Low Budgets, High Stakes: A Conversation with CISO Frank Attilio

The former CISO of CarePoint Health and industry veteran Frank Attilio shares a few tales from the trenches and his thoughts on ‘getting back to the basics’ of healthcare security

Show Notes

In today’s episode of In Scope, host Mike Murray is joined by Frank Attilio to discuss being a CISO and making budget cuts. The conversation begins with Mike asking what C Level executives should be focused on during this time. Frank says you have to focus on both the new and the old things. It’s the small things that get you, so Frank encourages a strong focus on education, especially around phishing. Frank now has employees take a short test on cybersecurity and receive a certification. This certification also helps the company save money on cybersecurity insurance. Hackers are looking for the easy way in, so making it harder and more complicated for them to get your data is the best way to ensure they go somewhere else.

There is a big concern in health care that there isn’t money for cybersecurity. Frank says you have to be creative and innovate new low-cost solutions to security problems. When you have no budget, good relationships can get you a long way. Frank stresses that treating his vendors well is an essential part of his business because vendors are critical to the business. Years ago the hospital was a contained environment; that is not the way it is now. We’re using VPN, BYOD and NAM. These are helping secure medical devices and prevent data from being hacked.

Not only does Frank work to innovate creative solutions when budgets don’t allow him to invest money in cybersecurity, but he also barters with vendors. Working with them to improve their products and promote their brand awareness allows him to develop vendor relations and accomplish a lot with a little. Mike chimes in here, agreeing that from a vendor perspective, clients like Frank are ideal. They serve as collaborators who help make their products even better. Frank finishes by giving a piece of advice to all CISOs and healthcare C Levels. He encourages them not to write passwords down, or make them so complicated that they need to be written down somewhere.

The episode ends with an installment of Vital Signs, a segment on updates in the healthcare security community. One of the main reasons healthcare security can be so difficult is that it exists in three separate domains, each with its own set of challenges. The first is the traditional IT environment that exists within every modern corporation; it deals with phishing, malware, and vulnerabilities just like everyone else. The second environment is clinical technology and medical devices. The third environment is the center of healthcare security – Electronic Medical Records (EMR). The EMR holds all of the patient data, from personal information, to financial records, to medication and every interaction with hospital staff. A breach of the EMR is a breach of the entire hospital, but it isn’t enough to secure one environment. You have to be able to secure all environments and be able to track hackers across environments. That is the difficulty of securing healthcare.


0:21 – Mike introduces today’s guest, Frank Attilio

1:34 – What should C Level executives, especially those in health care be aware of right now?

5:41 – How do you handle old medical technology, low budgets, and cybersecurity?

10:38 – Frank talks about building relationships with vendors.

15:37 – Frank explains his philosophy, “think stupid and get the answer.”

24:32 – Mike and Frank discuss bartering with vendors to improve systems.

26:55 – Frank’s final piece of advice about passwords.

28:49 – Vital Signs – healthcare security update.
