Over the last several years, BlackBerry, the one-time mobile phone giant that taught us all how to use our thumbs to text, has been transforming itself into a security powerhouse. The company has also been making a push into healthcare and has popped up at several Health IT conferences.
I have always been curious about BlackBerry’s work in healthcare so I jumped at the chance to sit down with Thomas Pace, Vice President, Global Enterprise Solutions at BlackBerry. We explored how the company is helping healthcare organizations be more secure, how cyberattacks have changed during the pandemic, and how someone might convince the C-suite to increase their cybersecurity budget.
What is BlackBerry doing in the healthcare space?
“We have a full complement of solutions in the market,” Pace said. “Specifically for cybersecurity, we have a unified endpoint security (UES) platform, formerly known as the Cylance platform, where we’re leveraging AI and machine learning.”
Pace called the technology “the next generation antivirus” and noted that the company has a renewed focus on “the enterprise of things.” In the healthcare space, this focus is primarily on medical devices.
Pace noted that cybersecurity has been a tough sell in healthcare. “Doctors’ and hospitals’ primary job is to take care of patients, and anything that gets in the way of that is seen as a hindrance,” Pace shared. “That makes sense, but sometimes they take it too far to one end of the spectrum, so anything that’s even slightly inconvenient for a clinician – they just won’t do it, or do it in a minimum way.” That includes, unfortunately, cybersecurity, which can impose new login processes on clinicians and can (when not properly implemented) slow down applications.
Pace recounted the ransomware attack in Germany that resulted in an organization denying a patient care because they couldn’t access the patient’s medical record, and unfortunately the patient died as a result. That was the first known case of a ransomware attack leading to the death of an individual.
How are ransomware attacks trending in the US? And have things changed because of COVID?
“COVID has undoubtedly caused an increase in attacks on healthcare organizations,” Pace stated. He explained that phishing attacks have been and continue to be the primary infection vector/attack originator for obvious reasons. “It’s easy to craft a phishing email that produces a high probability of someone clicking. A subject line of ‘Hey your new masks are here, click to check them against inventory’ or ‘Your new vaccine testing results are in this spreadsheet’ can easily draw clicks. You can create juicy lures as a result of that low hanging fruit.”
In other words, attackers are preying on how frayed and busy healthcare organizations are with COVID-19 while at the same time exploiting the general anxiety caused by the pandemic.
How can hospitals or healthcare systems find a way to make cybersecurity work for them?
According to Pace, healthcare organizations don’t have to “hire an army” of cybersecurity experts. He cited an example of several hospitals overseas that combined their resources to create a security group that acted as a shared service between them. No hospital in the group could afford to hire as many skilled staff on its own, but together they were able to put together a strong team.
If I were a CEO of a hospital or healthcare organization, what would you say to get me to increase my cybersecurity budget?
“I’d ask you about the number one thing you care about. I’d hope that would be patients and the care they receive,” Pace replied. Had I responded yes, Pace said he would then educate me on how important it is for patient care to have my hospital’s vital systems and electronic infrastructure always available to my staff. He would convince me that cybersecurity is actually a critical element of care delivery and not just an “IT thing”.
Pace noted that many healthcare organizations already have the tools they need; they just don’t have the people on staff who know how to use them.
If I were the CIO of a healthcare organization, what could I do to be more secure today?
Pace recommended picking a baseline to measure your current security status. (And no, being HIPAA compliant doesn’t count.)
He recommends the CIS 20 Controls as a great place to start. “Grab that list and start working your way down.” Pace also suggests choosing a trusted cybersecurity framework, identifying a high, medium, and low threshold you can benchmark against, and then making the necessary investment to address the risks where you scored ‘low’.
“It’s very important to know your inventory,” Pace said. “You can’t protect what you don’t know you have. There’s a reason the number one critical security control is asset inventory. It’s a solvable problem.”
What is the one thing you want our readers/listeners to take away from our conversation today?
The importance of cybersecurity.
“The potential impact of attacks on healthcare is severe and significant,” Pace stressed. “We really need to spend time and energy focusing on this problem. It is similar to the industrial control system problem. Luckily, we haven’t had anything super bad, but if someone’s able to access a nuclear power generator and turn it off or overheat it, that’s a real bad day.” In healthcare, a “real bad day” can happen when you cannot access the EHR or when life-saving devices fail to respond to user input.
He concluded by reiterating that attacks are real, and the implications are potentially devastating. “This is not theoretical,” he said. “This can happen. It has happened. We’ve dodged a bunch of bullets, but you can only dodge so many.”
Learn more about BlackBerry’s healthcare solutions at https://www.blackberry.com/us/en/industries/healthcare. You can also check out their cleverly titled podcast, “The Insecurity Podcast.”