January 10, 2022
In 2020, there were 239.4 million attacks in US healthcare alone. That represents an increase of over 9,000% since 2019 and averages approximately 816 attacks per endpoint device. CBS News reports that ransomware attacks at an Alabama hospital led to parents suing the facility over the diminished care that resulted. NBC News in California reported that the Scripps healthcare system suffered a cyber-attack that resulted in the loss of service for as long as six days for physicians, clinicians, and patients. Finally, in Massachusetts, there was an attack on OT (operational technology) that led to a potential breach of the hospital system that could have resulted in diminished care as well. So, cybersecurity is a very real and important topic that’s top of mind for a lot of CIOs.
Below is a transcribed webinar with Eric Abbott, healthcare IT strategist, Alessandro Feitosa with Connectivity Wireless, Sam Chughtai, cybersecurity advisor, Carla Shaffer with Wesco Anixter, and Christopher Mohammed with CommScope.
Section 1 – What is the scope of the problem and the reality of the threat?
How would you describe cybersecurity to someone who’s not familiar with it?
Sam: In most cases, if you are a C-suite working in the healthcare industry, then you are aware of the cyber and privacy world. That is because of HIPAA and compliance. They must have heard this word. The cybersecurity bottom line is to protect data in transit and process area. Data is typically found in three locations: where data gets generated, where data gets processed, and where data goes from point A to point B.
These locations are where data gets hacked. The pocket of the data which travels in those three locations needs to be protected. This is because of the regulatory compliance perspective, number one. Number two is a reputational perspective. If there is a data leak within your organization the first impact as a publicly-traded company is the slippage of your stocks. This can translate into billions of dollars. That is for the C-levels.
Eric: In other words, this is very much a top-of-mind area that needs to be taken with a lot of seriousness.
Describe the frequency of cybersecurity issues and attacks within healthcare
Sam: In the last five years, there has been exponential growth. It is a hockey stick phenomenon with the method of attacks. Also, if you look at it from the cyber perspective, let’s take it back to 30 years ago. When you’re done with your work at five o’clock, you clock out, you go home. You don’t carry your laptop or computers at home. You don’t have access, so your cyber world is protected around those big buildings, which you call your head office. When you come home, no access.
What happened over time, is we started bringing laptops, our own devices (such as iPads and cell phones). Now your devices have access to all your data. From a decision-making perspective, from a monitoring perspective, and from a reporting perspective. Suddenly, the landscape of the cyber world, which used to be only around your head office or your data center, has spread out all across the globe now. The expansion of the landscape of cyber data has increased the frequency and complexity of attacks. This is no longer limited to access to your servers. So, it has grown exponentially.
Eric: That certainly sounds very pragmatic, especially given the mobility. If you look at the growth, which is somewhat meteoric in healthcare. Especially about clinician collaboration, the use of wearables, patient mobility, it’s very easy to see. This is something that’s becoming much more of a pervasive challenge.
What does new technology mean for cybersecurity?
Sam: The number one thing is malware. Under malware can be ransomware. There can be many areas under malware. Those are the highest number of threats we are seeing around. Then the phishing attacks, denial of service attacks. Those are the three ones we see mainly. Now, since the landscape of data access has expanded, so have IoT device attacks. These are some high-level attacks we are seeing increase exponentially.
Eric: When we see these attacks occur very often, it is fair to say that usually, the first indication that an attack has happened is retrospective. It’s not something that in real-time, a healthcare organization, is usually aware that the attack is underway?
Sam: Not necessarily. In most attacks, it ranges from three days to three months. But in some instances, it can last for two years. They would never know. Unless they start seeing the data is being sold on the black net or the darknet. It is hard to tell. It all comes down to, how your cybersecurity posture looks? And the common myth in our industry, unfortunately, is you have a bunch of Sam Chughtais and you’re good. Unfortunately, in today’s world, it has changed.
About 10 years ago, that used to be the case. You hire some top guns, and you deploy those top guns in your environment. They then managed your parameters using top tools and applications and you were covered. Now, there are nations and states, and their organized crimes are involved in that. If they can pick up some high-quality data, which they can sell on the darknet, then especially. I mean they’re individuals. They’re high-net-worth individuals and they end up going to a hospital and they can pick up their medical history. Because in security, you’re as strong as your weakest link.
You don’t have to break into the main firewall. You can hop onto one of your physicians who forgot to upgrade his Microsoft patch three on his Outlook. Here’s your window. You just need to hop onto this clinician’s laptop through his Wi-Fi, right next to his home. You need to park your car right next to his home. Then you’re in. There are many ways, as that is only one example. You can have the best firewalls, the best security posture, best policy, best procedure, best tools, best applications. But if someone is hopping on in one of them which has a clearance, when he logs in, he can go and access all the medical records. Then suddenly, he’s picking up one of the high-net-worth individual medical records. This hacker is copying all the data and that information will be sold on the darknet.
Eric: When I hear these sorts of things, it really brings to light that it’s very much a shared responsibility. It just takes one missed step if you will, perhaps at 2:00 AM, someone inadvertently opens an email that they shouldn’t for these things to start.
We hear about today, there are exciting new developments, for instance, with what they call cognitive AI and other potential strategic investments and technology to combat the threat of cyber intrusions.
Sam: You have to have the right tools, you have to have resources, and you have to have multiple partners, not one partner, multiple partners. They’re engaged on a daily basis. Ensuring that you are not missing out on any potential threats in your system.
It is very standard when you have your internal team get complacent. The best way to deal with this nowadays is to have your internal team directly report to the CISO and less hierarchy and collapse the organization. This is so nobody’s hiding and twisting numbers, which happens unfortunately in the cyber world. “Don’t worry about that. We don’t need you to report that. That’s very normal.” You need to have a daily triage, regardless. A daily triage of your mission-critical risk and your false positives because sometimes a false positive is not a false positive. So, it’s a double-edged sword. If I were running an organization, I would have IBM, Mandiant, and CrowdStrike. I’d have a signed contracts retainer. These guys are on my daily two-hour call.
I have the best of the three in the world. They all log in every morning and they go through. That’s what you do in your daily triage call. You go through it with your logs. Did you go through what’s taking place? What are the potential threats? What did your SIEM capture last night? Any activity? So that it’s not your guys only looking into it. You need to have an independent third party and that independent third party should not be reporting to your CISO. You should be directly reporting to your board.
Eric: This falls under a strategy predicated on people, process, and technology. It’s not enough to invest in just technology. It’s not enough to do the processes. It’s also the people and its sort of the structural paradigms that you need to bring to an organization to ensure that there are adequate checks and balances and a layered approach.
What advice can you offer in protecting one’s organization?
Eric: Healthcare is one of the most targeted sectors by cyber attackers. I think it’s the number one behind the finance industry. Many people would think that the finance industry would be number one. Recently, in the popular media, there have been some articles about foreign nation-states that are trying to gain access.
Sam: Do not rely on your inside cyber team. You should have your inside cyber team and a third party, preferably, two third parties. If you cannot afford two, at least have one third party. This should be part of oversight on your daily operations, daily triage calls, daily log reviews. Ensuring the third party does not report to a CIO or CISO, but directly reports to the board, which matters. If they report back to the CIO and if they have a different opinion of a tool or approach, the CIO can squash that data, and the board would never know.
Section 2 – Common security issues that arise from traditional Wi-Fi networks
What are you hearing from healthcare organizations?
Carla: By the nature of what we do, being infrastructure providers, we’re hearing more about the IoT technologies and how healthcare can apply a plan. Then deploy that plan within their organizations and networks. So new technologies such as wayfinding and different things are driving competitive advancements.
While they may not be asking us about the cybersecurity aspect, we’re talking about all those things that create cybersecurity risks. So, we bring it to their attention and take the deeper dive discussions with them. Starting with, do you have a plan, to protect all these different points? If you haven’t already done one, let’s get one done. Making sure that turns into a strong cyber policy across all these touchpoints in the technology network.
Christopher: We’re pleased that healthcare organizations are starting to recognize that they have a massive attack now. If you can imagine what a typical hospital room is, it can contain up to 15 or 20 different medical devices. And every year, we’re adding devices to the network. A 2,000-bed facility may contain something along the lines of 1,500 infusion pumps alone. Now, these medical IoT devices are easily outnumbering other IT devices by two or three times. And those infusion pumps and other medical equipment, have a high-value price tag. We also need to ensure that those devices are available for quick access, but also that those high-value devices do not go missing.
It’s great that there is awareness in the executive team, recognizing that devices are no longer just cable to a network. Device manufacturers are taking advantage of Wi-Fi, BLE, Zigbee, and ZWave. Yet, adding these devices onto the network should be done with care. When we assess a healthcare organization, looking at these devices and the connectivity of devices is paramount. And sometimes it’s not under the control of IT. It’s sometimes under the control of facilities or medical device engineering groups. We can’t treat a network and a connection protocol as a dumping ground. In March of 2020, the FDA informed manufacturers of potential security vulnerabilities in an attack for specific medical devices using BLE. The threat of triggering a DoS attack or gaining control of a device. Or better yet using that device as a platform, a jump-off point, to connect to other systems is quite frightening.
Having a third-party providing security audits is important. They should be reporting to a board, having the CSO that’s providing over-watch. But not just in IT, but all those devices that are connecting the network are mandatory. Then these large organizational buildings, they’re vulnerable. There are also lots of attacks that are happening at some of these smaller deployments or locations such as popup facilities. Those devices and the connectivity of those devices need to be secured as well.
Alessandro: First of all, when we bring the issue to their attention, it’s not a surprise anymore. That’s because we were having these discussions probably about two, three, four, five years ago. When we would bring the topic up to them, they would say, “Why should I care?” and “That’s not going to happen to me.” After everything we saw last year and this year, all these attacks are on the news. So, the awareness is there.
When we bring up the topic it’s not, is this going to happen to me anymore. It’s more like, when is this going to happen to me and what should I do to better prepare when it happens? Of course, we’re not there yet. But it’s better, and this awareness is a great first step in getting going.
What are some mistakes you are seeing as it relates to cybersecurity?
Carla: One of the biggest mistakes is the soft targets, such as the older devices in the network that don’t have adequate security software. It’s an older device and they’ve got the option. They’ve got thousands of them, like these infusion pumps, for example, throughout that facility. Do you make the investment and replace them, or do you require a remote access solution? Like a multifactor authentication along with an enterprise-grade firewall to make that device secure. That’s one of the things people forget that this is already out there, and these touchpoints need to be secured. Because a lot of them aren’t thinking about these items. So, without a 6 to 12-month health check, and a consistent policy that makes sure that you’re looking at all these pieces, they’re not secure. They’re not as secure as they need to be.
Christopher: The challenge with IT teams in healthcare is that they’re stretched so thin. So, they have to look after the entire healthcare organization and mistakes happen. If a deadline needs to be met, sometimes the IT will take up a kind of risky approach to get those devices on the network. This applies to wired and wireless protocols. Too many times, I’ve walked into healthcare facilities, and they explain to me how they’re secured. Then here I am plugged into a port on the network with no controls or gating. These ports are physically all over the entire healthcare organization, not just in a boardroom. I look at ports when I’m walking down the hall and I easily plug into there, and I have access onto a flat network. Does IT lock down these ports and have them enable them before use?
Imagine me coming in and plugging in something like a microcomputer that runs Wi-Fi that’s not your traditional Wi-Fi, that can’t be detected by those systems. Now, I’ve got a perfect jump-off point that’s using say 900 megahertz. I can sit in the cafeteria, I can sit in your parking lot, and have access to your entire infrastructure. I’ve seen passphrases written on boards for guests or contractor access. As well as patients connecting to non-secure Wi-Fi. IT administrators are struggling with these medical devices to the point that if the device needs to get on the network, they start creating more wireless networks. Likewise, temporary popup networks are there to show or demo, or even trial devices on the network. They seem to be wanting to put on their network. And now you’re just increasing your attack surface for a bad actor.
Keep in mind, security is not a one-time discussion. This is a constant discussion with actionable items for all parties involved. Unfortunately, in 2019, there was a high-profile ransomware attack that resulted in the death of a newborn. And this is one of the first public claims that a patient death was directly attributed to a ransomware attack.
Alessandro: One thing that I see a lot and is very dangerous as Carla mentioned is to have older equipment that is not up to date, right? Most of the time, you forget about those things, that have been sitting there for years being consistently used. And they have a softer failure by softer exploits that you can use. Something else that’s very important, especially when we look back at 2020 and half of 2021 when most of our year was working from home, is you couldn’t do any elective surgeries. From a financial perspective, the hospitals were very impacted.
Going forward, we bring these needs to these people. Telling them, “Hey, you need to invest more in cybersecurity”, “You need to update your infrastructure”, and “You need to deploy this and that”. They’re going to say, “Well, yes, but how do I fit that into my budget?”. Especially given the fact that in the last year and a half, they lost a lot of money. They have to make sure they don’t make a mistake. Looking a little bit more to the future by cutting investment in infrastructure and cutting investment in cybersecurity. This is very important. It’s going to get even more important going forward. So, make sure this is prioritized in the budget and make sure that this does not get removed because of the issues we had in the last couple of years.
What steps can be taken to address these mistakes?
Christopher: It’s hard to imagine what a hospital room would look like without Wi-Fi or wireless protocols. Providing this ease of access has enabled technology in all facets of healthcare. Yet, healthcare organizations realize that the Wi-Fi that you provide at work is not the Wi-Fi that they have at home. The means of authentication, encryption, access rights, policy profiling, network segmentation is vastly different than your home network. And that plagued us at the beginning.
If we recall some of the first Wi-Fi devices that were put in hands outside of IT were VoIP handsets. I’d walk into healthcare and those were one of the first things that were living off of Wi-Fi back in the day. These were, and still are, connecting over WEP or WPA and WPA2 pre-share key networks. They’ve been there for so long and they don’t have any policy, or any security tied to those devices. It’s not uncommon to walk into the IT department and to see the VoIP passphrase on the front desk’s whiteboard. This saying, “If you’re going to onboard a phone, this is the key to use.” Now I mentioned this, but we’re always bringing up new wireless networks for services or headless devices.
At Ruckus, we have a way of collapsing those networks for you. Applying policies and access control. Using things like a public key infrastructure or otherwise for all those connected devices. Legacy devices, such as those VoIP phones that do not support PKI, can onboard those devices. Still providing return roles, even network segmentation, VLANs, or SLA. For that connected device without having to change anything on that device. Very interesting technology.
It’s not just devices that IT owns, but for guests as well. Guests are connecting to networks for a short-term stay or extended stay. They’re bringing more than a single device into the room. And these devices potentially need to communicate with each other as well. Let’s ensure that guests are connecting to a secure network or given the correct policies. As well as the correct network segments, and we can identify them. For healthcare workers, if they log onto wireless, we also need to ensure that they are given the correct policies. They have an identity and connect to a secure network.
Are there other things organizations should look out for?
Christopher: We always want better encryption. We always want better security when connecting to a network, but it’s not the only thing that we can rely on. Just saying that the latest Wi-Fi protocol has better security is not good enough. Let’s think about how we can view the security perimeter at a healthcare organization. What healthcare organizations need to do is understand how security applies to them and understand that security is not that one-time action.
As you’re introducing new devices onto the network, realize that what that device is and what type of security can use are not all equal. There are many times where network administrators are forced to put them onto different networks. This is due to limitations under encryption techniques.
Section 3 – Operational technology, its role, and cybersecurity considerations
What is OT and how is it being used in healthcare?
Eric: Coming back to something that Carla mentioned at the beginning as it relates to operational technology or OT. This is a huge area for investment in healthcare. What we usually hear about is ambient intelligence and automation. Whether it be workflows or whether it be some of the facility activities.
Carla: OT stands for operational technology. These are oftentimes devices that are even found within the diagnostic and monitoring systems for patient care. So, the devices such as insulin pumps, glucose monitoring devices. These are devices you wouldn’t even necessarily think of that feed into an overall patient monitoring solution. Now one might think, how threatening can a simple insulin pump be to my network? Well, it’s extraordinarily threatening if it’s not properly secured. If the device itself we spoke about earlier is older and it doesn’t have the software embedded in it accordingly, then it’s very vulnerable to being attacked. Thus, allowing somebody into the network. If the Wi-Fi network itself is not set up with appropriate authentication, encryption, firewalls, et cetera, then it is very vulnerable.
So, they’re the devices that people may not always think about, right? Maybe it’s an old device or it’s old technology. Not to sound like a broken record, but back to that health check and that policy. Revisiting it every six months to make sure that nothing was forgotten about or added. It may be something new that is old, right? It was something that they didn’t have on the network now, but it’s been added and it’s an older device. It was added for whatever reason, and no one thought about it and no one thought to make sure that it has all these standards within it.
Does it matter which type of technology is used in terms of transmission protocol?
Carla: I think it does. Currently today, most of these technologies are connecting through and to Wi-Fi. It’s the most common practice of today. Now the biggest difference, I’m going to refer to Wi-Fi 6 as the most current and best technology from Wi-Fi, obviously, right? Wi-Fi 6 and what is called 5G so there’s that new. Well, we’ve been hearing about it quite a bit in the cellular world. We had 4G and now it’s 5G. What’s the biggest difference between the two? At the end of the day, it’s the authentication. So, Wi-Fi 6, with WPA3 at the device is now quite frankly, just about as secure as the 5G protocols that were out there. With those two together, it’s very, very secure. But the WPA3 and devices were just enforced as of July 2020.
There are kazillions of devices already out there that don’t have that level within it. This makes that device less secure if you connect it to an older Wi-Fi technology network. So, there’s work to be done in Wi-Fi to make it as secure as 5G. With 5G, it’s inherent. You must go through strict authentication protocols to connect. So, it’s not there’s one more secure or better than the other. With Wi-Fi, you do have more control at the organization level, but you have to make sure that you implement it correctly. So that relies and depends on your organization’s ability to set it up securely, correctly, and efficiently.
There’s a couple of things that can be done starting with network segmentation. Make sure that you’re using subnets and VLANs to help isolate cyber incidents. That’s nice because you don’t have to have any additional hardware. You already have the managed switches, within your Wi-Fi network. Another area, which is really important even though it sounds simple, is identity and password management. Enforcing the password controls such as the length, age, the strength.
Trust me, I don’t love having to reset my password every 90 days, but I recognize that it’s very important. It’s very important to the organization to keep it safe. You also want to enforce role-based access according to what that user needs for their job. Do they need full access to the entire network? Most users probably don’t. Then lastly, remote access. Who has it? Do you have third-party integrators and contractors that are currently working on your network? What type of access have you given to them? In that case, you want to make sure that that access is through a jump server, such as a DMZ, which you control.
Only allowing them role-based access to assets and resources is very important. They don’t need to access your data unless that’s specifically what they’re there for, which most of the guys aren’t. Also, make sure that you’re monitoring each instance. I know this sounds simple, but it’s so often overlooked. When their job is done and they’re complete, be sure to revoke their access as soon as that work is complete. Don’t leave yourself exposed.
Christopher: We need to understand the security model or the access model. We need to encompass a lot of different resources when we’re talking about it, things like identity, credentials, access management, operations, endpoint, hosted environments, and interconnecting infrastructure. When we start onboarding these devices in terms of OT, MoT, or IoT devices, let’s look across all those different resources and apply security as needed.
What is zero-trust and how does it relate to different users?
Christopher: Zero trust, it’s kind of this interesting thing. We had it 10 years ago and it was called network access control and it was hard to implement it then. Then we morphed it into this concept of zero trust. It’s great to talk about. It is still a complicated thing. It’s important to understand that zero trust isn’t just a single off-the-shelf product or a technology. It’s kind of this holistic approach to cybersecurity that gets guiding principles for workflow and operations.
It’s a set of cyber defenses that collectively looks for threats outside and within a network perimeter. The more access that you provide with a larger attack surface, the more you will need to protect. To Carla’s point providing network segmentation in the terms of VLANs, VXLANs, all those great protocols. If you’re able to do that for say that contractor, you’ve reduced your attack surface by only allowing that contractor access to the resources that he needs access to. So, using a zero-trust security model, no device or user is automatically trusted before being vetted by a strict authentication process. Keep in mind, this is across the entire perimeter and not just Wi-Fi and not just IT.
Carla: Some of the core recommendations are how does an organization deal with this environment is you do have to now. You have the technical measures you can put in place, but you also have to look at the difference. If you can, kind of categorize the smaller groups of users. What access do patients need? What access do these contractors and integrators need? What access do your nurses versus your doctors, for example, need, and start to analyze and make sure it works. There’s no doubt about it, but not everyone needs full access. The levels are different. Make sure that you’re analyzing it right and you are then applying that to those different resources.
Like Christopher stated, not providing any level of trust to a device, in particular, a system, or a user based on its physical or its network location. Just because it’s in headquarters, doesn’t necessarily mean that it can be secure. Don’t assume that somebody put it in a year ago, two years ago and that it has adequate protocols. Make sure that you’re looking at every single device, regardless of where it is. And whether it was previously given access to any part of the network. Revisit it. Does it still need that access? So even if it’s not a user, a piece of equipment is constantly and consistently being reviewed. As well as everyone’s access because you never know when somebody might leave. You never know when a device’s integrity has been challenged. So make sure that you’re constantly reviewing it and then applying all of those technology measures that we spoke of earlier.
Section 4 – How cellular technologies enable a secure wireless environment
What would a security governance and change management plan look like?
Carla: Have the right policy written for your organization and all of the users implementing that change plan. It ties up the thousands of and probably tens of thousands of loose ends that you have within just one healthcare facility. We’ve spoken about, at the end of the day, the detriment that can happen, you have a loss of life. You have lost a newborn’s life. That’s horrible. You can’t even put a tangible number on that. So, these are the positive outcomes, and this is what it’s going to look like by putting in the appropriate measures. The stakeholders, 100%, the facilities teams, the CIOs as well, and the COOs. These are executives that may not necessarily be in the technology realm. Yet, at the end of the day, the liability realm is critical and important as well.
Christopher: It’s recommended to have parties involved. Those who are responsible for security in the healthcare network are available in change management. This could be the CSO security team that is providing over-watch for all those different devices that are connecting to your network. Third-party security firms should be used. These firms should be reporting to the board, not necessarily the CSO, with their results. Again, it’s important to understand that security isn’t just a one-time thing. We need to invest in these solutions as ongoing action items. These attacks that are happening such as ransomware have evolved. From just paying to unlock the network to now also paying them to ensure that the data that they’ve scrubbed isn’t released into the public. Thus, a double extortion model. So, we need to have a proper security team that’s involved in this change of management and reduce the risk and reduce that surface attack area.
It’s also important to understand how prepared the organization is when there is a cyber-attack. Is the organization prepared to deal with a ransomware attack? What actions need to be taken when there is? Is the organization prepared to understand how an attack can happen? What the repercussions are? And how to deal with that actual release of information, even if the ransom is paid? Are we training the workforce to deal with the inevitable attacks? This is where we look to partners and third-party parties like Connectivity Wireless. To help our customers understand this and do it before they need to require it because they’ve already been suffering from an attack.
What is CBRS and how does it differ?
Alessandro: CBRS allows you to have your private cellular network, without having to rely on carriers to provide services. It gives anybody the ability to deploy a cellular network in a fashion that should be the same way as when you deploy a Wi-Fi network. If you think about the difference between cellular and Wi-Fi, you would say Wi-Fi is everywhere. You have your access point in your house. You just plug it in and it’s working. Cellular is something more complicated. You need a company with 10,000 people working there to make it work. So, the idea of CBRS is to bridge the two technologies together. Bringing the security and the reliability of a cellular network. Then put them together with the ease of deployment of Wi-Fi.
What have you heard from other healthcare administrators?
Alessandro: In terms of stakeholders first, and I tell this to our team as well, everybody in an organization should be responsible for network security. Not only network security, information, physical security, everything. Usually, when we talk about cyber-attacks, people think that somebody’s sitting across the globe in a basement wearing a hoodie and doing something. But most of the attacks come through emails. Phishing attacks or the network so even through your main door or your IT closet door. So, all of those things have to be part of a comprehensive plan.
Controlling access, removing access, updating software, all those things are important. So, you need to do those main things and, on top of that, train people. At the end of the day, the users have to be the ones who recognize something. “Hey, this looks sketchy, right?”, “Should I click here?”, “Should I do this?”, “Should I open the door to this person?”, or maybe even “This guy was working here last month. Is he still working here?”, “Should I check with a supervisor?”.
All these, although they sound like physical security, they are also cybersecurity-related. So, this is all-important in terms of what we are doing. What we do at Connectivity Wireless is we build those great networks, right. They are supposed to be secure. They’re supposed to have the latest standards applied to them. We all know those tracks will be out there for a while, right? So, we can do all of this. We are proud of ourselves for being the end-to-end secure network provider. Not only working on the wireless side of things but also on the wired side of things. The analytics side of things, giving you information, giving you data. So how can you recognize something that’s not working right? This is all we do so healthcare providers can focus on what they’re supposed to focus on, which is giving care.
What are some top recommendations that you have for healthcare leaders in the industry?
Carla: I know everybody loves and trusts their internal teams and their internal cybersecurity team as they should. But as mentioned earlier, having a third-party cybersecurity organization, such as Connectivity Wireless. Coming in and providing sub-external oversight into the organization and a plan. Having that organization directly reporting to the board. Not necessarily to any of the C-level executives, but directly reporting to the board. They are such huge stakeholders in this environment. It’s a critical component. One of the things that we can do is kick off those initial health check risk assessments. Then bring in Connectivity Wireless, bring in the likes of Christopher and the CommScope, sit down and write that policy. And one of the things that we’ll do is, we’ll nag you every six months.
Did you have your updated health check? When was the last time you spoke to Connectivity Wireless and CommScope because you can’t forget about these things? Very easily do you fall into the kind of maintenance mode and just the standard remote monitoring mode. Then you forget that you need to proactively, bring them in and we have to do this again. We need to make the tweaks and changes accordingly as we move forward. I think it’s an interesting time. Technology is fantastic. It’s amazing, but it’s driving these open risk threats that I don’t think we could have imagined 20 years ago. But it’s here and we’re here to help you.
Christopher: Healthcare organizations’ data, from patient records to even a doctor’s identity is extremely valuable on the black market. How hackers can get that information is constantly increasing. This is due to every new thing that needs access on it. From mobile devices to electronic health records, vendors, cloud apps, remote employees, all these medical devices. They all provide potential entry points into an organization’s network.
It’s important to understand that zero trust may not solve all cyber-attacks, but it will make your networks more robust against breaches and some of those attacks. What Ruckus can provide is reducing that attack surface for devices connecting. For wired, Wi-Fi, IoT, MoT connectivity as well. We can stop the SSID proliferation and onboard devices securely onto the networks and the correct network that they need through policies and control on wired and wireless. There are no more writing passphrases on boards or never changing a pre-shared key passphrase. We can assist with all of those, making the networks more secure, easier to manage, and reducing the unnecessary overhead.
Alessandro: As we head into 2022, the threats are the same pretty much. They will evolve, but they’re there. We know which ones they are. Things like phishing, ransomware attacks, third-party risks, medical device security, they’ll be there. They’re still going to be there. So, I would say most of those risks can be addressed with simple user training, as I mentioned. However, some of them will require more reliable and secure networks. But how do we improve your Wi-Fi deployments? How do you deploy 4G, 5G? That’s what Connectivity Wireless does for a living. As I said, we want to allow them to do their job and we do our job.
We can help them check what they have today if it’s appropriate or not. We can help them choose the right technology for the job. I like this, the right tool for the job approach because some things don’t need to be. We don’t want to paint here the worst-case scenario for everybody. We want to raise the awareness, raise the flag when you need to have top-level security, and when you can get away with something simpler. We can help them choose the right thing for their guest network or their device network and make sure they’re protected. I think this is pretty much the message we should be sending out there.
How is this applicable to other market industries?
Carla: We support all enterprise, commercial, industrial, utility as well. In the utility and the industrial space, it is paramount and critical. So many devices and touchpoints in an outdoor environment. So, there’s a lot there. I would say healthcare is probably outside of that specific industry and the manufacturing. Healthcare is a big leader in the commercial space.
Christopher: Everything that we talked about is needed across all those different verticals. From education to MDUs to government. Security doesn’t stop. With healthcare, we need to continue these ideas across all those different verticals.
Alessandro: This is across the board. Every different vertical will have different nuances. These will depend on the type of devices you’re dealing with or the type of users you’re dealing with. I would say healthcare and essential services are important because we can impact people’s lives. If you can connect to an airport network, right, how much damage can you do? So, it’s important to think about security across the board. I mentioned that in a specific environment, in a specific company, everybody should be a stakeholder. Everybody should be part of the security efforts, but that also applies to different types of verticals. Everybody should be looking at this.
What groups can you be involved with to learn more about cybersecurity and how can you get involved?
Christopher: If you’re interested in zero trust, NIST has a great paper that defines zero trust and how to apply that. Again, a framework. Discuss with us, discuss with Connectivity Wireless how that actually would work in your infrastructure.
Alessandro: Standards are standards. They will not necessarily be implemented or required or recommended. But it’s really important to follow what’s happening out there. For example, it was mentioned here, the Wi-Fi WPA, WPA3 encryption. We only have WPA3 because one and two were hacked, right?
It’s important to be following the standards for Wi-Fi, for 4G, 5G, and see what’s going on. Watch how companies like CommScope are reacting to it. That happens also in terms of software patches. Make sure you follow what your firewall provider is pushing out in terms of information. We just released this new patch. We found a breach here and there. That applies to devices, too. Apple, Samsung, Android, all those things. So, follow what’s going on in the market.
Carla: There are a couple of standards and regulations that folks can look at. It’s NERC, NIST, such as Christopher mentioned, and C2M2. So, if you’re starting to plan before you go into it, take a read. Read through the policy. Take that time and then take the next steps.
Eric Abbott: Strategic Healthcare Advisor
A Senior Technology Executive in healthcare and mobility domains, Eric has directed and led large complex global initiatives to drive value, creation, and growth to achieve meaningful outcomes. He is also an adjunct faculty instructor at Northwestern University teaching Consumer Digital Health and serves as a healthcare subject matter expert advisor for Connectivity Wireless.
Sam Chughtai: Cybersecurity Advisor
Sam has been in the cybersecurity world for 32 plus years. He works for global consulting companies, IBM, Microsoft, and has had an opportunity to be an in a couple of schools. Currently, he is working in an advisory capacity to the US Air Force to help them with their cybersecurity strategy for next-generation hardware.
Alessandro Feitosa: VP of Wi-Fi, Analytics & IT at Connectivity Wireless
Connectivity is a managed services provider. What does that mean? All things connectivity: 4G, 5G, Wi-Fi, private networks, and public safety. They, indeed, are all things wireless connectivity for the healthcare industry. They pride themselves on the amount of experience that they have. They have completed over 2,700 projects and are currently involved with ~60 healthcare organizations. Connectivity does everything from A to Z, truly turn-key. From consulting to design, all the way through to project management installation. In addition to this, they provide monitoring and maintenance on the final day to help evolve the system over time.
Carla Shaffer: VP of Wireless at Wesco Anixter
Wesco Anixter is a global distributor of telecom infrastructure across all technologies and markets. So anywhere from licensed devices, such as cellular or two-way radios for first responders or unlicensed devices to connect to Wi-Fi, we’ve supported the system deployments, and now we’re protecting those systems beyond just the standard physical infrastructure. The healthcare industry is one of their leading markets year after year due to their need to support so many devices within their organizations and the best ways for them to connect those devices securely and efficiently.
Christopher Mohammed: Director of Product Management at CommScope Ruckus
At Ruckus, they produce networking gear for Wi-Fi, Wired, IoT, and OT access, as well as onboarding and offboarding onto those networks.