- Cybersecurity is a major concern for healthcare executives as we head into 2017. After two years of a steadily increasing cyber threat landscape that resulted in record numbers of patient records compromised, health organizations extorted financially and hospital operations disrupted very publicly, 2017 is likely to be just as interesting.
Most organizations surveyed now report having had a major breach, making it all but expected that eventually having a cyber incident is a sure thing. Those incidents are also costing more - an average of $4 million an incident according to The Ponemon Institute’s latest study sponsored by IBM.
But as some healthcare organizations learned last year, the cost of a major cyber incident can also include significant disruption to operations and reputational harm. So as we head into 2017, what can we expect and how will organizations respond?
Improving cyber hygiene to prevent attacks
Hackers will continue to go after networks, systems, and applications that have been misconfigured or are not maintained properly. Good cyber hygiene will become a common phrase to describe how organizations should approach managing the integrity of the enterprise. Organizations can be expected to look to improve their vulnerability management, increase the frequency of technical testing, add penetration testing, address long overlooked weaknesses in network segmentation and replace/refresh end-of-life platforms.
Malware will intensify in number, as well as sophistication, continuing to be a major delivery vehicle for ransomware and other malicious payloads. We’re also likely to see even more zero-day attacks, making more sophisticated detection an imperative. Malware is delivered through a variety of methods and that is not likely to change, in fact it’s likely to increase. We can expect to see organizations continue to upgrade to next generation firewalls, web and email gateways, and advanced anti-virus and malware detection solutions.
Early warning and avoidance will become highly desired goals when combatting cyber threats. Achieving that is going to require organizations to step up their game in how they architect, manage and, most importantly, monitor what their networks and systems are telling them.
Last year we saw many more health systems embrace outsourcing of network, system, application and data base monitoring and event correlation through Security Information and Event Management (SIEM) with dedicated Security Operation Centers (SOC). This trend will continue as organizations realize manual ad-hoc auditing is no longer adequate.
Readiness will be the difference between organizations that suffer major breaches with harmful effects and those that will recover quickly with minimal impact. Readiness also will require greater situational awareness. Organizations will increase the use of external consultants to ensure objective security and risk assessments, penetration testing, and red team efforts to better understand potential weaknesses in the enterprise before the cyber criminals find them and critically review contingency plans. Cyber exercises will become mainstream hospital risk management events to increase readiness across the organization, not just IT.
Creating a well-rounded, current cybersecurity approach
Access - too much access, access with elevated privilege, poor or absent access control – has contributed to the success of many hacks. Hopefully passwords, poor password practices and the use of single factor authentication will start to disappear quickly.
Organizations are starting to recognize that the first step to reducing risk of compromise is reducing or controlling access more effectively. We should see more two-factor authentication, particularly as it relates to remote access, access to critical applications or elevated privilege, rendering social engineering attacks such as phishing less productive. Organizations will continue to implement vaulting solutions that eliminate elevated privileges making it more difficult for would be attackers to successfully compromise administrative accounts.
Reliance on third parties for critical services, systems and operational support has reached all time high levels in healthcare. Several incidents last year highlighted the risk that this extended supply chain poses.
The Mirai attack at the end of 2016 very successfully disrupted thousands of businesses by attacking the DYN DNS servers, essentially knocking out connections to critical SaaS systems like EHRs, web-based services like email, and web services. Attacks of this nature demonstrate that disruption to business associates can easily cause disruption to the hospital. As a result, we’ll continue to see more attention paid to vendor security management and due diligence in contracting processes.
The future of threat management relies on things like machine learning (AI) and advanced behavioral analytics and threat intelligence. The benefits of recognizing subtle changes in the system or anomalous behaviors in alerting or identifying potentially harmful events are huge.
The assault of ransomware attacks this last year raised everyone’s awareness that traditional approaches and rule-based detection systems alone were not enough. We are seeing and will see more adoption of behavioral analytics to monitor user actions and systems capable of recording and analyzing minute changes or deviations in systems to predict risk will increase.
Healthcare, like so many other industries, will also struggle to recruit, fill and retain all of the positions it needs for cybersecurity personnel. While true across the board, retention is even harder in certain geographic areas. With over one million positions unfilled today, this gulf is expected to grow to nearly 1.5 million before 2019. As a result, organizations are looking to third parties to help fill some of these needs. Services that are likely to increase include virtual CISO, managed services, SaaS, cloud services and general IT security staffing to meet the short-term need for headcount.
Working against the evolving cyber threat landscape
Last but not least, it wouldn’t hardly be about cybersecurity predictions without some mention of what is likely to happen on the threat front.
Cyber extortion will continue to take new forms and put healthcare organizations in some difficult situations.
IoT threats will continue to emerge and cause organizations to rethink allowing freedom on their corporate networks. With all the attention around IoT hacks, which are only a small step away from medical devices, I worry that this may be the year we see the inadvertent impact with patients that everyone is hoping to avoid before we find a way to finally secure those devices.
I also am concerned that the disruptive IoT attacks we saw in 2016 were just test runs for the real thing.
We may finally see malware that has AI properties that makes it easier to evade detection and, therefore, far more effective. I expect to see more disruptive attacks as they continue to have positive outcome for attackers when coupled with extortion.
Finally, we haven’t seen a very public hacktivism attack in a while, but with the current political climate, who knows. The problem with these attacks is that they typically involve collateral damage.
Most healthcare organizations are working hard to catch up with the cyber threats they’ll face in 2017 and will continue to look to external service organizations, technology, and managed services to make that possible.
Meanwhile attackers will continue to redefine the target and the rules, keeping everyone on their toes. Vigilance and innovation are going to be critical.
Successful organizations will be defined not by whether they have or haven’t had a cyber event, but rather by how well they manage the enterprise, are able to detect attackers, efficiently respond to events, and restore operations with minimal compromise or loss of IT assets and disruption.
Mac McMillan, FHIMSS, is co-founder and CEO of CynergisTek, Inc. He brings nearly 40 years of experience in security and has worked in the healthcare industry since his retirement from the federal government. McMillan participates on many advisory boards, and is recognized as a thought leader in healthcare IT for his contributions to industry publications and events on compliance, security and privacy.