Healthcare Online User Group


The Dog Days of Summer and Back to School: A lesson for Healthcare Information Security 

Sep 01, 2016 01:37 PM

There is really no need to tell healthcare they are under attack; every headline tells them that.  This is not new, nor is it news.  In 2015, the primary cause for loss of data shifted from “accidental” (lost devices, lost backup tapes, jump drives) to external attacks.  None of those “accidents” would have been reportable breaches if encryption had been deployed.

Then came ransomware, and if all the details on the “Wall of Shame” since 2009 didn’t get our attention, ransomware should have.  It should have changed how healthcare thinks about data.  Cybersecurity is neither an IT nor a Security issue.  The data is how you run your business.  No one pays ransom so the DBA can run backups or to make the CIO feel good about his uptime.  Healthcare pays ransom when it can’t take care of people.  That’s bad for business and it can be really bad for patients.

Healthcare data is among the most valuable data in the world (to patients, caregivers and the black market), and healthcare has been historically bad at protecting digital information; thus the increase in attacks.

I have the privilege of talking with a lot of people who work in health IT and Security.  They want to fix the problem.  I don’t meet with as many CEOs or CFOs in healthcare but when I do, they want to keep from having a security issue at their organization.  You notice the difference in approach.

Short-term solutions rarely fix systemic problems.  Staying out of the headlines (temporarily) is not only a short-term goal, it is short-sighted.

Healthcare has been like a lazy dog on a hot summer day since 2003, when the privacy rule went into effect.  The security rule made the dog roll over and go back to sleep.  Even HITECH, PPACA and the final Omnibus Rule caused the dog some twitching, but not a fundamental change in the way we addressed IT.

We need fundamental changes in the way we think about information, IT and security in healthcare.  We seem to be doing that for reimbursement and care delivery models, and those changes are inextricably tied to IT and security.  This is all about information and the information technology to collect, store, share, analyze and protect that data.

In this country, this is the time of year we say goodbye to the dog days of summer and head back to school.  Each year you can start back where you ended, or maybe you need a bit of a refresher and cover some material you’ve already done, but you come back and move ahead because you have the basics down already.

And this is what we’ve not done in health IT: mastered the basics so we can meet the new threats by building on a strong foundation.  Because of the pressure on IT (headcount, budgets, and training at all levels) we look for the latest, greatest thing that prevents [insert the healthcare threat of the day here].  It could be “ransomware” or “insider threat” or “the Chinese” or “hacktivists” or, well, you get it.  And we should have tools, new tools, because the threat landscape is quite different from what it was even 5 years ago.

But here is the systemic problem that will have to be addressed before the “new tools and technologies” can actually become effective.

Healthcare will have to get IT right before it can get security right.  Healthcare has legacy systems and biomedical devices running that are, in security terms, ‘ancient’ or built on outdated designs.  They can’t be protected appropriately.  I still see ‘flat’ networks with little segmentation, the kind of networks most industries abandoned years ago.  Healthcare providers have asset inventories that are out of date, incomplete and not maintained (if they have them at all).  An asset inventory for IT must include all hardware, software and the data itself: what it is, where it is, who uses it, how it got there, and where and how you ‘share’ it.  If you have that kind of inventory you should have an idea of what is at risk, and then you know what needs to be secured and “maintained”.  I have seen:

  • Servers that haven’t been patched in six years and Network-Attached Storage (yes, clinical systems) that has gone 18 months without backup.
  • Biomedical devices that are 15 years old (not old in biomed terms, but try to manage and protect them).
  • Organizations that have no security protocols; in fact, they still don’t have any security policies, let alone the procedures that should support those policies.
  • Annual security training for staff members, even though roughly 1.2 million new variants of malware are created each day.
  • And while role-based security, which is not easy in healthcare, is an ideal, I don’t even see basic identity management, control of remote access, or mitigating controls around BYOD.
  • And then there is the lack of encryption.
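
The point of the inventory described above is that, once you know what you have, the list of what is at risk falls out of it.  The following is an added example (mine, not code from the original post or from any organization it describes) that turns a small, constructed inventory into exactly that list.  The record fields (asset, kind, segment, data, owner, last_patched, last_backup, encrypted), the sample assets, the reference date and the 90-day patch and 30-day backup thresholds are all assumptions chosen for the demonstration; the checks themselves mirror the gaps listed above: unpatched servers, stale or missing backups, unencrypted PHI, biomedical devices sharing a flat segment with workstations, and records with no owner.

```python
"""Turn an asset inventory into a list of what is at risk.

Added example, not part of the original post.  Field names, sample
records, thresholds and the reference date are constructed for
illustration and are not a standard inventory format.
"""
from datetime import date

# Constructed sample inventory: what it is, where it is, who uses it,
# and how it is protected.  Dates are ISO strings so the same records
# could come from a CSV or spreadsheet export.
INVENTORY = [
    {"asset": "ehr-db-01", "kind": "server", "segment": "clinical",
     "data": "PHI", "owner": "Clinical Apps", "last_patched": "2016-06-15",
     "last_backup": "2016-08-31", "encrypted": True},
    {"asset": "file-srv-02", "kind": "server", "segment": "corp",
     "data": "PHI", "owner": "Infrastructure", "last_patched": "2010-05-01",
     "last_backup": "2016-08-30", "encrypted": False},
    {"asset": "nas-lab", "kind": "nas", "segment": "corp",
     "data": "PHI", "owner": None, "last_patched": "2016-07-01",
     "last_backup": "2015-02-01", "encrypted": False},
    {"asset": "infusion-pump-17", "kind": "biomed", "segment": "corp",
     "data": None, "owner": "Biomed", "last_patched": None,
     "last_backup": None, "encrypted": None},
    {"asset": "ws-nurse-03", "kind": "workstation", "segment": "corp",
     "data": None, "owner": "Nursing", "last_patched": "2016-08-20",
     "last_backup": None, "encrypted": True},
]

# Constructed reference date and policy thresholds (assumptions for the demo).
AS_OF = date(2016, 9, 1)
MAX_PATCH_AGE_DAYS = 90
MAX_BACKUP_AGE_DAYS = 30
STORES_DATA = {"server", "nas"}   # kinds that hold data and therefore need backups
SEGREGATE = {"biomed"}            # kinds that must not share a segment with workstations


def _age_days(iso_date, as_of):
    """Days between an ISO date string and as_of; None if the date is unknown."""
    if iso_date is None:
        return None
    return (as_of - date.fromisoformat(iso_date)).days


def assess_inventory(inventory, as_of):
    """Return {asset: [findings]} for every asset with at least one gap.

    An asset with no findings is left out of the result, so the return
    value is the "what is at risk" list the inventory is supposed to give you.
    """
    # Segments that host workstations: a biomedical device in one of them is
    # reachable from general-purpose machines, i.e. the network is flat.
    workstation_segments = {a["segment"] for a in inventory if a["kind"] == "workstation"}

    findings = {}
    for a in inventory:
        issues = []
        patch_age = _age_days(a["last_patched"], as_of)
        if patch_age is None:
            # Legacy devices with no patch record still belong on the risk list.
            issues.append("no patch record")
        elif patch_age > MAX_PATCH_AGE_DAYS:
            issues.append(f"unpatched for {patch_age} days")
        if a["kind"] in STORES_DATA:
            backup_age = _age_days(a["last_backup"], as_of)
            if backup_age is None:
                issues.append("no backup record")
            elif backup_age > MAX_BACKUP_AGE_DAYS:
                issues.append(f"last backup {backup_age} days ago")
        if a["data"] == "PHI" and not a["encrypted"]:
            issues.append("PHI stored without encryption")
        if a["kind"] in SEGREGATE and a["segment"] in workstation_segments:
            issues.append(f"shares segment '{a['segment']}' with workstations")
        if not a["owner"]:
            issues.append("no owner recorded")
        if issues:
            findings[a["asset"]] = issues
    return findings


if __name__ == "__main__":
    for asset, issues in sorted(assess_inventory(INVENTORY, AS_OF).items()):
        print(asset)
        for issue in issues:
            print("  -", issue)
```

Run against the sample records, the well-maintained EHR database and the nurse workstation produce no findings, while the file server, the NAS and the infusion pump come back with the specific gaps that need fixing; the same loop works unchanged on a real export once the field names are mapped.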

This is basic stuff.  If you are into sports analogies this is “blocking and tackling”.  This is the ante to get into the game.

I’m all for new tools and technologies.  I just want to remind everyone that all that new stuff really doesn’t add much value if you aren’t doing what you need to do to keep the wheels on.  If this were school we’d be on academic suspension.  It is time for a little remedial work and then we need to invest to keep that education current, efficient and effective.  Good security is good for IT.  Good IT is good for the business.  And a well-run healthcare organization should be good for patients.  No one buys a Da Vinci surgical system if they don’t have a modern surgical suite and surgeons.  Why would we expect security to fix everything with some new instruments when they don’t have the tools or staff to do the basics?
