Due to a lack of adequate resources, many health care providers are falling far behind in their cybersecurity practices, according to data in the 2016 HIMSS Cybersecurity Survey.
“It looks like something I might’ve read about 10 years ago,” said John Worrall, CMO at CyberArk. In particular, he found the percentages of providers that use antivirus software and firewalls, 86 percent and 80.7 percent respectively, to be a concern, as these are staples in cybersecurity that are incredibly easy to access.
“I would say that’s fair, especially in terms of antivirus and anti-malware and firewalls,” said Lee Kim, director of privacy and security at HIMSS. This is the second annual Cybersecurity Survey conducted by HIMSS, and Kim said that the statistics from one to another really didn’t change much.
“Before we saw the results, I really thought there would be some sort of dramatic improvement,” she said.
“The health care industry definitely lags all other industries, except maybe higher education,” said Dave Damato, CSO at Tanium, adding that in some cases they could be five to 10 years behind. However, both he and Kim agreed that one of the main contributing factors to poor cybersecurity in health care providers is a lack of funding and resources.
The survey found that 58.7 percent of respondents found a lack of personnel to be a barrier to effective cybersecurity and 54.7 percent cited a lack of financial resources.
“One can infer from the lack of people that our improvement in terms of cyber has been stunted,” Kim said. She argued that upper management would need to be convinced to invest in systems and people in order to see real progress.
Damato pointed to a prevalence of legacy IT as a major problem for improving cybersecurity.
“They really weren’t developed with security in mind,” he said, adding that sometimes the systems can get so old that there really is no upgrade path except to scrap the current system and start over, which is costly. Damato also felt that many health care practices could be sacrificing security for accessibility, since quick access to health information systems could mean life or death to a patient.
“Their mission is to save lives,” he said. Yet the balancing of accessibility with security could be a double-edged sword, as too little security opens providers up to attacks that make it impossible for them to function at all.
“Ransomware is one of the most frightening types of attacks in health care these days,” Worrall said, adding that it is particularly dangerous because it prevents providers from functioning.
“Ransomware operators are targeting health care organizations, and many hospitals don’t have the capabilities to stop these sophisticated attacks,” said Matt Mellen, security architect at Palo Alto Networks. “Health care organizations should be evaluating their ability to detect and prevent malware like ransomware at their endpoints, on their network, and in their private cloud. Legacy antivirus and legacy firewalls are clearly not able to stop sophisticated cyberattacks that we see in the wild today.”
Beyond ransomware, Damato said that patient data is a major target as it is “more valuable than credit card numbers.” And to access that information, hackers often go for administrative credentials first.
“The common observation of the attack is that they have to capture the credentials of an insider,” said Worrall. “They basically have superpowers.”
The survey also found that health care providers were not overly optimistic about their ability to detect hackers in their systems, and therefore would not be able to report the attack to the FBI or other law enforcement agencies.
“I definitely agree with this finding, and it makes sense. If you don’t have the capability to identify threats on your network, how can you possibly stop them or report them?” said Mellen. “Health care providers need to be able to detect and prevent cyberattacks automatically at the network, on endpoints and in the cloud.”
“As in many industries, there’s a lot of work that needs to be done,” said Worrall.
“Overall we are making improvements, but we aren’t there yet in terms of where we need to be,” said Kim.