HIMSS

A Chronic Illness: Why the Healthcare Industry Needs an Update

According to the 2020 HIMSS Cybersecurity Survey

With the continually expanding concerns of cyber-attacks on the healthcare industry, organizations must invest in secure systems. Breaches happen to healthcare organizations of all sizes because they are rich sources of sensitive information. The findings of the 2020 HIMSS Cybersecurity Survey suggest the rate at which healthcare organizations are improving their cybersecurity posture is not enough to keep pace with new threats.

Healthcare organizations and hospitals are targeted because they are ‘high value’ to threat actors. The sensitive data housed within healthcare provider systems can be used for identity theft, fraudulent medical care, and be sold online to other cybercriminals. Patient medical records and PII are aggressively marketed on the Dark Web.

In the HIMSS survey, a staggering 70% of respondents indicated that their organizations experienced “significant security incidents” in the past year. The results of attacks on health care organizations vary widely but include the interruption of data processing and business operations (about 30% of respondents), leaking of confidential information (about 20%), violations of HIPAA policy and resulting fines, and the dissolution of patients’ trust in their health care providers.

The HIMSS survey data makes a strong case that healthcare organizations should increase budgets for enhancing cybersecurity. At the moment, budgets are still tight, and they are also mainly static, despite the increase in digitally based operations. The survey, which reviewed feedback from 168 U.S.-based industry professionals, revealed that typically 6% or less of the information technology budget was allocated to cybersecurity, with no growth in the budgets from last year. As a direct result of too little funding, IT professionals don’t have access to the security solutions that they need to fully secure a complex healthcare environment. This may not be a surprise; many healthcare organizations are resource-strapped in all departments, not just cybersecurity.

But some organizations don’t seem to realize that the cost of the average data breach is not only a hit financially, but it has long term repercussions. Given that the average cost of a data breach, according to IBM, is 3.86 million dollars, and that 70% of organizations surveyed experienced some kind of breach in the last year, there are certainly preventative solutions, that are also cost-effective, available to organizations of any size.

More communication between cybersecurity specialists and hospital administrators will expand awareness about threats and emphasize the need for increased budgets. Providing education and training to employees will also facilitate the sea-change the industry needs.

Once additional budgets can be secured, healthcare enterprises need to adopt next-generation technology to protect themselves. This may involve archiving old data, updating legacy systems, and providing security awareness training of all personnel.

Other additional security advancements might look like investing in firewalls, doing complete risk assessments, and instituting Multifactor Authentication (MFA). These solutions can all be useful increases to security, but they all have their cons as well, whether financial expense or the interruption of user experience.

One of the most efficient changes to make would be to start screening employee user credentials. According to Verizon’s 2020 Data Breach Investigations Report (DBIR), ‘over 80% of hacking-related breaches involved the use of lost or stolen credentials. Whether the attacks come in the form of phishing emails or through brute force attacks, compromised credentials are an origin point for security concerns.

People, including clinical staff, are wont to follow the path of least resistance when it comes to passwords. Individuals often choose simple passwords (maybe even with the hospital name in it), with minor variations, and reuse them between home and work. Unfortunately, cybercriminals are aware of typical substitution and common variation patterns, so these are very risky behaviors.

Habitual password reuse also leaves system administrators in a difficult position that is challenging to address, as they want to make the digital side of health care just as important as the patient-facing side. Screening employee credentials would be a relatively low cost and low-friction layer of security that would have a high likelihood of increasing employee safety.

As organizations seek out cybersecurity resources built specifically for healthcare enterprises, there are several ports of call. However, in the 2020 HIMSS survey, the data indicated that their many organizations aren’t tapped into what standards they should be following in the first place. For example, only 53% of respondents surveyed were aware of the FDA’s Health Industry Cybersecurity Practices (HICP), and of those organizations, only about half used the guidelines.

If organizations are looking for structured guidelines, HIPAA (Health Insurance Portability and Accountability Act) is a good place to start for procedures as it allows some flexibility for the size of the organization.

For more specific advice, healthcare organizations can turn to the National Institute of Standards and Technology (NIST) and the HITRUST Alliance for guidance on the best standards. Both NIST and HITRUST publish security guidelines that ‘highlight suitable measures organizations can implement to enhance their cybersecurity postures’. Details from both NIST and HITRUST include articles such as employee awareness training and screening for compromised passwords.

In an ideal world, cybersecurity would be increased without disrupting the employee’s experience, so that healthcare professionals could continue to focus on patient care. Arguably one of the most efficient cybersecurity moves a company can make is to strengthen existing password policies. The best-case scenario would be engaging with a service that can screen for weak and compromised passwords continuously, without changing the user interface.

Bronwen Hudson