Healthcare Cybersecurity: It’s going to get worse before it gets better
It wasn’t supposed to be like this. Despite complaints about rising costs and byzantine bureaucracies, the healthcare industry is about helping people. With a significant portion being non-profit, the industry is hardly the epitome of wealth. There’s no doubt that the financial services industry is a much juicier target. And unlike defense contractors or the governments they serve, it’s hard to blame healthcare for the world’s conflicts. But like it or not, it has a target on its back. Like cigarettes in prison, healthcare records are perceived to have an almost mythical value with estimates going to fifty dollars or higher among those trafficking in illicit goods. And like prison cigarettes, that perceived value drives the market more than any actual return on investment. After all, successful identity theft is hardly a trivial exercise. It’s much easier to be a middle man.
So one should now expect these middle men to be salivating at the prospect of ever more intimate data being ripe for the picking as population health and telemedicine takes off. As I noted in an earlier post, population health requires a significantly higher amount of protected health information (PHI) sharing among many more healthcare providers. Entities will need the data to both influence and measure the health outcomes of their patients over time, thereby taking on more risk. This is both commendable and a necessary goal, as it will hopefully begin to address exploding costs and incentivize providers to be more accountable. Similarly, telemedicine and remote health monitoring offer significant savings, replacing expensive office visits with much cheaper virtual ones and offering the ability to monitor patient health real-time rather than through a series of unreliable snapshots. But that requires more intimate details about a patient’s life that can be targeted for identity theft, blackmail, sabotage, or worse. As one article noted, we face a similar risk with the growth of insecure medical devices within the hospital. In addition to the devices themselves, they also offer a gateway to the treasure trove of information stored within electronic healthcare records (EHR) systems. Undoubtedly the benefits still outweigh the risk, and that would be even truer if a significant chunk of the savings were applied to better security. Additionally, providers will need assurance that common controls are implemented across providers and the vendors delivering the infrastructure. Otherwise, we’ll be seeing major battles over indemnification.
While it’s easy to suggest that we just need government to stiffen the penalties and double down on audits, I’m not optimistic that the tweaking of regulations and their enforcement will do much good. The incentive to avoid being breached is much more effective than the threat of fines for non-compliance in terms of implementing effective security rather than opposed to checking boxes. We’ve seen much more attention to security in the last couple of years as a result of breaches than we’ve seen in the prior 17 years since the Health Insurance Portability and Accountability Act (HIPAA) became a law. The government can be most effective by showcasing examples of good security (not just compliant ones) through centers of excellence and supporting organizations like the National Institute of Standards and Technology (NIST) that foster ongoing improvement to the industry’s security posture. That said, many providers still fail to even meet the letter of HIPAA, let alone the spirit. For those, it may be worth some targeted and elevated efforts to identify the more egregious violators and penalize them accordingly. The government can also help by gathering and disseminating more metrics on the state of cybersecurity in healthcare and take advantage of peer pressure to encourage improvement and the facilitation of better actuarial data for insurance purposes.
Others would suggest that better information sharing about threats and incidents will finally allow us to stay on top of the hackers. Despite the recent passage of the Cybersecurity Information Sharing Act (CISA), which supposedly reduced the risks of sharing such data with the government and others, organizations cannot share information they don’t have and still have little incentive to build infrastructures to capture and disseminate threat data. And that is even truer for healthcare providers. Most don’t have the tools or talent to generate useful and actionable indicators of attacks and any data gathered as part of an incident response investigation would likely come too late to be of much help beyond some general trending information. Even healthcare’s ability to receive and incorporate threat intelligence is very limited. For many, the best option is to engage a managed security services provider.
Generally speaking, healthcare is slowly making progress in cybersecurity. The recent breaches are more reflective of the fact that healthcare records and the industry in general has been a popular target for hackers. This has been partly due to the perceived value of healthcare records over credit card and commonly stolen data. As the value of credit card information on the black market has declined, other personally identifiable information (PII) has grown in popularity with hackers. Additionally, healthcare is perceived (albeit correctly until recently) to having some of the worst cybersecurity than any industry. So when combined with the black market value of the data, attacks have grown in frequency and sophistication. Additionally, ransomware, which has seen ebbs and flows over the years, is now gaining in popularity based on the belief, which has proven correct, that healthcare providers and others will pay ransoms. We are likely to see escalation in these attacks in the near-term with higher ransom demands as hackers seek to avoid leaving money on the table while still ensuring a payout. Eventually such attacks will be harder to carry out due to improved hardening of infrastructures, and that will lead to migration to other attacks that are not detected. While not as flashy or lucrative in the short-term, the ability to exfiltrate PII for sale on the black market undetected for a much longer period of time will likely be the preferred route.
So the challenge is to make some real progress while we can measure it. Once the hackers “go dark”, we may never know the source of an identity theft, leaked embarrassing information on celebrities, the scandalous facts of a blackmail threat, or even the means to kill patients with the push of a button. After that, it will be harder to know whether our defenses are strong enough to sustain the threat and spending money on insurance premiums will feel like money wasted. And that’s because the absolutely worst position for a society to be in is where the people don’t trust the institutions there to serve them, and there is no easy mechanism for the institutions to reestablish that trust. If hospitals can’t prove they’re not being hacked, then patients must conclude they are putting their lives at risk any time they seek a provider’s services. That’s hardly a recipe for lower costs and better outcomes.
So let’s all commit to real action and not lip service. Funding will need to come from a variety of sources and not just the IT department. Cybersecurity is an enterprise risk, and it should be treated like one. Boards and CEOs are already asking if enough is being done. Fundamentally, cybersecurity is not hard. It just takes consistent commitment and acknowledgement that the job is never done. It is also not a hobby. The same discipline, hard work, and brain power it takes to be a successful surgeon is what is required to continuously thwart attackers. That may mean hospitals can’t do that on their own, but no one expects them to. The list of actions to take below are a few that Leidos believes are critical to effectively combating the threat:
- Know Your Data: If you don’t know what data you have and where it is, you have no hope of protecting it. Conduct regular data discovery drills and verify that only those authorized to see can access it.
- It’s People, Process, and Technology: While their marketing is often persuasive, cybersecurity products alone won’t solve a talent problem or broken processes. An effective cybersecurity program integrates all these elements together seamlessly.
- Monitor Everything: While that’s a bit of an exaggeration, the reality is that no organization can prevent every breach. Its best hope is to catch the breaches early. With the growth of data analytics, it is now possible to collect and automatically analyze a much larger set of data than was possible a few years ago. Those tools are still maturing, but they deserve to be considered, particularly those tools that can monitor anomalous behavior at the application level. Moreover, human analysis is even more essential once the automated tools have generated their output. That means “eyes on the glass” 24x7 through either an internal security operations team or, more likely, through a managed security services provider.
- Defense in Depth: While this is an overused term, it is still accurate. Hackers have to complete a series of often complex tasks in order to successfully accomplish their objective, something that is commonly called the “Kill Chain.” That means implementing protections at multiple layers through controls like two-factor authentication for remote access and system administration functions, network segmentation, regular workstation and server patching, removal of administrative rights, and application whitelisting.
- Policy Means Action: It’s hardly a revelation to suggest that policy dictates from the top often don’t always get implemented in the trenches. And there are often good reasons for that, including lack of funding and business process disruptions. But that doesn't mean we should treat audit failures and breaches as fundraising opportunities. Increasingly they can turn into unemployment opportunities. The best time to demand more funding and business flexibility is during the policy creation process and its associated exception process. If a practice cannot be implemented consistently and comprehensively, say so and explain why and then come up with a different way to achieve the objective. And no manager should ever assume that lack of objections is evidence of policy adherence. Doing so may be hazardous to your career.