CHICAGO – Speaking to a full house at the HIMSS23 Healthcare Cybersecurity Forum on Monday morning, Deputy Director Nitin Natarajan of the Cybersecurity and Infrastructure Security Agency noted that even a few years ago it would have been hard to gather a crowd that size to talk about cybersecurity.

But the events of the past few years, with ransomware debilitating hospitals and health systems around the world and cyberattacks increasing in "frequency, severity and sophistication," have helped focus the healthcare industry's attention on a fundamental security challenge – one that's no longer about data breaches but poses real threats to patient safety.

We're "crested the hill," said Natarajan. Chief information security officers and other IT and infosec leaders are no longer having to "sell the need for cybersecurity" investments to boards and CEOs. Most execs now understand the stakes.

Now it's time for "tackling the harder challenge of working together," he said.

As a key part of the U.S. Department of Homeland Security, CISA occupies a unique spot in the federal government – and is uniquely positioned to help healthcare organizations gird themselves for this ongoing battle, said Natarajan.

"We're not the intelligence community, we're not the Defense Department, and we're not law enforcement," he said. Instead, the agency, which was founded in 2007 to help strengthen cybersecurity protections across the U.S. – three primary areas of focus are K-12 education, water and wastewater, and healthcare, he said – has the core job of helping the private sector build resilience against relentless cyberattacks.

"We're here to help," said Natarajan.

And not a moment too soon. He cited recent American Hospital Association data showing an 86% increase in attacks against hospitals since 2021.

"Healthcare reported more incidents than any other sector," he said. "And this is going to continue to increase."

The trends aren't in the healthcare sector's favor, as bad actors take aim at health systems' troves of PII, payment information, PHI, and even national security info such as pandemic planning plans and response, said Natarajan.

Meanwhile, telehealth has great expanded the attack surface, wider cloud adoption has increased the potential risks, attacks against small and rural hospitals are expanding significantly – and rise of ransomware-as-a-service offerings has made it easier than ever to be a bad guy

"It used to be hard to be a cybercriminal," said Natarajan – who noted that a key focus at CISA in the months ahead will be to innovate AI and machine learning, working together with the private sector to further automate its response capabilities, and spurring wider adoption and implementation of zero trust architecture.

The goal, he said, is to make it "more costly to the adversary, less profitable and more difficult" to wage attacks.

"Organizations of all sizes need to be prepared to respond," he said. But he promised that healthcare providers are not alone in the fight. Natarajan pointed to new resources from HHS, just published that morning, to help healthcare and public health organizations.

Other government and private-sector agencies, from ONC to HC3 to Health-ISAC, can also be key partners in helping health systems bolster their resilience, he said.

But at the same time, other players have to step up.

"We need to hold manufacturers and developers more accountable," said Natarajan, and expect as consumers that they'll have "strong security built in, up front, with no additional cost."

And health system leaders – those who haven't already – need to wake up to the threat, and open the purse strings for appropriate cybersecurity investments, he said.

The days of "CISOs fighting for budgets," should be in the rearview mirror, said Natarajan, noting that CEOs and boards need to take responsibility and get better educated on cyber threats.

At CISA, he said, "we work with you to meet your needs going forward," and continue its mission of helping "raise awareness and increase resilience" in the face of an escalating threat.

"We have an adversary that is well-funded, that is capable and that is targeting all of our organizations," said Natarajan. "Only by working together can we ensure we're one step ahead of them."

Mike Miliard is executive editor of Healthcare IT News
Email the writer: mike.miliard@himssmedia.com
Healthcare IT News is a HIMSS publication.