Why The Healthcare Sector Must Demand Real Cybersecurity Change
In late October of this year, a joint cybersecurity advisory from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) warned of an uptick in ransomware activity targeting the healthcare and public health (HPH) sector, specifically hospitals and healthcare providers.
The advisory came just over a month after reports out of Germany documented the first patient death directly tied to a hospital ransomware attack. That’s right: The healthcare cybersecurity situation has now become a matter of life and death.
Healthcare cybercrime such as ransomware is especially egregious during a pandemic, as illustrated by Bitdefender data (via Security Boulevard). But it is now sadly all too commonplace. Also far too commonplace is the seeming inattention and inaction in the face of rising threats.
Shockingly Weak Defense
For context on the sorry state of healthcare cybersecurity, just spend a little time perusing the data in the HHS health information breach website. As of the time of this writing, you’ll find 689 health data incursion events under investigation this year — impacting well over 11.5 million individuals whose private health records were subject to theft, loss, hacking or unauthorized access. There have been nearly 200 such breaches documented since the start of September alone.
Any breach of a health information system during the course of one year is cause for concern. But particularly troubling is the fact that so many organizations have reported multiple breaches in 2020. And it is absolutely shocking to me that there are some healthcare organizations reporting multiple breaches during just the past three months — some with more than one breach in the space of two weeks. Furthermore, it’s possible that attackers are using well-known exploits that could have been patched or remediated months prior to the incidents but may have been left wide open for abuse.
All organizations handling health information are required to meet cybersecurity compliance baselines regulated by the government. And our federal institutions do their best to keep the public informed of what’s afoot.
But it’s pretty obvious to me that current healthcare cybersecurity practices are shockingly weak. The truth of the matter is that the U.S. health system as a whole is not up to the task of truly protecting its IT infrastructure or data. Collectively, I’ve noticed that the industry often lacks the staff, expertise and equipment to properly secure the assets it relies upon to function — and cybercriminals know it. Meanwhile, such assets are both sensitive and valuable, which makes the entire sector an irresistible target for the likes of ransomware attacks. It’s almost too easy.
Need For Leadership
I propose that health organizations need to invest immediately in instituting a security-first culture. And I don’t just mean the usual hand-wringing, apologies and commissioning of reports, reviews and one-time trainings after breach incidents. It seems to me that most of those efforts, while they can be informative, are largely performances for the appearance of indemnity and not serious attempts to actually improve IT security posture.
Healthcare cybersecurity demands a continuous, state-of-the-art level of proficiency, professionalism and investment that’s afforded to other critical assets in the sector. Just as we require board-certified practicing physicians and staff, or verifiable supply chains and uncontaminated pharmaceuticals, we need to implement health data and IT infrastructure security that isn’t such easy pickings for cybercriminals. I believe that if medications were under the same level of threat, there’d be an uproar and immediate action.
But cybersecurity has never been the sector’s forte. Recent research suggests the healthcare industry lags far behind others in digitalization, and the funding and resources required to properly modernize — much less beef up — security simply haven’t been prioritized.
That has to change.
Recognizing you have a problem is the first step toward progress. Altering behavior and seeking assistance are next. Establishing a security-first culture requires a serious commitment from healthcare leadership, but it can’t be spearheaded by health organizations alone. The technology providers participating in the sector bear responsibility as well, and they need to own up.
From The Top Down
Tellingly, in early September, retired U.S. Army General Keith Alexander was named to Amazon’s board of directors. Alexander has served as the commander of the U.S. Cyber Command, director of the National Security Agency, chief of the Central Security Service, a member of the President’s Commission on Enhancing National Cybersecurity, and a director of CSRA, an IT provider for government clients. In short, General Alexander is a heavy hitter in cybersecurity.
It’s not as though Amazon is automatically more secure just because it has added Alexander to its core leadership team. But his appointment does indicate something of great importance. It signals that the company is damn serious about cybersecurity, which will undoubtedly color corporate management, oversight, and resource allocation moving forward.
I’d like to see similarly decisive cybersecurity statements and a real investment from all the big tech companies serving the healthcare IT realm.
And there also has to be some level of cooperation among all the players involved — or at least the major influencers. I’m not suggesting healthcare companies and their technology partners surrender their intellectual property to the cause, but they should establish some means of supporting a strong and united front if we are ever to establish more competent and more comprehensive cybersecurity in the sector. The threat is pervasive, and the situation is dire. Everyone needs to pitch in, and the most capable need to step up and start leading.
The healthcare sector must demand real cybersecurity command of itself — and that requires real investment and commitment. It must also demand the same of its IT partners and service providers. As 2020 is showing us, anything less could be an exercise in futility.