The Future of Healthcare Security

The start of a new year causes us to reflect on the past year and determine both the current state of the industry as well as where we are heading. As 2018 began, everyone pored over the 2017 annual reports and was, once again, bemoaning the sorry state of the healthcare industry’s security posture. According to HHS, there were 289 breaches reported in 2018, which is more than last year, but the total number of records lost has gone down some.

Increased awareness of the top threats, coupled with the fact that criminals continue to target healthcare, has kept the threat of a breach top-of-mind for knowledgeable leaders. Because of this, more organizations are implementing programs and solutions to help keep their systems secure. However, all the gains are for naught if the industry does not continue this momentum and improve security even more in 2019 and beyond.

Presenting Security to Executives

Believe it or not, continued targeting of the healthcare industry has a silver lining for those concerned about the security and privacy of data stored on healthcare networks. The increasing attention of criminals and major breaches costing millions of dollars is exactly what is needed to move the needle in the right direction.

However, the issues need to be brought to appropriate groups in language that is clear and accessible to them. This year the goal should be to make the threat known to everyone from the board members down to part-time staff and even volunteers and patients. Communication should be appropriate for the audience and stabilizing, not adding to the chaos. The best way to get non-IT staff to understand the importance of security is to put it in their terms.

For example, when presenting the need for increased security budgets and staffing to executives or board members, translate your needs into business terms (e.g. money, operations, time) they are more familiar with. When you talk to the providers, talk about patient safety and their continuing ability to provide care. Those are just two possible suggestions, but every single organization – regardless of size and makeup – is different from the next, and the only way to truly communicate is to make security apply to them. Make it about their own risks: operational, financial, care to patients, etc. It not only has to be personal – it is.

IT Budget Allocation for Security

According to a 2018 survey, most healthcare organizations spend less than 3% of their annual information technology (IT) budgets on security, with many organizations allocating less. It is vital that this statistic changes in 2019. For too long IT has been considered overhead and has been budgeted as such. There is no industry where the business is more dependent on timely, accurate, and reliable data than healthcare. Few healthcare organizations can function for extended periods without access to information and information technology. IT is crucial to keep healthcare running, and the loss of IT can quickly lead to delays and the inability to provide full care services and conduct the business of healthcare (scheduling, orders, billing, etc.).

The Impact of Downtime

Downtime procedures are usually applied because of IT and EHR issues, but can affect the entire organization’s ability to function. Technology is a cornerstone of the ability to provide care to patients, and unless everyone in the organization understands and takes security seriously, progress will not happen. In addition to recognizing that IT needs to be a key budget item and a cost of doing business, standard practice should be that information security is not a subsection of IT. Information security is a strategic business budget item and should be treated as such. Building an IT strategy that is not properly secured will adversely impact the business to a much greater degree than IT or information security.

Trending Types of Attacks

The threat landscape is a cyclical process; it tends to surge with certain types of attacks, while others become less common. In 2017, ransomware and malicious software disguised as ransomware were the most prevalent threats. While ransomware remained a serious threat in 2018, with some statistics showing a decrease in overall attacks, there was growth in crypto-jacking malware that hijacks processor power to “mine” crypto-coins. Last year, the industry also saw a major increase in phishing emails designed to redirect employee payroll. It is expected that similar cycles will continue in the foreseeable future; however, this phishing trend appears to be in an early evolutionary phase.

In December there was a very public escalation of phishing attacks when dozens of organizations across all verticals received phishing emails claiming there were explosive devices planted in their building that would be set off unless a ransom was paid. This is incredibly frightening, especially for an industry like healthcare where patient safety is of paramount importance. It takes time to search an entire building or campus for explosive devices, and doing so causes major disruptions. Even when the authorities were able to confirm that there was no evidence of an explosive (which turned out to be the case in all of these particular attacks), it had major impacts on the targeted organizations. In fact, one local high school in Colorado ended up closing for the day after receiving these bomb threats. An hour of downtime costs upwards of $500,000, and these bomb threat phishing emails can easily cause more than an hour of downtime while searches are conducted.

The Goal for 2019

Based on the trends revealed over the last few years, it is very likely that we will continue to see bad actors pay significant attention to healthcare. To move the needle forward, organizations must be prepared for when an attack happens, rather than pouring all of their efforts and resources into the fruitless attempt to prevent all attacks.

As an industry, there is a need to move forward toward a better understanding of everyone’s responsibility to protect the organization. As was mentioned above, an organization cannot have a truly effective security and awareness program without buy-in from the top down. In 2019 the most important thing that healthcare can do is to make security a priority and no longer an afterthought.

April 2nd, 2019

About the Author:

John Nye
John Nye is Senior Director of Cybersecurity Research and Communication for CynergisTek and has spent the majority of the last decade working in Information Security, half of that time working exclusively as a professional penetration tester. Besides testing and improving security, John has a passion for educating and informing the public. He accomplishes this by presenting hacking demos regularly at industry conferences and groups as well as writing blog posts for CynergisTek and industry publications. Nye’s specialties include wireless, web, and system penetration testing, user education and public speaking, information assurance, security auditing, policy compliance and writing, and security research and analysis. Some of his industry certifications include CISSP, Licensed Penetration Tester (LPT) and Certified Ethical Hacker (CEH).