It became painfully clear in 2016 that hackers had found their prime target in the healthcare industry. They hit hard in the early months of the year with massive ransomware attacks that disabled entire health systems, and then just kept punching.
But it didn't stop with ransomware: Hacking, theft, attacks on third-party business associates – the list goes on and on. By the end of the year, it was apparent the healthcare industry has a long way to go when it comes to cybersecurity.
We spoke recently with four security experts: Pam Hepp, shareholder, healthcare practice at Buchanan, Ingersoll & Rooney; ESET Security Researcher Lysa Myers; CynergisTek co-founder and CEO Mac McMillan, and ICIT Senior Fellow James Scott. Here's what they said were the biggest weaknesses, threats and lessons learned from 2016.
- Human error. "People have become a huge attack surface," McMillan said. Attackers find careless or unsuspecting users and prey on those weaknesses to infiltrate systems with ransomware and other hacking attempts.
- IoT and outdated technology. The massive DDoS attack on DYN that shut down some major websites, stemmed from unprotected digital cameras. In doing so, it shed like on IoT weaknesses due to what Scott called a "Frankenstein method of security" that could affect patient safety. Further, computers "moldering in the backroom somewhere using outdated software or insufficient protection against attack" have become a big issue in healthcare, said Myers. Criminals find these neglected machines with automated tools and pivot to more crucial machines within a network.
- Vendors and third-party business associates. Many of last year's breaches stemmed from vendors - such as a covered entity's business associates. According to Hepp: "These breaches illustrate the importance of thoroughly evaluating vendors and having strong business agreements in place."
- Ransomware. This virus is more than a nuisance: It's disruptive to operations and can take down entire servers. "Ransomware isn't going anywhere because it's easy to do, including 'ransomware as a service,' Scott said. "It's a start for actors to send in another, more specific attack able to start mapping the system."
- Hacking attempts on the rise. The reason? "Medical information is valuable, both in the hands of hackers for their own use, as well as to the healthcare organizations that depend on such information to operate," Hepp explained.
- Backups, backups, backups. "Easily accessible backups are the single most important thing that we need to have in case of a wide variety of emergencies," Myers said. Not just to avoid paying a ransom, but also to reduce system downtimes and outages.
- Cyber-hygiene. "Awareness training needs to be more relevant, provided more often and include experiential opportunities," McMillan said. Architecture, segmentation of networks, hardening and patching of systems and other areas also need to be tightened up. But Scott felt he hasn't seen much progress in the industry in best practices that would "thwart 99 percent of those social engineering attacks."
- Cybercrime as an industry. Cybercrime is profitable and healthcare is a lucrative target, McMillan said. The industry relies heavily on its systems, making it a prime target for extortion.
- Contingency planning and risk management. "Contingency and disaster recovery plans are of vital importance, if a system outage occurs or to mitigate the effects of a breach," Hepp said. McMillian added: The industry needs "real plans with actionable steps that address worst case scenarios. We need to treat the enterprise and data as critical components of the mission."
- The need for partnerships. "Most healthcare organizations don't have the resources or expertise to execute their cybersecurity strategy successfully alone," McMillan said. "Partnering smartly can help fill those gaps and provide added benefits in greater knowledge and due diligence." From a political standpoint, Scott said these silos have been protected for far too long. However, after all of the year's attacks, federal groups such as HHS and the Department of Homeland Security were exhausted. So much so, they all started to throw the cards down and share information. This needs to continue with the new administration.