As hackers become more destructive, security needs an all-hands approach

Cybercriminals are capable of shutting down governments and electrical grids, highlighting what’s to come for the healthcare industry, according to an MIT professor.
By Jessica Davis

“...with a cyberattack, who’s defending you? It’s up to you. The good news is the good guys are getting better. But the bad guys are getting worse -- and faster,” said Stuart Madnick at the Healthcare Security Forum in Boston on Monday.

BOSTON -- While healthcare organizations proved to be the most promising target for hackers in 2016, with 88 percent of attacks on the industry, this year has become more democratized, according to Stuart Madnick, who holds the position of John Norris Maguire Professor of Information Technology at the Massachusetts Institute of Technology.

That’s not to imply the threat has reduced. And it’s not just about stolen credit information.

“There tends to be a concern about stolen data. But it’s not only credit information and so on,” Madnick said at the Healthcare Security Forum on Monday. “Breaches not only affect your information, but your safety.”

Highlighting some of the world’s most destructive cyberattacks -- such as government shutdowns, electrical grid disruptions and the like -- Madnick explained that these types of threats are the most pressing.

Healthcare organizations may find these attacks fascinating -- but providers should also be concerned.

“What if your organization lost electrical power -- not just for three hours or three days but for three weeks?” said Madnick. If someone were to physically attack a hospital, the government would help.

“But with a cyberattack, who’s defending you? It’s up to you,” he added. “The good news is the good guys are getting better. But the bad guys are getting worse -- and faster. In fact, the gap is growing.”

For Madnick, this is due to several reasons, the biggest being that cybercriminals are offering hacking tools for sale on the dark web. Madnick said that, for example, parts of WannaCry were created by tools stolen from the NSA.

“You can create your own cyber weaponry for about $14,000,” Madnick said. “It’s easy to become a bad guy -- and easier to become an effective bad guy.”

So what can be done?

“Security isn’t just a matter for top executives, IT or infosec people,” said Madnick. “It requires the involvement of the whole organization.”

Madnick referred to what MIT calls the house of security, which involves perceptions, awareness, maturity and the like.

“But it’s hard to measure reality, as perceptions affect behavior,” he said. “If you don’t understand people’s perceptions, you won’t understand their behaviors.”

Secondly, there’s an assumption among executives that security is merely a technology issue that should be left for the IT people to resolve, said Madnick. But even if an organization keeps its door bolted, so to speak, if the key is left under the mat -- it’s not really secure.

“A lot of times we groupthink ourselves into a lot of naivety,” he said.

So organizations must look at the current state of their security and determine where it needs to be, then analyze the gap to determine their plan of action. Madnick said as the industry moves into automation and IoT, it’s only a matter of time for these things to become security risks.

“We need to be more creative in our workforce,” said Madnick. “You and your organization need to be vocal about security.”

Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com
