Cybersecurity: Innovating staff buy-in and avoiding silver bullet tools
The healthcare security landscape is always in flux. From ransomware to phishing attacks, hackers have continued to target the sector at a steady pace over the last few years. While the attack vectors may shift, the fact remains that security must continue to develop and innovate to keep pace with hackers.
A report from security firm SentinelOne saw fewer ransomware attacks in 2018 than reported the year prior, while fileless attacks have increased by 94 percent. However, with three major ransomware breaches reported over the summer, it’s yet to be seen whether reporting is down -- or the use of the malware.
Not only that but, according to Symantec, 10 percent more organizations reported a breach in 2017 than the previous year.
“The threat environment -- the vectors, the types of attacks, the sources, the actors -- are always changing,” said David Finn, CynergisTek executive vice president of strategic innovation. “You have to keep an eye on the threats and where they are headed, the trends, movements, developments.”
Credit: Forcepoint illustration of UEBA
Innovating staff buy-in
Insider breaches are consistently the top threat to the healthcare sector. Whether it’s opening a malicious email or intentionally snooping on patient records, employees are a risk when not properly trained.
To avoid these errors, organizations should “make these products as ‘compatible’ with the employees and their workflows,” said Lee Kim, director of privacy and security for HIMSS North America. It will “mitigate the chance of workarounds and circumvention.”
And as always, awareness, training and education are paramount, explained Kim.
“At the end of the day security is really a people problem,” Finn said. “Machines don’t click on bad links or provide credentials or leave themselves in cabs or create bad passwords -- people do.”
“We need to, not only make security training an ongoing exercise, but we need to actually explain why we have security, why we have to have it and maybe most importantly, that this is as much about their personal protection as the organization’s and its patients and following the law,” he added.
According to Finn, one of the bigger trends in security is User and Entity Behavior Analytics (UEBA). The tool provides insight into users’ activities, helping to “identify everything from illicit activity, to disgruntled employees doing dastardly things to stolen credentials.”
The tool can’t be made completely invisible to the user, which Finn explained will give security the chance to explain to employees what they’re doing and why.
“Everyone should be looking at this in some way,” said Finn. “It isn’t really about catching people doing bad things, but you will see a drop in bad behaviors simply because users know that someone can see when they do it.”
“Security is really about the business and the risks that not doing certain things presents to the business -- clinicians, billers, patients,” he continued. “The more you can engage the people using the technology and the information, the easier it is to implement the technology.”
Avoiding the shiny object syndrome
Security leaders have consistently warned against the shiny object syndrome. Many security vendors tout the next silver bullet: a single security tool that will shore up all vulnerabilities. But there’s a catch: Cybersecurity needs to be an ever-evolving system of tools, policies and procedures to be effective.
“The security market is broken -- and not just the security startups,” said Kurt Hagerman, chief information security officer at Armor, a security firm. “All of the solutions get over-marketed as the silver bullet, as able to protect and keep the bad guys at bay.”
As many healthcare organizations are running on notoriously tight budgets, investing in the next big thing may not even be an option. In fact, security budgets have not increased enough: 75 percent of healthcare organizations spend only 6 percent or less of IT budgets on cybersecurity, according to the Symantec report.
To Finn, organizations need to evaluate their needs before looking to buy the next tool.
“The people selling you solutions will always be trying to sell you the next silver bullet,” said Finn. “There is no guarantee their predictions are any better than yours. So, yes, you always have to be looking at the new products, but they have to make sense in your environment, they have to protect against the risks you face.”
“Don’t look for a tool to solve your security problem: Look for a solution to the problems you are having,” he added. “Focus on the problem you are solving, not just on finding a solution. Frankly, we haven’t mastered basic cyber hygiene and until we can do that, buying the bright shiny object is not likely to improve security.”
Considerations for next-gen tools
While it’s important not to buy a tool based solely on a sales pitch, organizations should still consider security advancements to address network vulnerabilities.
“If you want to be secure, you need to look at advancements in security,” said Kim. “AI, machine learning and other cutting edge technologies will help advance the state of the art and overcome present day limitations.”
Machine learning and heuristics, for example, create a system able to prevent, detect, thwart and recover automatically from ransomware attacks, explained Kim. Monitoring tools will automatically detect and fix vulnerabilities before attackers can exploit them.
Biometric authentication devices can be integrated into computer systems. Established tools like fingerprint, face and voice biometrics are going mobile, while nontraditional models like iris/retina scans are showing promise.
But for those organizations moving their data and/or networks into the cloud, Finn said the focus needs to be on moving users and identities into the cloud and securing the data.
“The cloud can be well protected, but if your users are using insecure ways to access that data or those systems, you might be making things worse,” said Finn. “If you have a major business initiative that will rely on mobile users, then you need to focus on security around mobility.”
“More and more healthcare organizations are moving more and more data, systems and functions to the cloud,” he added. “We’re seeing some very impressive tools for cloud-security and even cloud-based security for on-premises systems.”
As the shift continues to the cloud, “protecting data and our users’ identities becomes more critical,” explained Finn. Organizations should look for tools related to data loss prevention in the cloud or Cloud Access Security Brokers -- a tool that sits between a provider’s on-premises infrastructure and the cloud.
“More importantly, look for these tools to communicate with each other and share information that enhances security for everyone,” said Finn.
To Kim, organizations need to do their due diligence when considering these tools, on both the business and clinical side. They also need to make sure to consider the budget and its limitations.
“I do see customers who still see the latest and greatest and they will run out and get it -- or some cheaper version of it and they find it doesn’t meet their needs,” Finn added. “Worse, it never gets implemented properly.”
Cybersecurity is not a static task but, instead, dynamic and always changing. That means healthcare has to keep pace.
“When security breaks, we need to not just fix it, but ensure that we become more resilient,” Kim said. “Sometimes, that involves selecting and vetting the appropriate next-gen security product. But do your due diligence. Don’t just rely on what the sales people tell you.”
Focus on Innovation
In September, we take a deep dive into the cutting-edge development and disruption of healthcare innovation.