When a large hospital in an urban area is shut down by ransomware, the IT disruption can be significant, but when a rural hospital faces a similar cyber outage, the impact on patient safety and the community can be extreme, said Nitin Natarajan, deputy director of the Cybersecurity and Infrastructure Security Agency.
“When you look at larger organizations, large cities, where you have multiple hospitals, the loss – while still impactful because of the significant patient load that needs to be transferred – you [at least] have redundancy and backup, you have other healthcare providers within minutes,” he said.
“But when you go into rural America, you’re potentially talking about hours to get to another healthcare institution. So, the criticality in these communities to make sure these healthcare organizations can continue to deliver emergency care and subsequent care truly is critical,” he said.
Providing cybersecurity resources that help healthcare entities in rural communities build resilience against cyberthreats is absolutely imperative, he said. Compounding the challenge, small and rural healthcare organizations often don’t know where to start or how to make use of available cyber resources.
“CISA has regional cybersecurity advisors, physical security advisors, communications experts that are in communities across the nation,” he said. Having more than 700 employees in communities throughout America and U.S. territories ensures that CISA “can be that local conduit to decipher the information that’s out there that can help you prioritize which tools and resources work” for their organizations, he said.
“If I’m a small organization that doesn’t have a lot of cybersecurity capability, this is what a good next step is,” he said.
In this audio interview with Information Security Medical Group, conducted at the recent U.S. Department of Health and Human Services-hosted HIPAA Summit, Natarajan also discussed:
- Resources available from CISA, other federal agencies, and the private sector to help rural and small healthcare providers improve their cyber posture;
- Supply chain and resilience lessons for critical infrastructure sectors emerging from the Change Healthcare ransomware attack in February that disrupted thousands of healthcare sector entities for weeks;
- Top emerging and persistent cyberthreats facing the healthcare and other critical infrastructure industries, including Volt Typhoon, a People’s Republic of China state-sponsored group.
Prior to joining CISA, Natarajan served in a variety of public and private-sector positions spanning over 30 years. Most recently, he served as a consulting firm executive. Natarajan also held a number of federal government roles, including deputy assistant administrator at the U.S. Environmental Protection Agency, director of critical infrastructure policy at the White House/National Security Council, and director at the U.S. Department of Health and Human Services, overseeing healthcare and public health programs.