SCCM Resource Library
Cybersecurity in HealthCare
Video Transcription
Hi, my name is Tameka Fletcher, sharing with you today Cybersecurity and Healthcare. I am the Chief Information Security Officer at NASA's Kennedy Space Center, located in Florida. As a CISO, I report to the Center's Chief Information Security Officer and NASA's Senior Agency Information Security Officer on risks that are affecting KSC in the cybersecurity area. That includes operations and providing guidance on the compliance of federal regulations. So today I'll be speaking with you about cybersecurity and healthcare. And I'm sure you're wondering, why in the world is someone in the space industry coming to speak to healthcare professionals? Well part of that is because our roads do collide in the cybersecurity arena. Part of it is that the tools that we teach you all, or at least where I teach my employees here at KSC, is the same things that can be applied in the workplace. So for instance, when we talk to you about, you know, not sharing your personal data on your devices, or being cautious and concerned about what you're sharing on your social media, those are the same things we tell our folks online, because a lot of our hacking events happen through social engineering. So let's get into it. When you hear about cybersecurity, you think about phishing, you think about hackers, you think about smishing, which is phishing through text messages, you might think about patch management. But when you hear cybersecurity, you should also think about privacy and supply chain risk management, audits and assessments, as well as data integrity and availability. It is expected by 2025 that 60% of organizations will use cybersecurity risk as a deterrent on whether or not they will do business with other companies. Now that is a large number, right, 60%, which I'm sure after 2025 it will get larger. 
And part of that is because now everything has become IT, from the things that we do on our cars, to the things that we do with our appliances, our smart devices as we call them, everything has become more and more integrated with some type of information technology. That includes healthcare. For instance, in September 2020, there was a ransomware attack at a hospital in Germany. And this attack resulted in a patient passing away. Now we think ransomware attack, how can this affect someone, you know, being seen at the hospital? But what it did was the attack shut the hospital down so severely that that patient had to be rerouted to another hospital that was further away, delaying their care. And this could be the first time that a death is directly related to a cybersecurity attack. So what does this mean for hospitals? They have become very reliant on internet connected devices. Physicians computerize a lot of things. I know when I go to the doctor, they're sitting, not just listening to me, but sitting away, typing on their computer to make sure that the information I'm passing along is updating into their databases, right? And so when that happens, a ransomware attack can require that the hospital do certain things or release money to make sure that they can win or score money, funds off of an attack on a hospital or even in the space industry for us. It has been found that as many as 36 patients have deaths caused by heart attacks daily due to a ransomware attack. And in 2019, there was a 20% increase in the number of healthcare facilities affected by electronic breaches. And those breaches not just include ransomware, but they also include things like PII or personal family identifiable information being released. So a patient or an employee's date of birth, social security number, address, those types of things are also things that can be affected by us being more connected to the internet. 
Research found that hospitals that experienced data breaches have an increase of death rates for the month and years following the attack. Because what I do at KSC is I tell our users when the attack happens, that doesn't mean that the information is going to be leaving immediately. That just means that the bad actor can use that information at a later time, right? So a lot of times they hack the systems and they don't use that immediate because they think they know that folks are looking for them, so they'll use it later. And again, how does this relate to what's happening in the space industry? Well, in August of this year, there was a warning by the National Counterintelligence and Security Center, FBI, and the Air Force's special investigations warning the space industry about the data breaches we're having in our industry. Because the US leads the investment for space exploration, about $130 billion, we have found that we are far ahead of China. So we're first place and China is at second place at $79 billion, that they are trying to take that information and advance themselves in ways that we've already done the research. So if I don't have to do the research and I can, you know, look off of someone else's paper, as I would say, why wouldn't I? And because of that, we're losing billions of dollars because of data breaches in the space industry. Threat actors are using, stealing this technology to make sure that they can advance their technologies and also they can disrupt the industry. So if I am spending my time behind a cyber attack, then I'm not spending my time doing the research and development that's done in space industry or in the healthcare industry, right? And so I'm spending that time and energy running behind those bad actors. This group called the Foreign Intelligence Entities that they warn of are stealing intellectual property, they're stealing company proprietary data, and they're using that to take advantage of firms in the space industry. 
But again, the things that are happening in the space industry are certainly things that are happening in healthcare. So what can we do? So here's what the recommendations were from that advisory board. And again, I know this is coming or feels like it may be coming from a space person or someone in the space industry. So again, how does NASA relate to what you guys are doing with the Society of Critical Care Medicine? But again, we're all in this waste together. They recommend that we make sure that when we work with third party vendors, that they are compliant in their lifecycle, in their products and services to cybersecurity requirements and standards. Remember at the top when I talked about, you know, what you should also hear in cybersecurity? That's where we're asking you to make sure that your third party vendors and the services that you use are compliant with cybersecurity standards. And standards means that we're applying these things consistently across all industries. They also recommend that we build resiliency into how we target these areas, right? So into our operations, we want to make sure that all of our users, right, if that's the doctors or the nurses or what we're asking of the patients, that we are putting cybersecurity as a part of our operations in day to day. The advisory board also said that we should make sure that our suppliers are enforcing those cybersecurity standards, right? So where do you get your medical devices? Where do you get your computers? You want to make sure that those devices and computer equipment is coming from reputable companies and also that they're meeting supply chain risk management standards, meaning that they're not coming from countries of concern, right? So in the space area or what we do here at NASA, we're always concerned about someone trying to attack us from inside the network and they can do that by putting malicious code on the motherboard of a laptop or a switch. 
And then we connect that to the internet and now they're inside of our network. So the same could be said in the health industry when you guys are buying devices or you're putting your iPhone or iDevice onto the network. That is a place where bad actors can get into the network. And their last recommendation is that companies, organizations, businesses take a holistic approach to cybersecurity, meaning that they do an enterprise wide cybersecurity engagement in their organization. As I said earlier, we've integrated IT to every area of our organizations and business practices, that we do that in legal and human resources and procurement, all of those offices combined put in an effort to make sure that we are adhering to cybersecurity standards. And I've created a link down here too to give you more detail if you have access to these charts to give you more detail about some of these warnings that are happening in the space industry. So when we talk about an enterprise wide posture for the company, that's really where we integrate every part of what we do into the cybersecurity standards. We all know that we don't use pencil and paper anymore to get hired at a job. We fill out our application online, right? So how does someone protect a user or a patient or a nurse or doctor who's applying for the job in the human resources where they may have asked you to provide your social security number, right? So we want to do that there. We also want to do that in the procurement process where we're ordering parts and pieces, right? We want to understand that from a legal standpoint, right? So how do we go after someone who is a bad actor legally? What are the standards that the healthcare environment utilizes to have that has legal ramifications? And then physical security, you know, who has access to what? At Kennedy Space Center, we utilize smart cards that you can go through buildings and doors. 
So that means that in physical security, we're also integrating cybersecurity. That integration, again, should be through the whole lifecycle of our organization from the time we put in training, from the time that we order specialized equipment, all of those areas are required to have some understanding of the cybersecurity implications when we talk about the work that we do. So I always try to explain to people that when you are building your house in cybersecurity, we build our house on confidentiality, integrity, and availability. I say to folks that you wouldn't build your house and put doors and windows on, but not any locks on those doors and windows. And that's exactly how you're going to build your house in cybersecurity. You want to make sure that the information that needs to be available is available during that time. You want to make sure that that information is accurate. And you also want to make sure that information is seen by those who have a need to know for the data, right? So we try to implement backups and alternative processing sites. And a lot of those things allow us to recover when there is a bad actor present, or we've had a ransomware attack, and we need to bring our systems and data back up. So having that structure and that foundation in cybersecurity will certainly go a long way for any organization, be it a space industry like myself at Kennedy Space Center, or with you guys in healthcare. Implementing cyber in your organization is similar to protecting your home. You have a physical key. For me, I have a keypad. I locked myself out of the house and said, not only do I want a key, I want to make sure I have a keypad, so I have locks and doors in my window, all those things that build a great cybersecurity foundation. So again, because I am in the space industry, I don't talk you all's talk all the time, but I hope that these things that I have spoken on thus far were beneficial to you. I've left a couple of tips for you as well. 
The Department of Human Health and Human Services, I hope I said that right. So forgive me, because I'm not a part of your world on a regular basis, has a few tips that you guys can look at. They give some excellent advice about how to protect PII and those types of data points. That's in there. It also talks about some of the standards that are a part of healthcare. It has a really great site. So if you want to do a search on the top 10 things that you can do there, that will be helpful. Four ways to stay safe online. So while we're working at our desk, sometimes during your lunch break, you want to go check out your Facebook, your Instagram, or do a search online. This has four ways to stay safe online. That's very beneficial and helpful to you all. So thinking about what information you put on your Facebook page and how folks can use that to access maybe your email or other accounts. Also making sure you have proper settings. If you're a parent or have minors in your presence, you want to make sure you do that. This is a good reference point for you to use for being safe online. And that's through CISA. So CISA is the organization that puts the cybersecurity standards for all industries, especially in government. So they have really good tips for being safe online. And CISA also has some cybersecurity best practices that you guys can use. So think about some of the things that, again, as I tell our users at KSC, what we talk to you about here in the office, you can implement also at your home, right? So you want to make sure that you have a screen lock on your device. So that if you lose it, someone doesn't access your data on that device without first going through your screen lock or passcode or password. You also want to think about implementing things like having it erase your, you can have it erase your device after so many attempts that are wrong, right? 
So say someone does pick up your device, be it your laptop or your phone, that after five attempts that device is rendered useless because it wipes and clears everything off of it. So some of those kind of best practices that we put out in the space industry or with my users here at Kennedy Space Center are certainly best practices that you guys can use. So I would say go out there and look online and see if there's anything that would be useful to you that you can cross over because when you start building those good habits at home and they become routine, you'll bring those good habits into the office and that will help you to protect the data for patients as well as yourselves as doctors and nurses and healthcare providers. So I wasn't before you guys long, I do, again, appreciate the opportunity to speak with you. I do want to thank everyone who has welcomed me to come and speak with you all, especially Dr. Jerron. He's been great. Dr. Jerron Lee has been great. So I appreciate this opportunity to speak with you all. I hope that what we talked about, although brief, was very beneficial and helpful to you. And if you have any questions, please don't hesitate to reach out. I can be found at Tomiko.Fletcher at NASA.gov. I would love to come and speak with you all again. And I thank you for your time. And I hope that you all will take this quote that I'll leave you with a little to heart. Cybersecurity is a social responsibility. We all play a role in it. And that's by Mashka Chili. And I think that's very important. We all have a role to play in cybersecurity. We all have a role in protecting not only our data, but the data of others and to help to secure our world. Thank you.
Video Summary
Tameka Fletcher, Chief Information Security Officer at NASA's Kennedy Space Center, discusses the intersection of cybersecurity and healthcare. She emphasizes the importance of cybersecurity in both industries, highlighting the risks of cyber attacks on hospitals and space organizations. Fletcher stresses the need for integrating cybersecurity practices into daily operations and working with compliant third-party vendors. She shares recommendations for building resilience, enforcing standards, and taking a holistic approach to cybersecurity. Fletcher encourages healthcare professionals to follow best practices for online safety and data protection, drawing parallels between cybersecurity measures in the space industry and healthcare sector. She underscores the collective responsibility in safeguarding data and promoting cybersecurity as a social responsibility. Fletcher concludes with an invitation for further collaboration and information sharing.
Asset Subtitle
Crisis Management, Professional Development and Education, 2024
Meta Tag
Content Type
Presentation
Knowledge Area
Professional Development and Education
Knowledge Area
Crisis Management
Membership Level
Associate
Membership Level
Professional
Membership Level
Select
Tag
Leadership Empowerment and Development LEAD
Tag
Emergency Preparedness
Year
2024
Keywords
cybersecurity
healthcare
data protection
resilience
collaboration