- The 2017 Health Care Industry Cybersecurity Task Force report painted a damning picture of cybersecurity in healthcare, including the discovery that three out of four hospitals operate without a designated security leader.
Those providers have been forced to get creative with security, including sharing chief information security officers with other health organizations or elevating staff to fill the position (among other creative workarounds).
However, considering the number of breaches in the past few years and the continued onslaught of attacks, the health sector hasn’t made much progress. A Ponemon report found 75 percent of health providers admitted their IT security teams are understaffed, and they struggle to attract qualified candidates.
It begs the question, could automating some of these processes alleviate some of healthcare’s resource woes? Yes, and no.
Where It Works — With Human Interaction
Automating health data security processes sounds like a simple method. That is using technology for complex business needs, explained David Finn, Executive Vice President of Strategic Innovation for CynergisTek. Using machine learning and other forms of artificial intelligence, automation can speed up and streamline rote processes.
For example, automation is ideal for password resets, password standards (length and format) and applying updates/patches.
“In the ‘old’ days this was a very labor-intensive issue: You had to talk to a human being,” said Finn. “Today, because we can identify and authenticate a user and/or device, password resets can be accomplished online, at any time, without a call and without having to tie up another person who may be dealing with a user who is having issues with their computer or an application they’ve never used before.”
But automation isn’t a set-it-and-forget-it tool. It requires human interaction and well-defined, well-documented processes to be effective, explained Finn. Security leaders must outline rules for how the process flows and specify trees with finite outcomes.
The alternative is that “your automation efforts may result in more chaos, more work, bigger issues and perhaps less security,” said Finn. “You also need to have defined steps for when the process ‘breaks.’ We’ve all been frustrated when we can’t get something done and there is no person to talk to.”
“Automation doesn’t mean the elimination of people, it means the re-deployment of people to do the work that can’t be automated — work that requires real-time decision-making outside of the prescribed rules,” he added.
No Silver Bullet
Far too often in healthcare, organizations make the mistake of being drawn to a silver bullet solution to remedy security flaws. Automation can help, but it won’t solve every problem.
“Automation doesn’t mean the elimination of people, it means the re-deployment of people to do the work that can’t be automated.”
In fact, the Ponemon report found that automating may be compounding the security skills gap issue. About 76 percent of IT and security professionals believe that machine learning and artificial intelligence tools and services aggregate the problem, as it increases the need for more highly skilled security staff.
Further, only 26 percent of organization use automation as part of its security program. And just 15 percent believe that AI is dependable and trusted security tool. But despite these low numbers, 41 percent plan to invest in automation, which has been fueled by the staffing shortage.
So, just where does automation fit?
“Too often we think technology will be that ‘silver bullet,’ even after decades of learning and re-learning that technology is not a silver bullet, but it’s just another tool,” said Finn. “Tools are used by people in processes.”
“Automating bad processes (or ill-defined processes) and not teaching people how to use the tool or making it simple enough so it doesn’t require any training – are recipes for failure,” said Finn.
To implement automating successfully, and as it should be incorporated into a security toolbelt, organizations need to focus on processes that allow a picture to be drawn of “the process that moves logically from one binary decision to another,” explained Finn.
Otherwise, automation will be difficult. Further, he explained that “if an untrained person can’t negotiate your diagram, no one will be able to use the automation tool.”
As a result, Finn said that security leaders must test the potential automated process with the people who will actually use the tool before it’s programmed — and after.
The Future of Automation
While there are obvious weaknesses to automation, the tool will be crucial in healthcare moving forward. A recent Gartner report found that by 2020, 15 percent of organizations with five or more security professionals will adopt SOAR (Security Orchestration, Automation and Response).
The shift will be fueled by the increase in security alarms and the lack of staff to address them, according to the report. Currently, security teams have to manually collect and piece together threat information — a process that leaves a lot of health organizations struggling to keep ahead.
The impact was highlighted by a phishing incident on the Minnesota Department of Health and Human Services over the summer.
The state agency was hit with a series of targeted phishing campaigns over the course of two months, and some employees were tricked into clicking the link, breaching 21,000 patient records over the course of a month.
“Automating bad processes (or ill-defined processes) and not teaching people how to use the tool or making it simple enough so it doesn’t require any training – are recipes for failure.”
When grilled by state senators as to why the breach went undetected for months, Joanna Clyborne, Minnesota IT Services Commissioner boiled the issue down to timeliness and a lack of resources, along delays in forensics backlogs.
“The breach is indicative of a growing and invasive cyber threat,” Clyborne said at the time. “It requires our constant vigilance, attention and innovation. The fact of the matter is, however, that the [security team] is not resourced fully to address these persistent threats.”
She further explained that the onslaught of phishing attacks made it impossible for her IT team to keep up. Given the continued alerts from the Department of Health and Human Services, Department of Homeland Security, security researchers, and other federal agencies, hackers will continue to ramp up attacks — especially on the healthcare sector.
Driven by the shortage of skilled security professionals, the explosion of IoT devices, and the progress of AI and machine learning, “automation will be a key part of security going forward,” said Finn.
“The need to review and assess massive amounts of security data (logs), and the need to move from forensic review to near real-time action on security incidents, will require automation,” said Finn. “This will need to be evolutionary not immediate, as there will be ‘unintended consequences,’ and security is not an area to use as a petri dish.”
“We see today with many security and privacy tools false positives or false negatives, but this is how you begin to understand your ‘norm’ and can fine tune those tools to determine what is normal, what is simply incorrect and shouldn’t be allowed and what is an outlier and requires human intervention,” he added.
The next step in security automation is “orchestration,” Finn explained. At the moment, there are too many data sources for any one person to understand or assimilate. But by using login data tied to endpoint security tools and other data, overlaid with data from network tools, firewalls and DLP solution, security leaders can “really begin to move toward security decision support.”
“The caveat, once again, is that until you have strong baseline data that will help you define ‘normal’ flows and processes you won’t be able to effectively automate it,” Finn said. “But that is coming.”