
Healthcare cybersecurity is doomed without staff-wide awareness initiatives

If you work in a hospital and you’re not a security professional, IT professional, or executive, you probably never even think about cybersecurity. And that’s exactly the problem.

Recently, shockwaves were sent through the healthcare industry not once but twice.

The first time was on September 17th, when ProPublica published the results of its investigation finding that the medical records of 5+ million patients in the U.S. and millions more around the world are exposed to prying online eyes due to insecure servers storing medical images and associated data.

Then the very next day, on September 18th, Greenbone Networks published its own report, having revised the number of exposed U.S. medical records upwards to 13.7 million, and noting a further 10.6 million from the rest of the world. Here too, the investigation revolved around insecure and under-secured imaging servers and systems.

What’s more, the Greenbone Networks report found that the 590 servers left open to the wider internet were subject to more than 10,000 confirmed cyber vulnerabilities. If exploited, those vulnerabilities — 20 percent of which are classified as highly severe according to the Common Vulnerability Scoring System (CVSS) — could allow malicious actors to slink deeper into hospital networks, compromising more personal health information, and wreaking more havoc.

As horrifying as these revelations are, few if any healthcare insiders are surprised. The sordid state of network and endpoint security across most hospitals has been an open secret for years. The best run, most secure healthcare operations typically trail other industries in their security tooling and practices by a few years. The rest have fallen behind by about a decade.

Crazier still, even in the rare medical facility that is using truly modern, fit-for-purpose, smartly deployed security solutions, cyber awareness and training across staff is uniformly lacking.

It’s One For All and All For One
Let’s be clear: effective cybersecurity requires robust efforts guided by a sophisticated, multilateral strategy in any environment. In a healthcare environment, it’s particularly difficult.

You need to install network monitoring capable of identifying devices that connect through gateways or in atypical ways. You need to map your connected asset inventory, audit for and patch or mitigate known vulnerabilities, define security groupings and trust relationships, introduce micro-segmented governance, close operationally unnecessary ports, and establish and continuously monitor baselines for normal, healthy traffic.
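To make the last three of those controls concrete (an inventory of connected assets, closed unnecessary ports, and a traffic baseline that is actually checked), here is a small added example, not code from the original post or from any vendor named in it. It walks a handful of constructed connection-log lines against a hypothetical asset inventory and a hypothetical per-device baseline, and reports the kinds of deviations a monitoring team would want to triage: a device that is not in the inventory, a device using a port its role does not need, a clinical device reaching outside the assumed internal address range, and a device whose connection volume is far above its baseline. Device names, port lists, address ranges and baseline rates are all assumptions for the example.

```python
"""Inventory, port and baseline checks over constructed connection-log lines.

Added illustration for the controls described above; every value below is
constructed for the example and is not taken from any real hospital network.
"""
import ipaddress
from collections import Counter

# Hypothetical internal address space of the hospital network (assumed).
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Hypothetical asset inventory: device -> role and operationally necessary ports.
# Ports 104 and 11112 are conventional DICOM ports; the rest are assumed.
INVENTORY = {
    "ct-scanner-01": {"role": "imaging", "ports": {104, 11112}},
    "infusion-pump-07": {"role": "clinical", "ports": {443}},
    "nurse-station-03": {"role": "workstation", "ports": {443, 445}},
}

# Hypothetical learned baseline: typical connections per hour per device.
BASELINE_PER_HOUR = {"ct-scanner-01": 40, "infusion-pump-07": 2, "nurse-station-03": 120}
RATE_FACTOR = 3  # flag a device once it exceeds three times its baseline

# Constructed sample log, one connection per line: "<device> <dst_ip> <dst_port> <proto>"
SAMPLE_LOG = """\
ct-scanner-01 10.20.0.5 104 tcp
ct-scanner-01 10.20.0.5 11112 tcp
ct-scanner-01 203.0.113.9 11112 tcp
nurse-station-03 10.20.0.8 445 tcp
ultrasound-x 10.20.0.5 104 tcp
infusion-pump-07 10.20.0.8 443 tcp
infusion-pump-07 10.20.0.8 443 tcp
infusion-pump-07 10.20.0.8 443 tcp
infusion-pump-07 10.20.0.8 443 tcp
infusion-pump-07 10.20.0.8 443 tcp
infusion-pump-07 10.20.0.8 443 tcp
infusion-pump-07 10.20.0.8 23 tcp
"""


def parse_line(line):
    """Split one log line into (device, destination address, destination port, protocol)."""
    device, dst_ip, dst_port, proto = line.split()
    return device, ipaddress.ip_address(dst_ip), int(dst_port), proto


def is_internal(ip):
    """True when the address falls inside the assumed internal ranges."""
    return any(ip in net for net in INTERNAL_NETS)


def analyze(log_text):
    """Return a list of (kind, device, detail) findings for the given log text."""
    findings = []
    counts = Counter()
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        device, ip, port, proto = parse_line(raw)
        counts[device] += 1
        asset = INVENTORY.get(device)
        if asset is None:
            # An unmapped asset is a finding on its own; nothing else can be judged for it.
            findings.append(("unknown-device", device, f"not in inventory, connected to {ip}:{port}"))
            continue
        if port not in asset["ports"]:
            findings.append(("unexpected-port", device,
                             f"{proto}/{port} is not operationally necessary for role {asset['role']}"))
        if not is_internal(ip):
            findings.append(("external-egress", device, f"connection to non-internal address {ip}"))
    # Volume check against the learned baseline, evaluated once per device.
    for device, n in counts.items():
        base = BASELINE_PER_HOUR.get(device)
        if base is not None and n > RATE_FACTOR * base:
            findings.append(("rate-anomaly", device, f"{n} connections vs baseline {base}/hour"))
    return findings


def summarize(findings):
    """Count findings by kind so a reviewer can see the shape of the problem at a glance."""
    return Counter(kind for kind, _, _ in findings)


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for kind, device, detail in results:
        print(f"[{kind}] {device}: {detail}")
    print(dict(summarize(results)))
```

On the constructed log this yields four findings: an unknown `ultrasound-x`, the infusion pump talking on port 23, the CT scanner reaching an address outside the assumed internal range, and the pump exceeding its baseline. The point is not the toy thresholds but the structure: each check only works because the inventory, the allowed-port list and the baseline exist in the first place, which is exactly what the controls above ask you to build and maintain.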

Even with all that though, without basic cyber awareness training, you’re dead out of the gate.

Cybersecurity is the product of a lot of interconnected actions, policies, and controls. It is a chain and it’s only as strong as its weakest link. It may sound a bit harsh, but in healthcare, the staff is most often the weak link. In fact, healthcare is the only industry in which insiders pose a bigger threat to cybersecurity than outside actors, with 56 percent of incidents tracing back to staff misconduct. The majority of that misconduct is inadvertent rather than intentional, pointing a big fat finger at the lack of cyber training.

Hospitals must inject cyber awareness and basic security training across the whole organization. Make sure staff know how to spot threats and what to do when they find them. Use regular brush-up sessions to reinforce the principles.

Staff training needs to cover general cybersecurity protection: the basics of password management, not clicking on suspicious emails, restricting browser use on nurses’ stations and other clinical assets, adhering to BYOD policies, enforcing physical access controls, resisting social engineering ploys, and so on.

It might seem obvious, but the staff needs to understand that clicking on the wrong link can trigger a malicious script that may ultimately compromise the delivery of care.

At the same time, training needs to build awareness around harder to spot and device-specific threats. Sometimes subtle changes in device behavior patterns can indicate malfunction or worse — tampering. Accordingly, anyone handling these devices will need to know what to look out for as well as to whom and how to report a suspected problem.

Training providers such as SANS Institute, MediaPRO and Intraprise have cybersecurity courses tailored for healthcare. Of course, you need to understand that ultimately the responsibility for cybersecurity in general, and training in particular, cannot be outsourced. Best-in-class hospitals that really want to get in front of the problem will develop training curricula around their specific needs and workflows. Administrators spearheading such projects will look to adapt some of the resources freely provided by Homeland Security, Cyber Aces, or Cybrary, among others.

Bottom Line
The bottom line is this: Healthcare organizations hold an abundance of sensitive data — on par with banks and insurance companies. Yet, to date, the efforts to protect that data and build awareness around that enormous fiduciary responsibility have been woefully lacking.

So far as that sensitive data is concerned, a digital breach is far and away the biggest threat. And yet cybersecurity is culturally cordoned off and treated as the domain of security professionals alone.

If you work in a hospital and you’re not a security professional, IT professional, or executive, you probably never even think about cybersecurity. And that’s exactly the problem. To be effective, cybersecurity has to be seen as a shared responsibility — across the organization. Doctors, nurses, and biomedical engineers don’t need to be cyber experts, but they do need to be cyber aware. Otherwise, you can expect many more upsetting revelations to come.

Safi Oranski

Safi is currently VP business development at CyberMDX, where he drives global strategic programs. He joins CyberMDX from Centrica Business Solutions where he was head of business alliances and IoT. Safi can be found speaking at conferences around the world, discussing the value of healthcare cybersecurity.

This post appears through the MedCity Influencers program. Anyone can publish their perspective on business and innovation in healthcare on MedCity News through MedCity Influencers.
