Healthcare Informatics Magazine | Health IT | Information Technology

KLAS’s Recent Report on Cybersecurity Services Firms: What Are the Implications for HIT Leaders?

August 4, 2018
by Mark Hagland
KLAS Research’s Dan Czech shares his perspectives on the forward evolution of cybersecurity services firms

On June 19, the Orem, Utah-based KLAS Research released its report on cybersecurity services firms. The report, authored by Garrett Hall and Dan Czech, was the first of its kind, surveying the levels of satisfaction experienced by patient care organization leaders with external cybersecurity services companies. As KLAS noted in the release of the report on its website, “Since the beginning of 2018, healthcare security breaches have become an almost daily occurrence. While many healthcare organizations have implemented technologies to help combat both internal and external security threats, some are taking additional measures by leveraging the cybersecurity services and expertise of third-party firms. To highlight which firms can best help their clients be successful, KLAS interviewed 129 healthcare organizations about their engagements with cybersecurity firms to find out which services these firms offer and the types of outcomes they were able to achieve. Additionally, respondents were asked about their firm’s healthcare knowledge, ability to cater to customer needs, and strategic expertise.”

Hall and Czech looked at three core types of cybersecurity services: advisory services, technical services, and managed services. According to their categorization, the advisory services category “[i]ncludes security-program development/assessment, risk assessment, HIPAA compliance, and less frequently used services such as interim CISO services, payment card industry (PCI) testing, and security operations center (SOC) reporting.” The technical services category, they wrote, “[i]ncludes penetration testing, design and implementation of security technologies, social engineering/phishing testing, and web application security testing.” They also note that “Organizations looking for a cybersecurity services firm will need to determine which firms offer the services their organization needs. To that end, KLAS has categorized the cybersecurity firms in this report based on the breadth of their offerings.”

When it comes to managed services, they included “outsourced management of some or all security tools to a third-party firm. Outsourced security tools include those for data loss prevention (DLP), identity and access management (IAM), medical device management (MDM), security information and event management (SIEM), etc.”

The report’s authors also divided the types of firms surveyed into three categories in terms of their size and scope. “Comprehensive firms offer the widest breadth of cybersecurity services. Clients validate that these firms perform work in all three cybersecurity service areas: advisory, technical, and managed services.” Meanwhile, “Broad firms have been validated for work in two of the main cybersecurity service areas.” And “Advisory-focused firms have the narrowest focus, having been validated by clients for performing work only in cybersecurity advisory services.”

Among the results: “CynergisTek has the greatest breadth of security services and most validated engagements for advisory and technical services”; “Advisory-focused firms Clearwater Compliance and tw-Security have some of the most consistently satisfied clients, many of whom praise their firm’s cybersecurity and healthcare industry knowledge”; and “BluePrint Healthcare IT and Meditology Services clients laud their firm’s strategic guidance and tailored services.”

Recently, report co-author Dan Czech, a KLAS analyst who has been with the organization for over 13 years, spoke with Healthcare Informatics Editor-in-Chief Mark Hagland regarding the report’s findings and some of the implications of those findings for the forward evolution of cybersecurity services in the healthcare industry in the next few years. Below are excerpts from that interview.

KLAS analysts will participate in the Health IT Summit in Seattle, to be held October 22-23 at the Grand Hyatt Seattle, to engage in discussions around cybersecurity issues in U.S. healthcare. More details will be made available on the event website in the coming weeks.

What was your overall objective in looking at cybersecurity services?

As with most KLAS reports, we wanted to provide some transparency over which vendors, or in this case, which firms, were providing the highest level of quality to healthcare organizations. In the 2017 broad look at cybersecurity, we asked our audience which technologies and services were most important to them. And interestingly, they said cybersecurity services and managed services. So we asked, who’s leading the industry? And who are some of the up-and-comers who aren’t yet on everybody’s radar screens?

In addition to validating what they were doing and who was performing well, a couple of the things we looked at specifically were these questions: which firms demonstrated that they had healthcare knowledge? And so we asked the extent to which healthcare industry-specific knowledge was helpful, versus understanding cybersecurity in financial services or education. And what about servicing different needs, such as a small critical-access hospital versus a large IDN? So we asked, who tailors their services to best meet your needs? And then we asked what their biggest successes or outcomes were.

Were you surprised by anything that you uncovered?

That’s an interesting question. Yes, I was surprised by a couple of things. We didn’t find the direct correlation we had somewhat expected to find, between being healthcare industry-specific, and having greater healthcare knowledge. There were some healthcare-specific firms, including Leidos and Impact, that didn’t demonstrate what people considered a high level of healthcare knowledge; in contrast, a few cross-industry firms, including PWC, did demonstrate deep healthcare industry knowledge. Also, the size and breadth of a firm wasn’t always a key deciding factor for patient care organizations. Some organizations may not need a Deloitte or CynergisTek or Optiv—sometimes they just want training for their folks and risk assessment, and that might be some of the extent of what they want. And there is a high level of satisfaction when that happens. Most of the firms focused around advisory work—all were above 93 on a scale of 100.

Can you comment a bit on your categorization of firms into “comprehensive,” “broad,” and “advisory services-focused”?

We tried to provide a little clarity and transparency for the provider community, to give them an idea: if they’re looking for a one-stop-shop firm that can do advisory work for them, also has a penetration team that can do work onsite, and also will provide managed services for some of their software, that was how we defined a comprehensive firm. It doesn’t necessarily mean in all cases that provider organizations use them across all three dimensions.

Meanwhile, broad firms will do two of those three areas, or at least we haven’t validated all three. Often, they’ll do risk assessment and advisory-type work, and advisory services. So for example, an organization might contract with a firm to do a pen test (penetration test), so they’re doing a test with NIST or HITRUST, and they’re presenting to the organization the results of the risk assessment and the results of the pen test, and here’s an advisory report, with tiers of actions you can take.

And then some firms just focus on advisory work, such as security program assessment and development, risk assessments and HIPAA compliance work, and other advisory type work, in some cases, that’s interim or virtual CISO services that firms might offer.

How much does healthcare industry-specific knowledge matter, in your view?

That’s a great question. I think it matters quite a bit, and here’s why: patient care organizations have accepted the fact that the healthcare industry is behind other industries on the security side. In some cases, they will want to leverage cross-industry vendors. But we have challenges some other industries don’t have, such as HIPAA compliance; and also somewhat-opposing needs, to tighten down security, but you’ve also got end-user physicians and clinicians who want to be able to share data readily. And we’re super-sensitive to physician burnout, and we don’t want security burden to increase physician burnout. So firms that are able to leverage what they know about the healthcare industry and some of its unique characteristics, and marry that up with good cybersecurity practices, and can take the right message to the C-suite and board, that is sometimes a real differentiator for firms.

What challenges and pitfalls face patient care organization leaders as they scope out potential services providers?

The size of the firms, the amount of work they do across multiple industries, those don’t necessarily correlate to a high level of customer experience. Some of the smaller and most targeted firms achieve very high satisfaction. That’s why we asked the question about tailoring services to meet your needs—as a healthcare organization, you want to be very specific about your expected outcomes, what you expect a firm to do and not do, and then hold them accountable around your expectations. That’s where a few firms have had hiccups, where they’re not sure of their expectations upfront and don’t end up holding their services firms fully accountable.

A couple of other things: you need to have a clear strategy around what you’re going to do with the results around advisory work and risk assessments in particular. We’ve seen a couple of different strategies organizations have: they’ll contract year after year with the same services firm. Others will contract yearly but with different firms every year, to get fresh or unique eyes on the situation. Others will contract every few years and will alternate contracted years with doing their own risk assessments and penetration tests. Others feel they can do it all internally.

So you need to know what kind of strategy you’re going to build around. Do you want to build a years-long relationship? Or just have a good single experience? The other piece of guidance I’d give is around expectations of the end product of an advisory engagement, especially a risk assessment. Oftentimes, security firms produce a relatively canned report that lists out the findings of their risk assessment; in many cases, it will prioritize action items that can be taken. And if you’re in a position where you don’t have the type of board engagement you’d like, there are some firms that are very good at taking the results they’ve come up with, and partnering with the internal healthcare IT security leader, and pairing up with them and presenting to the board to advocate for actions. Boards are often very conservative in terms of spending, but the last thing they want is an OCR investigation or a public outing of a breach in the newspapers, etc.

How do you see this broad area of cybersecurity services evolving over the next few years?

Good question. I think one area that we’re going to see evolving is that the industry is starting to coalesce around a few frameworks for their annual risk assessment, the predominant one being the NIST framework. A few firms position themselves as HITRUST-qualified assessors. I think the industry will start to coalesce around those two, and some of the other security frameworks, your ISO, etc., might disappear over time. I think the industry will coalesce around the NIST and HITRUST frameworks. My feeling is that we’re going to see more and more managed services engagements going forward. Organizations are going to engage a managed services firm for a variety of reasons: to outsource their SOC; to manage a certain piece of software, their SIEM system, for example. So smaller organizations that may not have the security staff at their organization and can’t afford the resources they need, I think more and more will outsource their needs.

Do you see consolidation among these services providers?

We haven’t seen a lot over the past 12-18 months; there have been a few acquisitions. We’ve seen some on the security software side. For example, CynergisTek was acquired by another firm but maintained its name. Where I see the potential acquisitions happening is, you may see some of the big firms like a PWC, Deloitte, EY, etc., acquiring some healthcare industry-specific firms.

FDA Releases Draft Premarket Cybersecurity Guidance for Medical Device Manufacturers

October 19, 2018
by Heather Landi, Associate Editor

The Food and Drug Administration (FDA) has released draft guidance to the healthcare industry that updates cybersecurity recommendations for medical device manufacturers with the aim of addressing vulnerabilities and evolving cybersecurity threats.

The draft premarket cybersecurity guidance, Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, identifies issues related to cybersecurity that manufacturers should address in the design and development of medical devices to ensure better protection of devices against cybersecurity threats that could interrupt clinical operations and delay patient care.

The new guidance is intended to provide recommendations to the medical device industry regarding cybersecurity device design and labeling, and the documentation the FDA recommends be included in premarket submissions for devices vulnerable to cybersecurity threats. The recommendations build on the framework that the FDA created in its 2014 guidance for manufacturers.

According to the FDA, these updated recommendations also will facilitate an efficient premarket review process and help ensure that medical devices are designed to sufficiently address cybersecurity threats before the devices are on the market.

“Cybersecurity threats and vulnerabilities in today’s modern medical devices are evolving to become more apparent and more sophisticated, posing new potential risks to patients and clinical operations,” FDA Commissioner Scott Gottlieb, M.D., said in a statement. “The FDA has been working to stay a step ahead of these changing cybersecurity vulnerabilities, including engaging with external stakeholders. In this way, we can help ensure the health care sector is well positioned to proactively respond when cyber vulnerabilities are identified in products that we regulate.”

“Today’s draft premarket cybersecurity guidance provides updated recommendations for device manufacturers on how they can better protect their products against different types of cybersecurity risks, from ransomware to a catastrophic attack on a health system,” Gottlieb said in his statement, noting that the rapidly evolving nature of cyber threats necessitated an updated approach “to make sure [the guidance] reflects the current threat landscape so that manufacturers can be in the best position to proactively address cybersecurity concerns when they are designing and developing their devices.”

“This is part of the total product lifecycle approach to device safety, in which manufacturers must adequately address device cybersecurity from the design phase through the device’s time on the market to help ensure patients are protected from cybersecurity threats,” Gottlieb said.

As part of its focus on strengthening medical device cybersecurity, the FDA also announced this week an agreement with the Department of Homeland Security to increase collaboration on medical device security. The agreement, between the FDA’s Center for Devices and Radiological Health and DHS’ Office of Cybersecurity and Communications, is meant to encourage even greater coordination and information sharing about potential or confirmed medical device cybersecurity vulnerabilities and threats. Such collaboration can lead to more timely and better responses to potential threats to patient safety, the agencies said.

“Our strengthened partnership with DHS will help our two agencies share information and better collaborate to stay a step ahead of constantly evolving medical device cybersecurity vulnerabilities and assist the health care sector in being well positioned to proactively respond when cyber vulnerabilities are identified. This agreement demonstrates our commitment to confronting cybersecurity risks and the unscrupulous cybercriminals who may seek to put patient lives at risk,” Gottlieb said in a statement about the partnership.

With regard to the draft guidance issued this week, it incorporates new recommendations, including a “cybersecurity bill of materials,” which is a list of commercial and/or off-the-shelf software and hardware components of a device that could be susceptible to vulnerabilities. Depending on the level of cybersecurity risk associated with a device, this list can be an important resource to help ensure that device users are able to respond quickly to potential threats, the FDA said.
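A practical use of such a list, as an added example that is not from the FDA guidance or from any manufacturer: a device owner can cross-reference each component and version in a CBOM against a vulnerability feed to decide which advisories actually apply to the device in hand, and in what order to act on them. The hypothetical infusion pump, its components, the advisory entries and their identifiers below are all constructed placeholders, not real products or real CVEs, and the version-constraint syntax (one of `<`, `<=`, `==`, `>=`, `>` followed by a version) is an assumption of the example rather than any standard feed format.

```python
"""Cross-reference a device's cybersecurity bill of materials (CBOM)
against a vulnerability feed.

Added example: the device, components, advisories and their identifiers
are constructed placeholders, not real products or real CVEs.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    """One CBOM entry: a commercial/off-the-shelf component and its version."""
    name: str
    version: str


# Constructed CBOM for a hypothetical infusion pump (placeholder data).
CBOM = [
    Component("busybox", "1.31.1"),
    Component("openssl", "1.1.1k"),
    Component("lwip", "2.1.2"),
    Component("vendor-rtos", "4.2"),
]

# Constructed advisory feed. "affected" is a single version constraint in the
# example's own syntax: an operator followed by a version bound.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "component": "openssl", "affected": "<1.1.1l", "severity": "high"},
    {"id": "ADV-EXAMPLE-002", "component": "lwip", "affected": "<=2.1.2", "severity": "critical"},
    {"id": "ADV-EXAMPLE-003", "component": "busybox", "affected": "<1.30.0", "severity": "medium"},
    {"id": "ADV-EXAMPLE-004", "component": "zlib", "affected": "<1.2.12", "severity": "high"},
]

_OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    "==": lambda a, b: a == b,
    ">=": lambda a, b: a >= b,
    ">": lambda a, b: a > b,
}
_CONSTRAINT = re.compile(r"^(<=|>=|==|<|>)\s*(\S+)$")
_SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def version_key(version):
    """Split '1.1.1k' into a tuple that sorts numerically for digit runs and
    alphabetically for letter runs. Each part is tagged (0 = number,
    1 = letters) so mixed comparisons never raise TypeError."""
    parts = []
    for token in re.findall(r"\d+|[A-Za-z]+", version):
        parts.append((0, int(token)) if token.isdigit() else (1, token.lower()))
    return tuple(parts)


def is_affected(version, constraint):
    """True if `version` satisfies the advisory's affected-range constraint."""
    match = _CONSTRAINT.match(constraint)
    if match is None:
        raise ValueError(f"unsupported constraint: {constraint!r}")
    op, bound = match.groups()
    return _OPS[op](version_key(version), version_key(bound))


def match_cbom(cbom, advisories):
    """Return applicable advisories as (id, component, version, severity),
    most severe first. Advisories for components that are not in the CBOM
    are dropped: that filtering is what the list is for."""
    by_name = {c.name.lower(): c for c in cbom}
    hits = []
    for adv in advisories:
        comp = by_name.get(adv["component"].lower())
        if comp is not None and is_affected(comp.version, adv["affected"]):
            hits.append((adv["id"], comp.name, comp.version, adv["severity"]))
    hits.sort(key=lambda h: _SEVERITY_RANK.get(h[3], 99))
    return hits


if __name__ == "__main__":
    for adv_id, name, version, severity in match_cbom(CBOM, ADVISORIES):
        print(f"{severity:8} {adv_id}  {name} {version}")
```

Running the block lists only the two advisories whose component and version both match the pump's CBOM, the critical one first; the zlib advisory is discarded because the device does not ship zlib, and the busybox advisory because the shipped version is newer than the affected range. A real feed usually expresses an affected range as an introduced and a fixed version, which this constraint form extends to by joining two bounds.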

The draft guidance also introduces two tiers of devices, based on the potential harm to patients from cybersecurity threats: higher cybersecurity risk, which includes implanted devices such as pacemakers or neurostimulation devices, and standard cybersecurity risk, which includes devices that contain software and do not fall in the higher-risk tier. The draft guidance outlines the documentation to include in a premarket submission to demonstrate that the design of the medical device has adequately mitigated that risk.

The FDA will hold a public workshop Jan. 29-30 to discuss the newly released draft guidance.

GUEST BLOG: The Cybersecurity Shortage: Closing the Gap

October 17, 2018
by Mac McMillan, Industry Voice
The gap between the level of cybersecurity preparation that should exist in the current environment, and the reality, is both troubling and in need of closer examination

We are by all estimates well over a million cybersecurity professionals short of what we need, and racing towards an even bigger shortage in the decade to come. Current approaches are not likely to produce the number of cyber warriors we are going to need to close this gap. That is not for want of good intention; I believe we won’t achieve our intended goal because the environment has changed, and if we don’t recognize this change we may never catch up. There are multiple factors affecting this paradigm shift, but the biggest of them all is the rapidly evolving nature of technology, which is moving at lightning speed, and the associated exponential growth in threat produced as a byproduct.

Closely related is what this means for the rapidly expanding competency that cybersecurity professionals will have to possess just to be effective in the future. We have known for decades that cybersecurity is a dynamically changing field affected by changes in the physical environment, changes in technology, the evolving nature of threat and the operational impacts of users. The enterprise is never static, and every change presents new opportunities and new risks. If we take healthcare as one example, just the past two decades have witnessed amazing changes in technology adoption, the rise of hyperconnectivity, the increase in the sophistication and frequency of attacks, and the endless application of technology to operations, simple and complex. This will move even faster in the future, as technologists are already talking about faster processing speeds, quantum computing, artificial intelligence, etc., making it harder and harder for those who have to secure the enterprise to do so.

In fact, today’s cybersecurity professionals have to be as diverse as the thing they are trying to secure, meaning many different cyberwarriors with very different specializations: analysts, administrators, engineers, program experts, threat hunters, monitors, architects, etc. That makes it all the more impossible for current approaches to succeed. The supply is not going to catch up with the demand one cyberwarrior at a time. That ship has sailed. All the college programs in the land, although important, are not going to get us there. You cannot create a cyberwarrior army large enough, fast enough, to solve this problem. We need a different approach.

In today’s and tomorrow’s information technology environment, everyone who uses a computer will need basic cybersecurity skills, everyone who works in IT will need specific job-related cybersecurity knowledge, and we need both general and specialized cybersecurity professionals. Individuals who write code should know how to do so with security in mind. Database developers and administrators should understand the threats associated with what they are doing and how to avoid them. System engineers should understand network security principles and how to apply them to what they do. And on and on. Information system designers, developers, manufacturers, consumers and users need to accept and embrace this basic requirement. Curricula should include cybersecurity training from the earliest stage at which information technology is introduced, and in every career field where information technology is critical to doing the job. No information technology degree should be achievable without cybersecurity as part of the curriculum. We should promote greater professionalization of the cybersecurity field to define specific career paths, from the very specialized to the general practitioner to the strategist, to ensure not only the expertise needed at the tactical level but also professionals with the breadth and scope of knowledge and experience needed at the higher levels of responsibility to lead and develop effective cybersecurity strategies and programs.

The gap between the good guys and the bad guys is growing, because we are still trying to solve the problem in the same antiquated way, one cyberwarrior at a time. There is zero unemployment in the field right now, and many of the people filling cybersecurity roles today are only marginally competent, because it takes not only education in multiple disciplines to become knowledgeable in the field but also experience, which can only be attained over time. We are never going to be successful following the path we’re on today. We need to recognize the paradigm shift that has occurred and embrace the new reality. Everyone who deals with information technology has to be part cyberwarrior. Everyone has the responsibility to understand basic computer security skills and the cyber threats that can keep them from accomplishing their mission. In the military we call this awareness of risk operational security, and every soldier, sailor, airman and Marine from top to bottom is charged with understanding operational risks so they can mitigate them regardless of their job specialty.

Some organizations are beginning to realize this new reality and are taking steps to change how they approach educating the workforce of the future. One such organization is the University of Texas, which I had the pleasure of supporting recently, and which is building a new graduate certificate program within its healthcare curriculum to train members of the workforce, particularly former veterans, to move into healthcare. What is unique about this curriculum is that it integrates cybersecurity knowledge, so that graduates not only prepare themselves for a career in healthcare by learning practical skills but also learn where cybersecurity is important and why they need to understand it to be successful. The lab environment is unique in that it replicates the hospital experience (admissions, ER, the smart patient room, OR, radiology, pharmacy, etc.), and in each lab cybersecurity will be taught along with the information technology associated with that environment, as well as the cyber threats that affect both privacy and security there. It is a curriculum that teaches not only the practical skills needed to work in healthcare but also how to protect patient data and operations. The program has included several experienced healthcare CISOs as contributing staff, lending real-world expertise to what they are building. These are the type of visionary programs we need more of if we are going to close the gap in cybersecurity skills.

Mac McMillan is president and CEO of the Austin, Texas-based CynergisTek consulting firm.

Six Lessons From Boston Children’s ‘Hacktivist’ Attack

October 17, 2018
by David Raths, Contributing Editor
CIO Daniel Nigrin, M.D., says hospitals must prepare for DDoS and ransomware

Most health system CIOs have heard about the 2014 attack on Boston Children’s Hospital by a member or members of the activist hacker group Anonymous. The hospital was forced to deal with a distributed denial of service (DDoS) attack as well as a spear phishing campaign. Yesterday, as part of the Harvard Medical School Clinical Informatics Lecture Series, the hospital’s senior vice president and CIO Daniel Nigrin, M.D., discussed six lessons learned from the attack.

Although the cyber-attack took place four years ago, there have been some recent developments. The attack was undertaken to protest the treatment of a teenager, Justina Pelletier, in a dispute over her diagnosis and custody between her parents and the hospital. In August 2018 Martin Gottesfeld, 32, was convicted of one count of conspiracy to damage protected computers and one count of damaging protected computers. U.S. District Court Judge Nathaniel Gorton scheduled sentencing for Nov. 14, 2018. Gottesfeld was charged in February 2016. 

According to the U.S. Department of Justice, Gottesfeld launched a massive DDoS attack against the computer network of Boston Children’s Hospital. He customized malicious software that he installed on 40,000 network routers that he was then able to control from his home computer. After spending more than a week preparing his methods, on April 19, 2014, he unleashed a DDoS attack that directed so much hostile traffic at the Children’s Hospital computer network that he temporarily knocked Boston Children’s Hospital off the Internet.

In his Oct. 17 talk, Nigrin said cyber criminals still see healthcare as a soft target compared to other industries. “The bottom line is that in healthcare, we have not paid attention to cybersecurity,” he said. “In the years since this attack, we have seen ransomware attacks that have brought hospital systems to their knees. We have to pay more attention and invest more in terms of dollars and technical people, but it really does extend to entire organizations — educating people about what a phishing attack is, what a social engineering attack is. These need to be made a priority.”

He offered six lessons learned from Boston Children’s experience:  

1. DDoS countermeasures are critical. Healthcare organizations can no longer assume that DDoS attacks are things that only occur against corporate entities, he said. “Prior to this event, I had never thought about the need to protect our organization against a DDoS attack,” he said. “I will submit that the vast majority of my CIO colleagues were in the same boat. And that was wrong. I think now we have gotten this understanding.”

2. Know what depends on the internet. Having a really detailed understanding of which systems and processes in your organization depend on internet access is critical, Nigrin stressed. You also must have good mitigation strategies in place so you know what to do if you lose internet access, whether because of a network outage due to a technical issue or because of a malicious one. “As healthcare has become more automated and dependent on technology, these things are crippling events. You have got to know how you are going to deal with it ahead of time. Figuring it out on the fly is not going to work.”

3. Recognize the importance of email. Email may be seen as old-school, Nigrin noted, but it is still the primary method to communicate, so you have to think about how you can communicate and get the word out in scenarios where you don’t have email or lose voice communication. “In our case, we were super-lucky because we had just deployed a secure texting platform, so we could do HIPAA-compliant texting, and when our email was down, that was how we communicated, and it was very effective,” he explained.

4. Push through security initiatives – no excuses anymore. Because he is a doctor himself, Nigrin feels OK picking on doctors about security. Historically they have always pushed back on security measures such as dual-factor authentication. He paraphrases them saying “Come on, Dan, that is an extra 10 seconds; I have to carry a secure ID, or you have to send me a text message on my phone. It is a pain. I don’t want to do it. I am the highest-paid employee in your organization and that is time better spent on something else.” But Nigrin argues that we can’t afford to think like that anymore. He used the Anonymous attack as an opportunity to push through four or five security initiatives within the next two to three months when he had everyone’s attention. “The platform was burning, and the board of trustees was willing to expend the money to pay for it all. They all of a sudden recognized the risk.”

5. Securing audio- and teleconference meetings. Nigrin said this topic wouldn’t have occurred to Boston Children’s until they were warned by the FBI. “The FBI told us about an attack that affected them when they were dealing with Anonymous. When Anonymous was attacking the FBI, the FBI convened internal conference calls on how to deal with it. Anonymous had already breached their messaging platform and intercepted the calendar invites that invited everyone to dial in. Anonymous basically was called into the meeting. Within 30 minutes of one of those meetings, the entire audio transcript of the conference call was posted to YouTube,” he said. “So we took heed of that and made sure that when we had conference calls, we sent out PINs over our secure texting platform.”

6. Separating signal from noise. During the attack, Boston Children’s set up a command center and told employees: if you see something, say something. “We didn’t know what attack was coming next. We were flying blind,” Nigrin said. “We started to get lots of calls into our command center with reports of things that seemed somewhat suspicious,” he remembers. People got calls on their cell phones with a recorded message saying, “Your bank account has been compromised. Press 1 to talk to someone to deal with it.” “Today we would recognize this as some type of phishing scam and hang up,” he said, “but at the time it was sort of new. People started calling us and we didn’t know if this was Anonymous trying to get into the bank accounts of our senior clinicians. Was it part of the attack? It was tough for us to detect signal from noise.”

In the Q&A after his presentation, listeners were curious about how much the incident cost the hospital. Nigrin said there were two big costs incurred: one was the technology it had to deploy in an emergent way to do DDoS protection and penetration testing; the other was revenue lost from philanthropic donations. Together they were close to $1 million.

Another person asked if the hospital had cyber insurance. Nigrin said they did, but when they read the fine print it said they were covered only if they were breached and technically they were never breached, so the insurance company was reluctant to pay. Although they eventually got compensated for a good share of it, the hospital also made sure to update its policy.

Still another attendee asked Nigrin if ransomware attacks were still targeting hospitals. He said they definitely were. “Think about community hospitals just squeaking by on their budgets,” he said. “They don’t have millions to spend, yet their data is valuable on the black market. Attackers recognize we are dead in the water as entities if we don't have these systems. We have important data and will do anything to get our systems back up and running.”

Nigrin said even large health systems can be vulnerable because some technology they deploy is run by third-party vendors who haven’t upgraded their systems. An example, he said, might be technology to record videos in the operating room setting. Some vendors, he said, are not accustomed to thinking about security. They are unable to update their software so it works on more modern operating systems. That leaves CIOs with a tough choice. “We can shut off the functionality or take the risk of continuing to use outdated and unpatched operating systems. Those vendors now have woken up and realize they have to pay more attention.”
