‘Cybersecurity has become a full-time job’ in healthcare

As the nature of the threat evolves, there are calls for the Department of Health and Human Services to create a cyber leader in the form of an elevated chief information security officer.

If 2015 was supposed to be the “year of the hack” in healthcare, cybercriminals really were just getting started. This year, we have seen the rise of ransomware targeting healthcare organizations, plus continued phishing attacks and even some good, old-fashioned laptop theft.

Then, on Oct. 21, hackers unleashed a series of distributed denial-of-service (DDoS) attacks on the East Coast, effectively shutting down access for millions to popular sites, including Twitter, Spotify, PayPal, Netflix and Comcast. According to Ilya Braude, vice president of technology at digital health consulting firm Medullan in Cambridge, Massachusetts, the attacks infected Internet of Things devices with malware.

“It didn’t target a specific product,” Braude said. “It attacked Internet infrastructure.”

That could have huge implications for healthcare, which is just starting to embrace the IoT.

“This is something that’s going to accelerate,” Braude said.

In other words, it’s been another rotten year for healthcare cybersecurity. Organizations, including providers, payers and even some vendors are scrambling to keep up as the nature of security threats evolves.

Case in point? Less than a week after the DDoS attacks, the Healthcare Information and Management Systems Society (HIMSS) issued a call to action on cybersecurity. The nonprofit group recommended the following:

  • The healthcare industry should adopt “a voluntary, universal information privacy and security framework with use cases and implementation guidance—scalable for a wide range of healthcare organizations and inclusive of small, medium, and large providers”;
  • The U.S. Department of Health and Human Services should create a “cyber leader” role in the form of an “elevated chief information security officer” to serve as an example for healthcare organizations nationwide; and
  • Government and private organizations need to address a workforce shortage in cybersecurity.

The latter recommendation is especially important given how high-profile the issue is becoming in healthcare.

“Cybersecurity has become a full-time job,” Karl West, CISO of Intermountain Healthcare in Utah, said at AEHIX, an adjunct conference to the College of Healthcare Information Management Executives (CHIME) Fall CIO Summit this month in Phoenix.

“There is a call for all of us to do better,” West said. He said that healthcare may only be at 30 percent to 50 percent of compliance with the required security regulations. Healthcare trails other industries in this area because it has spent so much money on transforming care with IT, while cybersecurity has ended up taking a back seat.

At the annual U.S. News and World Report Healthcare of Tomorrow summit held earlier this month in Washington, D.C., Dr. Brian Jacobs, CMIO of Children’s National Medical Center, said that the hospital now dedicates 19 percent of its IT budget to security, Politico reported.

Children’s National certainly is an outlier. While the finance industry spends more than 10 percent of its IT budget on security, health insurance companies are at maybe 8 percent and healthcare providers at 3-to-5 percent, West said.

A study from HIMSS and Symantec earlier this year put that number at 6 percent. And frighteningly enough, the Ponemon Institute found that about half of healthcare organizations and their business associates had not increased their cybersecurity budgets in the last year. About one in 10 actually lowered spending on security.

But Himachal Mukhopadhyay, senior vice president of Infinite Computer Solutions, an IT services company based in Rockville, Maryland, said that healthcare organizations are starting to wake up to the reality of new threats in the last couple of years.

“Every organization has a separate security budget,” Mukhopadhyay observed. “They’re hiring chief information security officers.”

This person typically reports to the chief compliance officer rather than the CIO, he added. Infinite is sponsoring more privacy and security events at local HIMSS chapters, and Mukhopadhyay has seen a huge uptick in attendance lately.

Still, healthcare has much to learn from other industries. In every project Mukhopadhyay sees outside of healthcare, security is part of the IT development process; companies aren’t just reacting after implementation. Meanwhile, he believes that 70 percent of healthcare organizations are lacking in this regard.

“They don’t have processes to implement as a security policy and follow it continuously,” Mukhopadhyay said. “Users have to be trained.”

Another problem seems to be the lack of benchmarks to know how much the expense on cybersecurity should be as a percentage of overall IT spend.

“Healthcare doesn’t have good benchmarks on security spend as a percentage of IT spend,” said Bob Chaput, CEO of Clearwater Compliance, a healthcare security firm based in Nashville, Tennessee.

At the same time CIOs really want to understand how to protect data and how to benchmark against their peers, Chaput said, based on a focus group of CIOs that Clearwater Compliance convened at the CHIME meeting.

While Verizon Communications has identified the “Nefarious Nine” causes responsible for 96 percent of data breaches across all industries, healthcare appears to have only three culprits. According to a December 2015 Verizon report, those are: lost or stolen assets; privilege misuse; and “miscellaneous errors,” including information misplacement, misdelivery, disposal errors and publishing mistakes.

“There are fewer events in healthcare, but they are massive in scale,” said Chris Bowen, chief privacy and security officer for ClearData, a healthcare cloud storage and security company.

Plus, protected health information — what HIPAA is meant to safeguard — has a longer shelf life than other kinds of data. People can get new credit cards and bank accounts if those numbers are stolen, but health information is more constant, Bowen explained. “There needs to be constant vigilance around PHI,” he said.

“There’s no one magic bullet,” Bowen continued. “Approaching security is blocking and tackling every single day.”

That’s because there are so many ways to compromise health data and even patient safety. Hackers, like burglars, are going to go where it is easiest to break in. Healthcare CIOs at CHIME said it is an eternal struggle to remind staff not to click on any email links that seem suspicious.

Medical devices can be hacked through web interfaces.

“A lot of times, credentials are never changed from the default,” Bowen said. And a hack of a medical device could potentially kill a patient, particularly if someone changes the dosage on an infusion pump or adjusts settings on a pacemaker.

IoT devices often do not have encryption, according to Braude of Medullan. Even on devices with Secure Sockets Layer (SSL) encryption built in, the technology is not always properly implemented; devices may not authenticate users or require strong passwords, Braude said.

Bowen agreed.

“The Internet of Things in healthcare is something that people need to wake up to,” Bowen said.

However, currently the bigger threat is outdated devices, Braude declared. The National Health Service in Britain has had issues with computers running Windows XP, an operating system Microsoft no longer supports.

Another ransomware attack this year, on Norfolk General Hospital in Simcoe, Ontario, apparently resulted from the hospital’s website being built on an outdated platform.

“Plan to sunset devices and keep them up to date,” Braude advised.

With all the threats floating about, if HHS does end up creating a chief information security officer position per HIMSS’ suggestion, to serve as a model for healthcare organizations, that person had better have nerves of steel.

Photo: Flickr user Klearchos Kapoutsis