The lesser-known security threat concerning a Symantec exec most
Government Health IT asked David Finn, health IT officer at Symantec, to weigh in on the most recent security trends, what tops his list of concerns, and exactly how a worst-case scenario might play out.
Below are his answers, edited for length and clarity.
Q: We hear a lot about the evolving threat landscape, hacktivists, nation-state attackers, ransomware, et al. But what are some of the lesser-known threats?
A: Security has not, historically, been a function or career track in healthcare, so we don't have people waiting in the organization to move into these roles. And because of salaries in healthcare IT, as professionals learn the skills and get the certifications, they often move on from healthcare to other industries where security is a "career" and salaries tend to be higher.
For many years IT in healthcare has lagged all industries in spend as a percent of revenue. That has created a situation where IT is already behind, so it lacks some of the IT disciplines – for example, patch management, robust testing, and change management – that are best practice in other organizations.
The one threat that most concerns me and is not getting the attention and focus inside the provider space that it deserves: biomedical devices. While this has been a theoretical threat for a number of years, we are now seeing actual attacks, breaches, and incidents in hospital settings. Rarely does Biomedical or Clinical Engineering fall under IT, and you cannot protect the network, other systems, or the devices until you align security across all network-based technologies and have a comprehensive, single vision. Today, you can't necessarily protect a medical device the same way you protect a laptop or desktop, so they are often overlooked. What's more, is that medical devices may not even be the target of the attack, but they provide hackers with a fast, easy way onto the production network where the real targets live. Medical devices may contain ePHI on hundreds of patients, however, so they do represent a potential breach situation themselves.
Q: How long will it be until health data privacy and security are not such interesting topics? Meaning they've largely been solved?
A: I wish I had a happy answer to that question, but unfortunately we are in the midst of some great social changes and healthcare is caught in the middle. First, information about people is more valuable than the "things" they own today and healthcare keeps more information about people than any other industry. Providers did not have this data in the past, and even when they did have it, it was on paper, which is hard to move and sell. Healthcare organizations are facing new challenges as they move to an entirely new cultural thought process. Finally, healthcare is the only industry "required" to share data with other providers and payers. And since the Final Omnibus Bill in 2013, which provides individuals with increased protection and control of their personal health information, bad guys are getting smarter, moving faster, and are not constrained by budgets, processes, rules, or laws. Every time you share information or provide patients, employees, and stakeholders with access to information, you create a new risk vector. Is it the right person/entity? Is this person/entity who they claim to be? We have to protect not just the data today, but the identities of the people and organizations that need the data. This will not be a quick change, but rather a generational shift.
Q: What is the worst-case scenario?
A: Unfortunately, the worst-case scenario is the one we are starting to see more often. That is a network intrusion – an attacker – infiltrating an organization's network almost a year before the organization discovers it. While the number of days has dropped from 243 in 2012 to 205 days in 2014, the bottom line is breaches can go undetected for years. If you are under a Denial-of-Service attack or even a phishing attack, you know it and you can take action. If you don't know you are sitting on a ticking time bomb, well, you are just unknowingly waiting for the bomb to go off. These new advanced threats infiltrate your network, find all of the valuable data – whether it is electronic protected health information (ePHI) or Intellectual Property – map the network, learn the traffic patterns, and wait for an opportune time to exfiltrate that data. These new threats require new tools; new intelligence; and new ways to monitor data, systems, networks, and users as well as secure identities.
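The pattern Finn describes in the last answer (a quiet foothold, a long wait, then a burst of outbound data) and the overlooked medical device he worries about in the first one are both visible in plain network flow data if someone is baselining it. The following is an added example, not code from the interview or from Symantec: it reads constructed flow records (hostnames, destination addresses in the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges, byte counts and the `src=... dst=... bytes=...` line format are all made up for the example), builds each host's own daily outbound baseline, flags a day whose volume is far above that baseline, and reports how many days the host had already been talking to the burst destination, a rough dwell-time figure for the investigator.

```python
import re
from collections import defaultdict
from datetime import date
from statistics import median

# Constructed sample flow records (not real traffic). One line per flow:
# an infusion-pump host beacons a few hundred bytes a day to the same
# external address for five days, then sends 48 MB on day six; a
# workstation moves a steady ~5 MB a day and should not be flagged.
SAMPLE_FLOWS = """
2014-03-01T02:10:00 src=infusion-pump-07 dst=203.0.113.5 bytes=1200
2014-03-01T09:00:00 src=ws-42 dst=198.51.100.10 bytes=5100000
2014-03-02T02:11:00 src=infusion-pump-07 dst=203.0.113.5 bytes=1180
2014-03-02T09:05:00 src=ws-42 dst=198.51.100.10 bytes=4900000
2014-03-03T02:09:00 src=infusion-pump-07 dst=203.0.113.5 bytes=1250
2014-03-03T09:01:00 src=ws-42 dst=198.51.100.10 bytes=5300000
2014-03-04T02:10:00 src=infusion-pump-07 dst=203.0.113.5 bytes=1210
2014-03-04T09:02:00 src=ws-42 dst=198.51.100.10 bytes=5000000
2014-03-05T02:10:00 src=infusion-pump-07 dst=203.0.113.5 bytes=1190
2014-03-05T09:00:00 src=ws-42 dst=198.51.100.10 bytes=5200000
2014-03-06T03:30:00 src=infusion-pump-07 dst=203.0.113.5 bytes=48000000
2014-03-06T09:03:00 src=ws-42 dst=198.51.100.10 bytes=5100000
""".strip().splitlines()

# Hypothetical record format used only by this example.
FLOW_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) bytes=(\d+)$")


def parse_flow(line):
    """Parse one constructed flow record into a dict; reject malformed lines."""
    m = FLOW_RE.match(line)
    if not m:
        raise ValueError(f"unparseable flow record: {line!r}")
    ts, src, dst, nbytes = m.groups()
    return {"day": date.fromisoformat(ts[:10]), "src": src,
            "dst": dst, "bytes": int(nbytes)}


def daily_outbound(flows):
    """Total outbound bytes per source host per day."""
    totals = defaultdict(lambda: defaultdict(int))
    for f in flows:
        totals[f["src"]][f["day"]] += f["bytes"]
    return totals


def first_contact(flows):
    """Earliest day each (src, dst) pair was seen talking."""
    first = {}
    for f in flows:
        key = (f["src"], f["dst"])
        if key not in first or f["day"] < first[key]:
            first[key] = f["day"]
    return first


def find_exfil_candidates(lines, factor=10, min_history=3):
    """Flag days where a host's outbound volume exceeds `factor` times the
    median of its own earlier days. Requires `min_history` prior days so a
    brand-new host is not compared against an empty baseline. For each
    finding, report the destination that received the burst and how many
    days the host had already been contacting it (a rough dwell time)."""
    flows = [parse_flow(line) for line in lines]
    totals = daily_outbound(flows)
    first = first_contact(flows)
    findings = []
    for host, per_day in totals.items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            history = [per_day[d] for d in days[:i]]
            if len(history) < min_history:
                continue
            baseline = median(history)
            if per_day[day] > factor * baseline:
                day_flows = [f for f in flows
                             if f["src"] == host and f["day"] == day]
                top = max(day_flows, key=lambda f: f["bytes"])
                dwell = (day - first[(host, top["dst"])]).days
                findings.append({"host": host, "day": day.isoformat(),
                                 "dst": top["dst"], "bytes": per_day[day],
                                 "baseline": baseline, "dwell_days": dwell})
    return findings


if __name__ == "__main__":
    for finding in find_exfil_candidates(SAMPLE_FLOWS):
        print(finding)
```

Run as-is it reports one finding: the pump host, with a baseline of 1200 bytes/day, moved 48,000,000 bytes on 2014-03-06 to a destination it had first contacted five days earlier. The per-host median is deliberate: a workstation that always moves 5 MB a day is normal for itself, and a global threshold would either miss the pump or drown in workstation noise. On real flow data the same logic wants a longer history window and a per-destination breakdown, but the shape of the check, and the fact that an unmonitored clinical device is where it pays off, is what the interview is pointing at.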