In this episode of the podcast (#235) Justine Bone, the CEO of MedSec, joins Paul to talk about cyber threats to healthcare organizations in the age of COVID. Justine’s firm works with hospitals and healthcare organizations to understand their cyber risk and defend against attacks, including ransomware.
As always, you can check out our full conversation in our latest Security Ledger podcast at Blubrry. You can also listen to it on iTunes and Spotify. Or, check us out on Google Podcasts, Stitcher, Radio Public and more. Also: if you enjoy this podcast, consider signing up to receive it in your email. Just point your web browser to securityledger.com/subscribe to get notified whenever a new podcast is posted.
In May of 2021, Ireland’s Health Service Executive (HSE), the country’s publicly funded healthcare system, suffered a major attack by the Conti ransomware group. The attack was the most significant to date on an Irish government agency and essentially froze HSE’s IT systems, which are used by the agency’s 54 public hospitals. The outage lasted for four months, forcing health staff to revert to using pen and paper. With 80% of HSE’s IT environment encrypted by the Conti gang, the Irish government had to pay millions of dollars to recover. Healthcare delivery at HSE facilities was deeply affected during the crisis, as well, according to an HSE report.
The report identified a number of failings by HSE, from the lack of a single, coordinated cybersecurity function at the massive agency, to a failure to properly identify and respond to clear indicators of attack prior to the deployment of the Conti ransomware.
Healthcare: cyber risk everywhere
While it is natural to think “it could never happen here,” a recent report by the Department of Health and Human Services in the U.S. concludes just the opposite. US healthcare organizations should make a study of the HSE hack from last year and take steps to prevent a similar type of attack from occurring at their facilities.
But how? The healthcare sector presents a particularly vexing challenge for cyber security. In addition to their complex mission, healthcare organizations have relatively small budgets for IT and information security. Beyond that, hospitals, doctors’ offices and other healthcare facilities maintain mountains of legacy hardware and software – some of it decades old. And, like many organizations, they are also contending with the challenge of “shadow IT” as more staff opt to work from home during the COVID pandemic.
Like banking…20 Years Ago
To understand more about the challenges facing healthcare organizations, we sat down with Justine Bone, the CEO of the firm MedSec, which works with healthcare organizations to manage their cyber risk.
In this conversation, Justine and I talk about the fast-changing landscape of medical device risk and security – as more attention shifts to protecting medical devices and software supply chains. Bone, whose firm works with healthcare providers, says the industry reminds her a lot of the banking sector…20 years ago. Healthcare organizations too often overestimate their readiness to face cyber threats, while underestimating the threats themselves.
To start out, I asked Justine to tell us about her journey to the information security space – one that started out in the dance studio with her promising career as a ballerina.