Cybersecurity cold war is on
“Forget about ‘protecting the perimeter’ because that philosophy is gone,” Ewell said during an interview. “You can’t put up larger walls, you can’t post more guards, you can’t do those things to keep the people out, therefore change your philosophy to ‘they’re already inside.’”
Texas Health Resources CIO Ed Marx recommends building resiliency into hospital security programs — and following in clinicians’ footsteps by making decisions informed by information.
“Our security program is based on measurement and based on data, not emotion,” Marx said, explaining that his team has a daily rhythm to identify current threats. “We’re able to take that data and then do some proactive intelligence.”
When Marx and Chief Security Officer Ron Mehring heard about the attack on Community Health Systems, for instance, the team was able to evaluate what happened to the other organization and address, within 48 hours, any similar potential problems or security holes Texas Health might have.
Aetna’s Routh added that seeking cybersecurity intelligence and sharing information helps him make better decisions, if only because it shows what’s out there, which priorities to guard against immediately, and which threats are perhaps not as bad as they might appear before conducting such analysis.
“Risks are everywhere,” Marx said. “If you think about it all the time you’d never sleep and have less hair than I do. That’s no way to live.”
More exposed than ever
Part of the problem is that healthcare is among the last American business sectors undergoing industrialization and, as such, security has been something of an afterthought.
“We’ve kind of flown under the radar,” said Nathan Russ, director of healthcare for security vendor Symantec, while the focus has been on attacking other industries. Claiming that “Symantec sees more ugly stuff out there than anyone in the world,” Russ explained that healthcare is now more exposed than ever.
“Security is underfunded in healthcare,” Russ said. “Not enough people, too many threats.”
Sometimes cyber and non-cyber attacks can alter fate. Take the Boston Marathon bombing in April 2013, for instance.
As John Halamka, MD, explained it, Beth Israel Deaconess Medical Center, where he is concurrently CIO and acting CISO, did not have a buttoned-up cyber risk management framework prior to the attack.
“We just had people get together and discuss what we believed to be the biggest threats at that particular time,” Halamka said. Since then, however, BIDMC has instituted a framework and engages in the sort of cybersecurity threat intelligence Marx and Routh espouse.
So when Community Health Systems was attacked, Halamka and his team were able to determine that CHS was running a Juniper SSL VPN, just like BIDMC, which uses the OpenSSL stack vulnerable to Heartbleed. Had BIDMC not already taken corrective action when Heartbleed was first revealed, it would have been able to quickly plug the hole.
Hacktivism is real
“It all started in March,” Boston Children’s CIO Nigrin said. “It was a shot across our bow — a real event that we suffered through.”
The Anonymous attack began with threatening posts on Twitter and Pastebin. Nigrin explained that the information the hacktivists obtained initially, such as Boston Children’s IP address as well as some names and phone numbers, is “not too hard to get.”