Cybersecurity continued to be a struggle for many in the healthcare sector this year, with several massive breaches, successful targeted phishing campaigns, and security events caused by human error. While providers struggled with the basics, like email errors and a lack of encryption, hackers pummeled the sector with increasingly sophisticated attack methods.
Protenus won’t have the final tally for the year’s breached patient records until January. But the first three quarters of 2018 saw about 8.7 million records – well over the total 5.6 million reported in 2017.
With the addition of the 2.65 million patient records breached by AccuDoc Solutions and several other large breaches this quarter, 2018 is on pace to be one of the worst for security in the healthcare sector.
There are many things providers haven't been focusing on enough, and that needs to change in the coming year. To David Finn, Executive Vice President of Strategic Innovation at CynergisTek, it boils down to double-edged swords.
“There’s so much happening in healthcare and in IT that you can’t even look at just the technology or information,” said Finn. “The industry is just now beginning to look into automating healthcare operations like scheduling patients, scheduling the equipment to do procedures and remote monitoring to automate some of these processes.”
“We’re learning that, yes, we need to automate, but there’s still an excessive number of breaches in security,” he added.
And while AI and machine learning can be used for analysis and forecasting, Finn explained that there is still an extremely high number of false positives and false negatives. The tools are not yet reliable.
“This year we learned that AI still needs human insight and interpretation. And security is on the cutting edge of it,” Finn said.
Human errors, email challenges, medical device security and a lack of resources were some of the biggest challenges faced this year. HealthITSecurity.com spoke with leaders across the sector to understand just what will change in 2019.
Several reports throughout 2018 (and even in 2017) have pointed to a lack of resources and budget around cybersecurity. Fortunately, some organizations have begun shifting their focus to preventative measures and incident response.
And those investments will continue into 2019, explained Shefali Mookencherry, Principal Advisor for Information Security, Privacy and Disaster Recovery at Impact Advisors.
“Organizations will continue to progress toward incident response, security analysis, risk management programs, and invest in business continuity and disaster recovery efforts,” Mookencherry said. “They’ll also look at awareness and training programs that should be done during annual HIPAA training.”
“But I do think that because of the nature of the beast — the increase in the need for cybersecurity professionals and the shortage of them in 2018 — I think that organizations will invest in more people for security.”
However, the key will be to determine what makes a quality or certified security professional, explained Mookencherry.
Corinne Smith, a healthcare attorney with Clark Hill Strasburger, took it a step further: “Large healthcare entities will continue to add cybersecurity engineers to their workforce.”
Smith explained that many smaller entities will instead turn to the cloud to address the shortage of cybersecurity professionals, or outsource some obligations to vendors.
“Moving to the cloud doesn’t end a healthcare provider’s liability, but it does limit the need for engaging an army of IT professionals,” Smith said.
The Evolution of the CIO
But don't expect those decisions to be made by chief information officers. New Black Book research confirmed that with the rise of digital innovation spreading throughout organizations, CIOs are seen as those delivering and working with those technologies, not making decisions around them.
About 88 percent of non-IT hospital leaders in the fourth quarter of 2018 saw the demand on their technology expertise “radically intensifying.” Meanwhile, the strategic role of CIOs is heavily decreasing as the shift toward decentralized tech management moves to department heads.
According to the research, CIOs controlled 71 percent of power over IT purchasing decisions in 2015. But this year, the figure fell to merely 8 percent.
“Traditionally, CIOs called the shots in IT purchasing after aligning with the department on its need, but digitalization is making a permanent change to the health system's IT purchase process,” Doug Brown, Black Book Managing Partner, said in a statement.
“As healthcare organizations transform work processes through digitalization, the department leaders involved must logically uphold the authority of those processes,” he added.
In fact, about 45 percent of the respondents said that more than a third of all IT funds will originate from outside the IT department in 2019.
“Some say the CIO title and role might just end up losing the ‘C’ over the next few years,” Brown said. “In 2018, only 21 percent of CIOs felt they were meaningfully involved in the creation of market-facing innovations and strategic departmental software selections.”
That number was echoed by the 29 percent of surveyed CEOs who said their CIOs are tactical, “not strategic enough to navigate the complex healthcare business systems to drive financial success.” And 88 percent of C-suite colleagues said CIOs are seen as developers and deployers of technology, not the source of innovation.
Finn also noted the role of the chief information security officer may be shifting, as well.
“There’s a great debate on whether the CISO should report to IT — or directly to another executive,” said Finn. “If there’s a standalone CISO or security function, they are more efficient than if they’re lumped in with IT.”
“In other industries, we’re seeing that move, but in healthcare it’s slower,” he continued. “It’s something to keep an eye on in 2019.”
Regardless of who is making those decisions, Mookencherry said all healthcare organizations need to put future priority around innovative technologies like blockchain, AI, medical device security, cloud, web, network security and telehealth.
Mookencherry also noted 5G and 6G networks, especially around mobile apps, should be focused on in 2019 and beyond.
“It's a growing issue, if we can get ahead of it,” said Finn. “As it grows, everyone is going to want the newer, faster network. But the new platform drives new infrastructure and operational models, which leads to new vulnerabilities, much like with other technology.”
“We can move more data faster, but that will drive more data out to the cloud,” he continued. “It would be great for backup data, but it's also going to cover other processes up there, like analytics, outcome monitoring. As we build out that 5G network, we're going to cover those 5G networks off of those routers, connecting directly. It'll be harder to connect those devices — a scenario in 2020.”
To Smith, organizations haven’t focused enough on IoT and what that means for security.
“Mobile and tablet use continues to skyrocket,” said Smith. “In addition, there are wearables and other devices interfacing with electronic health records wirelessly. The trend to bring your own device means more phones and tablets are connecting into providers' systems than ever before.”
“The more points of entry into the system, the more likely that there will be a security breach,” she added. “Identifying and resolving security gaps in EHR interoperability should be at the top of the list in 2019.”
For Finn, the attacks on medical devices and the growing awareness around the threat these legacy technologies can pose will continue into the next year, especially given the proliferation of IoT.
“We are so hyper-connected and so busy sharing data, and because everyone has multiple devices and IoT devices, like home assistants, we will see a blending of not only work life, but also the health life of patients. And we will see more data captured in transit.”
“Hackers go after those data streams because it’s flowing and easy to get to,” he added.
The Food and Drug Administration has increased its guidance around these devices and manufacturers are stepping up when it comes to security, Finn explained. But biomedical devices and IoT in general are going to continue to be a very big issue next year.
“What we saw in biomed and IoT is this new focus, which we need to continue in 2019,” said Finn. “But we need to make sure it’s an operational approach to dealing with this issue, and not the hysterical one, which results in spending a lot of money and spinning wheels.”
“The way to address it is not that dissimilar to what we needed to do with laptops and other legacy technologies,” he added. “We haven't been able to look into the vulnerabilities, but that is changing. It's part FDA regulation, and industry initiatives.”
Those efforts will continue into 2019 and there will be some changes around security, but only “if we don’t go too far off the deep end,” Finn explained.
How to Meet These Challenges
To Smith, backup systems and cybersecurity insurance should be two major focuses for health organizations attempting to combat some of these challenges in the coming year.
While less frequent in 2018, a lack of backups can prove disastrous when an organization’s servers are locked down due to a cyberattack like ransomware. Smith explained that adequate backups are crucial with the explosion of sophisticated attack methods.
“With the explosion in ransomware and cybercrimes, the likelihood of a breach is significant,” said Smith. “Providers should have a robust back-up system and test it regularly to be sure they can restore and recover data in the event of catastrophe.”
“A loss due to cybercrime has a double whammy if back-up systems are insufficient,” she added.
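Smith's point is that a backup is only worth what a tested restore proves it is worth. The script below is an added example, not code from the article or from any of the people quoted in it: it backs up a directory to a tar archive, records a SHA-256 manifest beside the archive, restores into a separate location, and compares the restored files to the manifest so that silent corruption or a missing file shows up as a failed drill rather than as a surprise during an incident. The "EHR" files it creates are constructed sample data, and the paths and function names are the example's own.

```python
"""Backup restore drill (added example): back up a directory, restore it to a
different location, and prove the restored copy matches the hash manifest taken
at backup time. Sample patient-record-like files are constructed inline."""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    # Keys are paths relative to root so the manifest stays valid wherever the
    # data is restored; sorted so the output is deterministic.
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def manifest_path(archive: Path) -> Path:
    return archive.parent / (archive.name + ".manifest.json")


def create_backup(source: Path, archive: Path) -> dict:
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname="data")
    # The manifest lives beside the archive, not inside it, so a damaged
    # archive cannot also damage the record we verify it against.
    manifest_path(archive).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def restore(archive: Path, target: Path) -> Path:
    with tarfile.open(archive, "r:gz") as tar:
        try:
            # The "data" filter rejects path traversal and absolute members
            # (Python 3.12+ and the security backports to older releases).
            tar.extractall(target, filter="data")
        except TypeError:
            tar.extractall(target)  # interpreter without the filter argument
    return target / "data"


def verify_restore(archive: Path, restored_root: Path) -> dict:
    expected = json.loads(manifest_path(archive).read_text())
    actual = build_manifest(restored_root)
    missing = sorted(set(expected) - set(actual))
    extra = sorted(set(actual) - set(expected))
    mismatched = sorted(k for k in expected if k in actual and expected[k] != actual[k])
    return {
        "ok": not (missing or extra or mismatched),
        "files_checked": len(expected),
        "missing": missing,
        "extra": extra,
        "mismatched": mismatched,
    }


def run_drill() -> dict:
    """Runs a clean restore and a deliberately damaged one; returns both reports."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source = tmp / "ehr"
        (source / "patients").mkdir(parents=True)
        # Constructed sample data, not real records.
        (source / "patients" / "0001.json").write_text('{"mrn": "0001", "name": "Test Patient"}')
        (source / "patients" / "0002.json").write_text('{"mrn": "0002", "name": "Another Patient"}')
        (source / "schedule.csv").write_text("date,room\n2019-01-07,OR-2\n")

        archive = tmp / "ehr-backup.tar.gz"
        create_backup(source, archive)

        clean_root = restore(archive, tmp / "restore-clean")
        clean = verify_restore(archive, clean_root)

        # Second drill: simulate silent corruption of one restored file and
        # loss of another, which a bare "did the tar extract?" check would miss.
        bad_root = restore(archive, tmp / "restore-bad")
        (bad_root / "patients" / "0001.json").write_text('{"mrn": "0001", "name": "Corrupted"}')
        (bad_root / "schedule.csv").unlink()
        tampered = verify_restore(archive, bad_root)

    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(run_drill(), indent=2))
```

In a real program the restore target would be a separate host, and the manifest (or a signature over it) would be kept somewhere the backup job cannot overwrite, so that ransomware which reaches the backup store cannot also rewrite the record used to check it. Scheduling the drill and treating any report with `"ok": false` as an incident is what turns "we have backups" into "we can restore."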
As many security leaders feel that breaches are nearly inevitable at this point, the focus on cyber insurance has increased. At the moment, there are no standard, universal cyber insurance policies, so organizations will need to perform due diligence, as “there’s a shortage of excess carriers willing to underwrite cyber risk,” Smith explained.
“Some carriers are putting a maximum limit of $10M on coverage,” said Smith. “Underwriters are taking a cautious approach to provision of system failure and business interruption coverage.”
Healthcare providers also need to consider compliance beyond HIPAA, especially with the enactment of the EU General Data Protection Regulation, said Smith. Those providers who routinely handle EU patients need to consider their security programs, as there’s been an increase in GDPR penalties this year.
“There is an increasing need for insurance coverage to cover regulatory risk beyond HIPAA and HITECH,” she added.
Cybersecurity education and training should also be top of mind for health providers, Mookencherry explained. This should cover both hardware and software, along with the professional services related to them.
Organizations need to home in on their security policies and procedures to rise to the challenges of the threat landscape. Mookencherry said that this includes evaluating access inventory, vulnerabilities and pen testing. Auditing and compliance are big issues, but acquisitions and third-party management will also need to be strengthened.
“Cyber analytics is here to stay, and I do believe that many health organizations have a limited set of key security indicators,” said Mookencherry. “There are many defense measures to look at in how to do security. Those metrics can help organizations know where the risks and resources are.”
At the end of the day, security boils down to people, and organizations need to focus their attention there to improve their security posture.
“Some people see your employees as the last line of defense. But I believe the employee is the first line of defense,” said Finn. “But we’re not educating and training end users to take care of themselves, and then expanding [that methodology] to patients.”
“Tech is tech, we have to have it,” he continued. “But at the end of the day, security is a people issue.”