We cannot afford for healthcare security to be the “lowest-hanging fruit”
Healthcare organizations have never been more essential. Yet when it comes to cybersecurity, too many hospitals, medical groups and research centers lag far behind other critical industries.
While it is easy to blame this security deficiency on a persistent lack of investment, technology is not the only problem. A chronic dearth of cybersecurity expertise has left far too many healthcare organizations vulnerable to another type of virus: marketing.
These chronic security deficiencies leave too many healthcare professionals struggling to keep pace not only with threats, but also with other organizations, creating easy targets for attackers.
Protecting healthcare data “forever” must start now
In the early days of cybercrime, attackers tended to avoid targeting the healthcare industry, even though providers generate an abundance of sensitive data in the form of medical records that must remain accessible and secure forever. Financially motivated criminals generally focused on more direct means to make money, such as credit card numbers.
That began to change with the emergence of ransomware, which targeted nearly every organization with data to protect. This trend has continued through the pandemic as Ryuk ransomware spread across dozens of hospitals and healthcare organizations in the United States along with COVID-19. The extortion behind such threats is particularly effective when the need to keep operations running is a matter of life and death.
Targeting health data during a pandemic is particularly heartless, but a few attackers have gone to the next level and used stolen data to target patients directly. This was the case in the notorious breach of Vastaamo, a Finnish psychotherapy provider. Attempts to extort individuals with their mental health medical records terrorized 25,000 victims and led to Vastaamo quickly going out of business.
Security breaches cannot be filled with “shiny objects”
Many, if not most, healthcare organizations run legacy systems built on outdated operating systems that may no longer receive security updates. This makes them “low-hanging fruit” for well-resourced attackers.
There is a simple reason for this industry-wide problem: budgets.
Healthcare institutions are generally publicly funded and must fight for every penny they spend, especially those not directly spent on patient care.
A recent survey of industry decision-makers by the Healthcare Information and Management Systems Society (HIMSS) found that 73% of respondents said their organization needs more cybersecurity funding in order to remain “secure, effective and compliant,” yet only 40% expect that funding to come through.
The good news is that the market is getting better at delivering tools that can block, tackle, and adapt to new risks. And this makes sense; security solutions should be getting better. Still, as entities spend more, the effectiveness of their technology often stagnates or even declines.
Why? All too often, these organizations are looking at the wrong problems. A lack of internal expertise can make decision-makers susceptible to good PR and marketing, leading them to spend their money on “shiny objects” or engage with too many vendors, unnecessarily complicating their security posture.
More money is not always enough, or even necessary
Clearly, not every healthcare organization is going to be able to spend enough, or even more, on cybersecurity.
The path to improving healthcare security starts with administrators evaluating their current state of security and the tools implemented on their networks to ensure they are being used effectively, particularly the most expensive tools in the organization’s arsenal.
The organization’s CISO can use a scorecard or checklist to rank the security and defensive measures. Next, this evaluation can be broken down into categories and compared against an objective model such as the National Institute of Standards and Technology’s Cybersecurity Framework.
The overall goal should be to reduce the attack surface as much as possible by taking steps such as reducing complexities, eliminating vulnerabilities, and securing devices.
The next step is to identify targeted investments. To do this, decision-makers must prioritize the evaluation of their security technology to determine its true value. This requires steering away from using technology simply because it is well-known and concentrating on solutions that address a specific problem within the environment.
But what if we do not know how to do that?
Healthcare entities that lack security leadership should consider contracting outside consultants, virtual CISOs (vCISOs) or a managed security service provider (MSSP) – or a mix of all three. By talking to industry peers, organizations can find the right outside help to fill that expertise gap almost instantly.
MSSPs can provide outsourced management, monitoring of security devices and systems, intrusion detection, VPNs, managed firewalls, vulnerability scanning, and endpoint protection.
By deploying high-availability security operations centers (SOCs), MSSPs can reinforce the organization’s IT security department with outside security operations personnel. Other advantages include the ability to leverage insights and strategies the MSSP has gained from protecting hundreds of thousands of customers.
But which MSSP should they choose?
The less someone knows about security, the more likely that person is to just go with the big name. vCISOs are paid to see through the hype and know what solutions work best and for whom. They have the time and experience to make these assessments—and their success depends on delivering the right answers.
Healthcare security: Reducing risk for patients and providers
If you go driving without a seatbelt or your glasses, you are putting yourself and everyone on the road at greater risk. Seatbelts and glasses do not eliminate risk, but they represent the bare minimum of preparations that must be taken when lives are on the line.
Healthcare organizations that fail to properly assess their own weaknesses or fail to address the expertise they lack are putting themselves and everyone they serve at risk. The urge to spend money fast may feel like a simple way to eliminate these risks, but when it comes to investing in cybersecurity solutions, quality matters much more than quantity. And only an expert can help assess if money is being spent well.
Shrinking the security gaps that put health data at risk must be an industry-wide priority. Better protection for everyone who must secure private medical information is the first step toward deterring the cyberattacks that could put society’s health and well-being in danger.