The healthcare industry has labored through a challenging 18 months brought on by COVID-19. Healthcare organizations in particular faced a record number of cyberattacks during that period, which only hampered their ability to care for patients efficiently and effectively.
Unfortunately, these attempts by malicious actors to compromise healthcare systems and patient data show few signs of slowing. As a result, it is more important than ever for healthcare organizations to implement systems and measures that protect them against cyberattacks.
To help guide healthcare CISOs’ and CIOs’ efforts, Healthcare IT News interviewed Mac McMillan, who recently returned to the CEO role at CynergisTek, the cybersecurity consultancy he cofounded.
McMillan discusses the current healthcare security, privacy and compliance landscape, and how healthcare organizations can ensure safe operations and protected patient data in the long term. He also talks about key findings from CynergisTek’s annual report on healthcare systems’ cybersecurity, and industry trends and the future of healthcare cybersecurity.
Q. How do you see the current healthcare security, privacy and compliance landscape? What do healthcare CISOs and CIOs need to know?
A. The first thing that is safe to say is that it has never been more complicated or more important. Organizations across the board are going to have to devote more resources to these issues because they are receiving more attention from just about every angle – government, legal, insurance, you name it – as everyone grapples with the enormous impacts that cyber incidents are having on business, national security and everyday life.
The attack surface for all organizations has increased tremendously over the last few years to where attacks now come from all directions, including from within. For security, this means another paradigm shift toward better data, device and network security, building resilience into one’s program and operations, and less reliance on the old practice of guarding the gates. This is not something that most healthcare organizations have embraced yet.
This has been highlighted by recent messaging from the cyber insurance carriers who are asking questions regarding things like privileged access management, endpoint detection and response [EDR], etc. – very specific technologies designed to thwart the threat’s ability to exploit a target network.
One simple example of this is multifactor authentication. Most organizations accept and have deployed MFA solutions for external connections to their networks, but very few have implemented MFA internally, citing impacts to workflow. The sad thing is that when an attacker exploits the network by getting hold of a privileged account and deploys some malware that takes the network offline, it doesn’t just impact workflow, there is no workflow.
This frankly has to change. Compliance and privacy are grappling with dozens of regulations and laws as each state, foreign government, etc., enacts legislation to protect personal privacy. For organizations doing business across state lines or international boundaries, this just creates a complicated web of divergent requirements.
Q. What are some key findings from CynergisTek’s annual report on health systems’ cybersecurity?
A. Overall, the industry average improved, but this is slightly misleading as the top 35% did really well and pulled up the bottom 65%, who performed below average. This only reinforces what we have seen all along – that those organizations that put in the effort reap the benefits of a stronger program. We still see way too many organizations behind the curve in readiness, which only makes them and the industry more susceptible to harmful events.
Supply chain continues to be a growing challenge across the board. This is not something that is just limited to healthcare by any stretch. Just about everyone needs to do a better job of securing their expanded threat footprint, which for many includes a fair number of third parties that do everything from hosting to analyzing their data. Probably most alarming are the opportunities for disruption when critical systems or data are hosted by a third party and become unavailable.
Network segmentation is a problem for everyone. This problem has persisted for a very long time and seems to be almost an immovable barrier. The problem is, flat or not truly segmented networks are an open field for adversaries who breach the outer defenses, making lateral movement easier and the propagation of malware more efficient – both things that we really need to stop to avoid major impacts.
MFA is used externally but not internally for privileged accounts or general users, and this includes the use of PAM solutions as well. Again, another key contributor to exploitation. Attackers who are able to get hold of a privileged account are far more effective at avoiding detection, moving laterally through the enterprise and causing damage. This can be removed by implementing MFA or PAM, and again, organizations then build more resilience into their defenses.
Readiness (testing/exercises) is not a regular practice for most organizations. We have all heard it – “I thought we were ready until we went down for more than a couple of days.” Most organizations don’t really appreciate the true impact of losing their systems or data for more than a week or several weeks.
We need to do a better job of preparing our whole organization for the eventuality of a major breach, but we also need to be more proactive in how we test the enterprise to find and address weaknesses before the bad guys do. Regular testing to validate controls and exercising plans to build muscle memory with staff can pay huge dividends in avoiding or mitigating incidents.
The majority of respondents do not have full accountability of all of their information assets. It’s hard to paint an accurate risk picture if you don’t know where all of your assets are or what data is on them. Dynamic asset management is a must for risk analysis as well as risk avoidance and incident recovery. There are multiple integrated platforms that can identify, locate and interrogate what we have within our enterprise to produce more accurate, up-to-date inventories – and we need to adopt them.
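The segmentation and privileged-access points in the answer above can be made concrete with a small reachability check. The following is an added example written for this page; it is not code from the interview, from CynergisTek or from the report. It models hosts as members of VLANs, a firewall policy as a list of allowed (source VLAN, destination VLAN, port) flows, and lateral movement as any reachable host on a handful of commonly abused service ports. Every host name, VLAN, port and rule below is constructed for illustration, and the simplifying assumption that traffic inside one VLAN is unfiltered is stated in the code.

```python
"""Blast-radius comparison of a flat network versus a segmented one.

Added example, not from the interview or the report. Hosts, VLANs, ports and
firewall rules are all constructed. Assumption: traffic between hosts in the
same VLAN is not filtered (no micro-segmentation), which is the common case.
"""
from collections import deque

# Constructed inventory: host name -> VLAN it sits in
HOSTS = {
    "rcpt-pc-01": "users",
    "nurse-ws-07": "users",
    "ehr-app-01": "apps",
    "ehr-db-01": "db",
    "ct-scanner-02": "medical",
    "infusion-pump-11": "medical",
    "dc-01": "mgmt",
    "jump-01": "mgmt",
}

# Ports an attacker with stolen credentials typically uses to move sideways
LATERAL_PORTS = {22, 445, 1433, 3389}

# Flat network: one any/any/any rule, i.e. no segmentation at all
FLAT_POLICY = [("any", "any", "any")]

# Segmented network: only the flows the business needs; everything else denied.
# Note the management VLAN is still allowed to administer every segment, which
# is exactly why a compromised privileged/admin host is so dangerous.
SEGMENTED_POLICY = [
    ("users", "apps", 443),
    ("medical", "apps", 443),
    ("apps", "db", 1433),
    ("mgmt", "any", 22),
    ("mgmt", "any", 3389),
]


def allowed(policy, src_vlan, dst_vlan, port):
    """True if the policy permits src_vlan -> dst_vlan on the given port."""
    for rule_src, rule_dst, rule_port in policy:
        if (rule_src in ("any", src_vlan)
                and rule_dst in ("any", dst_vlan)
                and rule_port in ("any", port)):
            return True
    return False


def reachable(policy, foothold, hosts=HOSTS, ports=LATERAL_PORTS):
    """Hosts an attacker starting on `foothold` can reach, transitively.

    Breadth-first search over hosts: a host is reachable if it shares the
    current host's VLAN (assumed unfiltered) or the policy allows any of the
    lateral-movement ports from the current VLAN to the target's VLAN.
    """
    seen = {foothold}
    queue = deque([foothold])
    while queue:
        current = queue.popleft()
        src_vlan = hosts[current]
        for host, dst_vlan in hosts.items():
            if host in seen:
                continue
            same_segment = src_vlan == dst_vlan
            if same_segment or any(allowed(policy, src_vlan, dst_vlan, p) for p in ports):
                seen.add(host)
                queue.append(host)
    seen.discard(foothold)
    return seen


def blast_radius_report(foothold):
    """Return (flat_count, segmented_count) for a foothold on the given host."""
    flat = reachable(FLAT_POLICY, foothold)
    seg = reachable(SEGMENTED_POLICY, foothold)
    return len(flat), len(seg)


if __name__ == "__main__":
    for start in ("rcpt-pc-01", "ehr-app-01", "jump-01"):
        flat_n, seg_n = blast_radius_report(start)
        print(f"{start:18} flat: {flat_n} hosts reachable, "
              f"segmented: {seg_n} hosts reachable -> "
              f"{sorted(reachable(SEGMENTED_POLICY, start))}")
```

Running it shows the two findings side by side: from a reception workstation the flat network exposes every other host, while the segmented policy exposes only the other workstation in the same VLAN. Starting from the management jump host, however, the segmented policy still exposes everything, because the admin VLAN is allowed to reach all segments on SSH and RDP. That is the case where segmentation alone does not help and MFA or PAM on the privileged accounts is what limits the damage.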
Q. How can healthcare organizations ensure safe operations and protected patient data in the long term?
A. We have to understand that the basic threat landscape has changed and is continuing to change. What we did a year ago, or a few years ago, may not be and probably isn’t what we should be doing today.
The first thing organizations need to do is refocus their efforts on building resilience into their security and privacy postures. We need to have a well-balanced program across the NIST CSF focus areas, but I don’t know of a single CIO who has ever said, “I want to focus right of boom” – or even have a boom.
We need to build resilience up front as we build out our controls and processes, by introducing more rigorous and continuous testing and exercises to increase resistance to incidents and our ability to manage them more effectively when they occur. We need to focus on fewer, better implemented and better managed tools. Having more tools that are not optimized does not lower risk – it adds to it.
We need to understand there is a cost to good security like anything else, but the cost of better security is far less than the cost of incidents. We need to invest in both technology and the people who use it.
Last, but certainly not least, understand that we have to partner for success. No one in today’s environment can go it alone. Whether it’s people, technology or expertise in cybersecurity, there isn’t enough to go around to meet all of the demand, so we have to find and engage partners to help get the job done.
Q. What are a couple of industry trends in healthcare cybersecurity, and what does the future of healthcare cybersecurity look like?
A. We will continue to see healthcare as a prominent target for cybercriminals and nation-state actors. Healthcare is critical infrastructure in this country and represents 18% of our annual GDP. So, there is a lot of treasure tied to a very important business that cannot fail, which means it is a lucrative target.
Attacks are becoming, and will continue to become, more sophisticated and more frequent. They are becoming much harder to detect. This means that spending in healthcare on cybersecurity solutions will be necessary to keep pace. We’re also seeing insurance premiums for cybersecurity climbing a lot faster than before, and underwriting requirements are becoming more demanding and specific.
Breach activity will continue, the cost of protection will rise, the ability of insurance to be an effective countermeasure will diminish, and more emphasis will be placed on organizations doing a better job of protecting their information assets. Solutions like EDR, MFA and PAM will become more important.