Former Department of Defense Leader Interprets the Real Cyber Risks in Healthcare

Tim Kosiba was first exposed to the healthcare industry while
working at the FBI in the 1990s as part of its Computer Analysis
Response Team (CART). For more than 30 years, he worked at the
highest levels of government driving the cybersecurity, digital
intelligence and offensive cyber practices that keep the
country’s critical infrastructure safe.

Tim started his career in the Navy, working for the organization
now known as the Naval Criminal Investigative Service (NCIS),
where he was successfully investigating digital crimes before the
field of computer forensics was even established. In this role,
he collaborated frequently with, and was soon asked to join the
FBI, which was building its Computer Analysis Response Team
(CART) to pioneer processes for investigating computer crimes and
examining digital evidence.

At the FBI, Tim worked closely with the National Security Agency,
until he was asked to join the NSA directly. After more than a
decade serving both domestically and abroad, Tim left NSA and
joined the private sector to help advance the collaboration
between public and private organizations on national
cybersecurity interests.

Tim now works closely with the American Hospital Association and
healthcare organizations across the country as CEO at bracket f,
a wholly owned subsidiary of [redacted]. And yes, “[redacted]” is
the company’s name – it’s a startup built by a team of
cybersecurity veterans with resumes that rival Tim’s. The company
is focused on leveling the playing field by identifying and
stopping threats, legally pursuing attackers, and bringing
cybercriminals to justice.

In this episode of Healthcare is Hard, Tim shares some of his
insider knowledge with Keith Figlioli on topics of growing
urgency for everyone in the healthcare industry – from providers,
payers and life science companies, to the innovative startups
transforming healthcare. Issues they discuss include:



The state of healthcare cybersecurity. Tim says the
healthcare industry has a lot of catching up to do. Unlike
other industries, where security has always been part of the
equation, the fact that security was not a primary concern when
digitizing medical institutions has put healthcare behind.
While he says things will get worse before they get better, Tim
is optimistic for the future and sees positive activity like
increased public/private partnerships. For example, he cites
efforts to declassify more information and share it in a way
that doesn’t divulge sources and methods so the industry can
use it to be better prepared.


Who’s attacking healthcare and why. The trend is very
specific, according to Tim. He says it’s primarily state
sponsored groups, often based in Russia. Some groups are
directly sponsored by the state, while others are simply
allowed to operate with impunity. The motivation is usually
cash or chaos. After all, healthcare is part of a nation’s
critical infrastructure and disrupting it can cause havoc and
hardship, compromise intellectual property and much more.


Implementing the basics. Tim recognizes the challenges
healthcare faces balancing security with the demand for better
consumer experiences. But he points out that many hospitals he
works with don’t have cyber security basics in place, like
incident response plans, penetration testing or two-factor
authentication. He says there’s a knowledge problem, but it’s
something that can’t be addressed until the industry accepts
the cost of cybersecurity. As cyber insurance becomes hard to
get and insurers mandate procedures like two-factor
authentication, he says it may cause the tipping point we need.



To hear Keith and Tim talk about these topics and more, listen to
this episode of Healthcare is Hard: A Podcast for Insiders.