Is Healthcare in Crisis?

The Department of Health and Human Services seems to think so. It just published a report suggesting six ways the medical industry can fix its cybersecurity failings.


A federal task force released its report to Congress last week about cybersecurity in healthcare, the No. 1 breached industry. This inspired some choice doomsday headlines: Healthcare is in critical condition; it’s on life support; it’s in dire need of help.

In reality, the industry’s shortcomings are still fixable. If the medical field has been slow to adopt new, “smart” advancements, it has been downright glacial in embracing the technologies necessary to protect them. (The WannaCry global ransomware attack was a sobering reminder of this.) The “Report on Improving Cybersecurity in the Health Care Industry,” which comes from the Department of Health & Human Services, reiterates that proactive security is where meaningful change can happen immediately. Below, we expand on each of HHS’s six recommendations.

Define and Streamline Cybersecurity Leadership and Expectations
Companies must hire a leader, such as a CISO, who is dedicated to bolstering security. But the entire executive team should likewise be stakeholders in that strategy. Although it is paramount to have a response plan to mitigate cyberattacks, it is just as important to have a corporate infrastructure that nurtures risk management. The former is business-protecting, but the latter is business-building. This can include securing big-data expansion and remaining compliant with HIPAA during that growth spurt. In this way, a formidable security solution would also deliver executive insights into workplace activity and a vivid view of an enterprise’s entire threatscape.

Increase the Security of Medical Devices / Protect R&D and Intellectual Property
We’re lumping these two imperatives together because, at the end of the day, compartmentalizing threat detection is part of the problem. Universal visibility will be the biggest game-changer in an enterprise’s security detail. Any solution that leans on rules or thresholds (think SIEMs and endpoint products) cannot achieve that. A strong security platform will almost immediately find anomalies in everything from users and computers to files and applications, painting a who-what-where-when-how picture. Add machine learning to these multidimensional analytics, and detection will sharpen as data sources grow larger. Some of the hardest-to-spot attacks, such as inside jobs and metamorphic/polymorphic malware (which constantly changes its appearance to hide in the network), will swiftly surface.

[Chart: Breakdown of healthcare breach type. There were 329 healthcare breaches last year, up from 270 in 2015. Chart courtesy of HIPAA Journal.]

Develop a Technically Capable Workforce That Can Prioritize Security
We already know there is a critical job shortage in cybersecurity. Hospitals, in particular, struggle with budgets. Beyond the economics of employment, healthcare organizations prefer cybersecurity professionals with actual industry experience. They must understand the nature of electronic health record (EHR) incentives and diagnostic coding systems, not to mention regulations. On top of those prerequisites come the specific skills required to deploy and maintain security solutions such as SIEM systems; taken together, that combination is simply unrealistic. The nuances of healthcare can be learned, but a company’s security should not be rocket science. Streamlining security is the solution: finding an easily deployed platform; eliminating rules-based security, which creates blind spots and requires constant updates; and finding a solution that can integrate with existing security investments to optimize them.

Increase Cybersecurity Education
Employee negligence can be a major blow to the efforts of security teams. The need for IT and HR departments to work together to create company security policies and to educate work teams cannot be overstated. (A legal team may factor into this collaboration as well.) The surge in malware attacks underscores the fact that everyone from the CEO down to an intern can benefit from being coached in spotting the signs of virus-laden emails, protecting their credentials, and using safe IoT connections. Additionally, the security-operations team should use actionable intelligence to continually improve company best practices based on intercepted threats and areas of weakness. The most efficient IT teams view security less as monolithic software and more as an evolving risk-management strategy that grows smarter over time.

Improve Info-Sharing of Threats and Weaknesses
The Cybersecurity Information Sharing Act of 2015 essentially stated that governmental support of private enterprises is a function of national security, and that there is power in numbers. The thinking is that intel about, say, exploited vulnerabilities and attack paths could help prevent future attacks. (The government has made small strides in the tech industry: After suffering their breaches, both Yahoo and Google reached out to the Feds, who in turn tracked down the Russian cyberspies behind those acts.) Some healthcare companies have been hesitant to share particulars for privacy reasons, or lack the incident-response plans needed to offer any insights. At the very least, HHS’s recommendation nudges companies toward the latter with a more useful, analytics-based approach.