October 20, 2022 Episode 047

Former Department of Defense Leader Tim Kosiba Interprets the Real Cyber Risks in Healthcare

Tim Kosiba was first exposed to the healthcare industry while working at the FBI in the 1990s as part of its Computer Analysis Response Team (CART). For more than 30 years, he worked at the highest levels of government driving the cybersecurity, digital intelligence and offensive cyber practices that keep the country’s critical infrastructure safe.

Tim started his career in the Navy, working for the organization now known as the Naval Criminal Investigative Service (NCIS), where he was successfully investigating digital crimes before the field of computer forensics was even established. In this role, he collaborated frequently with, and was soon asked to join, the FBI, which was building its Computer Analysis Response Team (CART) to pioneer processes for investigating computer crimes and examining digital evidence.

At the FBI, Tim worked closely with the National Security Agency, until he was asked to join the NSA directly. After more than a decade serving both domestically and abroad, Tim left NSA and joined the private sector to help advance the collaboration between public and private organizations on national cybersecurity interests.

Tim now works closely with the American Hospital Association and healthcare organizations across the country as CEO at bracket f, a wholly owned subsidiary of [redacted]. And yes, “[redacted]” is the company’s name – it’s a startup built by a team of cybersecurity veterans with resumes that rival Tim’s. The company is focused on leveling the playing field by identifying and stopping threats, legally pursuing attackers, and bringing cybercriminals to justice.

In this episode of Healthcare is Hard, Tim shares some of his insider knowledge with Keith Figlioli on topics of growing urgency for everyone in the healthcare industry – from providers, payers and life science companies, to the innovative startups transforming healthcare. Issues they discuss include:

  • The state of healthcare cybersecurity. Tim says the healthcare industry has a lot of catching up to do. Unlike other industries, where security has always been part of the equation, the fact that security was not a primary concern when digitizing medical institutions has put healthcare behind. While he says things will get worse before they get better, Tim is optimistic for the future and sees positive activity like increased public/private partnerships. For example, he cites efforts to declassify more information and share it in a way that doesn’t divulge sources and methods so the industry can use it to be better prepared.
  • Who’s attacking healthcare and why. The trend is very specific, according to Tim. He says it’s primarily state-sponsored groups, often based in Russia. Some groups are directly sponsored by the state, while others are simply allowed to operate with impunity. The motivation is usually cash or chaos. After all, healthcare is part of a nation’s critical infrastructure and disrupting it can cause havoc and hardship, compromise intellectual property and much more.
  • Implementing the basics. Tim recognizes the challenges healthcare faces balancing security with the demand for better consumer experiences. But he points out that many hospitals he works with don’t have cybersecurity basics in place, like incident response plans, penetration testing or two-factor authentication. He says there’s a knowledge problem, but it’s something that can’t be addressed until the industry accepts the cost of cybersecurity. As cyber insurance becomes hard to get and insurers mandate procedures like two-factor authentication, he says it may cause the tipping point we need.

To hear Keith and Tim talk about these topics and more, listen to this episode of Healthcare is Hard: A Podcast for Insiders.