Andrew Coyne, chief information security officer of Rochester, Minn.-based Mayo Clinic, said his organization is continuing to build a proactive cybersecurity program by employing a team to monitor threats happening outside of healthcare, and by building IT systems with architecture and design that lacks vulnerabilities.
Mr. Coyne has been leading the Mayo Clinic's Office of Information Security since 2016. He spoke to Becker's about how Mayo Clinic stays on top of threat intelligence and how it continues to lower its cyber risks.
Question: How do you stay current with the latest threats and technologies in cybersecurity?
Andrew Coyne: We have a threats intelligence team here that focuses on identifying threats that are happening outside of the healthcare sector and beyond the horizon, and it has really paid off. For example, at the beginning of the Ukraine invasion, the team asked, "What could be the potential impact for Mayo Clinic?" and we could see that DDoS attacks were increasing as a result of that invasion and so we took some steps at Mayo Clinic to be more prepared for that.
Because we had a bit of foresight, we were able to dodge that bullet.
Q: What do Mayo Clinic's security posture and security investments look like for this year?
AC: We continue to see large healthcare organizations threatened by ransomware, and Mayo Clinic takes that threat very seriously. So we are continuing to improve our preparedness relative to ransomware.
Q: How is Mayo Clinic working to lower its cyber risk to become a harder target for attackers?
AC: So attackers are really using two ways to break into organizations. They're either exploiting security problems in existing systems, or they're tricking users to try and get them to click on phishing emails. So when the adversaries are taking advantage of security problems in existing systems, those security problems are really tied to a dimension of the quality in the IT systems.
So what we're thinking about is how do we build our systems without vulnerabilities in the first place. And how do we apply robust implementation standards, robust security controls, and sound approaches to architecture and design of IT systems.
If vulnerabilities do creep into our systems, Mayo works fast to find those vulnerabilities quickly utilizing scanners and different types of manual testing.
The other side is the phishing email. We simulate phishing emails to our workforce so they can build that muscle memory. We also regularly educate and inform our people about the latest problems.
Q: What concerns you most about the current healthcare cybersecurity landscape?
AC: If you look at the healthcare cybersecurity landscape, the average community hospital doesn't have the margin to run a robust information security program. And so ransomware continues to take advantage of these. And with the ransomware folks making money, they're not going to go away anytime soon. So I think my concern is fundamentally that a lot of folks just can't afford to spend a lot of time on this because they're too busy trying to help patients. That's really the underlying issue here.