Healthcare (& Personal) Cybersecurity

Now 

This week I listened in on a panel discussion on “Cybersecurity and Canadian Health Care”. A couple of decades ago I had the privilege of leading the IT teams for three hospitals that sadly now seem to be the latest victims of a serious cyber attack, so I have a perspective on this subject. The panel was organized by the Globe and Mail and CIRA (the Canadian Internet Registration Authority); you can see the background at https://www.cira.ca/blog/cybersecurity/healthcare-cyberthreats.

The panel made good points around funding, planning, core competencies, and Board and Province level responsibility for cyber risk management. However, I think they missed (or maybe glossed over) a key root cause of health system vulnerability – complexity, fragmentation, and the lack of a big picture viewpoint.

A comparison to the private sector might shed some light on what I’m talking about …

Then

Prior to joining the healthcare sector I was Corporate IT Director for a small international high-tech corporation. One that actually designed, manufactured, marketed, and sold high-tech equipment for critical infrastructure around the world, not just social media advertising software. After leading global Intranet, Internet, & eMail (Novell), Collaboration (Open Text), BI (Cognos), and Y2K projects, my next major project was transitioning our ERP system to SAP. For this project I contracted with one of the big 5 accounting firms to provide SAP expertise for our finance folks. During our kick-off meeting our new SAP SME felt the need to level-set our team. So he drew a big circle on the whiteboard and put a dot in the middle. The circle was SAP, and the little dot represented his expertise in SAP. Sure, there are a lot of moving parts and it takes a significant team to implement and maintain. But it’s an integrated solution and SAP has lots of training and resources to support the teams. And I repeat, it’s an integrated system. So in spite of its size and project challenges that included international team members being stranded in different cities or continents by 9/11 and its aftermath, the teams made it happen.

After I transitioned to the healthcare space and started drinking from that firehose, I reflected on the SAP whiteboard demo. On my mental whiteboard, the circle was now healthcare systems and the dot was SAP. And many of those systems were not natively integrated but developed by autonomous enterprises with their own commercial agendas and release plans. So we depended on third parties to provide integration systems & expertise, on HL7 & IHE standards to provide an integration framework, and on our internal team to coordinate everything and provide 7/24/365 support for over a thousand users.

But managing the complexity of these systems and integrations, and supporting health care users with a huge diversity of process and automation needs across multiple sites with an IT staff of 8, left little time for staff development and introspection about cyber security. Most shocking for me in my new role in the public sector was that I was just one hospital IT Director, trying to architect and support solutions to meet the same needs as 100 other hospital IT Directors in the province. And I was doing it my own way and with my own set of applications, integrations, security policies, etc., ad infinitum. In a single-payer healthcare system. One that, if it were organized like the US Veterans Administration (which serves a similarly sized population), would have a single, integrated system. For everyone. But for us, the Best of Breed vs Integrated solution debate raged on, and well-funded research hospitals competed with each other and with under-resourced/led provincial resources to create pieces of a shared EHR …

Now

Fast forward 20 years and it seems some things have changed and some haven't. Listening to the CIRA panel and then discussion on Howard Solomon’s Cyber Security Today podcast with the always insightful David Shipley of Beauceron Security provided some fascinating déjà vu. David Shipley put his finger on one of the current problems. To paraphrase him:

IT powers everything in a modern hospital and if it breaks we’re screwed. But we don’t take its support seriously.

I know that huge sums are now spent on US-based Hospital Information Systems for Ontario hospital groups. But how much of that IT funding goes to actually managing provincial IT services and protecting them from cyber threats?

Then

Over the course of my decade or so as a Hospital IT Director I often used the Boiling Frog apologue to describe the status of digital healthcare. We were transitioning from paper to electronic health records (EHR) and few were paying attention to the big picture implications of managing this new ecosystem, although a few centralized systems started to evolve. At the end of that decade in 2011 I even started to write a series of whitepapers about this that I called the HITMan papers (for Health Information Technology Management). A few quotes are probably still relevant:

Enormous efforts are being expended world-wide to move the integrated healthcare enterprise agenda forward; however, the focus is primarily on clinical and information architectures, protocols, and standards. What about the management of the technology that all this innovation runs on? What is being done to ensure all this technology is actually useable in the real world?

Astonishingly, there is scant evidence of widespread collaborative use of IT management best practices to support the evolution of the shared EHR.

… Limited recognition that replacing paper-based systems with an EHR comes with game-changing requirements for HIT availability, continuity, capacity, security etc.

Now

Well, almost every week now, 12 years later, we hear about another healthcare frog that is dying in the pot and needs huge resources and funding to resuscitate it.

And What About Us?

My current focus is on Cyber Security for a different, under-served sector that I call IFH – Individuals, Families, and Home Businesses. And there are parallels to the Healthcare Cyber Security of yore. Now the users aren’t only healthcare providers, they’re the internet users of the world – billions of us. And the organizations that should be collaborating on security aren’t a hundred hospitals but a hundred countries. The cyber-risk for the IFH sector is just as great as for the SMB and Enterprise sectors, with drive-by malware downloads and increasingly sophisticated AI-driven phishing campaigns trying to steal and ransom our stuff. Even if we’re only collateral damage from crooks trying to get to our workplaces via our homes.

But we don’t have IT departments to help us navigate these waters and proactively defend us. This, I believe, is the responsibility of those hundred or more countries. But I’ve seen little evidence of countries stepping up in a collaborative way on behalf of their citizens with actionable tools, information, and even hack-backs on the crooks (although Australia may be the exception here). The current focus, maybe rightly for now, seems to be money-laundering, business break-ins, and critical infrastructure.

What to Do?

Which leads me to our evolving site, cyber-me.ca. We’re hoping to develop, identify, and recommend an integrated set of useful, actionable tools and checklists to help the rest of us defend ourselves, while governments (hopefully) get their collaborative acts together to protect us and pro-actively counterattack the crooks. And this in turn leads me full circle back to one of those tools, created by CIRA, the organizer of the event that triggered this ridiculously long post. One way to reduce cyber-surfing risk is to have a trusted service check sites first and block connections to them if they’re fishy (or phishy). This is what the CIRA Canadian Shield can do for Canadians. And we’ll be looking into alternative, equivalent services that global citizens can use.

Finally, in summarizing a sensible cybersecurity strategy at about 23:20 in the ITWC podcast, David Shipley stressed the need for organizations to get the basics nailed before agonizing about nation states attacking them. He referenced the NIST Cyber Security Framework fundamental controls of getting a handle on your IT inventory, and on Identity and Access Management.

And what’s good for the commercial goose is also good for the IFH gander. We’re also using the NIST framework as the foundation for our site’s cyber security guidance.

The Pitch

Our first product is a spreadsheet in which folks can inventory their online CyberServices. Next up will be one to inventory all the home cyber things and applications taking up space in our houses and on our hard drives and, BTW, presenting a juicy attack surface to the crooks of the world. Because the first step in a Cybersecurity program is to reduce complexity and fragmentation and to simplify your environment so you can get a handle on it. And the way to start that is to make a list.
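To show what an inventory like that buys you once it exists, here is an added example (not the cyber-me.ca spreadsheet, and not code from the site) that reads a small, constructed account inventory and flags the basic hygiene gaps the NIST inventory and identity controls are meant to surface: accounts without MFA, passwords reused across services, stale passwords, and missing recovery contacts. The column names, the cut-off date and the one-year password age are this example's own assumptions; the `password_id` column is an opaque label such as a password-manager entry name, never the password itself.

```python
"""Online-service inventory checker (illustrative example, not cyber-me.ca's own tool).

Reads a CSV with one row per online account and reports the hygiene gaps an
inventory is meant to make visible. All column names are assumptions of this
example; adjust them to match whatever spreadsheet you actually keep.
"""
import csv
import io
from collections import defaultdict
from datetime import date

# Constructed sample inventory (fictional accounts). password_id is an opaque
# label for a password-manager entry, so the sheet never holds real secrets.
SAMPLE_INVENTORY = """service,login_email,mfa,password_id,last_changed,recovery_email
bank,alice@example.net,yes,pw-bank,2024-03-01,alice.backup@example.org
email,alice@example.net,yes,pw-mail,2023-01-15,
shopping,alice@example.net,no,pw-shared,2021-06-30,alice.backup@example.org
forum,alice@example.net,no,pw-shared,2020-11-02,
"""


def load_inventory(text):
    """Parse CSV text into a list of dicts, one per account."""
    return list(csv.DictReader(io.StringIO(text)))


def find_gaps(rows, today=date(2024, 6, 1), max_age_days=365):
    """Return a sorted list of (service, issue) findings for the inventory.

    `today` is fixed by default so the output is reproducible; pass
    date.today() for real use.
    """
    findings = []
    services_by_password = defaultdict(list)

    for row in rows:
        service = row["service"]
        services_by_password[row["password_id"]].append(service)

        # Identity control: every account should have a second factor.
        if row["mfa"].strip().lower() != "yes":
            findings.append((service, "no MFA"))

        # Stale credentials: older than the chosen age.
        age_days = (today - date.fromisoformat(row["last_changed"])).days
        if age_days > max_age_days:
            findings.append((service, f"password older than {max_age_days} days"))

        # Account recovery: no way back in if the login is lost.
        if not row["recovery_email"].strip():
            findings.append((service, "no recovery email"))

    # Reuse: the same password label appearing on more than one service.
    for services in services_by_password.values():
        if len(services) > 1:
            for service in services:
                others = ", ".join(s for s in services if s != service)
                findings.append((service, f"password shared with {others}"))

    return sorted(findings)


if __name__ == "__main__":
    for service, issue in find_gaps(load_inventory(SAMPLE_INVENTORY)):
        print(f"{service:10s} {issue}")
```

Run it as-is to see the findings for the constructed sample; point `load_inventory` at your own exported CSV (with matching column names) to check a real list. The point is not the checks themselves, which are deliberately simple, but that none of them can run until the list exists.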

And we have an entire, evolving page on our site devoted to Identity, and how we can protect it.

Check out cyber-me.ca, stay tuned, and stay safe online. 😊
