[BreachExchange] Why Isn't Healthcare Doing More To Protect Against Cyber-Attacks?

Audrey McNeil audrey at riskbasedsecurity.com
Tue May 17 20:39:10 EDT 2016


http://www.healthitoutcomes.com/doc/why-isn-t-healthcare-doing-more-to-protect-against-cyber-attacks-0001

Three steps to reverse the trend.

It’s well established that healthcare is one of the most targeted
industries for cyber-attacks. Over the past five years, attacks on
healthcare institutions have risen 125 percent, and personal health
information is now seen as 50 times more valuable than financial
information on the black market. Reports from the likes of the Institute
for Critical Infrastructure Technology further show what a significant
problem cyberattacks are for healthcare organizations:

- Of the 16 top vertical sectors, healthcare suffered the most data
breaches over the first six months of 2015 — 21 percent of the 888 reported
breaches.
- The average healthcare organization has battled at least one cyberattack
per month over the last year.
- Eighty-one percent of 223 healthcare CIOs, CTOs, Chief Security Officers,
and Chief Compliance Officers surveyed report their organization was
compromised by at least one cyberattack in the last year, an improvement
over the prior statistic but still an indication hackers are winning the
battle.

Furthermore, recent headlines such as "Healthcare firms invite cyberattacks"
and "Report: Healthcare the least prepared sector against cyberattacks" make
it clear that not only is this problem not going away, but healthcare
organizations are allowing it to continue.

This raises the question: what's holding healthcare organizations back from
doing more to protect themselves?

They’re Focusing More On Productivity Than Security
Doctor/nurse efficiency and productivity have been seen as a major driver of
healthcare IT changes over the past few years. Productivity, rather than
security, has been the call to arms. Doctors need to be able to move quickly
from system to system and device to device without obstacles.
Unfortunately, in many cases, productivity and security have been seen as
an either/or decision. That is not true across the board (certainly not with
identity and access management technology, for example), but that thinking
has spread enough that many in healthcare view the situation in that light,
and they have chosen productivity as the priority.

HIPAA Leads Them To Focus On Compliance More Than Security
The national compliance standard, intended to protect the privacy of
patient data, can be partially blamed for the inaction of healthcare
organizations in securing that data. HIPAA instructs medical providers on
when they can share patient information and with whom. It also states
healthcare organizations must protect patient data and information. What it
does not do is establish how that data must be secured. HIPAA contains very
few mandates on the protection of patient information. This leads many
healthcare facilities to build an infrastructure that is compliant with
HIPAA rather than secure. It’s actually created a false sense of security
among many healthcare providers. Many that are in compliance with HIPAA
actually are not securing patient information very well at all, as the
multitude of recent cyber-attacks has revealed.

Executives Are Not Prioritizing Security
Amazingly, even with all the data and evidence demonstrating the clear and
present danger of attacks, security doesn’t seem to be a priority for those
running healthcare organizations. On average, healthcare providers spend
less than 6 percent of their IT budget on security. Their counterparts at
financial institutions spend at least double that (12 to 15 percent of their
IT budget), while the federal government spends 16 percent of its IT budget
on security. Another sign that security isn't receiving adequate attention in
the boardroom is the fact that 60 percent of healthcare boards of directors
only get security updates on an as-needed basis, compared to regular
quarterly reports on finances and operations.

All of these issues have contributed to the growing problem healthcare
institutions face with cybersecurity. The longer they’re seen as
vulnerable, easy targets, the more the attacks on them will continue. With
the use of networked medical devices continuing to increase, we can only
expect hospitals and other healthcare providers to become even more
appealing targets for attackers.

Healthcare organizations must begin improving their security programs,
protocols and solutions now. To reverse this trend and begin proactively
securing their organizations, healthcare providers should take three steps
toward a company-wide shift in security.

1. Focus On Security First
Security has to become the foremost priority. Healthcare providers must
stop sacrificing security for productivity and compliance. They need to
seek out the solutions that don’t require them to make trade-offs. These
solutions do exist. There are technologies built to protect an
organization, which also enable greater business agility and compliance.

2. Invest More Resources In Security
Maybe it’s budget. Maybe it’s bodies. The specifics depend on the
organization, but healthcare providers need to direct more resources toward
security. With all the breaches we’ve seen of late, it’s clear more
attention must be given to security. This could mean those in charge of
budget allocation need to shift their approach to analysis, or perhaps
those requesting budget for security solutions need to change how they
position their request. In many cases, when budget dollars are up for
grabs, more attention goes to patient-facing technologies that can be used
to improve patient care or drive new revenues. The ROI for solutions like
these can often appear to be greater and sexier than the ROI for security
infrastructure.

To overcome this unintentional ROI bias, those making security requests
must supplement their ROI analyses. Instead of relying solely on ROI, add a
risk assessment report or a security audit to the decision. This report or
audit would cover the technology that funding is being considered for (IAM
software, a firewall or an intrusion detection system, for example). It
would define the breaches the technology can prevent and analyze the
vulnerabilities the organization currently faces without the technology. An
assessment report would also estimate the probabilities of the breaches
identified, as well as the likely losses if they were to take place.
Complementing the projected ROI of the solution with this numerical risk
data can make a more compelling case for security technology when
positioned against patient-facing tools for budget. The numerical risk data
becomes even more persuasive when paired with real-world examples of
breaches, along with the costs the attacked organizations had to spend in
the aftermath.

Ultimately, the costs of proactive preventative security solutions are
minimal when compared with the expenses of dealing with a cyber-attack,
especially when factoring in the applicable HIPAA fines, which now reach
into the millions.
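As an added illustration (not part of the original article), the following Python puts the supplement described above into working form: each breach scenario gets an estimated annual frequency and loss per event, each control a fraction of the scenarios it mitigates, and competing budget requests are ranked on the same (benefit minus cost) basis, so a security control's avoided loss can be set beside a patient-facing project's projected revenue. Every scenario rate, loss figure, mitigation fraction and project name below is a constructed assumption for the example, not data from the article.

```python
"""Risk-adjusted comparison of budget requests (constructed example).

Complements a plain ROI figure with the expected-loss data a risk assessment
report would carry: per breach scenario, an estimated annual frequency and
loss per event (response, downtime, regulatory fines); per security control,
the fraction of each scenario's frequency it removes.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class BreachScenario:
    name: str
    annual_rate: float      # expected events per year (may exceed 1.0)
    loss_per_event: float   # response, notification, downtime, fines (USD)

    def __post_init__(self) -> None:
        if self.annual_rate < 0 or self.loss_per_event < 0:
            raise ValueError(f"{self.name}: rate and loss must be non-negative")


@dataclass(frozen=True)
class SecurityControl:
    name: str
    annual_cost: float
    # scenario name -> fraction of that scenario's frequency removed (0..1)
    mitigation: Dict[str, float] = field(default_factory=dict)

    def __post_init__(self) -> None:
        for scenario, m in self.mitigation.items():
            if not 0.0 <= m <= 1.0:
                raise ValueError(f"{self.name}: mitigation for {scenario} outside 0..1")


@dataclass(frozen=True)
class PatientFacingProject:
    name: str
    annual_cost: float
    projected_revenue: float


def annualized_loss(scenarios: List[BreachScenario],
                    control: Optional[SecurityControl] = None) -> float:
    """Expected yearly loss across scenarios, optionally with a control in place."""
    total = 0.0
    for s in scenarios:
        reduction = control.mitigation.get(s.name, 0.0) if control else 0.0
        total += s.annual_rate * (1.0 - reduction) * s.loss_per_event
    return total


def net_benefit(scenarios: List[BreachScenario], item) -> float:
    """Annual net benefit: avoided loss (controls) or revenue (projects), minus cost."""
    if isinstance(item, SecurityControl):
        avoided = annualized_loss(scenarios) - annualized_loss(scenarios, item)
        return avoided - item.annual_cost
    return item.projected_revenue - item.annual_cost


def return_on_investment(scenarios: List[BreachScenario], item) -> float:
    """ROI for projects, ROSI for controls, both as (benefit - cost) / cost."""
    return net_benefit(scenarios, item) / item.annual_cost


def rank_requests(scenarios: List[BreachScenario], requests: list) -> list:
    """Sort competing budget requests by risk-adjusted net annual benefit, best first."""
    return sorted(requests, key=lambda r: net_benefit(scenarios, r), reverse=True)


# Constructed figures for illustration only; a real report would derive them
# from incident history, threat intelligence and the organization's own audit.
SCENARIOS = [
    BreachScenario("phishing-credential-theft", annual_rate=2.0, loss_per_event=400_000),
    BreachScenario("ransomware-on-records-system", annual_rate=0.25, loss_per_event=2_500_000),
    BreachScenario("lost-unencrypted-laptop", annual_rate=0.5, loss_per_event=300_000),
]

IAM_MFA = SecurityControl("IAM with multi-factor authentication", annual_cost=250_000,
                          mitigation={"phishing-credential-theft": 0.8,
                                      "ransomware-on-records-system": 0.4})
DISK_ENCRYPTION = SecurityControl("Endpoint full-disk encryption", annual_cost=60_000,
                                  mitigation={"lost-unencrypted-laptop": 0.95})
PATIENT_PORTAL = PatientFacingProject("Patient portal app", annual_cost=300_000,
                                      projected_revenue=600_000)
REQUESTS = [PATIENT_PORTAL, IAM_MFA, DISK_ENCRYPTION]


if __name__ == "__main__":
    print(f"Baseline annualized loss: ${annualized_loss(SCENARIOS):,.0f}")
    for r in rank_requests(SCENARIOS, REQUESTS):
        print(f"{r.name:40s} ROI {return_on_investment(SCENARIOS, r):5.2f} "
              f"net benefit ${net_benefit(SCENARIOS, r):,.0f}")
```

With these constructed inputs the patient portal shows a respectable ROI of 1.0, yet the IAM control ranks above it once avoided loss is counted, which is exactly the comparison the risk assessment report is meant to make visible. The model uses single-point estimates; a fuller report would carry frequency and loss as ranges so the uncertainty in the ranking is visible as well.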

3. Centralize Security
Healthcare organizations often consist of a hospital, a clinic, and a lab
all working with the same patient information but with different medical
and patient record systems using varying degrees of security. This type of
infrastructure — with multiple, unconnected security systems — actually
increases an organization’s risk. Each patient record has multiple points
of entry through the disparate security systems an attacker could target
for intrusion. In instances like this, healthcare providers must have one
central security team, led by a CISO, to manage and oversee all security
projects. Access can still be decentralized by department or group, but the
systems must be connected. Limited entry points mean limited points of
attack. The CISO and security team should also implement a security
awareness program across the whole organization so employees can understand
the risks they could encounter and are trained on how to react when they
do. A central team is more likely to be successful in rolling out
comprehensive training programs and communicating to the employee base than
an uncoordinated, loosely affiliated group of multiple security teams.

Healthcare organizations must get proactive in dealing with their security
instead of waiting for something to happen to make changes. Cyberattacks
have become too damaging and too costly to sit back idly and wait. Systemic
change is needed at healthcare organizations, from systems admins all the
way up to the CEO and board. The right people, technologies and protocols
need to be implemented that can prevent attacks and minimize damage in the
event of an attack.

Failing to get serious about preventing attacks like those we've seen
recently means we'll continue to see alarming, damaging headlines. Take
action now. Don't become the next headline.