Dave Summitt, chief information security officer and director of cybersecurity operations at Tampa, Fla.-based Moffitt Cancer Center, discusses the importance of proper risk assessment and security awareness in hospital cybersecurity.
Responses are lightly edited for clarity and length.
Question: What would you say is the No. 1 threat to hospital cybersecurity today and why?
Dave Summitt: This is a toss-up — for the most part, lack of senior leader buy-in remains a problem with most for-profit organizations. Many still see cybersecurity as a liability to the bottom line and would rather take the chance of not having anything happen over protections to prevent something from happening. If I wanted to somewhat shift that responsibility, I would have to say that it then depends on the lack of proper communication of risk from the lead cyber person to those senior leaders. Therefore, one of the main threats is lack of proper risk assessment and security awareness.
Q: What do you see as the next big cybersecurity threat hospitals should look out for?
DS: Bad actor infiltration into the supply chain. Most security teams are already stretched with items and risks inside their organization. Having the bad actors begin to look at ways to take over through vendors or other vendor products is a tough battle. Most of this includes medical devices and [Internet of Things] that come in under the radar of the security or IT teams.
Q: What advice would you give to other hospital CISOs or CIOs to get hospital staff on the same page in the aftermath of a cyberattack?
DS: Lessons-learned meetings and lots of them. Properly documenting the 'what went wrong' and 'how to fix' is key to preventing the same thing from happening again.
Q: What do you consider to be the most important aspect in hospital data protection?
DS: Leadership buy-in and user participation. Without either of those, the best cyber team in the world will not be able to operate efficiently.