Getting Past Blame: A Community Strategy for Hacking Security

November 13, 2017

ACSC Staff

The ACSC was invited to speak at the recent HIMSS Healthcare Security Forum (Boston, Sept. 11-13), the only peer-to-peer networking event focused on healthcare’s unique privacy and security challenges and threats. ACSC Executive Director Michael Figueroa took to the stage for a session titled “Getting Past Blame,” offering a community strategy for hacking security.

Healthcare organizations spend untold dollars each year fighting the same cyber security challenges, often making the same mistakes due to the lack of shared intelligence. Rather than persistently blame them for the current troubled state of information security, Figueroa’s presentation focused upon how security professionals need to act like hackers again. He advocated a new community-oriented approach, discussing key ways organizations can apply limited resources collectively to build more effective cyber defenses.

“Cybersecurity is about facing adversity every single moment every single day. What we hear about is when they fail. We don’t hear about the success,” Figueroa told reporter Tom Sullivan of Healthcare IT News. “We need to stop the negative conversations. Bad things happen in every stream of business. We need to learn from them instead of blaming people.” (Read the full article, “Cybersecurity is hard, got it? But let's stop blaming hospitals for every breach,” 9/15/17).

At the heart of the discussion, Figueroa described how hackers work as a collective, while security professionals work in isolation. “We must stop the blame and hack security, and counter the trend by committing ourselves to building a new baseline for security through three key actions,” said Figueroa. Just as hackers do, healthcare IT departments must:

Figueroa’s presentation showcased case studies of what has worked well, and shared lessons learned from what did not. Figueroa offered the unique insights that the healthcare industry can learn from the ACSC efforts in Massachusetts and New England—guiding business, academia and government to work together and establish community resources.

“By harnessing the power of collective resources, we can overcome much more together than we could ever manage alone,” said Figueroa.

Security is too dynamic to support the concept of “best practices.” What worked well yesterday may fail today, Figueroa explained to the audience. Yet we can still learn from sharing “effective practices,” which promotes discussion about why decisions were made. He also underscored the importance of building community resources, stressing the need to rediscover our hacker roots by emphasizing collaboration over isolation.

“Hackers continue to collaborate, security professionals not so much,” Michael Figueroa said in his panel and to writer Chris Nerney of Connected Care Watch. (Read: “A clarion call for healthcare security collaboration,” 9/18/17). “They might work in isolation physically, but hackers are some of the most collaborative security practitioners in the business today.”

For more on Michael Figueroa’s presentation at the HIMSS Healthcare Security Forum, and how organizations like the ACSC are spearheading security collaboration, read the Healthcare IT News article, “Why hospitals should join an ISAC immediately,” 9/13/17.