approximately three decades of experience in the IT and healthcare industries as a director, IT audit director and IT risk management consultant.
Healthcare IT News spoke with him recently to get his views on these concerns and others.
Q: With the emergence of AI tools such as FraudGPT and WormGPT, there is a shift in which non-technical criminals can launch highly effective ransomware and phishing attacks. How is this democratization of cybercrime changing the threat landscape, especially for healthcare organizations, and what can be done to stay ahead of these advanced threats?
A. As someone who has spent a career in healthcare IT, I have seen the evolution of cyberthreats firsthand. But the emergence of AI-driven ransomware is unlike anything we have faced before.
Tools such as FraudGPT and WormGPT lower the on-ramp for cybercriminals, allowing even those with minimal technical skills to launch successful attacks. In healthcare, where patient safety and data security are paramount, this is especially dangerous.
Nearly 400 U.S. healthcare organizations were ransomware targets in 2024 alone, with attackers exploiting vulnerabilities in Internet of Things devices and legacy infrastructure. The use of AI for automated vulnerability discovery means attackers can now identify and exploit weaknesses faster than ever.
Although I have seen a noticeable increase in hospitals and health systems investing in cybersecurity protection, I am still concerned by the number of healthcare organizations that remain ill-equipped to deal with modern cybersecurity threats. Despite long-standing awareness of these risks, I still encounter health systems that lack both the infrastructure and the internal safeguards to stop data breaches.
Worryingly, many do not have clear protocols to restrict unauthorized access. From my audit and assessment work, a familiar pattern emerges. Hospitals pour resources into digital health initiatives such as electronic records and mobile applications, but overlook basic security practices. Fundamental problems such as misconfigured endpoints, outdated software and insufficient recovery planning remain throughout the industry.
Artificial intelligence should not be viewed only as an attacker's advantage. It has strong capabilities to reinforce defense. Unfortunately, most health systems have not yet harnessed this capability.
In answering this question, one of my favorite TV ads comes to mind. It features a bank security guard who simply tells the customers that the bank is being robbed. While they expect the security guard to do something about the robbery, he explains that his job is only to monitor.
Healthcare organizations should take a closer look at their current security frameworks and move toward more advanced and adaptive protection. This includes deploying trusted AI-driven tools to detect and respond to threats, applying virtual patching solutions to protect legacy systems that cannot be easily updated, and running regular simulation exercises to test incident response readiness.
As cyberthreats continue to grow in complexity and speed, defensive strategies must shift from reactive to preemptive. Incorporating intelligent, proactive security measures is no longer optional – it is necessary for resilience.
Q. The proposed updates to the HIPAA Security Rule aim to strengthen protections for electronic protected health information. Beyond compliance, how do these changes reflect a broader shift in how healthcare organizations approach cybersecurity in an increasingly hostile digital environment?
A. The proposed updates to the HIPAA Security Rule are long overdue and reflect a growing recognition that the healthcare sector is under attack. As a former CIO and IT professional, I have always viewed HIPAA not only as a regulatory requirement, but as a foundation for community and patient trust.
These new changes aim to modernize protections for electronic protected health information, particularly in light of evolving and increasing cyberthreats. But the real question is: Will institutions treat this as a compliance checkbox or as a catalyst for real change?
The proposed updates place a strong emphasis on risk-based security practices, incident preparedness and oversight of third-party relationships. These are areas where many healthcare organizations continue to struggle.
Over the past three decades, I have seen countless examples of outdated risk assessments and generic policies that fail to account for real-world threats. HIPAA's changes appear to encourage a move toward continuous risk assessment and more flexible, responsive security strategies.
With cyberthreats evolving rapidly, especially with the rise of AI-driven attack methods, rigid, checklist-style compliance approaches are no longer sufficient, nor fully acceptable, based on my personal interactions with Health and Human Services investigators.
Regardless of how the final rule is structured, the underlying message is clear: cybersecurity must be treated as a core responsibility across health systems. This requires active participation from leadership, collaboration across departments, and a sustained commitment to upgrading both tools and skills. Meeting minimum standards is not enough.
Those who merely check the boxes will fall behind, and they will become victims of cyberattacks as well as defendants in civil and federal investigations. The organizations that succeed will be those that view security as a driver of long-term stability and operational strength, not just a task for compliance teams.
Q: Even with strong cybersecurity controls, healthcare providers often face risk from third-party vendors. As these vendors become more integrated into healthcare operations, what strategies should organizations adopt to ensure their extended digital ecosystem does not become their weakest link?
A. Third-party vendors often represent the most significant weakness in a healthcare organization's cybersecurity defenses. Even a well-secured hospital can be put at risk by control gaps when interacting with external vendors.
In my experience leading IT operations and audits, I have repeatedly encountered unaddressed lapses in vendor safeguards, such as unprotected systems or unmonitored access, that created a clear path for unauthorized access.
For example, an entire hospital and more than 600 systems were taken out of service for more than a month, requiring a complete rebuild from scratch. The root cause of that breach was a single unsecured server used as a support gateway for an external third-party vendor.
As health systems adopt more digital tools, from cloud infrastructure to virtual care and remote monitoring, these exposure points multiply and require clearer oversight than ever.
One of the ongoing issues in healthcare security is the lack of a structured approach to managing the risk associated with external vendors.
Although some institutions may perform an initial review before onboarding a vendor, consistent follow-up is often missing. As digital environments grow more complex, with connected devices and shared smart systems, this lack of oversight becomes a growing problem.
From what I have seen, managing these risks effectively takes more than a one-time examination. It requires a comprehensive process: a thorough evaluation before engagement, clear security terms in contracts, active oversight during the partnership, and coordination when incidents occur.
Regardless of regulatory or other external pressures, healthcare organizations must treat third-party vendors as extensions of their own infrastructure. This means integrating them into security awareness training, requiring proof of regular independent assessments or certifications, and using data-driven automated scoring systems that assess vendors' cybersecurity posture.
As vendors become more integrated into care delivery, their security becomes your security. Organizations that recognize and act on this will be in a much better position to protect their patients and their reputation.
Follow Bill's HIT coverage on LinkedIn: Bill Siwicki
Email him: [email protected]
Healthcare IT News is a HIMSS Media publication.