Without the right information security training, healthcare providers could fall victim to numerous types of cybersecurity issues, such as a ransomware attack.
Employees at all levels need to understand the types of warning signs to look for in terms of a potential issue, but also require access to current technologies that will aid in their approach to good cyber hygiene.
Healthcare information security can benefit from organizations investing time and money in a few key areas, Foley & Lardner LLP Partner Mike Overly told HealthITSecurity.com.
Several factors are coming together in terms of the nation’s overall cybersecurity, he said. The HHS Health Care Industry Cybersecurity Task Force report outlined six imperatives, and the Trump Administration is also urging various government groups to improve their cybersecurity.
The Task Force report also identified that healthcare providers are falling behind the curve with regard to information security, Overly added.
“Adding to the heap is the WannaCry incident, which highlights a couple of the things that are identified in the Task Force report,” he stated. “All of this comes together with, and this is highlighted in the task force report, that we need to obviously update systems. We need to replace antiquated systems. We need to have new and better technology relating to information security.”
Studies continue to show that the fundamentals are being overlooked, Overly maintained. Old, antiquated systems should be replaced with more current ones.
The WannaCry ransomware attack and other issues facing healthcare providers arise from a failure to observe the fundamentals, he said: employee training and basic security patching, neither of which requires investing large sums of money.
It does, however, require appropriate time and effort to train personnel and to monitor the readily available notification lists for security patches.
“If healthcare providers would do just those two things, studies show that they could easily avoid well over two-thirds of all security issues,” Overly noted. “At times there's always this approach of, ‘We need to get new and better technology to address these many threats that are out there.’ And in reality, while that's certainly helpful, if one really wanted to dramatically increase security at a healthcare provider facility, it would be to focus on those two fundamentals that don't require that.”
One of the top challenges for healthcare providers, or any organization in the healthcare industry, is limited funds, he continued.
“Unless you're one of the absolute largest providers, you've got a very strict budget,” Overly pointed out. “And even the largest providers have very strict budgets.”
It can be difficult to explain to executives that they need to spend $10 million to replace their current health information system with something newer. It is a real challenge, and one that has to be budgeted and worked on over a number of years to complete the transition, he added.
“What we're seeing, and which is evidenced by the task force report, is that people just aren’t doing [those two fundamentals],” Overly said.
Knowing where data resides can help maintain security
While it may not be entirely fair to say that the healthcare industry is lagging behind other sectors, Overly explained that healthcare is held to a higher standard. Healthcare and financial services are two of the most critical infrastructure sectors in the US, and two of the industries that hold the most sensitive information, he said.
“As was highlighted in the report, it's hard for healthcare providers to simply employ skilled information security professionals,” Overly said. “They can't pay them enough. There aren't as many in particular areas that are needed.”
For example, a healthcare provider located in a relatively remote area of the country may have been trying for over a year to hire an information security executive and simply cannot find someone. Even if that provider can pay double the going rate in the area, it can be difficult to convince someone to move there, either because the offer is not competitive with other regions of the country or because it is hard to persuade someone to relocate to a harsh climate.
Training can also be difficult for healthcare providers, he added, especially when it comes to new technologies.
“Physicians are more or less notoriously difficult to train,” Overly noted. “They're very busy professionals. They're interested in doing things like making sure they save lives and improve patient care, which are absolutely foremost in their minds. It's a very sort of backseat problem for them to start thinking about information security in the context of all of this.”
The Task Force report also noted the tremendously complex environment that even a small healthcare provider operates in, with mobile devices and cloud services. All of these things are coming together, and healthcare professionals look for workarounds when they find those tools difficult to use, Overly said.
“An easy example is a physician who wants to provide better care to their patient,” he explained. “They start having patients email their personal accounts, accounts that aren't necessarily secured. Perhaps they’re sending photographs of a skin condition that has geolocation information in it, which identifies the patient’s home address. These are all very difficult things.”
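The geotagged photo Overly describes is concrete enough to show in code. The following is an added example, not from the article or from Foley & Lardner: a standard-library Python script that walks the marker segments of a JPEG, parses the Exif APP1 segment down to the GPS sub-IFD, converts the GPSLatitude and GPSLongitude tags to decimal degrees, and strips the segment before the image is forwarded. The sample image and its coordinates are constructed in `build_sample_jpeg` (a JPEG header carrying only the Exif segment, with no pixel data) and are not from the page.

```python
"""Added example: detect and strip EXIF GPS coordinates in a JPEG, stdlib only.
The sample image is constructed below; it is not from the article."""
import struct
from fractions import Fraction

EXIF_HEADER = b"Exif\x00\x00"
GPS_IFD_POINTER = 0x8825                       # IFD0 tag pointing at the GPS sub-IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004

def _segments(data):
    """Yield (marker, payload, start, end) for each marker segment before scan data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 2 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == 0xD9:                     # EOI carries no length field
            yield marker, b"", pos, pos + 2
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        end = pos + 2 + length
        yield marker, data[pos + 4:end], pos, end
        pos = end
        if marker == 0xDA:                     # SOS: entropy-coded scan follows, stop
            return

def _parse_ifd(tiff, endian, offset):
    """Return {tag: (type, count, raw 4-byte value-or-offset)} for one IFD."""
    count = struct.unpack(endian + "H", tiff[offset:offset + 2])[0]
    entries = {}
    for i in range(count):
        e = offset + 2 + 12 * i
        tag, typ, n = struct.unpack(endian + "HHI", tiff[e:e + 8])
        entries[tag] = (typ, n, tiff[e + 8:e + 12])
    return entries

def _rationals(tiff, endian, entry):
    """Read the RATIONAL (uint32 numerator, uint32 denominator) values an entry points at."""
    _typ, count, raw = entry
    off = struct.unpack(endian + "I", raw)[0]
    return [Fraction(*struct.unpack(endian + "II", tiff[off + 8 * i:off + 8 * i + 8]))
            for i in range(count)]

def _to_decimal(dms, ref):
    deg, minutes, secs = dms
    value = float(deg + minutes / 60 + secs / 3600)
    return -value if ref in (b"S", b"W") else value

def gps_from_jpeg(data):
    """Return (lat, lon) in decimal degrees if the JPEG carries EXIF GPS tags, else None."""
    for marker, payload, _, _ in _segments(data):
        if marker != 0xE1 or not payload.startswith(EXIF_HEADER):
            continue
        tiff = payload[len(EXIF_HEADER):]
        endian = "<" if tiff[:2] == b"II" else ">"
        ifd0 = _parse_ifd(tiff, endian, struct.unpack(endian + "I", tiff[4:8])[0])
        if GPS_IFD_POINTER not in ifd0:
            return None
        gps = _parse_ifd(tiff, endian, struct.unpack(endian + "I", ifd0[GPS_IFD_POINTER][2])[0])
        if not all(t in gps for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
            return None
        lat = _to_decimal(_rationals(tiff, endian, gps[GPS_LAT]), gps[GPS_LAT_REF][2][:1])
        lon = _to_decimal(_rationals(tiff, endian, gps[GPS_LON]), gps[GPS_LON_REF][2][:1])
        return lat, lon
    return None

def strip_exif(data):
    """Return the JPEG with every APP1 Exif segment removed; pixel data is untouched."""
    out, last = bytearray(data[:2]), 2
    for marker, payload, start, end in _segments(data):
        if marker == 0xE1 and payload.startswith(EXIF_HEADER):
            out += data[last:start]
            last = end
    out += data[last:]
    return bytes(out)

def build_sample_jpeg(lat, lon):
    """Constructed test input: SOI + APP1 Exif (IFD0 -> GPS IFD) + EOI, big-endian TIFF."""
    def dms(x):
        x = abs(Fraction(x).limit_denominator(10**6))
        deg = int(x)
        minutes = int((x - deg) * 60)
        secs = ((x - deg - Fraction(minutes, 60)) * 3600).limit_denominator(10**4)
        return [Fraction(deg), Fraction(minutes), secs]

    def rationals(values):
        return b"".join(struct.pack(">II", v.numerator, v.denominator) for v in values)

    # Layout: header 0-8 | IFD0 8-26 (1 entry) | GPS IFD 26-80 (4 entries) | lat 80-104 | lon 104-128
    gps_off, lat_off, lon_off = 26, 80, 104
    tiff = b"MM\x00\x2a" + struct.pack(">I", 8)
    tiff += struct.pack(">H", 1) + struct.pack(">HHII", GPS_IFD_POINTER, 4, 1, gps_off) + b"\x00" * 4
    tiff += struct.pack(">H", 4)
    tiff += struct.pack(">HHI", GPS_LAT_REF, 2, 2) + (b"S" if lat < 0 else b"N") + b"\x00" * 3
    tiff += struct.pack(">HHII", GPS_LAT, 5, 3, lat_off)
    tiff += struct.pack(">HHI", GPS_LON_REF, 2, 2) + (b"W" if lon < 0 else b"E") + b"\x00" * 3
    tiff += struct.pack(">HHII", GPS_LON, 5, 3, lon_off) + b"\x00" * 4
    tiff += rationals(dms(lat)) + rationals(dms(lon))
    app1 = EXIF_HEADER + tiff
    return b"\xff\xd8" + b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"

if __name__ == "__main__":
    photo = build_sample_jpeg(34.0522, -118.2437)      # constructed coordinates
    print("before:", gps_from_jpeg(photo))
    print("after: ", gps_from_jpeg(strip_exif(photo)))
```

Two caveats matter in practice. Dropping the whole APP1 segment also discards orientation, timestamps and camera data, which is usually acceptable for a clinical intake photo but should be a deliberate choice. More importantly, stripping only helps if it happens before the image leaves the patient's device or at the point a provider-controlled intake system receives it; once the geotagged photo is sitting in a physician's personal mailbox, as in Overly's example, the address has already been exposed.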
However, one area the Task Force report does not mention is that the overwhelming majority of healthcare providers would say that one of the fundamental things they need to do, and have not done, is conduct an inventory of where all of their data resides and who has access to it.
“While that's a simple question, that's a very difficult thing to answer when you've got cloud services, when you have sharing of information between and among healthcare providers and practice groups, etc.,” stated Overly. “You don't know necessarily where all of that data is and who has access to it.”
Healthcare providers need to sit down and map out where the data resides and who has access to it, he noted.
“Without answering that question, I don't know how you can secure that information,” Overly stressed. “There are a lot of fundamental problems here in the healthcare industry that need to be addressed. But, again, before healthcare providers jump to, ‘We need to address and deploy the newest technology,’ they need to address employee training and basic security patching.”
Learning from the WannaCry ransomware attack
Healthcare organizations should ensure that their systems are properly updated to help prepare for another WannaCry ransomware incident, Overly said.
“Even for places that are running very outdated software, Microsoft had made available a patch that would have addressed this problem,” he stated. “They didn't deploy it. This is not a situation where an investment needs to be made to buy something new, but rather simply download what is readily available.”
“One of the fundamentals in information security is that you subscribe to one or more patch notification services that track security patches,” continued Overly. “CERT has one, and there are many others. Certainly the individual vendors of the software that you have in your facility make them available. You need to track those.”
Overly noted that when someone sees that a patch is available, it does not mean that they should “run willy-nilly” into deploying every patch without thinking about it. However, if a patch is released to address a problem, it needs to be deployed promptly.
“If you layer on top of that, simply training personnel to be a bit more careful when they're clicking through attachments or links in emails, you would have addressed an even greater percentage of the WannaCry problem,” he explained. “WannaCry could have been reduced to a relatively trivial problem if people had just addressed those two very fundamental information security approaches.”
Information sharing will also greatly help organizations across the nation better prepare for potential ransomware attacks or other information security issues, Overly added.
“Many healthcare providers are worried about the publicity associated with potentially being the target of an attack,” he said. “And there's nothing wrong with that concern. But that sort of reticence to step forward and say, ‘Hey, there's a problem here. I'm having a problem,’ and to share that information with other healthcare providers frequently leads to a problem.”
“If I knew that my neighbor at another healthcare provider down the street was having a problem that people were bombarding it with, say, spoof email that had ransomware in it, I ought to tell my personnel immediately about this,” continued Overly. “The problem is that information isn't being disseminated terribly well.”
One area that is being reviewed is HHS’ role in facilitating the exchange of information so that providers are less worried about potential liability, he noted. That is a very legitimate concern, but at the same time, if people are talking in the community, that is a stronger community. That needs to be facilitated, Overly stressed.
“There have been discussions about, should it be absolutely mandatory that any ransomware attack be reported?” he said. “Regardless of whether there's an actual compromise of PHI? That way, other healthcare providers can take immediate action. It's a possibility.”
“Or is it better to try and incentivize this in another way to have people talking?” continued Overly. “Because, again, one person standing alone is not terribly strong. A community standing together provides a pretty good defense against this sort of thing.”