CDC, NIH: People, Technology Threaten Patient Data Most

Cybersecurity threats are evolving, and in turn, so are the healthcare sector’s efforts to thwart them. Key leaders at GovCIO Media & Research’s Health IT Summit discussed their views of today’s top threats: technology and people.

While each agency faces individual problems, the Center for Disease Control and Prevention (CDC)’s CISO Joe Lewis said ransomware remains a top threat. Lewis said ransomware attacks directly impact patient care.

“Impacts on patient care impact our ability to get data in order to make predictive decisions about how we apply resources to contain disease,” said Lewis. “Ransomware, in particular, has affected a number of high-profile healthcare entities over the last 12 to 18 months.”

Before President Biden’s executive order on artificial intelligence (AI), some agencies were hesitant to allow employees to use AI applications like ChatGPT. Lewis recalled being in meetings about the potential risks and benefits of using AI applications. He said the risk of using AI was something he would willingly accept.

“These new technologies can fundamentally alter how we deliver public health to the nation, and so I would much rather us err on the side of risking to do something than to do nothing,” said Lewis.

Lewis also emphasized that cybersecurity officials shouldn’t be the decision-makers on what technologies are being used. With governance in place, cybersecurity officials should inform employees how to use emerging technology safely, securely and intelligently.

As the technology used by bad actors improves, the workforce needs to follow suit. Jothi Dugar, CISO at the National Institutes of Health (NIH), said her team’s holistic and integrative approach includes focusing on people. Dugar started a cyber safety campaign at the NIH and connected cybersecurity to patient safety.

By putting cybersecurity into familiar terms, Dugar said people were more receptive to cybersecurity practices especially as NIH implements emerging technologies like AI. She said the knowledge employees possess empowers them to report cybersecurity incidents.

“We don’t want [employees] to feel too scared to tell our security folks because something bad is going to happen,” said Dugar. “It’s really important to take a holistic and integrative approach and with ‘people process and technology’ really focusing on the people.”

Lewis added that annual training exercises prepare employees for when a breach happens. By thinking in a ‘when’ mindset rather than ‘if,’ Lewis said policies and procedures are updated creating knowledge management. This allows the CDC to prepare for staff turnover and the future use of emerging technologies.

“My job as a leader is to get the most out of people while they’re there, support them, train them,” said Lewis. “If they leave for bigger and better, [they] leave some piece of institutional knowledge, and we remain resilient in the face of that turnover.”