Regular risk assessments, updating business continuity plans, and implementing a cybersecurity framework are all key ways for providers to follow a proactive healthcare cybersecurity approach, according to HIMSS Director of Privacy and Security Lee Kim.
The 2017 HIMSS Cybersecurity Survey showed that more organizations are prioritizing security. Even so, there is always room for improvement.
It seems that healthcare providers, mainly those in the acute care space, are taking positive steps toward improving their cybersecurity program, Kim explained.
“On the other hand, there definitely is room for improvement,” she added. “And as a result, there are certainly a lot of concerns in terms of cybersecurity, especially as it relates to relatively new technologies. This includes going to the cloud or connected medical device security.”
The survey results provide a strong baseline of the current state of healthcare cybersecurity, but there is still “a tough road with a lot of challenges,” Kim said.
In terms of having a CISO or other senior leader in place, it was a pleasant surprise to see that many respondents said they do have such a position at their organization.
Specifically, 60 percent of interviewed IT leaders said their organization employs a senior information security leader, such as a CISO. These same entities are also more likely to adopt “holistic cybersecurity practices,” such as education and training or adopting the NIST Cybersecurity Framework.
“Even though the respondent pool was smaller for non-acute care organizations and others, it was nice to see that everyone seems to be universally realizing that we need a CISO with that in-depth cybersecurity experience and leadership,” Kim stated. “It’s needed to help really bolster and improve and push our cybersecurity program forward.”
The HIMSS survey also revealed that 71 percent of respondents said their organization allocates a specific part of its budget toward cybersecurity, with 60 percent using 3 percent or more of the overall budget toward cybersecurity.
“It's fair to say that with our previous surveys, we didn't really ask the question in terms of having a budget,” Kim acknowledged. “It's certainly good to see that a lot of folks this year have allocated budget towards cybersecurity.”
“I can't help but think that the organizations that only have 1 to 2 percent of their budget dedicated to cybersecurity, that they are somewhat in a pinch,” she continued. “Likely they're struggling with having old technologies or security solutions, which they want to upgrade but for lack of financial resources.”
Regardless, Kim maintained that it was “really nice to see” that a lot of organizations were spending 3 percent or more of their budget on cybersecurity. Increased spending does not always solve problems, but improved financial resources can pay for operating system and software upgrades, security solution upgrades, firewalls, and intrusion detection systems, she said.
Implementing frameworks, opting for information sharing
The 2017 survey also found that 86 percent of healthcare organizations are using at least one security framework. Sixty-two percent said they use the NIST CSF, 25 percent reported using HITRUST, and 25 percent cited ISO as their framework of choice.
HIPAA compliance on its own is not enough, Kim stressed. Healthcare organizations are being attacked more often, and entities need to do something more to build a security program.
“HIPAA really doesn't tell you how to do these things in terms of protecting information, safeguarding integrity, and confidentiality and availability,” she said. “But that's where a framework really helps you to understand how you can structure a security program, what to focus on, how to prioritize, which controls to put in place.”
“It literally gives you a roadmap in terms of how you may structure your security program and where to place your resources that you do have.”
There are many security frameworks out there, Kim continued. HIMSS included some of the more popular ones in its survey – the NIST CSF, HITRUST – but that list is not exhaustive.
It was also interesting to see the difference between respondents who had a CISO in place versus the entities that did not have a security leader.
For example, when there is a CISO or other senior information security leader in place, 95 percent of respondents said they use the NIST Cybersecurity Framework. When there is not a CISO or similar staff member in place, 30 percent of respondents said their organization utilizes the NIST CSF.
Kim noted that the 2017 survey questions were more general than some of the 2016 survey questions. Last year’s report was more focused on the specific tools and technologies that organizations had in place for data security.
Analyzing the two reports together, though, Kim explained that the 2016 results already gave a sense that organizations were realizing that cyber threats are real.
“They're gearing up, maybe out of fear, maybe out of initiative, maybe out of both,” she said.
In 2017, those feelings have only continued to come to fruition. Respondents are accepting the reality that cybersecurity threats are not simply abstract or academic. Most people acknowledge that cybersecurity can pose very real dangers to healthcare entities, and there are now more key focus areas.
“Folks are strengthening their business continuity and disaster recovery processes, based on the questions that we asked and the data we received from the respondents,” Kim stated. “It also seems as though, based upon analysis, that the current stance of the healthcare providers is that they have dug deeper into this area and are getting much more serious.”
“More providers seemingly are conducting mock exercises, testing for failure, things like that,” she continued. “Whereas before, perhaps it was more of an assumed thing that technology will work and you don't have to worry about, for example, the unavailability of a cloud resource.”
The 2017 survey definitely revealed that healthcare organizations are “upping their games,” Kim stressed. Providers have adjusted to the new reality that there are very sophisticated threat actors as well as sophisticated tools to combat those potential threats.
Looking ahead, Kim maintained that providers must remain aware of the potential open doors in their organization.
For example, if a backend database connected to an organization’s systems is reachable through the website, such as via a web form, it may be possible for someone to invoke a shell on the machine, she explained. That malicious threat actor could “essentially take complete control over the machine, executing a few commands, experimenting here and there.”
“Many of these open doors happen because we aren't really carefully auditing the security of our system,” Kim pointed out. “We aren't closing those open doors, such as unsanitized web input that gets fed to back-end SQL databases. We aren't auditing the software, or other things that we may have newly acquired or that we may acquire, to see what the impact is on the security of your system. We need to do that more.”
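The “unsanitized web input fed to a back-end SQL database” open door that Kim describes, and the audit check that closes it, can be shown side by side. The following Python snippet is an added example, not code from HIMSS or from the survey; it uses the standard-library sqlite3 module with a constructed in-memory patients table (the MRN values and names are made up), and the function names are the author's own. It contrasts a query built by string concatenation with the same lookup done through parameter binding, plus an allowlist check on the input's shape as a second layer.

```python
import re
import sqlite3

# Constructed sample data: a tiny in-memory patient-lookup table. Not real records.
SAMPLE_ROWS = [
    ("MRN-0001", "Alice Example"),
    ("MRN-0002", "Bob Example"),
    ("MRN-0003", "Carol Example"),
]

# Allowlist for the only input shape a medical record number lookup should accept.
MRN_PATTERN = re.compile(r"MRN-\d{4}")


def make_db():
    """Build the constructed sample database in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (mrn TEXT PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO patients VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, mrn):
    """The open door: web input is pasted straight into the SQL text.

    Whatever the user typed becomes part of the statement, so quote
    characters in the input change the query's meaning.
    """
    query = f"SELECT mrn, name FROM patients WHERE mrn = '{mrn}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, mrn):
    """The fix: the value travels to the driver separately from the SQL text.

    The database treats the bound value purely as data, so it can never
    be interpreted as SQL, regardless of what characters it contains.
    """
    return conn.execute(
        "SELECT mrn, name FROM patients WHERE mrn = ?", (mrn,)
    ).fetchall()


def lookup_hardened(conn, mrn):
    """Defense in depth: reject malformed input before it reaches the query."""
    if not MRN_PATTERN.fullmatch(mrn):
        raise ValueError("rejected malformed MRN")
    return lookup_parameterized(conn, mrn)


def audit_demo():
    """Run the kind of probe a yearly security audit would use against both paths.

    Returns a dict of results so the difference between the two lookups
    can be inspected (or asserted on) directly.
    """
    conn = make_db()
    normal = "MRN-0002"
    # Constructed tautology input: it closes the quoted string early and
    # appends a condition that is always true.
    tautology = "' OR '1'='1"
    return {
        "vuln_normal": lookup_vulnerable(conn, normal),
        "vuln_tautology": lookup_vulnerable(conn, tautology),
        "param_normal": lookup_parameterized(conn, normal),
        "param_tautology": lookup_parameterized(conn, tautology),
    }


if __name__ == "__main__":
    for label, rows in audit_demo().items():
        print(f"{label}: {len(rows)} row(s) -> {rows}")
```

Run as a script, the vulnerable lookup returns every row for the tautology input while the parameterized lookup returns none; that contrast is the finding an audit should surface. The allowlist in lookup_hardened is not a substitute for parameter binding but an extra layer in the defense-in-depth sense Kim closes with, and it also turns a malformed request into a loggable rejection rather than a silent empty result.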
Information sharing can also be greatly beneficial to help the industry as a whole improve its cybersecurity, Kim stated.
“What's happening to other healthcare organizations may affect you,” she noted. “But definitely connect with your colleagues whom you trust and ask what kinds of threats are happening, what to be wary of, what they're doing that works, what they've found that doesn't work.”
Creating a more proactive approach in general is essential. The increase in penetration testing and building more thorough business continuity plans shows that healthcare is moving away from being reactionary.
“It's always good to still stick to the basic security principles of defense in depth, and have multiple layers of security in place,” Kim concluded. “You can't be too big or too small to be potentially compromised. Definitely have these measures in place. Be proactive. And get the security auditing done at least once a year by your organization.”