Fmr. White House security czar offers advice on standards, encryption and better planning
BOSTON—If hospital leadership understood the cybersecurity threats facing their organizations, they’d put more than 3 percent of their budget toward the effort, said Richard Clarke, former White House security czar, speaking at the Privacy and Security Forum.
He offered advice to attendees and the healthcare industry at large. First, come up with standards for security. High reliability organizations have software and hardware that are held to a higher standard. “I would like to think that when dealing with human lives, if anything is going to be a high reliability organization, it ought to be healthcare centers.”
Get the government to clear out all the regulations that get in the way, he said.
Clarke also suggested that the U.S. healthcare system learn from the Bank of England, which went through a process of creating voluntary standards. It then hired a third-party auditor to apply the same set of standards to all the major banks, and to do so annually.
There’s no reason not to encrypt everything, he said, because it is invisible and easy. “Universal encryption was difficult to do 3-5 years ago but that’s not true anymore.” But he cautioned that it only works if combined with multifactor authentication.
Completely change your standards and approach to medical devices, Clarke said. Hospitals are running very old software in a lot of places, so devices easily become home to a bot sending out spam. Patching these problems isn’t enough. “We need a new approach where the device itself is secure. Companies today are designing inherently secure devices so why are you running old Windows software on medical devices? Why aren’t medical devices highly reliable?”
Healthcare needs to do what the financial sector is doing: strictly enforce supply chain discipline. Banks won’t buy anything from vendors that don’t live up to their standards. That pushes the standards down from the big banks to the law firms, accounting firms and other organizations that work with them. “That has had the greatest effect on improving cybersecurity in the last five years. You can steal their playbook. Start telling vendors about standards. If banks can do it, you can do it,” Clarke said.
The international laws of war say you cannot attack a hospital. Clarke said federal and international law should say you cannot hack a hospital, adding penalties over and above the normal penalties for hacking when the target is a medical center. Every Fortune 100 company has an IT security item on its quarterly meeting agendas. “No one understands it, but they’re taking baby steps. You’ve got to start somewhere.” Board members are now required to have a certain minimum understanding of security. “Educate your CEOs and boards of directors. They will want to do more. If they don’t, Congress will make them do more.”
Microsoft got beat up for a long time when it came to security, Clarke said. But the company redid its approach to assume that all software would be attacked and has vulnerabilities, and it slowed down its software development process. The strategy of being first to market and worrying about security later doesn’t work. “It’s got to be inherently secure from the beginning. We’re seeing a lot of progress in that direction. The days in which vendors assumed there are no bad guys are over.”
Vendors can make safer devices but they can’t cost twice as much, he said. “The only way it will work is if major medical centers get together and say this is the only thing we will buy. If they do that there will be a market for companies who create inherently safe devices.”
The requirements for IT security jobs need to change, Clarke said. The CISSP credential requires 6 years of experience, and most jobs require a BS degree. “A lot of jobs in security could get by with a two-year degree. We need to totally retool the education system for cybersecurity.”