Health Care Cybersecurity Will Need to Keep Pace with Innovation to Combat Threats

Digital modernization is helping agencies adapt to a faster, more connected and digitized world. However, as agencies modernize and streamline assets, the threat and potential damage that bad actors can wreak on data becomes greater.

Amber Pearson, deputy CISO and executive director of information security policy and strategy at the Department of Veterans Affairs, spoke at GovCIO Media and Research’s Health IT Summit about how databases are digitizing while ensuring their data remains secure as cybercrime strategies evolve.

Pearson said that some of the greatest threats that agencies face are malware and ransomware attacks, and cybersecurity will need to keep pace as technology evolves and as agencies adopt zero-trust principles.

“We’re seeing an advancement in all health care technology. We have mobile wearable health care devices. When you think about that, that increases the attack surface,” Pearson said at the event. “Cybersecurity has to move at the speed of innovation.”

Interoperability within health care and increasing data sharing also prove signficant risks to cybersecurity, said Imani Tate, director of cybersecurity compliance at MongoDB.

“Part of that starts with really thorough risk assessments to not only engage leaders in your organization, but also take into account the business needs for both your organization and your customers or clients or whoever you’re serving,” Tate said at the event. “Incorporating that information to determine what are your crown jewels, what should we really be protecting the most?”

Pearson noted the three core principles underpinning the VA’s cybersecuity strategy:

• Never trust, but verify.

• Implement least privilege.

• Assume breach and assume that all networks are hostile.

“Traditional cybersecurity strategies used to focus only on the perimeter. As we see now, that is no longer sufficient. We go beyond that by ensuring that we have rigor in our access management as we look through the ransomware,” Pearson said.

In the private sector, Tate spoke of her company’s cybersecurity outreach program, which encourages all employees to take on the onus of cybersecurity themselves rather than solely relying on their security teams. The program uses monthly meetings and close work relationships to foster discussion and raise awareness of potential threats to the network.