Healthcare systems around the world are severely stressed. Medical staff have been putting forth a Herculean effort for years, and the burden on healthcare systems has only increased over the current three-year-long public health emergency. In turn, these pressures have caused tectonic shifts throughout the entire healthcare infrastructure across providers, systems, insurance carriers, workers, patients, and the means of communication with each. These changes have rightly brought up important conversations around systemic improvements that must be made in both tactical and strategic operations. Cybersecurity — how we protect patients, critical services, and personal data from cyberattack — must be part of that discussion.
“We need to do more!” is a common refrain echoed when addressing cybersecurity needs, but it is immediately followed by, “but I don’t know how!” Doing more with the same level of capability isn’t sustainable for anyone. In order to achieve the goal of “do more,” objective efforts need to be made to not only improve healthcare security outcomes but also to ensure that these efforts receive more support in the forms of additional resources, increased efficiencies, and outsourced execution.
From a people perspective, security leaders, regardless of industry, struggle to build and retain their security staff. I could insert the latest skills gap or workforce shortage statistics here, but everyone should know by now that there are significantly more open roles in the security field than there are qualified candidates. This has been the case for years and will be the status quo for some time. In the intense competition to find qualified security professionals, healthcare isn’t always a candidate’s first choice. Pay and technology exposure are prime factors cybersecurity candidates consider in an industry that tends to struggle for funding. The costs of “failure” in the field are also significant. The security of systems that drive effective patient care, including critical life-or-death services, is of paramount importance.
The pressures of taking on that responsibility are exacerbated by the healthcare industry’s growing attack surface and value as the target of compromise. In an industry where security concerns include every aspect of the IT/OT struggle, achieving parity of controls and effective monitoring is an incredibly daunting task, especially when the costs of loss are so high. The growing ecosystem of healthcare devices and platforms are often vulnerable, and they act as gateways to patient care and sensitive data.
In addition to growing vulnerabilities and exposures, healthcare systems have become additionally burdened by the pandemic. Modified work processes stressed and shocked the healthcare industry for obvious reasons, but it also accelerated digital transformation and pushed telemedicine into the mainstream. The digital attack surface then expanded significantly as telemedicine and remote services, like call centers and remote monitoring of ICU beds, became the new normal.
Defenders not only have to keep up with the technological exposure but also the intent of bad actors. Healthcare has been a prioritized target, shown by its status as the most breached industry vertical for the last eleven years. Accounting for the recent rapidly expanding attack surface, threat actors and cyber criminals undoubtedly see increased financial opportunities. With historical evidence showing that criminals are aware that healthcare providers surrender to their demands due to the dual loss impacts of customer care and sensitive data exposure, reports show that there has been a 94% increase in healthcare-targeted ransomware attacks between 2021 and 2022.
Unsurprisingly, this has brought back more government-level discussions about how to address these cyber attacks. Healthcare is already one of the most highly regulated industries in the United States, but enforcement has often lagged. HIPAA has made its way into everyday vernacular, resulting in heightened awareness and concern over data privacy. The standard, however, was established in 1996 and was written for its time, when data theft was the primary concern. It fails, as a required entity, to reflect the need for guidance against things like ransomware. HIPAA and other related standards need to be updated to consider the evolving threat space. Some efforts, like HITECH, have been introduced to add additional privacy and breach notification requirements, but they also suffer from questionable enforcement.
Cyber insurance is another issue that attaches itself to these concerns. With the commonality of breaches and evolving requirements for risk mitigation, cyber insurance is a critical path concern. Increases in pricing, changes to security program capabilities, and questions of coverage all create uncertainty and increased efforts needed to acquire and maintain adequate coverage. Healthcare is not the only industry with these concerns, but with its tight budgets and limited resources, this is an area of concern that plays heavily into programmatic and budgetary considerations.
Lastly, with many decision makers trying to define and enforce different sets of rules. Anyone trying to obtain compliance with recommended actions must consider multiple levels of demands. Requirements derive from both the public and private sectors, often with conflicting needs where the mix of “floor and ceiling” obligations contradict one another without a clear escalation path of who “wins.” Beyond the preventative components, escalation and notification requirements go even further afield as they navigate not only this regulatory minefield but then face the addition of security vs. privacy considerations.
All of these aspects considered, we need investment and concerted and prioritized effort to protect healthcare from endemic of cyberattacks. As a nation, we need to determine where and when to define requirements and provide support for healthcare security. Regulatory requirements need to align with the realities of healthcare system defenders, both in the sense of enforcing requirements and in enabling these under-resourced teams to practically meet those requirements.
When it comes to healthcare security, everyone wants to do the right thing. The public and private sectors, and the security industry as a whole, need to come together to get healthcare security on the road to recovery.