The Change Healthcare cyberattack that disrupted nationwide health care systems earlier this year—affecting a third of Americans at a total loss of $100 million—was a major wake-up call: Such attacks in the health care industry are on the rise. And they should be treated with utmost seriousness, agreed a panel at Fortune’s Brainstorm Health conference in Dana Point, Calif., on Tuesday.
“In my world, it's almost an act of war,” said Stephen Gillett, chairman and CEO of Verily, a life sciences company. “It's that level of aggression toward infrastructure. Those are people's lives, their personal information. That is not something that should just be a tech issue that we're solving for.”
He believes this aggression calls for a response akin to what would happen if another country were to sink a U.S. ship off its coast.
“It should be taken with that same level of seriousness above and beyond the technical response,” he said. Especially since “the money these bad guys are getting from these [cybercrime] exploits is now surpassing all of the illegal drug trafficking in the world combined,” he says.
In the case of Change, it was a Russian organization that exploited very simple configuration issues with multifactor authentication—which should dictate how companies prepare themselves to respond to future attacks, noted the panel’s experts, also including Andrea Downing, president and cofounder of the Light Collective, and Bob Segert, chairman and CEO of Athena Health.
“Security used to be [thought of] as a perimeter: Let's put up this perimeter. And let's protect the bad guys from coming in the perimeter,” Gillett said. But that’s an antiquated mindset.
“The bad people are already in the perimeter. How do you protect the data and the information and intellectual property that is critical to your business, critical to your infrastructure, even critical to your government?" he said. "To do this, it's not just about buying some spectacular piece of technology that you deploy, and everything turns into a secure rainbows-and-butterflies scenario. That's not how it works.”
Instead, “you have to really bring together the people component,” he said. “So, it's not just your security team that worries about this. It's all of the company. There needs to be a culture of security and privacy particularly in health care.”
That’s especially true because of the level of sophistication seen with recent attacks—including an alleged attempt involving the Dalai Lama, who had reportedly been scheduled to receive radiation for prostate cancer several years ago at the Mayo Clinic. An enemy nation, Gillett said, “had worked to infiltrate the radiation system so that when the Dalai Lama went in for his treatment, they would deliver a lethal dose of radiation.”
It was stopped, and he received his treatment. “But had that happened? You would just read the Dalai Lama passed away due to exposure, and you would never know the sophistication of the attack,” he said. “And when you when you start hearing these kinds of asymmetric stories, that's why the term warfare comes to mind. Because we have to respond to this almost like a NATO for security and have all of the organizations around the world working on the things. No one country, no one city, and definitely no one industry can solve this problem on their own.”
