Changing the cybersecurity culture
Ransomware and malware attacks continue to plague hospitals and institutions, scoring frequent and disruptive hits. Internal data breaches are commonplace. Risk-laden network links with external agencies and partners abound. Security weak spots are discovered in legacy systems and new applications alike. Clinicians working around medical device security protocols expose chinks of vulnerability in the IoMT.
Anyone building a picture of the state of cybersecurity in healthcare globally would struggle to find encouragement for the beleaguered hospital CIO, with many organisations apparently unable to break out of a reactive cycle and shift to more proactive defence strategies.
Bold statistics do little to improve the anecdotal picture. In April, the U.S. Department of Health and Human Services reported 44 healthcare data breaches for the month, a record. The fact that the number of individuals affected fell by 29% from 963,794 to 686,953 compared with March was not exactly grounds for optimism, given the potential scale of the impact.
Cyber risk and privacy management specialist IT Governance publishes a monthly blog of data breaches reported worldwide. The healthcare sector is well-represented and while these lists are a litany of phishing, ransomware and distributed denial-of-service (DDoS) attacks, they are also peppered with more banal cybersecurity failures that hint at the cultural challenge of managing risk in many institutions. These range from unauthorised employees accessing patient records to coding errors that unwittingly expose records.
The June post referenced the accidental sharing of 37 patients’ email addresses in an invitation to a support group distributed by NHS Highland. Meanwhile in New York state, a member of the Independent Health Insurance company was emailed documents containing personal information on more than 7,600 fellow members. And a web advertising company helping law firms sign up possible clients exposed 150,000 records from an unsecure database, containing personal details of accidents, injuries and illnesses.
Verizon’s 2019 Data Breach Investigations Report underlines the extent to which, when it comes to managing cybersecurity risk, internal processes and policy enforcement failures (59%) are more likely than external threats (42%) to leak data. Despite this, leading cybersecurity experts suggest there is cause for cautious optimism in the way some hospitals are building more proactive strategies despite their complex cultural and technological legacies.
Signs of progress
Dave Kennedy, founder and senior principal security consultant at TrustedSec, says a number of his healthcare clients have made significant cultural adaptations and now do a very good job of cybersecurity management. But this is not something that can be solved overnight by throwing more people and resources at it.
“Being more proactive means having the ability to fix issues as they are identified over time,” he says. “The biggest challenge for a hospital CIO is being able to communicate the likelihood and impact of a breach and introduce whatever is necessary to prevent it. And describing possible impact to a board is difficult.”
Kennedy advocates recruiting people specifically to build sustainable programs that will help an institution move away from an infrastructure riddled with missing patches and misconfigurations. A more frequent patch management program for applications and systems is a core recommendation, alongside enhanced – and enforced – multifunctional password management.
He says it is also vital for IT leaders to have high visibility into their infrastructure, with comprehensive log management. The window of risk is often greatest between an attacker’s initial breach of an administrative system and their subsequent passage into clinical and patient record systems – the point at which it becomes a major issue.
“On average it takes two hours to respond to a breach,” he says. “You can’t prevent everything but you can try to respond to and remove the threat faster than the attacker can break through to other systems.”
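The visibility and log management point above can be made concrete with a small detection routine. The following is an added example, not code from the article or from TrustedSec: it parses constructed, syslog-style authentication events, uses a hypothetical host-to-zone map (which hosts are administrative and which hold patient records), and reports every account whose first successful login to a clinical system follows a successful login to an administrative system, with the elapsed time and whether it fell inside a configurable response window (two hours here, assumed as the target). Host names, user names and addresses are all constructed.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample authentication events (not taken from the article).
SAMPLE_LOG = """\
2019-06-03T08:02:11 host=admin-jump01 user=jsmith src=10.20.5.14 result=success
2019-06-03T08:05:40 host=admin-jump01 user=jsmith src=10.20.5.14 result=success
2019-06-03T08:41:02 host=ehr-db02 user=jsmith src=10.20.5.14 result=success
2019-06-03T09:10:00 host=admin-jump01 user=mlee src=10.20.7.9 result=failure
2019-06-03T09:12:30 host=admin-jump01 user=mlee src=10.20.7.9 result=success
2019-06-03T15:30:00 host=pacs-app01 user=mlee src=10.20.7.9 result=success
2019-06-03T10:00:00 host=ehr-db02 user=dr_patel src=10.30.1.50 result=success
"""

# Hypothetical zone map: administrative hosts versus clinical / patient-record
# hosts.  In a real deployment this would be fed from the asset inventory.
HOST_ZONE: Dict[str, str] = {
    "admin-jump01": "admin",
    "ehr-db02": "clinical",
    "pacs-app01": "clinical",
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_events(text: str) -> List[dict]:
    """Parse the key=value log format into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the expected format
        event = m.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def find_admin_to_clinical_pivots(events: List[dict],
                                  window: timedelta = timedelta(hours=2)) -> List[dict]:
    """One alert per account: its first successful clinical-zone login that
    follows a successful admin-zone login.  `minutes` is the elapsed time;
    `within_window` says whether it happened inside the response target."""
    first_admin: Dict[str, dict] = {}
    alerts = []
    for e in events:
        if e["result"] != "success":
            continue  # failed attempts do not establish a foothold
        zone = HOST_ZONE.get(e["host"])
        if zone == "admin":
            first_admin.setdefault(e["user"], e)  # keep the earliest admin login
        elif zone == "clinical" and e["user"] in first_admin:
            a = first_admin.pop(e["user"])  # alert once per account
            gap = e["ts"] - a["ts"]
            alerts.append({
                "user": e["user"],
                "admin_host": a["host"],
                "clinical_host": e["host"],
                "minutes": int(gap.total_seconds() // 60),
                "same_src": a["src"] == e["src"],
                "within_window": gap <= window,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_admin_to_clinical_pivots(parse_events(SAMPLE_LOG)):
        print(alert)
```

Run as a script it lists two pivots: one 38 minutes after the admin login and one more than six hours later. A responder would treat the first as the urgent case, since it sits well inside the two-hour window the article quotes; accounts such as `dr_patel` that only ever touch clinical hosts produce no alert, because the logic looks for the admin-to-clinical transition rather than clinical access on its own.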
Elliott Frantz, CEO of Virtue Security, has previously spoken of the cybersecurity weaknesses caused by hospitals running unnecessary IT services and, in particular, the vulnerability of applications in their runtime state. He agrees that system visibility is crucial to seeing and understanding the risk level at any given time. Proactively aiming to reduce the hospital’s overall risk and exposure is, he says, a more effective strategy than what has often seemed the default setting – an ongoing game of “crushing ants”!
“These are such highly connected environments,” he says. “A lot of employees need access to a lot of systems – and this creates inherent risks. Traditionally, a hospital has wrapped technology around its business, leading to multiple segregated pieces. Instead, they need to use technology to solve security by design. The positive sign is that a lot of new network and virtualisation technology is helping to create less exposed infrastructures.”
He would like to see more being done to improve application security. “We have seen a lot more hospitals taking a bigger interest in tackling application security problems, and that’s a good thing,” he says. “But the picture has not improved substantially.”
For Jason Gillam, CIO at Secure Ideas, the main issues to be addressed are often more cultural than technological. He points out that low-level attacks and breaches are particularly successful – and do not necessarily require sophisticated high-tech solutions.
The threats themselves remain relatively unchanged, and healthcare is a soft target made softer by the nature of “businesses” that have never considered themselves to be technology companies. This often leads to lax technical competence when it comes to cybersecurity. Where a breach occurs because of a misconfigured server or database, it is generally because somebody did something at a relatively basic level without understanding the consequences for security.
“In healthcare security, we’re taught above all else that life and limb are important,” he says. “So data and personal information are not always the top priority, and this drives what happens. A lot of activity that might be considered suspicious in any other industry is overlooked. We need to make a cultural shift from cybersecurity as a compliance check-box to doctors treating the protection of their patients’ personal data as a priority,” he says.
While Gillam has noted some examples of this happening, the sea change is nowhere near enough. Healthcare faces a major challenge in bringing about such a huge cultural shift across its often massively dispersed environments – and as the statistics suggest, progress continues to be at shuffle pace. Cybersecurity is not about to relinquish its status as the biggest thorn in the CIO’s side any time soon.
This article was first published in the newest issue of HIMSS Insights, which looks at cybersecurity in healthcare. Healthcare IT News and HIMSS Insights are HIMSS Media publications.