Healthcare and education are two of the most attractive industries for hackers. In 2022, healthcare organizations in the U.S. experienced an average of 1,410 weekly cyberattacks per organization, while educational institutions reported that loss of learning following an attack could extend up to three weeks.
Executive Mosaic spoke with Tim Boltz, Carahsoft healthcare and education verticals executive, about the current state of cybersecurity in these industries. Boltz has been with Carahsoft for nearly 15 years and has done business with thousands of organizations in healthcare and education. He leads a 475-person team that works with vendors across the healthcare and education sectors.
Read below for his full Executive Spotlight interview, in which he shares his perspective on cybersecurity challenges, the benefits and caveats of AI, cybersecurity best practices and more.
What are some of the primary challenges education and healthcare are facing when it comes to cybersecurity?
Educational institutions are part of the critical infrastructure of our country, and just like any other industry that falls under that category, they are being attacked by nation states trying to impede our children’s education and create chaos. We saw the damage that a simple ransomware attack can do when the Los Angeles Unified School District was forced to shut down for a couple of weeks last fall.
The most important thing K-12 schools can do right now is practice good cybersecurity hygiene. That hasn’t been easy given all the challenges our school districts have been dealing with over the past couple of years, but it’s extremely important.
Healthcare is more complicated. The industry has always been focused on cybersecurity and protecting patients’ data, as not doing so can easily result in millions of dollars in fines. But most of the security has been focused on protecting networks and data centers. As such, healthcare devices—CT scans, monitors and so forth—are not very secure, even though they’re connected to various networks. In fact, most medical devices do not have built-in cybersecurity.
Providers are responsible for securing those devices, but they’re busy dealing with post-COVID patient surges, getting reimbursed from insurance companies, and so on. They don’t have time to focus on device security, but they need to, because that’s where the biggest vulnerabilities are.
Are there cybersecurity-focused grant programs that educational organizations can use to kickstart their efforts?
The federal government recognizes that cybersecurity is a huge challenge at the state and local levels and within educational institutions. So, various grant programs have been launched within the past couple of years to help organizations become more cyber-resilient.
One of the biggest sources of funding is the Infrastructure Investment and Jobs Act. IIJA gives counties access to millions of dollars that can be used for training and bolstering cyber defenses, including within schools.
But accessing the funds is just the first step. Schools need to understand how to use those funds effectively. Unfortunately, I do not see that happening consistently. There are still a lot of schools that do not have a cohesive plan for cybersecurity. Instead, they’re using their funds to purchase low-cost point solutions as stopgaps.
They don’t have the benefit of guidance from an established organization such as the Cybersecurity and Infrastructure Agency, or the army of cybersecurity experts that a financial firm might have. I think there’s an opportunity for the federal government to provide that guidance, and it’s starting to do that.
In the meantime, my team fills that role. We work directly with our customers to provide them with the guidance they need so they can build a well-rounded and fortified cybersecurity program.
What about technology? Are there certain tools that organizations should invest in to protect against threats?
Artificial intelligence and machine learning tools are instrumental to an effective cybersecurity program. AI and ML can be trained to automatically detect, respond to and remediate threats. The more anomalies these systems detect, the more they learn how to defend against them.
These technologies will become even more important as cyber threats become more sophisticated and prevalent. They’ll be especially critical for resource-challenged schools and healthcare organizations, which may not have the personnel or expertise to track and respond to every event.
Of course, AI isn’t just great for cybersecurity. It can deliver actionable information to physicians and nurses right at the point of care so they can make the right calls and be more effective. And it can help save school administrators an enormous amount of time.
However, it’s important to leverage AI in a thoughtful and ethical manner. It’s too easy to think of a world in which someone can use a machine to write ransomware. So, we also need to think about how to use AI in a socially and ethically acceptable manner so that we do not compromise people’s privacy or come to the wrong conclusions.
To that end, what are some of the best practices you share with your customers?
The conversations always start with the same items.
First, what are you doing for multifactor authentication? Are there specific tools you are using? If the answer is no, we suggest five or six tools they need to start looking at.
Next, do you know what’s happening on your network? If you don’t, how are you supposed to protect it? That’s where network telemetry comes in. It’s a key piece that helps detect suspicious activity.
We can then get into deeper discussions of where to go next, but those are essential starting points. They are the foundation. Implement those and you are well on your way to building an effective cybersecurity posture.