As new cyber risks emerge, strategies are evolving – but basic principles still apply
In news that will surprise precisely no one, the list of lurking cyber threats putting healthcare data in peril continues to lengthen.
Healthcare, you may have heard by now, has developed a reputation among hackers, cyberattackers and assorted other bad actors as an industry that's both "target-rich and easy pickings." As such, it finds itself in the crosshairs of innumerable hackers and bad actors hoping to harvest mission-critical data or otherwise wreak havoc on healthcare IT systems.
Just look at the most recent HIMSS Healthcare and Cross-Sector Cybersecurity Report for a snapshot of where we are. The report offers a menagerie of creatively-named new species of malware of which to beware:
- Agent Smith (it infects Android devices and surreptitiously replaces their applications with malicious mobile apps);
- WannaHydra (an updated version of WannaLocker, which can harvest text information, call logs, phone numbers);
- The Astaroth Trojan spam campaign (an information-stealing malware that can swipe sensitive data such as credentials, keystrokes, and more);
- Sodin ransomware (it exploits a vulnerability in the Oracle WebLogic platform; unlike other ransomware, it doesn't require any user involvement).
And, of course, new breeds and mutations are discovered in the wild nearly each and every day.
To get a bit more perspective on the current state of cybersecurity, we checked in with HIMSS Director of Privacy and Security Lee Kim.
She sent us an email with a long list of links pointing to news coverage of various ransomware attacks, nation state threats and other cyber risks occurring around the globe – and then she sent several more emails, in quick succession, that were just as chock-full of cyber mischief-making:
- Louisiana declaring a state of emergency this past week after a series of ransomware attacks on school district information systems.
- A ransomware attack on IT vendor Net Health.
- A joint exercise between the U.S. and Indonesia militaries, hunting for cybersecurity threats in the Asia Pacific region.
- A story about spyware installed onto tourists' phones by the Chinese government.
- A warning to "be on the lookout for Dridex," a credential-stealing malware.
- A suggestion to "patch for BlueKeep," a vulnerability that exists in several older Microsoft operating systems, and enables hackers to perform remote code execution on unprotected systems.
Amid all this news of leading-edge cyber risk, however, Kim also reminded us not to forget the oldies-but-goodies: "Phishing is still king – and isn’t going anywhere anytime soon," she said.
"While cyber threats continue to evolve, basic principles still apply," Kim explained. "Users of all levels need to be regularly trained on how to detect phishing attempts (whether via SMS, web, email, etc.). Phishing still remains the primary mode of compromise."
Additionally, she noted, as if to highlight the ever-shifting nature of cyber risk, "vulnerabilities are often discovered after the release of technology. No technology is bullet-proof. There is no substitute for defense in depth, conducting regular risk assessments, having a robust patch management program, and managing the lifecycle of software/hardware/devices (i.e., responsibly migrating from legacy systems). Cybersecurity programs are not self-driving – yet."
Protecting PHI is top-of-mind, sustainable security programs a goal
But at least hospitals and health systems are finally prioritizing their cybersecurity programs and, sometimes, making strategic security investments at a level commensurate with the risks.
Many providers are underinvesting in security. Many aren't vetting their vendors well enough. Many are overconfident in their infosec posture. But at least health system leaders are aware of the threats in ways they may not have been even just a year or two ago.
Recent HIMSS research polled IT leaders about their top cybersecurity concerns. Among the findings, in response to the question "What are your organization’s top IT security or cybersecurity concerns?":
- Protecting personal health information/patient data - 72%
- Securing connected devices - 56%
- Identifying/preventing fraudulent activity - 54%
- Addressing ransomware/malware attacks - 52%
- Sustainable data privacy compliance - 41%
And in response to the question of what those health systems' cybersecurity investment priorities are for the next 12 months:
- Email security - 55%
- Data loss prevention - 46%
- Mobile device security - 38%
- Threat intelligence/detection/management - 38%
- Identity and access management (e.g., single-sign on, multi-factor authentication) - 38%
All well and good. And, perhaps, something approaching enough. But when the cyber threats are this ubiquitous and the risks of compromised data are so great, more must be done.
We'll be focusing on these challenges and others – but also the big advances being made in healthcare security every day – in our focus this month on Securing the Health Environment.
Focus on Securing Healthcare
In August, Healthcare IT News, along with our sister sites, MobiHealthNews and Healthcare Finance, will focus on the many ways the industry is succeeding – and the places it's falling short – when it comes to the all-important task of enterprise-wide security.