In Healthcare Cybersecurity, Be Sure To Take Care of the Basics
The healthcare sector has been through a lot of changes over the last seven to 10 years. Healthcare delivery organizations (HDOs) have rapidly adopted Electronic Health Record (EHR) systems to digitize their data. This transition was partially driven by government subsidy programs, such as Meaningful Use (now known as Promoting Interoperability), which provided financial benefits to healthcare providers that adopted EHR technologies. It was designed to provide benefits to both patients and providers, ultimately improving patient care.
However, some believe this program unintentionally contributed to rushed technology deployments, where organizations cut corners and did not include basic security in their deployments. The healthcare sector now finds itself in the middle of a cybersecurity crisis, where disruptive cyber-attacks are one of the biggest game changers the sector has seen in some time. To top things off, the industry has been forced to cope with the global COVID-19 pandemic over the last year and a half, which has shifted workflows and increased the attack surface for many providers.
Cybersecurity threats targeting the healthcare sector have skyrocketed over the last several years. In 2015, Anthem experienced a massive data breach where almost 79 million patient records were stolen. This breach remains the largest ever in healthcare. The following year, a ransomware attack on Hollywood Presbyterian Medical Center in California started an alarming trend of ransomware disruptions to HDOs. Things were getting worse in healthcare cybersecurity and it was becoming apparent that something needed to be done. In the summer of 2017, the U.S. Department of Health and Human Services’ (HHS) Cybersecurity Task Force presented a comprehensive report to the U.S. Congress entitled “Report on Improving Cybersecurity in the Health Care Industry.” This report sounded the alarm with its statement “healthcare cybersecurity is in critical condition” and the sector’s lax security practices were causing a severe risk to patient safety.
Surely things have gotten better since then though, right? Wrong. In fact, it has gotten worse.
Healthcare cyberattacks rose by 55% in 2020 alone, with more than 26 million people in the U.S. impacted. Data breaches in healthcare are also more expensive than any other industry, with an average cost per breach of $9.2 million in 2020, an increase of $2 million over the previous year. Patient care across the U.S. is increasingly being disrupted by ransomware attacks, which often require providers to divert or transfer patients to other facilities. When a hospital suffers a ransomware attack, caregivers often cannot access information needed for treating patients. When critical data like diagnostic images, medication dosages, and patient allergies are not available, patient care can grind to a halt.
Universal Health Services (UHS) manages more than 400 hospitals in the U.S. and they were targeted with ransomware last September. All of their hospitals were forced to operate under EHR downtime procedures and some insiders said the environment was extremely chaotic during the attack. In October, the Vermont governor deployed the Army National Guard to assist the University of Vermont Health Network after they fell victim to a ransomware attack. In Germany, a patient died in transit to another hospital after The Duesseldorf University Hospital was forced to divert patients after a ransomware attack.
How did things get so bad for healthcare? While there are many factors involved, a few things that make healthcare a favorite target for cyberattacks include: the high resale value of stolen medical records, the industry’s well-documented poor cyber defenses, and providers’ willingness to quickly pay ransoms due to the patient safety impact. Healthcare data, or PHI (Protected Health Information), is sold on the black market for many times more than financial data, such as stolen credit card information. A typical medical record contains a treasure trove of valuable information that can be used for multiple types of fraud which can be difficult to detect. So, it starts with healthcare having a valuable asset with a long shelf life – its data.
Innovations in healthcare technology have created many opportunities to improve patient care and HDO’s have flocked to these new technologies in droves. Their rush to deploy and create ad-hoc interfaces with EHRs have created two issues. First, it has created complicated hospital networks that lack standardization. This increases the attack surface and makes it virtually impossible for exhausted hospital IT teams to adequately manage and maintain these networks, much less secure them. Secondly, rushed IT projects sometimes led to cutting corners and oftentimes, that meant security was reduced or eliminated altogether. At the time, I’m sure many thought that was ok since after all, who would want to attack a hospital anyway? Unfortunately, relying on compassionate criminals is not a sound strategy.
So what needs to be done to address this crisis? There is no easy answer or silver bullet, but there are a few things that could help. For starters, healthcare can learn a lot from other sectors that have been more successful dealing with cyber threats. I’ve spent a good portion of my career in banking and I believe the healthcare sector should really take a look at how financial services treats cybersecurity issues and manages risk. In financial services, cybersecurity risk is owned by business leadership and treated like any other business risk. In healthcare, some organizations’ leadership still view cybersecurity as an IT or technical issue that should be “fixed” by the security team. This approach is only a pathway to failure. Cybersecurity risk is a business risk, no different than other organizational risks, such as financial, regulatory, reputation, and clinical risks. The sooner healthcare business leaders come to grips with this fact, the sooner the problems can be addressed. Success is found by treating cybersecurity as a business risk, owned by business leaders, and by taking a methodical and measured approach to digital transformation, where security is baked in from the beginning. Avoid trying to bolt on security after the fact. It’s rarely effective and almost always disruptive.
At a more tactical and technical level, healthcare must focus on the IT basics. When I first began working in the healthcare industry, I was shocked at the lack of fundamental IT hygiene. For instance, many healthcare organizations still struggle mightily with IT asset management. You can’t secure, or manage for that matter, an environment if you don’t have a clear picture of what’s in that environment, what systems are critical to the business, and where sensitive data exists and flows through systems. Healthcare also has an epidemic of legacy systems, unpatched systems, and exposed vulnerabilities. Standards, especially secure configuration standards, are in short supply in most organizations. Even though network segmentation has been used for years in other sectors, most healthcare networks are still flat, which allows an attacker to freely move from one system to another to get the organization’s most critical assets. I see many healthcare organizations still struggle to control administrator access and consistently deploy basic multi-factor authentication. There is simply no excuse for not having multi-factor authentication in place nowadays. None of these are advanced, next-generation security defense tactics either. It’s just basic, blocking and tackling that should be foundational in every network, no matter the industry or company size. Too often, I see technical teams chasing the shiny objects, enamored with the latest technology buzzwords, acronyms, and vendor promises that their solution will solve their problems. While some of these technologies and tools are great additions to a security program, how effective can they be without a solid foundation in place? I believe organizations would be better served to address the 80% by sticking to the basics before looking into advanced tools. No matter what – no defensive control will be 100% effective. That is why it is equally important for every organization to make sure they have adequate detection, response, and recovery plans and procedures in place so they are prepared for the inevitable.
Healthcare security teams own some responsibility here too. They must work to understand the business of healthcare and always keep in mind why the organization exists – to provide quality patient care. Successful businesses take risks each and every day. Security’s job is to identify cyber risks, measure the impact, inform management of the risks, and provide advice and consultation on potential mitigation strategies. They cannot own or fix the risks. The business owns risks and they may very well decide to accept those risks. That’s ok if they do. Security should have leadership sign off on the acceptance and maintain the documentation. That is security’s job. Their job is not to fix an organization’s security risks. Security teams also must avoid using scare tactics to frighten leadership into putting security in place. Fear, uncertainty, and doubt will only get you so far. A more sustainable model is to build trust and show you are a partner with the business’ best interests at heart.
HHS was right when they said healthcare cybersecurity is in critical condition, but it doesn’t have to remain that way. While the sector overall is behind on cybersecurity, I have also seen some healthcare security leaders doing some very good things to mature their organization’s security posture. This shows that things can be done better, without negatively impacting patient care.
Changing this trajectory will require leadership, support, people, and a sound and focused strategy. Difficult decisions will need to be made and clinical and business workflows will need to be changed. Healthcare and IT leaders must avoid the temptation to claim they can’t implement security because it will negatively impact patient care. The evidence is overwhelming that NOT putting the appropriate security in place is already negatively impacting patient care and patient safety, and we owe it to our patients to do better as an industry.
Steve Crocker is CISO at Methodist LeBonheur Healthcare and Advisor of the Global Healthcare Industry Council at Palo Alto Networks.