Healthcare is Paying a Big Price by Neglecting Security

Healthcare, now the No.1 target for cyber criminals, suffered a bruising 2017, taking into account even just ransomware attacks which soared an estimated 89%. Cyber criminals have predictably continued their attacks in the new year with malicious hackers interrupting service and holding data hostage in return for ransom.

The string of attacks carried against the healthcare industry made news headlines around the country and painted a picture of an industry under siege. But there was also a silver lining: Hospitals now know that they’re in the cross-hairs and are fully aware of the changing threat landscape.

But heightened awareness doesn’t always translate into effective action. In many instances, in fact, the industry’s approach to cyber security remains one that is still too reactive– to the point where it’s essentially management-by-headline. At that point, it’s too late because the bad guys have already won.

And let’s not kid ourselves by thinking this is a temporary crisis. Consider the following:

·      There is no sign that attacks will let up in the foreseeable future as they grow in number and sophistication.

·      Ransomware is here to stay as attackers follow the money.

·      These more potent attacks threaten to do great harm and could severely impair healthcare delivery.

·      It’s not always a cyber stick-up. Hospitals are also prey to “hacktivist” attackers out to make a political point.

If the healthcare industry is ever going to regain the upper hand, it needs to approach the challenge with strategic urgency. To be sure, we’re seeing more hospital leadership and boards take interest – and even ownership - of security. But improved security investment across the board is still lagging and many health organizations are still challenged to improve their security posture.

Some of the recent attacks have forced hospital management to make some very difficult decisions. After being forced to switch to pen-and-paper, Hancock Health in Greenfield, Ind. decided it was worth paying 4 Bitcoins, worth about $55,000, to retrieve access to its digital data.  Realizing that their main systems were held for ransom and their access to backup data was also compromised, the company’s CEO said, there was no choice other than paying a small ransom. Also consider the amount of research data a hospital holds. If not backed up properly, years of critical research could be in jeopardy if a ransom attack is successful, forcing a hospital to pay up.

I get it. Hospitals are under tremendous pressure to restore care delivery operations and can’t just tell patients to return next week. Hospitals can’t accept downtime and so it’s easy to understand their need to get back online and serve their patients as rapidly as possible. No institution wants to wind up like Erie County Medical Center, which incurred millions of dollars in remediation costs and business losses after deciding not to pay a $44,000 bounty demanded by ransomware attackers last April.

Security experts and even the FBI advice that paying up is the wrong thing. Giving into ransomware threats only encourages future acts of criminality while also financing the attacker’s business model. It’s also a band aid, a manifestation of what I call management by headline where a healthcare organization’s leadership opts to jump on the latest threat or reported event. It’s also a reactive and tactical approach to cyber security that’s bound to lead to problems later on.

Healthcare is Different

When it comes to cyber security, healthcare is different from other sectors in several ways. It’s an industry with an IT infrastructure that’s far more complex and varied than any other, ranging from million-dollar imaging equipment all the way to one-off devices. Such diversity leads to an interwoven ecosystem of systems and devices, running on many different platforms and with differing security maturity, creating dependencies and limitations that make security and change management a complex task.

It’s also a compliance-driven business where regulations about the protection of patient data create unique needs. But being able to comply with HIPAA requirements and pass an audit to evade a financial fine doesn’t also mean that you’ll be able to defend your organization against a motivated hacker intended on carrying out a malicious attack. Auditors may sound scary but even more terrifying are cyber criminals that can wreak havoc within your organization and compromise the safety of your patients.

And let’s also recognize the blunt truth that healthcare has traditionally not attached that much importance to cyber security. I am generalizing because, yes, there are lots of security-conscious hospitals in this country and abroad. But too many have needed a wake-up call to jolt them out of their lethargy.

So, what should they be doing differently to more strategically and proactively manage security risks?

Board leadership is Key

This is the time for senior leadership to step up and insist that cyber security become a strategic component that aligns with the hospital’s overall business objectives. It also requires them to define overall governance and set goals, including a proper definition of their level of risk tolerance.

Risk Management

No hospital has an infinite amount of money to lavish on securing every widget, monitor every employee 24/7, and purchase all the latest boutique security technologies. Still, they can get the most out of their budgets by adopting a top-down and risk-based approach. Instead of talking about technology first, the security discussion should center on identifying the risk priorities, establish enterprise wide security objectives and strategy – and then figure out the budgets, processes and technical requirements needed to combat those threats. For hospitals, there’s the extra burden of expanding their understanding of today’s threats to build a capable security program, not just thinking that HIPAA compliance is the final world.

Deeds, Not Words

Top management needs to walk the talk, establish a culture of security and take responsibility for implementing a mature security program. That means allocating sufficient budget to cover the requirements of staffing and promoting cyber education throughout the organization to foster a real culture of security.

Security is Everyone’s Responsibility

This is a perennial challenge for all organizations – and the challenge is compounded in an environment where so many people freely walk in and out the door each day. But every hospital employee needs to understand that security is part of their job description. If they fail on that count, it can wind up harming patients as well as disrupting the hospital’s ability to deliver care.

Based on government incentives under the HITECH Act, hospitals have become digital organizations faster than any other industry and they now need to respond to the changing security demands of doing business in the 21st century. For that, they can’t manage by the seat of their pants. They need leadership and establish a strategy that is up to the task.

Keeping the Cyber Discussion Going

With HIMSS18 just a month away, this is a great opportunity for us to come together as an industry to discuss these very real challenges and exchange ideas on how to address them.  Symantec is very excited to partner with HIMSS again this year to share information and recommendations that can help healthcare providers improve their security posture. And I invite those attending to swing by the Symantec booth (#2429) on the expo floor, or visit us in the Cyber Security Command Center and take our Ransomware Challenge. Hope to see you there.   

 

If you enjoyed this blog, you may find these links helpful:

Symantec Internet Security Threat Report 2017: https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/istr-ransomware-2017-en.pdf

Businesses most at risk from new breed of ransomware: https://www.symantec.com/blogs/threat-intelligence/ransomeware-risks-2017