More providers are adopting cybersecurity frameworks and prioritizing risk assessment, according to the third annual Symantec and HIMSS Analytics HIT Security and Risk Management Study. However, organizations are still underinvesting in cybersecurity and suffering from a lack of budget and insufficient staffing.
Sixty percent of healthcare providers identify risk assessments as the number one driver for security investments, the survey found. Additionally, 94 percent of IT leadership and professionals said risk assessment was a driver for security investments in 2017. In 2016, 74 percent of respondents said the same.
There has been a continual trend of healthcare shifting from being a compliance-driven industry towards realizing that security is something different and requires its own attention, Symantec Healthcare Solutions Architect Axel Wirth told HealthITSecurity.com. Healthcare data security requires its own attention on both the technical level and the business level.
Wirth noted that the survey showed a slight positive trend of more organizations’ boards asking about the status of security, what incidents are occurring, how the business is impacted, and what type of business risk may occur.
Healthcare data security is becoming more of a business discussion around an organization’s ability to deliver care, he stated.
The speed at which attackers are evolving is the single biggest challenge for the healthcare industry right now, Wirth said.
“The tools are getting better. Their skills are getting better,” he maintained. “And, to a certain extent, they have identified healthcare as a valuable and easy target. The concern across the industry is that even though we see this improvement of security posture in healthcare, the question is, is it improving fast enough?”
Healthcare needs to understand it is facing advanced and sophisticated attackers, sometimes nation-state attackers, Wirth explained. Organizations need to have a security posture that is up to the task. This includes being able to protect sensitive data, protecting the organization’s ability to deliver care, having a quick response time, and ensuring a minimal impact should an incident occur.
Budgeting properly and making necessary investments are key for healthcare. There is never enough money for security, and organizations therefore need to wisely determine where to spend their money, Wirth stated.
“A risk analysis, risk assessment, risk management-driven approach is the right way of doing it,” he emphasized. “But understanding your risk and the spectrum of risk in healthcare is very broad.”
There are risks to data, patient safety, care delivery, reputation, the business itself, and even the ability to earn money by delivering healthcare. Covered entities must understand which areas of their infrastructure are at the most risk and how those risk areas must be addressed, Wirth explained.
“Sometimes that is very tactical, as in, an organization can segment a piece of the network off at a firewall,” he said. “But sometimes it's more strategic, as in developing a security partnership strategy or developing a security education strategy.”
“This all should be driven by an approach that is built around risk realization,” Wirth continued. “But entities must understand what the threats are, what their own abilities are, and what the resulting potential impact on them as a healthcare organization may be.”
Implementing a cybersecurity framework, employee training programs
Cybersecurity frameworks fulfill a number of purposes, in healthcare and other industries, Wirth stated. For example, a framework could help a company identify where it is in terms of risk, identify its goal for security, determine where security gaps exist, and how best to address those gaps.
“A framework also puts the organization on a common terminology in how it expresses its state of security and how it communicates about security within the organization and with external stakeholders,” he said.
“Which, again, is important not only from a mitigation perspective but also from a communication perspective, from the technical level up to the business level and vice versa,” Wirth continued. “From the business level down to the technical level.”
The HIMSS and Symantec study showed that 62.5 percent of healthcare organizations adopted the NIST Cybersecurity Framework to help with HIPAA risk assessments, while 36.5 percent said they use HITRUST.
Cybersecurity frameworks can also help healthcare organizations express their risk tolerance or their chosen governance approach. Entities can utilize frameworks for making decisions about security technologies, budgeting, staffing, and training. Executive decisions like those will eventually need to be communicated and executed on a technical level, Wirth explained.
“Frameworks also allow you to compare yourself against peers in the industry, if it is an industry-specific framework,” Wirth pointed out. “Organizations can even compare themselves to other industries, if it is an industry-neutral framework, like the NIST Cybersecurity Framework.”
Employee training in healthcare is essential for numerous reasons, Wirth stated. Every employee in a healthcare organization has a certain role to play in cybersecurity. Depending on what the job is, that role is very different.
For example, a clinical engineering staff member who works in the IT department has a different role than someone who is part of the clinical staff or is one of the executive decision makers.
“There is a twofold approach,” Wirth observed. “One is, I need to define my requirements and behave in a way as appropriate for my role.”
“So if I'm a clinician using, for example, a medical device or a workstation, I don't need to be concerned about firewalls and network protocols,” he suggested. “But I do need to be concerned about my behavior while I use that device and that I shouldn't be doing anything that would expose that device to a risk. For example, to personal email, some lunchtime shopping, or browsing on the device.”
The same employee training approach can be taken at the executive management level, Wirth said. C-suite and board members can receive very targeted phishing emails, because those individuals often have access to more aspects of a company.
Individuals who are part of the decision-making process in healthcare, for example clinicians who help in the purchasing of new equipment, also need comprehensive training and education.
Those staff members need to understand that security is now part of that process, and that the hospital should make a better effort to buy more secure devices and buy from vendors that are more cooperative and supportive of security.
“Does it mean that, as a clinical specialist, I need to understand all the ins and outs about vulnerabilities and patch management and whatnot? No, it doesn't mean that,” Wirth explained. “But it does mean that I understand that security is indeed part of decisions going forward and it's not about buying a device from one company just because I like it best.”
If a device is not secure, the clinical specialist needs to understand and accept the fact that decisions may go in a different direction.
Avoiding a disparate cybersecurity program
A strong healthcare cybersecurity program needs a top-down effort, Wirth said. Security needs to be driven by the business and executed on the technical level, and those two sides need to connect, communicate, and set the right goals together.
Choosing the right cybersecurity framework for an organization’s specific needs is also essential.
“Decide which one is appropriate for you and at what level,” Wirth explained. “Typically, frameworks can be implemented at a basic or more advanced level or anything in between. Make that decision and then decide on an organization-wide framework and then execute accordingly.”
Additionally, healthcare organizations must understand their capabilities and limitations with regard to security.
“Of all the security problems you're dealing with, which ones are you equipped from staffing, from a skill set, from a budgeting perspective, to address yourself and where do you need help?” Wirth posited.
This does not mean that entities have to outsource everything, he clarified. But organizations do need to know where to draw the line. Sometimes security issues can be handled internally, but other times it is more helpful to work with a third party.
Healthcare organizations can also hinder their cybersecurity measures by spending too much money on disparate security technologies, Wirth added.
There are always top options in security tools for data loss prevention, firewalls, network security, and endpoint security. But the responsibility of cobbling together all those individual best pieces can be a huge burden.
“Rather than taking the best-of-breed approach to security, it is much more efficient to use a partnership and strategic partner type of approach,” Wirth concluded. “This creates less overhead, less management concerns managing this technology, and also most likely creates a better vendor relationship. Organizations can have a deeper, more strategic relationship rather than just buying one technology here and another one there.”