The healthcare industry is reeling from a spate of cyber and ransomware attacks this year. In February, Hollywood Presbyterian Medical Center paid cyber criminals a 40 bitcoin ransom (roughly $17,000) to regain control of its systems. A month later, a virus that prevented users from logging in forced Maryland-based MedStar to disable its computer network. Over the summer, hackers also put millions of personal health records stolen from four healthcare organizations up for sale on the dark net, stole Pilot Fish Technology’s source code and put it up for sale, and hacked into Banner Health’s electronic system.
Hospitals have been attempting to improve their cybersecurity, and chief information security officers have had to step up their game. But many chief information security officers at U.S. hospitals aren’t even close to having all of the tools they would need to prevent cyberattacks or respond to them.
“CISOs are facing many challenges from security, privacy, and regulatory compliance issues,” says Kyle Lai, CISO and head of security consulting services at Pactera Technologies. “If a CISO is not careful, he or she will get very frustrated because there are so many vulnerabilities, so many tasks to do to protect the organization, but only a less than ideal budget and resources to manage the CISO organization.”
Todd Inskeep, a principal at Booz Allen Hamilton, agrees. “It can be challenging for organizations to keep up with the influx of new technologies being used on their networks on an almost daily basis,” he tells Healthcare Dive. “For healthcare delivery organizations like hospital groups, this is compounded by the number of people who belong to multiple organizations,” for example, doctors who are paid by one group while practicing in multiple locations.
To help facilities cope with cyber threats, HHS recently awarded $350,000 to an Ormond Beach, FL, nonprofit that focuses on health IT and security issues. HHS’ Office of the National Coordinator for Health Information Technology also awarded the National Health Information Sharing and Analysis Center $250,000 to improve information and education about cyber risks, and the Assistant Secretary for Preparedness and Response awarded NH-ISAC $100,000 to develop an infrastructure capable of securely disseminating information about real and potential threats.
In the meantime, here are eight things hospital CISOs can do to help tackle today’s cybersecurity challenges.
1. Conduct an asset inventory exercise to identify where the sensitive data and systems are located.
“We think of this in the context of the NIST [Security] Framework — identifying the assets you want to protect, protecting those assets, establishing capabilities to detect attacks, responding to attacks, and establishing a full recovery that prevents repeats of the same types of attacks,” says Inskeep.
2. Assess the cybersecurity readiness and vulnerability of the IT environment and internet-facing applications.
This should include internal IT security, perimeter security, malware and antivirus software, a phishing test, a cyberattack simulation test, incident response readiness, internet-facing application vulnerability testing and regulatory compliance readiness, according to Lai.
3. Prioritize vulnerabilities based on risk.
How severe is a particular vulnerability? What is the likelihood of it being attacked? And how severely would an attack of that vulnerability impact the organization?
4. Create a realistic roadmap that provides the CISO with a broad view of the system and all of its potential weak spots.
“The CISO cannot address every risk,” says Lai. “Create a register with all the identified but unresolved risks. Review and reevaluate if any specific risk has risen on priority and take necessary action to resolve the high and critical items.”
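Steps 3 and 4 above describe rating each vulnerability by severity, likelihood and impact, keeping a register of the risks that remain unresolved, and re-checking whether any of them has risen in priority. The following Python is an added example, not code from the article or from either expert quoted in it: the 1-to-5 scales, the product score, the rating thresholds and the register entries are all assumptions constructed for illustration.

```python
"""Minimal risk register: score, prioritize and re-evaluate open risks."""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# Assumed ordinal scales (1 = lowest, 5 = highest) for each factor, and
# assumed cut-offs on the resulting 1..125 product score.
RATING_THRESHOLDS = (
    (60, "critical"),
    (30, "high"),
    (12, "medium"),
    (0, "low"),
)


@dataclass
class Risk:
    risk_id: str
    asset: str
    description: str
    severity: int      # how bad the weakness itself is
    likelihood: int    # how likely it is to be attacked (exposure, known activity)
    impact: int        # consequence for the organization if it is attacked
    status: str = "open"
    history: List[str] = field(default_factory=list)

    def score(self) -> int:
        """Product of the three factors, 1..125."""
        return self.severity * self.likelihood * self.impact

    def rating(self) -> str:
        """Map the score onto the assumed critical/high/medium/low bands."""
        for threshold, label in RATING_THRESHOLDS:
            if self.score() >= threshold:
                return label
        return "low"


def prioritize(register: List[Risk]) -> List[Risk]:
    """Open risks ordered from highest to lowest score; closed ones are dropped."""
    open_risks = [r for r in register if r.status == "open"]
    return sorted(open_risks, key=lambda r: r.score(), reverse=True)


def reassess(risk: Risk, *, likelihood: Optional[int] = None,
             severity: Optional[int] = None, impact: Optional[int] = None,
             reason: str = "", when: Optional[date] = None) -> bool:
    """Update one or more factors, log the change in the entry's history, and
    report whether the rating band rose (the trigger to take action)."""
    before = risk.rating()
    if likelihood is not None:
        risk.likelihood = likelihood
    if severity is not None:
        risk.severity = severity
    if impact is not None:
        risk.impact = impact
    after = risk.rating()
    stamp = (when or date.today()).isoformat()
    risk.history.append(f"{stamp}: {before} -> {after} ({reason})")
    order = [label for _, label in RATING_THRESHOLDS]  # critical first
    return order.index(after) < order.index(before)


def action_items(register: List[Risk]) -> List[str]:
    """IDs of open risks in the high or critical bands, highest first."""
    return [r.risk_id for r in prioritize(register)
            if r.rating() in ("critical", "high")]


def build_sample_register() -> List[Risk]:
    """Constructed sample entries; not data from any real hospital."""
    return [
        Risk("R-1", "patient portal", "unpatched internet-facing web server", 5, 4, 5),
        Risk("R-2", "ward workstations", "shared logins on clinical workstations", 3, 3, 3),
        Risk("R-3", "backup server", "no offline copy of EHR backups", 4, 2, 5),
        Risk("R-4", "label printers", "outdated firmware on isolated VLAN", 2, 1, 2),
        Risk("R-5", "old fax gateway", "decommissioned device", 3, 3, 3, status="closed"),
    ]


if __name__ == "__main__":
    register = build_sample_register()
    for r in prioritize(register):
        print(f"{r.risk_id:4} {r.rating():8} {r.score():3}  {r.asset}: {r.description}")
    # A poor phishing-test result raises the likelihood on R-2 from 3 to 5.
    rose = reassess(register[1], likelihood=5,
                    reason="phishing test: high click rate", when=date(2016, 11, 1))
    print("R-2 priority rose:", rose, "-> act on:", action_items(register))
```

The register keeps closed items out of the working list but never deletes them, and every reassessment appends a dated line to the entry's history, so the CISO can show why an item moved up the list. Replacing the product score with an organization's own matrix only requires changing `score()` and the thresholds.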
5. Establish some level of cyber information-gathering capability that integrates both internal and external information to detect potential attacks.
“This could … include a mix of in- and outsourced capabilities to deal with scale and learning from others while connecting to the specific organizational IT systems and practices,” says Inskeep.
6. Develop a strong backup and recovery capability.
With ransomware targeting several hospitals this year, CISOs and IT departments need ways to ensure access to hijacked data.
7. Have a response plan in place to deal with cyberattacks.
“Not only should hospitals and health systems have a plan in place, they should practice that plan a couple of times a year with the IT and IS teams,” says Inskeep. “Practice should include executives across the organization at least once a year.”
8. Outsource security to a business that specializes in cybersecurity.
While this may result in more efficient security management, it doesn’t come cheap and may require the CISO to secure additional funding from the CEO or CFO of the organization, Lai says.
Booz Allen advises its clients to balance their resource spending across the NIST Framework based on specific assets and an organization’s own tolerance for risk. “Organizations can’t protect everything equally, so leaders have to decide what to protect, how much to protect it and recognize that — with an internet connecting over 3 billion people — some attacks will be successful,” Inskeep says.