Editor’s Note: John Smith is a Principal Solutions Architect at IT analytics company ExtraHop. Prior to joining ExtraHop, John was a Cloud Architect at both Philips and McKesson and was previously a Principal Architect at the Centers for Disease Control.
Hardly a day goes by without news of a new cybersecurity threat or breach, and the healthcare industry is hit with more than its fair share. While unfortunate, it’s not hard to understand why. From personal health information (PHI) to insurance records, healthcare facilities are full of rich, sensitive patient data, making them prime targets for attacks. In fact, major cyberattacks on healthcare grew 63% in 2016, and one in four US consumers have now had their personal medical information stolen in a healthcare breach.
Statistics like these are scary for the entire industry, from healthcare delivery organizations to insurers and technology providers. They’re also terrifying for patients. When it comes down to it, if there’s any institution you want to be able to trust, it’s your healthcare provider. They take care of your health and well-being. It’s only natural to expect they can take care of your data. But consumers – rightfully so – are losing trust in health IT to consistently safeguard their information. We trust them with our lives, but we no longer trust them with our data.
The unease about healthcare’s ability to secure sensitive data and systems is not confined to consumers. Increasingly, health IT professionals themselves are expressing doubt and skepticism about their current security practices. According to a recent survey of 50 healthcare organizations, only 13% said they were confident that their existing security tools could defend against ransomware attacks.
The reality is that healthcare is acutely vulnerable to cyberattacks. And the sense of uncertainty and doubt about the efficacy of current security tactics is palpable. So what can healthcare organizations do to combat this issue, and regain the trust of both consumers and staff?
How Did Health IT Get Here?
The number and scale of healthcare cyberattacks have greatly increased in the last several months, which has significantly contributed to the deteriorating trust in health IT. So how did we get here?
First, it’s important to remember that the healthcare industry doesn’t have much experience with cyber threats relative to other industries. E-commerce professionals have been trading punches with bad actors for nearly 20 years now. As such, they’ve been forced to toughen their defenses and build up a high level of resistance. Up until 18-24 months ago, few health IT professionals had experience dealing with the frequency, variety, and severity of threats to which they’ve been subject recently. As such, healthcare infrastructures and systems haven’t faced the rigorous testing that’s now second nature to organizations in other verticals.
In addition to the relative immaturity of the security infrastructure itself, many healthcare organizations haven’t developed the robust processes and best practices that help other organizations stay ahead of the threat curve. Things like backups and regular updates don’t happen as frequently as they should, due in part to the associated risk of instability or downtime, which can have far-reaching consequences in a hospital setting. Then there’s the overall entropy that tends to be present in health IT departments, which can lead to less stringently followed and enforced security protocols.
Finally, from my first-hand experience supporting healthcare over the last 21 years, we need to acknowledge that health IT workers, especially those working for smaller healthcare systems, are often overworked and tasked with doing a large number of important, complex tasks in order to keep critical systems going. Just as with any industry – from financial services to food services – things can fall through the cracks when employees are overworked. The difference is that, in healthcare, the stakes are so much higher when mistakes happen. System uptime can literally be a matter of life or death. Budgets are also often tight, so adding personnel or investing in a new security solution is not always an option, leaving staff to make do with what they have.
How can health IT improve security and restore trust?
We know healthcare facilities are being bombarded with cyberattacks, and we know there’s skepticism about existing security tactics. So what can health IT do to address these issues? It has to start with visibility. Trust and confidence are gained by having insights and knowledge at your fingertips. Information is empowering, and it allows IT professionals to make smarter decisions and address key issues. As health IT gets more complex – from connected devices to hybrid infrastructure – IT workers need to know what’s happening, when it’s happening, and why it’s happening. Otherwise, they’ll be trying to control systems blind.
No one knows when the next big breach or vulnerability is coming, but I can tell you that it will involve communications between systems that are not supposed to be communicating at all. To succeed under those circumstances, it’s time for healthcare to realize that visibility isn’t a “nice to have,” it’s a “must-have.” The best thing that health IT professionals can do is find solutions that allow them to see – down to the transaction level – what’s happening across healthcare IT and clinical systems in real time. Now more than ever, IT staff need tools that can do things like discover applications and devices automatically, and rapidly identify anomalies in IT and clinical workflows.
The first step in obtaining the right level of visibility is identifying which systems will either land you in the news, on krebs.com, or result in you getting fined in the event that they are breached. I understand that hospitals have sensitive data traversing multiple places, but we can at least start with where the crown jewels are, such as databases where PHI is stored and the systems that provide transit for them. Getting an adequate inventory of all of your high-risk systems will make your life considerably easier. It is entirely possible that the needed visibility within an environment of several hundred systems can be easily distilled into monitoring a few dozen systems that house sensitive data. The key here is not to start from the top down but from the ground up. Identify key systems that house critical data, then look into the ingress and egress of those systems. A common theme taking shape for cyber security is simplifying the task(s) associated with it. Simplicity starts with visibility, and it doesn’t get much simpler than knowing, at the packet level, who is talking to whom.
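The ground-up approach above (inventory the crown jewels, then watch their ingress and egress for conversations that are not supposed to happen) can be expressed as a small check over flow records. The script below is an added example, not code from the article or from ExtraHop; every host address, network, port, the two PHI databases, the allowlist and the flow records are constructed for illustration, and the flow format (one client-to-server record per line) is a simplification of what a real flow or packet source would give you.

```python
"""Inventory-first visibility check, added as an example (not code from the article
or from ExtraHop): which systems talk to the crown jewels, and which of those
conversations are not supposed to happen. Every host, network, port and flow
record below is constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterator, List, Set, Tuple

# Constructed crown-jewel inventory: the systems that store PHI.
CROWN_JEWELS: Dict[str, str] = {
    "10.20.1.15": "phi-db-01 (EHR database)",
    "10.20.1.16": "phi-db-02 (EHR database replica)",
}
# Constructed allowlist: per crown jewel, the peer networks that may exchange
# traffic with it and the server port they may use. Anything else is a
# conversation that is not supposed to be happening.
EXPECTED_PEERS: Dict[str, List[Tuple[str, int]]] = {
    "10.20.1.15": [("10.20.2.0/24", 1433),   # application tier -> SQL
                   ("10.20.1.16/32", 5022),  # replication partner
                   ("10.20.9.0/24", 22)],    # DBA jump hosts -> SSH
    "10.20.1.16": [("10.20.1.15/32", 5022),
                   ("10.20.9.0/24", 22)],
}
# Constructed internal address space, listed explicitly rather than via
# ip_address(...).is_private, which also treats documentation ranges as private.
INTERNAL_NETWORKS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed flow records, client -> server, one per line: src dst dport bytes.
SAMPLE_FLOWS = """
10.20.2.31   10.20.1.15   1433  48213     # app server -> EHR DB: expected
10.20.1.15   10.20.1.16   5022  990000    # replication between the two DBs: expected
10.20.9.4    10.20.1.15   22    8120      # DBA jump host -> DB: expected
10.20.5.77   10.20.1.15   1433  15200     # nurse-station VLAN -> DB: unexpected peer
10.20.2.31   10.20.1.15   445   3011      # app server -> SMB on the DB: unexpected port
10.20.1.16   203.0.113.5  443   72000000  # replica -> public address: unexpected egress
10.20.5.77   10.20.5.80   80    500       # does not touch a crown jewel: ignored
"""

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int  # server-side port
    nbytes: int

@dataclass(frozen=True)
class Finding:
    jewel: str
    direction: str  # "ingress" (peer -> jewel) or "egress" (jewel -> peer)
    peer: str
    dport: int
    nbytes: int
    reason: str

def parse_flows(text: str) -> List[Flow]:
    """Parse the constructed flow format; '#' starts a comment."""
    flows = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if fields:
            src, dst, dport, nbytes = fields
            flows.append(Flow(src, dst, int(dport), int(nbytes)))
    return flows

def _jewel_endpoints(flow: Flow) -> Iterator[Tuple[str, str, str]]:
    """Yield (jewel, direction, peer) for each crown jewel the flow touches."""
    if flow.dst in CROWN_JEWELS:
        yield flow.dst, "ingress", flow.src
    if flow.src in CROWN_JEWELS:
        yield flow.src, "egress", flow.dst

def peer_inventory(flows: List[Flow]) -> Dict[str, Dict[str, Set[str]]]:
    """Ground-up inventory: who talks to each crown jewel, split by direction.
    This is what you look at before writing the allowlist in the first place."""
    inv = {j: {"ingress": set(), "egress": set()} for j in CROWN_JEWELS}
    for flow in flows:
        for jewel, direction, peer in _jewel_endpoints(flow):
            inv[jewel][direction].add(peer)
    return inv

def _allowed(jewel: str, peer: str, dport: int) -> bool:
    addr = ip_address(peer)
    return any(addr in ip_network(net) and dport == port
               for net, port in EXPECTED_PEERS.get(jewel, []))

def find_unexpected_flows(flows: List[Flow]) -> List[Finding]:
    """Flag every conversation with a crown jewel that the allowlist does not cover."""
    findings = []
    for flow in flows:
        for jewel, direction, peer in _jewel_endpoints(flow):
            if _allowed(jewel, peer, flow.dport):
                continue
            internal = any(ip_address(peer) in net for net in INTERNAL_NETWORKS)
            reason = ("peer/port not in the expected-peer list" if internal
                      else "peer is outside the internal address ranges")
            findings.append(Finding(jewel, direction, peer, flow.dport, flow.nbytes, reason))
    return findings
```

Running `find_unexpected_flows(parse_flows(SAMPLE_FLOWS))` on the constructed records yields three findings: a nurse-station host reaching the database port, the application server opening SMB to the database, and the replica sending a large volume to an address outside the internal ranges. The remaining flows either match the allowlist or never touch a crown jewel, which is the point of scoping the check this way: a few dozen high-risk systems and their peers are far easier to reason about than every conversation on the network. `peer_inventory` is the step you run first, before any allowlist exists, to learn who actually talks to the crown jewels.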
True visibility into and understanding of the interplay between critical systems has another advantage: it allows IT to run leaner. Many of the healthcare organizations I’ve worked with have, at least in part, implemented lean practices, and insight is critical to supporting those initiatives. For overworked health IT teams, this can make all the difference.
Think of it this way: most infrastructure today is akin to a dark parking garage. That lack of visibility would lead the average person to have less confidence and trust that the garage is safe. The same goes for health IT. CISOs and CIOs don’t lose sleep over the systems they know about. They lose sleep over the systems they aren’t aware of. To keep data, systems, and patients safe, you need to be able to see what’s going on across your environment in real time. For health IT, it’s time to bring everything into the light.