FBI Director James Comey, a keynote speaker at this morning's American Hospital Association annual membership meeting, said one of the key approaches the bureau is taking to improve its cybersecurity threat response is to build stronger relationships with private community entities.
Hospital executive teams that don’t know at least one person at the FBI's local field office are “failing, and we’re failing.”
Comey provided strategies on how hospitals can prevent cyberattacks, and also explained how the FBI is tackling cybersecurity. He said closer ties are one of the key steps, and that hospitals need to let go of the potential fears that can come from enlisting the FBI. This is particularly important because the vast majority of cybercrimes are not reported.
“Together, we can confront the changing human experience,” Comey said.
The FBI had no interest in private information and data, he said, and any internal information will not be used against a provider. Instead, groups harmed in a cyberattack will be treated like victims of a crime.
He likened it to building a relationship with a local fire department. The firefighters aren’t expected to know all the nooks and crannies or secrets in a hospital, but they’ll know where the hydrants and water hookups are, and how to rescue people who may be trapped in the case of a fire.
Healthcare organizations are major targets for cybercriminals, Comey said, because the sensitive data they collect in droves can be sold at a high price for use in fraud and identity theft. Medical devices are also increasingly becoming a target.
He offered three areas for providers to consider as they develop their plans to avoid or mitigate cyberthreats:
- The “weak link” in cyberattacks is people, he said, so providers must foster a culture of security in their organizations. This includes training staff to recognize and prevent cybercrimes, and may require a second look at who has high-level access to a hospital’s database. The more avenues there are into the highest levels of access, the easier it is to breach, he said.
- Providers should also address vulnerabilities in the technology itself, by updating and patching systems regularly to prevent intrusion. Regular system tests can also help flag vulnerabilities before a hacker can get in.
- A business continuity plan can prevent downtime, and could help providers avoid having to pay in the case of a ransomware attack. Real-time data backups can ease the pain of such an attack, as they allow an organization to continue work without having to give in to a hacker’s demands.