Cyber criminals have recognized the healthcare industry as a lucrative and easy target. Is the healthcare industry finally ready to step up their cyber security efforts?
Clearly, this should be the time to take serious action. Healthcare faces a growing assortment of threats from increasingly sophisticated malicious actors - whether we’re talking about nation states, hacktivists, or financially motivated cyber criminals. Attackers now have the capability, and have demonstrated the ability, to steal confidential data, ransom or blackmail hospitals, and disrupt or even shut down services.
But as we learned from HIMSS Analytics and Symantec’s just-released IT Security and Risk Management study of the healthcare industry, although we are seeing some signs of improvement, the industry still has a way to go.
On the plus side of the ledger, hospitals are budgeting more than ever before to protect their data against cyber criminals. But while healthcare providers have started to move the needle, the majority is still spending 6% or less of their IT budgets on security. That’s not enough. By comparison, consider the finance industry, which typically tends to spend 10 to 12% of its IT budget on security.
Healthcare Under Attack
I took encouragement from the finding that cyber security is no longer considered by healthcare providers solely an IT responsibility or a compliance issue.
The WannaCry attack that famously paralyzed the United Kingdom’s National Health Service last spring may go down in the annals as the proverbial wake-up call. Indeed, that attack had the most impact of any single event that I’ve ever seen in raising awareness within the healthcare sector of the depth of the threat it faced.
Cyber security in healthcare used to be mainly a HIPAA compliance concern. That’s now changed as the industry learned from first-hand experience the risks associated with ransomware attacks or advanced attacks like WannaCry.
In the last couple of years, cyber attackers demonstrated that healthcare’s exposure goes beyond protecting data; they can actually shut down hospitals and impact care delivery. Healthcare leaders are realizing that this is a lot more serious than the prospect of a HIPAA fine or audit. Simply put, if your clinical staff can't access data, there is a severe impact on delivering patient care. No surprise, then, to learn that 60% of healthcare providers now consider risk assessment, rather than just HIPAA compliance, their top consideration in their security investments.
Hospital security teams are already stretched thin, and now we are asking them to focus on the advanced threats posed by highly sophisticated criminal actors, malicious nation states, or cyber terrorists. I’m not saying that it’s bad to invest in HIPAA. But with limited funds, it’s difficult to remain vigilant across the entire risk spectrum, yet it is vital to invest in all areas where there is a need.
This also requires a cultural change. Compliance is a slow-moving target where the requirements may change every 4 to 6 years or so. It’s a fixed target you can aim at. Security is the polar opposite, where being nimble and adapting to rapid change is paramount for any security program.
The cost of IT infrastructure in healthcare is always going to be higher than in most other industries. The highly specialized equipment and software applications found in healthcare institutions not only cost a lot to acquire but are also expensive to maintain.
Meanwhile, security has to compete with other budgetary priorities that are easier sells within the organization and may provide more visibility. For example, the local paper may run a big story when a hospital spends a million dollars on the latest surgical robot or does something else that establishes its reputation for being on the leading edge of medical research or technology. But who is going to pay attention if the hospital spends the same $1 million on encryption or on tougher network security?
Still, there are reasons to be optimistic that, albeit slowly, things have started to move in the right direction.
There’s greater recognition of the broader security risks to the hospital network and the integrated medical devices. Over the last decade, healthcare has undergone a digital transformation and providers have become acutely aware how dependent they now are on the availability of digital systems and data.
As they’ve learned from being on the receiving end, cyber attacks can lead to a shutdown of equipment, thus disrupting a hospital’s ability to offer clinical services. You’re also starting to see the growing appreciation of the cyber security implications of an increasingly connected world. If a malicious hacker can bust in and tamper with the temperature of the hospital HVAC system, they can put operating rooms out of order and cause the cancellation of scheduled operations.
Another sign of change: Healthcare has traditionally been hiring CIOs or CISOs with healthcare backgrounds who ideally knew your organization from the inside. That mindset still lingers but more senior security positions now get filled with candidates who come from outside of the healthcare industry. That’s a good thing and also a welcome sign.
For me, however, the biggest source of optimism has to do with the cultural change that I’m observing in my interactions with customers. Both on a security level and on the business level, I’m having more engagements than before that indicate decision makers across the board are starting to wake up to the challenge of security. Evidence of a true fundamental and transformative change is becoming apparent.
There is no doubt that attacks will continue in 2018, and hospitals are again going to find themselves in the cross-hairs. It’s up to the boards of directors to recognize this as the new normal. Cyber security can no longer be shrugged off as an IT problem or merely a compliance issue. Yes, it’s all that, but this goes way beyond technical considerations. Above all, cyber security must be viewed as a strategic business concern.
Failing that, hospitals risk continuing to play catch-up - and they’ll always be a step behind the bad guys.
Symantec is participating at the HIMSS18 conference next week where we’ll be sharing more on the findings from this research. So, come grab a coffee at our booth (#2429), and I look forward to continuing the discussion.