This is part of our Humans of Cyber initiative, a series of in-depth interviews with key figures and leaders of the Canadian cybersecurity ecosystem.
In part I of the series, we interviewed Neumann Lim, ISA’s Director of Digital Forensics and Incident Response, on his DFIR thought leadership and practice. Download his full interview here.
Cybersecurity in Healthcare
In part II of the series, we interview Kashif Parvaiz, CISO at the University Health Network, Canada’s largest research hospital, embracing five Toronto-area hospitals, healthcare and research facilities. As an industry expert and seasoned cybersecurity executive, Kash shares his thought leadership on the top three considerations for 2021, for healthcare CIOs and CISOs.
ISA Cybersecurity has helped many healthcare organizations like the University Health Network, achieve their privacy and security goals, and be proactive in the fight against security threats. We deliver cybersecurity services and people you can trust.
Let us know how we can help you. Get started today with a complimentary security rating assessment that details the cyber risks in your organization and see how you benchmark against your peers in 20 major risk categories.
ISA: Now, the cybersecurity world is still buzzing over the co-ordinated attacks against hospitals in the US at the end of October. And this comes on the heels of the massive UHS attack in September affecting hundreds of health facilities. Have you changed your tactics or strategies in light of these heightened threats against healthcare?
KP: Yes, so those attacks have not gone unnoticed, I’ll tell you that, by the board [laughs]. The board members actually have read the same reports that you have read, and they’ve asked about it. So, it’s a good time this month, actually, later this month, I’m going to my board to discuss exactly that: what happened there at UHS. They want to know, and basically ‘Could that happen to us?’ is really what they’re what they’re after. And to be honest, I think one of the best approaches that anyone can take is… there’s a lot of publicly available information regarding those attacks, as well as other attacks that have happened at healthcare organizations in the world.
You really have to just sort of analyze them and dissect them and say, ‘What was the root cause of them?’ and ‘What was the way that it spread?’ and ‘What was the response taken by these organizations?’ Then you can look at yourself and say, ‘Are we susceptible to that? What are we doing about the way that phishing comes out? What are we doing about the way that things spread laterally? What are we doing about our incident response?’ Those kinds of things, it takes you back to say, ‘This is what happened there, and this is how things went sideways; this is what we need to do to, maybe not avoid it completely, but at least reduce the impact to patient care should this happen to us.’
There’s a whole bunch of preventative things that you can do, yes. But I mean, if it was to get through and were to spread, what would you be prepared to do? You need to have both. It can’t just be ‘Well, we’re going to prevent everything that we’re going to get.’ That’s sort of foolish to think like that. I think that there are going to be situations where it gets through. Now you need to know what you would do about it, to mitigate it. And so it doesn’t become a huge incident like at Michael Garron or some other hospitals as well that they had last year. They were out for four to five days, which is… that kind of stuff is too impactful, I think, to let go.
ISA: Hospitals have an extensive array of third-party suppliers, cloud integrations and as-a-service partnerships. How do you manage all those relationships from a governance and cybersecurity perspective?
KP: Yeah, you’re absolutely right. These days, with medical devices and clinical devices, they are very highly-tuned equipment, and they need special support agreements. We have a number of third-party support contracts with these medical suppliers. And they come in on a regular basis – nowadays remotely – to administer and maintain these types of systems. And so what we’re doing now is we have set up a questionnaire – so it’s more of threat and risk assessment questionnaire – that is mandatory for them to fill out before we actually start any thinking about purchasing and procuring these types of devices. We have a medical engineering team – we call it biomedical engineering – they actually are the ones who usually test and procure these types of devices.
We’ve embedded ourselves in there to run this threat and risk assessment before any procurement happens. And then even when the procurement starts happening, we work closely with their legal teams as well to develop some contract language as well to allow us to do things like ensure that various patches are applied and that some of the devices are tested, well-tested before, and that new software is sent to us, whenever it’s available, that sort of thing. There is a lot of contractual language as well, that we’ve also had.
It’s both threat and risk assessment questionnaires, as well as legal, and then we also – third – the last thing is what we’re trying to do is ensure that “least privilege” is enforced, meaning that these people come in, they are coming in such a way that they can only get access to the various systems that they need to administer, but not other systems. I think we are doing all three of those things to reduce the risk.
ISA: Thank you for that. So looking ahead, as a cybersecurity leader in the Canadian healthcare industry, can you share your thoughts on say, the top two or three considerations for 2021, for healthcare CIOs and CISOs?
KP: Yeah, I think the big thing for me and for most organizations, I think, is just like you mentioned. One, is getting a handle on your IoMT devices, understanding where they are. Most of them are not, you know, you’re unable to patch them to the highest levels, or they’re running legacy operations. So you have to know where they are, and then come up with a strategy to segregate them or isolate them so that they’re much safer, because those are the ones that if they are impacted, or taken offline, they can have the biggest impact to patient care. Those are the ones you need to protect first. So that’s one.
The other is, I would say, focusing hard on detection and response. You have to have eyes on your network and your whole system at all times. And I think that’s very, very key. Most of these, you’ve got logging here and logging there on different systems, disparate systems – you need a centralized logging system that can alert, whatever operation centre you have, whether it’s an in-house or outsourced SOC to take action.
And the third I’d say is once you have all of that detection, you need to have strong incident response, procedures and plans and things because everyone needs to know what their role is. Because I think, at the time of an incident, it can’t be that sort of a panic, where everyone’s kind of calling each other and that sort of thing. You need to know exactly what needs to be done to mitigate the risk. I think those are the things for next upcoming year.
Download the full interview transcript here.