Why is cyber security in US healthcare in such a poor state? HRMR explores the causes, the consequences —and the best solutions.
The sheer scale of the cyber security crisis facing US healthcare can not be overestimated. The Ponemon Institute has reported that 94 percent of medical institutions have been victims of a cyber attack, while a survey by KPMG found that healthcare organizations are on the high end of the spectrum when it comes to cyber attacks.
What’s more, security practices and strategies in healthcare are failing to keep pace with the accelerating threat. Results from the 2014 SANS Endpoint Security Survey indicate that attackers are bypassing perimeter protections en masse and do not need to use stealth techniques to do so.
Once compromised, these networks are not only vulnerable to breaches, but can also be used for attacks such as phishing, distributed denial-of-service (DDoS) and fraudulent activities launched against other networks and victims.
With virtually all software, applications, systems and devices now connected to the Internet, the potential for everything from identify theft to hackers remotely tampering with medical devices is increasing. In mid-2015, for instance, news broke that certain Hospira drug pumps could potentially be hacked and made to administer deadly doses of drugs.
This is typical of a growing problem around the use of technologically advanced, but poorly protected, medical devices.
“Devices have become more and more technologically aware and now live on the hospital wireless networks,” says Mick Coady, health information privacy and security partner at PwC.
“Information flows freely across the network and the devices themselves have never been designed with security in mind, so the manufacturers are equally culpable.”
Blissful ignorance?
The situation becomes more disturbing when you consider that the majority of healthcare organizations are simply not noticing when they have been breached.
“The payment cycles are long, so you can get a compromise and it can go on for months before you catch it,” says senior SANS analyst Barbara Filkins.
“Information flows freely across the network and the devices themselves have never been designed with security in mind, so the manufacturers are equally culpable.” Mick Coady, PwC.
A SANS examination of cyber threat intelligence provided by Norse revealed exploited medical devices, conferencing systems, web servers, printers and edge security technologies all sending out malicious traffic from medical organizations.
“Some of these devices and applications were openly exploitable (such as default admin passwords) for many months before the breached organization recognized or repaired the breach,” writes Filkins in the SANS Health Care Cyberthreat Report.
KPMG provides further evidence that when healthcare organizations do notice a breach, they are not reacting appropriately. Its recent advisory, Health Care and Cyber Security: Increasing Threats Require Increased Capabilities, states that organizations are failing to understand, track, report and manage threats effectively.
“Mature incident and vulnerability management processes are lacking in most organizations and thus, daily threats aren’t even reported or managed effectively by many organizations,” it states.
It adds that many organizations remain compromised and therefore out of compliance for months, during which time their equipment can be sending out malicious communications.
Taking a step to properly detect what is going on can be revelatory: one KPMG client saw a 1000 percent increase in incidents and vulnerability reporting to their enterprise once they implemented an effective Security Operations Center (SOC) to intercept, interpret, and report on threats.
Michael Ebert, KPMG’s cyber healthcare and life sciences leader, agrees that a large percentage of the organizations are underreporting security threats.
“They are probably compromised and don’t even know it,” he says. In fact, 25 percent of respondents surveyed by KPMG say that, based on their organization’s current protection systems, they did not have, or did not know their, capabilities in real time to detect if their organization’s systems were being compromised.
Facing the costs
The healthcare industry’s inability to properly address the problem is surprising when you consider the repercussions of poor cyber security. According to the 2014 SANS Endpoint Security Survey, the costs of failed compliance or compromises are increasing. These costs include not only regulatory fines, but also the notification of victims and immediate remediation costs.
“There are legal risks from class-action lawsuits incurred following a breach, potential fallout in stock prices and the intangible costs of brand damage when word gets out about the company’s missteps,” writes Filkins.
Of course, efforts are being made to improve the situation but the reality is that healthcare is lagging behind other industries when it comes to cyber protection.
“If you compare it with banking and retail, healthcare is one to two decades behind in terms of security,” says Coady.
“US healthcare is currently in year two or three of the 10-year transformation that needs to take place. In other industries people have centralised
systems for identity management, security information management, security event management, mobile security management and data
loss prevention. Hospital systems are especially weak in these areas.”
The situation is not helped by the fact that the regulations governing compliance typically lag 12 months behind the ever-evolving threat.
“When you start focusing on the compliance you tend to move away from what is really happening,” says Filkins. “The intent of compliance is good—it sets out to to improve the situation, but the problem is that the generation of regulations usually runs behind the state of the art.
“It’s important to focus not just on compliance but also on what is going on in the industry today: that puts the emphasis into things that you might otherwise overlook.”
The future
Coady agrees that a more proactive approach is needed in order to fully understand—and combat—the threats. As a starting point he recommends acquiring a solid inventory of the devices you have and categorising them by manufacturer and type.
“From there you’ve got to determine whether the devices can be retrofitted or fixed from a perspective of adding security to them, or whether you are going to have to network zone them—that is, put them into their own network and add compensating controls to them or additional layers of security in front of them.”
Filkins suspects that emerging technologies will use techniques such as predictive analytics and machine learning to maintain higher levels of security.
“These are techniques that from a security standpoint have either been in the lab for years or have been used in the payment industry,” she says.
She also envisions a future in which security responses can be better targeted, doing away with the need for the kneejerk, blanket responses that spread panic and damage reputations.
“I expect to see more granular capabilities: if you can tell who has access to information and you can see anomalies, you can either turn off that access or step it down and it doesn’t necessarily mean you have to impact everybody else in the organization.”
The role of IT
One thing the experts agree on is that in the future, the IT function within healthcare organizations needs to be better funded and elevated to a much higher level. It also needs to be better linked to the clinical side of the operation.
“A lot of times there is a disjoint between the clinical teams and the IT folk; they are not talking to each other,” says Filkins. “In some cases there is also too much of an emphasis on compliance and what is reportable by regulation as opposed to understanding that breaches are probably going to happen anyway, and you need to look at even the small breaches to try to figure out how to do things better.”
Filkins advises working to raise awareness of these issues, ensuring that clinical staff work directly with IT staff: they each have to understand what is going on in the other’s department enough to be able to put in place a security framework that works.
“As well as the division between IT and clinical, there is also a division between IT and security,” she says. “They need to achieve a common understanding so that they can work together.”
Coady echoes these sentiments, saying that risk managers need to start treating the chief security officer (CSO) role more as a risk management position and less as an IT position.
In the light of these changes, he adds, it may be necessary to rethink who holds the CSO role.
“Sometimes the people in those positions have been there for 20 years and are not that business-savvy. They are not the right people to hold an executive role in a hospital or insurance company.”
Finding the money
Recommending an enhanced CSO role is one thing but affording it may be another matter.
“The biggest risk over the coming 12 months is healthcare not finding the money to catch up to the level that other industries are working to,” says Coady.
KPMG’s spokesperson agrees, saying that the magnitude of the threat against healthcare information has grown exponentially, but the intention or spend in securing that information has not always followed.
“Healthcare providers generate the bulk of the information in healthcare, but there has been a significant under-investment in protecting information,” he says. “Hospitals have understandably invested in technology that saves patients rather than data protection. The risk from underinvestment is compounded by hackers who have become more sophisticated when it comes to infiltrating networks.”
KPMG’s Health Care and Cyber Security advisory concludes that investment in security needs to become part of a cohesive, coordinated digital strategy centered around a well-prepared and coordinated cyber security team and a security operations center.
“A successful approach requires appointing an executive with sole responsibility over cyber security, as well as capabilities for instant monitoring,” it states. “Other areas that need to be covered include managing the breach itself and communicating with various constituencies.”
The aim is increased cyber security awareness and capabilities at all levels within the organization—and within all departments, and it is worth remembering that cyber security is a business risk as well as a technology risk, meaning that cyber security executives need to be equally conversant in both.
“While the executive involvement typically boils down to the awareness component, it is important to have board members savvy about cyber security and able to help management in this area,” the report adds.
Recent high profile breaches are a reminder that at present, US healthcare providers remain wide open to attacks. Compliance only scratches the surface of what is needed to truly ensure that patients and their information are safe, and changes need to take place quickly to avert further breaches.
Greater communication between risk management, clinical staff and IT is undoubtedly a core part of setting healthcare organizations on the right path, as is investing in IT executives who can take a global view of cyber risk. Finding the money remains the challenge.
Mick Coady, PwC, Michael Ebert, KPMG, US, Crisis management
