Healthcare cybersecurity is in a rut, and hackers keep swinging
The number of breached patient records has declined from 100 million in 2015 to just 5 million in 2017, according to a recent Symantec report. But don’t take that at as good news: 10 percent more organizations reported a breach in 2017 than the previous year.
These results could be interpreted in a number of ways. First, possibly certain state actors, like China, have stayed away from healthcare data, said Axel Wirth, a healthcare solutions architect at Symantec. Findings may also suggest that larger organizations are becoming more secure, while smaller providers are still struggling.
But “it doesn’t matter how many records you hold hostage, it’s equally painful for the organization. It may explain why we see a lot of smaller breaches,” Wirth said.
So what does that mean for the healthcare sector? Hackers aren’t done with their attacks. In fact, the report found there’s been a 600 percent increase in attacks on IoT devices and an increasing target on mobile devices.
There’s also been a 200 percent increase in supply chain-based attacks in 2017, such as those used in the infamous Petya attack last June. And last year, cryptocurrency mining -- which leverages blockchain -- increased by a whopping 8,500 percent.
Wirth took these stats to Capitol Hill this month to shed light on this ongoing issue. Unfortunately, the situation is still dire.
To start, security budgets haven’t increased enough: 75 percent of healthcare organizations spend just 6 percent or less of IT budgets on cybersecurity, according to the report. That’s about half of what industries with more mature security invest.
And due to a lack of competitive salaries and attracting security talent, the security staffing issues have not improved from the June 2017 U.S. Department of Health and Human Services Cybersecurity Task Force report. The task force found three out of four organizations are operating without a designated cybersecurity leader.
In summary, hackers keep rolling out more sophisticated attack vectors, and healthcare is stuck wondering what to do about it.
Awareness is up, confidence is lacking
Fueled by the near-daily reports of breaches and cyberattacks, the healthcare sectors is, by now, well-aware of the risks from phishing, ransomware and other threat actors.
In fact, according to a recent HIMSS Analytics and Symantec report, 60 percent of healthcare providers now name risk assessments as the number one driver of security investments instead of HIPAA compliance. And about 40 percent have adopted cybersecurity frameworks like NIST.
C-suite involvement has also improved, with 80 percent of providers briefing the boardroom on cybersecurity issues -- although half said those meetings weren’t regularly scheduled.
And last year, no single healthcare breach exceeded 1 million records -- only the second time since 2009. It points to a trend of breaches getting smaller, Wirth said.
That’s all well and good, but despite an increased awareness, organizations are no more confident in their ability to thwart these attacks, the report found. Budget, staffing and skill-sets were named the top three barriers to improving a higher level of confidence in security programs.
The majority named both budget and staffing as the biggest issues. These results reflect another recent study by Gartner that found only 65 percent of organizations across all sectors have a cybersecurity expert on staff -- which leaves a third of organizations without a security leader in place.
“We do see healthcare organizations change their security strategy based on evolving threats and recognized vulnerabilities,” Symantec wrote in the report. “But overall, the industry is not keeping up with cyber adversaries and is in urgent need for improvement.”
The way out
Cyberattacks on healthcare pose a wide range of risks, from patient safety and privacy to national security, explained Wirth. And even when healthcare is not the main target, healthcare can still be impacted (i.e. WannaCry).
To get around this, healthcare needs to make some major changes. To start, the industry needs to shift its view of cybersecurity risks as risks to business -- not just an IT issue, Wirth wrote. “Any good cyber strategy requires close cooperation of internal and external stakeholders.”
End-to-end security, or Defense in Depth, should no longer be optional, but a requirement, wrote Wirth. Organizations should take the mindset that a cybersecurity event is inevitable and should adequately prepare and increase their incident response capabilities. And as a whole, security education needs to improve.
Lee Kim, director of privacy and security for HIMSS North America shared similar sentiments at the recent HIMSS Healthcare Security Forum in San Francisco. To Kim, the collaborative nature of the healthcare sector needs to continue both at conferences and between organizations.
“Cross-sector, we’re empowered to share the latest and greatest education, on threats, on mitigation, on what we could do to make us stronger,” said Kim. “Hopefully, as a positive snowball effect, we’ll be able to speak more, network more, work together and unify.”
“There are so many divisions in business, but I think we’re learning in cybersecurity, if we aren’t as organized as these nation state actors, cybercriminals (who are very organized as a business), how can we, being diluted in terms of our power and numbers, how can we match up?” she added. “The answer is: ‘We can’t.’”
Healthcare Security Forum
The forum in Boston focuses on business-critical information healthcare security pros need Oct. 15-16.