It has been almost two years since I started this incredible journey at CynergisTek and in healthcare. In that time, what I have found to be the most impressive is the amount of ongoing and constant change. Particularly, I have seen how security has changed in healthcare IT over the past few years and how as an industry we are responding to it to improve our ability to protect patient information.
Security Professional Shortage
Today, it is more common to work with healthcare organizations that have dedicated information security staff than it was just a year ago. Last year, HIMSS reported that 60% of organizations had a dedicated CISO, whereas the year prior that number was only 50.7%. As for non-executive and dedicated staff in 2017, 80% of respondents say they have dedicated security staff as opposed to just 42.7% last year. While we are seeing this increase, there is still a serious shortage of cybersecurity professionals. If we don’t keep working to find solutions, we can’t expect things to keep improving.
Proliferation of Ransomware and Malware
The industry has seen several cybersecurity incidents in the last few years, and even months, that were major eye-openers. Numerous ransomware and malware attacks have brought down hospitals and large portions of healthcare systems around the world. Some of these incidents jeopardized the hospital’s ability to provide care to the patient and have cost organizations billions of dollars. According to a study in late 2016 by Solutionary, the healthcare industry was the targeted victim of 88% of ransomware attacks in 2016.
While the amount of ransomware and malware is alarming, the good news is that these attacks are causing leadership and executive boards to realize the importance of addressing security and privacy. We are even starting to see some organizations obtain an increased budget to proactively take measures to address risks and vulnerabilities. These organizations are conducting internal and external security tests, such as penetration testing and security assessments, and discovering there is a lot of room for improvement.
In the past two years, we have also seen an outbreak of attacks that targeted outdated operating systems and networks. Patch management is one of the most critical corrective steps that can be taken in IT today and as evidenced by the numerous devastating attacks, it’s obvious we are not there yet. Below is a short list of a few of the most serious attacks that recently effected healthcare organizations with outdated operating systems and/or networks:
Each of these attacks – and numerous others not mentioned – could have been avoided if the organization had properly managed its systems and networks. Many cyber attacks today are reliant on unpatched vulnerabilities.
The impressive resilience and growing strength of the healthcare industry was highlighted by numerous natural disasters this year as well. We all watched in horror as entire cities have been under water, hurricanes have pummeled multiple coasts, and even earthquakes and wildfires have threated to stop healthcare organizations from providing care. But, over and over again, these entities have proven just how resilient they are by remaining open and providing care through the troubling times. For example, hospitals in Houston were able to evacuate patients at hospitals that could not remain open and did not experience a disruption of care despite the devastation caused by a hurricane.
While it has been incredible to see how healthcare organizations are responding to these events, we are still far from where we need to be. To continue moving the needle forward, we need to keep striving to improve our disaster recovery (DR) and incident response (IR) capabilities. One of the most effective things an organization can do to be better prepared to respond is to perform comprehensive tabletop IR/DR exercises. These will help highlight security and response gaps, as well as to update plans with the latest threats.
Looking Forward to 2018 and Beyond
As we begin to think about 2018, we need to think about the plan to improve security and include initiatives in the budget. Most organizations need more in-depth and frequent security assessments, as well as a focus on improving network segmentation. There are many specific things that can be done to address some of these challenges, such as:
- End-user training and awareness: This is the first step we must take as an industry to move forward and better ourselves. Security awareness should be an enterprise-wide initiative from the executives all the way down.
- Penetration testing and vulnerability scans: These will highlight unpatched and vulnerable systems so proactive measures can be taken.
- Staffing resources: Many organizations do not have the budget to hire full-time security professionals, or if they have the budget, they cannot find the specialized talent that they need. We are starting to see how third-party offerings are an effective way to get the help and resources needed. Many healthcare organizations are enlisting the help of managed service providers and even utilizing “virtual” CISOs .
- Conduct mock exercises: This could be a mock OCR or Meaningful Use audit or a tabletop disaster recovery exercise. Either way, these exercise highlight gaps and vulnerabilities before it is too late and help your organization measure its ability to respond to the real thing.
- Phishing exercise: These exercises help educate users on how to be more aware of phishing attempts and how to recognize some of the typical signs it is a phish. This will help your staff be ready for when a real one happens.
While security and the threat landscape continues to evolve, organizations must also continue to adapt their security programs. Whatever it is that your organization does, remember that we have to keep moving forward and growing as an industry. That way healthcare can continue its mission to keep the patient safe and healthy. CynergisTek is well positioned to help you too. We have experts that can help to proactively identify your security gaps before the bad guys do. To learn more visit our professional services page.