Tabrez Surve, Regional Director – Gulf, Levant & Turkey, F5 Networks explains why healthcare security is still at risk and points at the major overhaul required to establish a secure culture.
From test results and lab equipment to monitoring equipment and patient records, the healthcare industry is increasingly reliant on digital solutions.
However, an ever-growing skills shortage and a lack of financial resources to implement the right security measures means there’s a constant battle raging to stay ahead of a rapidly shifting threat landscape.
New dimensions of risk
The stakes are high. Healthcare organisations face entirely different dangers to the average business, with significant humanitarian and ethical dimensions to consider.
Unsurprisingly, healthcare organisations around the world conform to strict regulations. For example, the UK’s National Health Service has specific security policies and so does the US via the Health Insurance Portability and Accountability Act. There are many others across the world, all of which tend to be designed for rigorous data privacy. Patient data should only be accessible on a need-to-know basis and patients must have control over how their data is used and what is kept on file.
While that is all well and good, it is hardly a deterrent to determined hackers.
A recent study by Vanderbilt University’s Owen Graduate School of Management found that it takes healthcare facilities hit by a data breach or ransomware an extra 2.7 minutes to respond to a patient with a suspected heart attack. This could result in as many as 36 additional deaths per 10,000 heart attacks that occur each year. The study also found that at least 10% of the more than 3,000 Medicare-certified hospitals of the on the US’ Department of Health and Human Services (HHS) list were hit by a cyberattack.
Then there’s the WannaCry ransomware cryptoworm, which hit the NHS hard in 2017. Appropriate security patches had previously been pushed out but remained ineffective without machine reboots. The clean-up cost? Around £92m.
Establishing a secure culture
One of the weakest links in the cybersecurity chain is human error. The IT team can’t cope alone, and every employee needs to buy into a security-first culture.
Phishing remains an enduring favourite to catch people out. Based on analysis from the past year, F5 Labs believes phishing is now the most prominent attack method used to breach data, with the healthcare industry one of the most at risk (rubbing shoulders with other prone sectors like finance and education).
Attackers don’t have to worry about hacking through a firewall, finding a zero-day exploit, deciphering encryption, or rappelling down an elevator shaft with a set of lockpicks in their teeth. The hardest part is coming up with a good trick email pitch to get people to click on, and a fake site to land on.
Meanwhile, phishing and spear-phishing attacks are evolving and no longer crude and easy to spot. A key recurring trend is that phishers continue to push for deceptive credibility, with as many as 71% of phishing sites using HTTPS to appear more legitimate. F5 Labs also found that 85% of analysed phishing sites that make use of digital certificates have them signed by a trusted Certificate Authority (CA).
Organised cybercrime groups and nation-states expend significant effort to understand their victims and take advantage of social engineering techniques, such as targeting victims when they are busy and overwhelmed (which, as most healthcare professionals will attest, is not an uncommon situation).
This exactly why Healthcare organizations need to ensure all employees understand the importance of securing the business’s IT infrastructure and the consequences of not doing so.
Recommended technical security controls include Multifactor authentication (MFA) and implementing web filtering solutions to prevent users from inadvertently visiting phishing sites. It is also essential to inspect encrypted traffic for malware.
At the same time, there is no room to skimp on cultural enhancements. Regular, mandatory compliance sessions and best practice courses can help. This should include streamlined and guiltless methods for users to flag suspected attacks.
Implementing new technologies responsibly
Traditional approaches to security, such as focusing on IT environment perimeters, won’t work as well anymore. IT teams across the healthcare industry need to learn from mistakes and oversights of the past, working closely with all end-users of the technology to create processes that ensure patches are carried out regularly and effectively.
Healthcare organisations also need to invest in technology that maintains data security that can expand across the entire network. For example, a web application security solution could simplify regulatory audits by tokenising sensitive data and help providers control the flow of data while maintaining the highest confidentiality standards and increasing the quality of care.
In an ideal world, the healthcare sector will evolve to be more agile, adaptable and attuned to the flourishing application economy. This means moving away from managing traditional reliability models to a more strategic, service-based approach that focuses on application-level service provisioning, automation, and orchestration. It will also mean creating, deploying, modifying, and extending services quickly to address variables impacting the security, reliability, and performance of applications and networks.
Securing board-level buy-in
Unfortunately, too many boards still overlook the importance of security.
Disconnects are prevalent. Studies among US and UK C-level executives by domain registry Nominet found that 78% admitted to gaps in their knowledge about malware. 68% concede to knowledge gaps about phishing. 66% need to learn more about ransomware.
Budgets are also sometimes assigned without context and overall performance suffers accordingly. Today, the voices of security experts should be heard loud and proud at the top table. There are many ways this could happen, but one obvious tactic is to elevate the importance of the Chief Information and Security Officer (CISO).
If the board doesn’t take security seriously, nobody will. If they don’t know what’s going on, everyone is at risk. All too often, the board sees cybersecurity as a bolt-on insurance policy rather than a fundamental element of both IT and business strategy. That can no longer be the case if healthcare organisations want to adequately and continuously protect staff and patients.