Blake Dowling
The Florida Hospital Association (FHA) has been our state’s leading voice for health care since 1927. Most readers of this publication are probably familiar with their advocacy for our hospitals and health system at the federal and state levels.
However, they do a lot more than that! When a crisis hits, FHA serves on the front lines of hurricanes, pandemics, and cyber threats, serving as a liaison to Florida’s State Agencies in support of a health care provider’s needs to respond to the incident.
For example, did you know that during the recent hurricanes, FHA staff helped impacted hospitals coordinate patient placements to other hospitals so that our state’s health system could support the communities it serves?
Did you know that during the COVID-19 pandemic, FHA President and CEO Mary Mayhew worked daily to communicate important information to Florida’s hospital community and our nation’s media?
FHA represents all of us in so many ways. I got to join them and representatives from the American Hospital Association this month for a cybersecurity workshop at Valencia College, School of Public Safety in Orlando.
In my cybersecurity columns over the years, I usually close with a message that we all need to work with security experts and law enforcement to ensure we are doing everything we can to fight hackers.
FHA did this at a level I have not seen in 20 years of working in cybersecurity in our state. They gathered representatives from the Federal Bureau of Investigation, Cybersecurity & Infrastructure Security Agency, Division of Emergency Management, Florida Department of Law Enforcement, and Cyber Florida from USF in the same room with hospital and health system IT professionals and leaders. Together, they discussed the threat landscape and the impact of ransomware on health care facility operations, identified each agency’s specific response roles and responsibilities, highlighted provider best practices and conducted a discussion-based exercise centered around a disruptive cyberattack.
Most security events I attend usually have one of those groups, but not all of them. The FHA team brought our state’s best and brightest to the room to share information and ensure we are all on the same page in the war against hackers.
Our health care community has been hit hard worldwide by ransomware and other cyberattacks, as hackers see hospitals as a target-rich environment. While this is beyond unsettling on so many different levels, the bottom line is that just like the financial sector and all those who deal in personal information (everyone), hospitals and health care providers must do things more securely than anyone.
We saw UnitedHealth in the news about their recent breach, and it is a reminder that even the most protected systems are vulnerable.
The FBI agent in attendance said that hardware and software can be patched with the latest security updates, but people cannot be patched. While he is 100% correct, there is a lesson there.
Even with every cyber tool, you must relentlessly train your people on cybercrime tactics. If a network is secured, the hacker will try to circumvent it by calling the help desk and requesting a password reset. All organizations need a check and balance to ensure this is not an entry point for hackers.
Hackers have turned our communication tools, such as emails and text messages, into a threat delivery system, and the same applies to phone calls.
The testimony of Jim Witty, United Healthcare’s CEO, in front of Congress revealed the Change Healthcare attack was instigated by stolen credentials and the failure to have multifactor identification processes in place, which were to blame for the most significant hack on America’s health care system resulting in the breach of millions of health care records containing personal health information, according to TechCrunch.
Hackers use social engineering tactics in conjunction with stolen credentials from other breaches on the dark web to target specific persons.
To combat being targeted, change all your passwords from any impacted breaches to make sure your stolen credentials are not out there for sale. Plenty of mine are! For example, the Equifax breach many years ago – that info is still available on the dark web. We can protect ourselves from cybercrime by having good password hygiene and not using the same passwords at different sites. That tactic is called credential stuffing, and hackers use it all the time when looking for information on their targets on Linked In, Facebook, and other sites (that is what social engineering is).
While there is nothing to joke about regarding hacking, I will offer this information for your amusement. There are eight Valencia College campuses in Orlando. One was a mile from our hotel, and another 20 miles from the FHA event. This information could just save you from morning rush hour in Orlando.
Like traffic in Orlando, the war on hackers will not end anytime soon. However, working together allows us to share our stories and experiences, learn what works and what does not, and be more prepared when a cyber incident occurs.
I sincerely applaud Mayhew and John Wilgis (FHA VP, Member and Business Relations) for doing what needs to be done. Their work unites our hospitals, health systems, health care professionals, cyber professionals, and law enforcement in one room.
To the 900,000 Floridians working in or around our state’s hospitals, we salute you for being there for us. We all have needed or will need your services at some point in our lives, and we thank you from all of us. To the law enforcement professionals fighting hackers, we thank you.
Your behind-the-scenes work has saved so many from cybercrime, and we owe you. To FHA, thank you for fighting the fights that need to be fought, from pandemics to policy, and we will see you again soon.
___
Blake Dowling is the CEO of Aegis Business Technologies. He can be reached at [email protected].
