Prevent, detect and respond are best practices in cybersecurity: Aimee Cardwell, SVP and Chief Information Security Officer, UnitedHealth Group.
In an exclusive interaction with Express Computer, Aimee Cardwell, SVP and Chief Information Security Officer, UnitedHealth Group shares some use cases of how to prevent cyber attacks in the healthcare industry.
Some edited excerpts:
How is cybersecurity an important aspect in healthcare?
As a matter of reliability, every health-tech company has an obligation to protect the privacy of their patient data and health information. Looking at patients’ data through a cyber lens, they are perceived as many targets spread over the place, and the interesting fact is that UnitedHealth Group wants to digitize these records as you want the doctor to be able to see all of the other things that you have had done to you; this would help provide both robust and rich healthcare. This shows that electronic health records are necessary for health care, but they have also become a target. So, if everything is in pen and paper, it’s a little harder for a cybersecurity person or a bad actor to take advantage of it. According to us, the best patient experience is to want electronic health records, which brings the point of their obligation and honour to hold those records as well as private records and not allow access to them externally.
- Please share some used cases of cyber-attacks in the healthcare space and how we can avoid them?
Generally, there are three primary vectors for cybersecurity attacks. The first is through email attachments or links, this is when people click on either of the two, and the computer is compromised. Usually, the computer is attached to a network, then the network gets compromised, and the criminal has his way around the system. The second is software vulnerabilities. As you know, a lot of software doesn’t get updated regularly, so when a bad actor finds a vulnerability, they find their way into the system. The third way is through open-source software or third-party software like Kaseya.
Our engineers build code, and then the code gets deployed, and the vulnerabilities become public. After this they spot the vulnerabilities and tell the engineer to fix it. However, what they’re trying to do is say, let’s not publish the vulnerability in the first place, and make secure coding practices so that we don’t have as big an attack.
- What are some of the emerging technologies like AI/ML, RPA, Automation helping to combat cyber threats?
A compelling method to look at patterns in the networks is through AI and ML and RPA. When patterns shift, these tools notice such abnormal behaviour. Like most other companies, there are always people trying to defraud us. We analysed all information shared with us by the ML model that it had generated by analysing all fraudulent activities over the years. Therefore, it helps us identify any anomalies that we can spot through AI and ML by observing patterns identified by information analysis by ML. That is why we continue to train the AI and ML model to spot fraud, and now we can see it before a fraudulent transaction takes place. Even if it is a fraud, we don’t lose money as we’re able to prevent it.
- How do you ensure that the data of customers is protected? What is the cybersecurity approach that you are taking for protecting the data?
The more electronic data, the better the healthcare service and the bigger the risk surface. The one suggestion I would give our customers to protect their data would be to use multifactor authentication. If I can guess your password, and a good ML password cracking system can guess your password, then your data is open to them. While true, cyber experts will say that you can get around multifactor authentication; you can use the SIM card. However, it makes it much harder. Therefore, that’s the number one way for customers to keep their data safer.
- Is there a growing demand for cyber security professionals? If yes, how can we meet this growing demand?
Today there are at least three and a half million vacant positions in cybersecurity. It is one of the most desired talents in all engineering in all of technology. More than half of people who are in cyber security have no actual formal cybersecurity training, this may lead people to believe that it’s hard because you have people with no training. The diversity of thought makes us much stronger and richer as a cybersecurity team. We reach out to everyone from our IT help desk all the way over to people in banking profession, look for clinicians interested in cybersecurity because they give an insight into the clinician experience and how that might be hacked.
We have cyber professionals all over the world and continue to lean into India and our other locations because the talent is so hard to find. It is also because we’re a global business and because our security incident response is 24/7, we want to make sure that we have great talent all over the world who are always monitoring, building new software, building new monitors, doing better reporting, helping their engineers be more secure, figuring out how to have our employee experience safer, and protect our patients, providers, and employees. For that reason, we continue to grow our presence in India, just like we continue our presence in the rest of the world.
- What best practices can the healthcare sector take in order to avoid data breach and ensure cyber security?
Prevent, detect, and respond are the best preventive measures. In the cyber world, we also do prevention, and we’ve talked about some of these things; filtering email so that we don’t let any bad things in or fewer bad things. We train all our employees. On every computer and every server, we have endpoint detection.
We have a Red Team that tries to detect vulnerabilities, then we fix that. We do external audits, bring in cybersecurity teams and ask them to look at our practices and tell us what we might be missing.
Our team possesses all sorts of detection capabilities. We have a 24-hour security incident response team that is always called in.