A Conversation about Microsoft Healthcare Cyber Security
We recently had the incredible opportunity to speak with Danielle Thomas, a Healthcare Practice Lead in Cyber Security at Microsoft. We talked about a lot of great things around her journey to her role at Microsoft, cyber security, and sales, which I’ve summarized briefly in this article.
Danielle‘s background
Danielle graduated from McMaster University with a Bachelors in Commerce/Marketing in 2013. Out of school she gravitated towards digital marketing because of her affinity towards more tech-oriented roles, and took on Account Director roles at these digital marketing firms. Since then, an opportunity arose to join Microsoft in a sales role where she has spent the past 4 years and is now the Healthcare Practice Lead for Cyber Security.
One way cyberattacks occur
Cyberattacks can occur in many ways, but one method discussed was through a phishing email. You’ve probably received one before, where someone from an unfamiliar asks for sensitive information. Once an attacker gains access to an account, they can deploy a power shell script which installs a ransomware package that can prevent them from being detected.
The goal of a cyberattacker to access sensitive infrastructure and data, which they can then demand ransom for. They achieve this through “lateral movement” through an organization. In the case of a phishing email, an attacker will try to move across an organization to different departments and teams until they can get access to someone’s account that has admin access, and move vertically until they find sensitive data.
Cybersecurity in healthcare
There are three main models of cloud service:
- Software as a Service (SaaS) (eg. Dropbox, Salesforce)
- Platform as a Service (PaaS) (eg. Windows Azure, Heroku)
- Infrastructure as a Service (IaaS) (eg. AWS, Microsoft Azure)
These three models of cloud service serve as alternatives to in-house service. You can learn more about these models of cloud service here.
Microsoft offers three cloud services: Dynamics 365, Microsoft 365, and Azure. It’s common for organizations to have a combination of cloud and in-house storage. The healthcare sector is often slower to adopt new technology for reasons such as budget, HIPA, and low risk tolerance which often doesn’t align with adopting new technology.
Organizations in the healthcare have to be particularly privy to cybersecurity, as they often deal with very sensitive data such as patient information, or even life-and-death situations if you’re a hospital, which can be jeopardized by otherwise harmless attacks. For example, what if a hospital’s elevator system gets highjacked and shutdown? Transportation within the hospital may then be compromised, which can have a severe impacts on the patients.
One framework to help prevent these attacks is to implement something called “zero trust security”. Zero trust is the framework in which everyone in the organization needs to authenticate and verify their identity before they can access applications and data, and everyone only has access to what they need.
