An increase in the frequency of computer hacks is prompting public and private entities to make big investments in cybersecurity, and that's creating opportunities for New Mexico tech startups that can help thwart incursions.
The number of known cybersecurity incidents in New Mexico has risen considerably in recent years, according to a November memo from Janelle Taylor Garcia, a program evaluator from the state's legislative finance committee. One of the incidents led to $1.9 million in restoration costs while another included a demand for a cash ransom, according to the memo. The state recently drafted plans to work with vendors to develop a risk management framework, according to a January project charter from the New Mexico Department of Information Technology.
“Cybersecurity threats are on the rise and targeting industries and small businesses that are core to New Mexico’s economy," Myrriah Tomar, director of the NM Office of Science & Technology, said in a recent statement. Certain sectors, such as health care, have emerged as targets.
Just last month, Haven Behavioral Hospital of Albuquerque provided notice of a cybersecurity incident that affected documents which "may include some combination" of information including medical history and health insurance info, according to a release. Haven, which offers mental health and substance abuse treatment, didn't disclose how many people may have been impacted.
The situation is creating growth opportunities for startups that can help health-care organizations secure their information.
Michael Herrick, founder of Albuquerque-based cybersecurity risk assessment firm Matterform, said business in the health-care market "more than doubled" last year. Cybersecurity standards are "evolving constantly," Herrick said, but relatively simple measures can prevent attacks.
Insufficient password practices, unsecured networks and unencrypted devices are some of the more common security flaws, he said.
The rise of telehealth during the pandemic has also presented a prime opportunity for cybersecurity-focused businesses.
"That’s become a huge [growth] market for us," said Michael Davis, founder and CEO of Santa Fe cybersecurity firm Merek Security Solutions Inc. The company provides cybersecurity risk assessments, which can include policy development and compliance. Most of its clients are in the medical space, according to Davis, who said the firm had $120,000 in revenue last year.
Researchers have expressed concerns about telehealth security during the pandemic. A December letter from Harvard University researchers said telehealth "has flourished during the pandemic, forcing implementations that may have taken years without such a catalyst," and health-care organizations must "enhance (if not revolutionize) their cybersecurity infrastructure by developing stronger prevention and detection protocols, both administrative and technological."
"Emerging fields, such as artificial intelligence, the Internet of Things, and blockchain can also be employed as prevention and detection tools to combat cyber threats more effectively. To leverage these technologies, health-care organizations need to partner with telemedicine and cybersecurity vendors to understand how to best implement and use their infrastructure and products," the letter said.
Information from health-care organizations around the state has potentially been exposed. In 2019, Roosevelt General Hospital in Portales discovered malware on a digital imaging server that contained patient information, according to a notice that appeared in The Roosevelt Review. Artesia General Hospital in eastern New Mexico notified patients of a breach involving emails that same year. Additionally, Presbyterian Healthcare Services previously sent about 276,000 letters to patients in response to a data breach, the Santa Fe New Mexican reported.
Some experts have identified cyberattacks and data fraud as a top threat to companies. A World Economic Forum survey of its community of risk professionals and the professional networks of Marsh & McLennan Cos. and Zurich Insurance Group from a year ago found that 50% of respondents said cyberattacks and data fraud "due to a sustained shift in working patterns" were the most worrisome risk for their companies from the pandemic during the next 18 months.
An October advisory from the Cybersecurity and Infrastructure Security Agency, the FBI and the Department of Health and Human Services notified the public of ransomware activity aimed at the health-care and public-health sectors, declaring that they had "credible information of an increased and imminent cybercrime threat to U.S. hospitals and health-care providers."
"These issues will be particularly challenging for organizations within the Covid-19 pandemic; therefore, administrators will need to balance this risk when determining their cybersecurity investments," the advisory says.
It's not just health care that is reacting to the increased threat. The Department of Defense is putting uniform cybersecurity standards in place for defense contractors, starting with a pilot program this year. Contractors will be required to receive a third-party assessment under one of the five tiers in the Cybersecurity Maturity Model Certification.
