Boost appeal of healthcare IT to drive standards, says chief security strategist
- 10 November 2017
Ask a young person with an interest in IT who they would like to work for, and chances are they’re more likely to cite Google, Microsoft or Apple than the NHS.
But making the healthcare industry more exciting to budding cyber-experts could be key to transforming its IT hygiene and making it better equipped to deal with threats, says a cyber security chief.
Steve Moore, former vice president of cyber security analytics at beleaguered healthcare firm Anthem, said healthcare organisations needed to “get friendlier with IT” and step up their recruitment efforts in order to stop internet and technology firms being first choice for aspiring tech men and women.
Speaking to Digital Health News, Moore said: “There’s a talent shortage. If you’re an up-and-coming young man or woman who’s interested in technology, there’s a lot of places to go. Is the first place healthcare, or is it an exciting internet provider or a search engine provider? [Healthcare] is less exciting.”
Moore, who now serves as chief security strategist for cyber security firm Exabeam, suggested that recruiting candidates before university and offering incentivised training schemes could help hospitals and GP practices pull better talent from the technology pool. “I think getting folks interested a little earlier is a powerful thing.”
He added: “Recruiting is difficult; getting qualified staff is hard in this career field. Organisations have to know their environment, they have to know what’s running about within it.”
Regarding IT as an afterthought has left the industry particularly susceptible to threats from cyberspace, as demonstrated during May’s WannaCry outbreak.
Moore said making security higher in boards’ list of priorities was key to remedying this. “Rightfully so, quality of care should come first. I think in many cases, budgets are tight. Every penny or pound is managed to the end and it’s all focused on quality of care. But I think there needs to be a bit of a renaissance there to say, part of quality of care is appropriate security, especially of digital records.
“Doctors rule in a hospital, but I think there needs to be a sharing of that authority as well, because making sure we have hygienic and up-to-date IT systems is just as important as hygienic operating rooms… It’s just an order of priority. It’s a tough one, and there are going to be a lot of bad days, and a lot of information lost and expensive recoveries.”

Moore has first-hand experience of surviving the fallout from a cyber security breach. In February 2015, hackers broke into Anthem’s servers and accessed information it held on some 78.8 million people, much of which was identifiable.
As the point of contact during the breach, it was up to Moore to rally staff and formulate a response. Despite being equipped to deal with the incident swiftly, Anthem was hit hard, and it wasn’t just the commercial side of the company that felt the reverberations.
“Many people were scared,” Moore said. “It’s a blow to the ego when a breach happens, at a very human level… the first rule of my leadership principles today is, if people are afraid, they will not innovate. So as a leader, you need to take all the pain, all the failures, all the heat.”
Moore said that ensuring staff felt safeguarded was key to building resilience against future threats. “I needed people to think clearly and I needed them to respond quickly, and have them thinking about the future and how to better automate and better respond… you’re going to do that by having your people feel protected. They need to think about the future and how to do things better, faster and stronger.”
The Audit Office’s report into WannaCry’s impact on the NHS concluded that it would have been able to fend off the attack had it applied basic IT principles, not least ensuring computer software was kept updated.
Indeed, Moore said this should be healthcare organisations’ primary concern. “Focus on the foundations. Do I have weak passwords? Do I have multi-factor authentication or adaptive authentication? Do I have tools within my environment that tell me where tools are being misused?”
He added that organisations needed to assess their IT guidelines in order to make sensitive data a smaller target for hackers.
He singled out email in particular, which is the primary method of intrusion in most cyber security attacks. “Email’s going to be the vector. People need to take a stronger approach to what business processes they allow to occur. Do we allow email from every address, do we allow every type of attachment, do we allow every type of link? We shouldn’t.
“Many people will buy technology to try to secure email or filter it to make it less risky, but very few people will actually go through and audit it as a business process. Is it too open? Should we throttle it?”
Recent history has demonstrated the desperate need for the healthcare industry to get cozier with IT. It’s a deficit that can no longer be ignored, particularly with the frequency and scale of cyber-attacks due to increase as hackers adopt more sophisticated techniques.
“You can either plan for all of that ahead of time, and try to put pieces in place, or you’re going to get it in a hurry in the middle of a crisis,” said Moore. “Executives need to understand: whether you’re an administrator, or an owner in a clinic, the stakes are getting higher.
“People can no longer claim, ‘I’m small, no-one will be interested’… we have to take this seriously.”