Budget restraints, aging infrastructure loom as security risks
A just-released HIMSS survey shows organizations are trying to do more to face down phishing attacks and ransomware gambits.
Cybersecurity professionals in healthcare continue to face a steady onslaught of cyberattacks from the outside, but organizations appear to be increasingly vulnerable as computing platforms age and security budgets remain stagnant.
Those are among the findings from the 2021 HIMSS Healthcare Cybersecurity Survey Report, which offered some challenges for security at the nation’s healthcare organizations.
Security budget constraints at some organizations, along with aging infrastructure, come even as the threat of attacks is rising across multiple industry sectors, including healthcare. Late in January, the Cybersecurity & Infrastructure Security Agency (CISA) urged organizations to protect against attacks and watch for malicious cyber activity.
While most threats in healthcare still appear to originate in phishing or human error, the HIMSS survey indicates that about half of respondents reported security budgets that were flat or down in 2021 compared with 2020, and about 38 percent expected security budgets to remain the same (35 percent) or decline (3 percent) in 2022.
By contrast, 31 percent of respondents said security budgets increased by 10 percent or more in 2021, and 26 percent of respondents expected similar increases in 2022.
This year, respondents to the HIMSS survey predict that phishing attacks, ransomware and breaches or data leakage will be the biggest threats for security professionals. Other rising threats include social engineering attacks, credential harvesting attacks and negligent insider activity, respondents said. “It is likely that many healthcare organizations are not able to have robust plans of action regarding all their concerns,” HIMSS researchers concluded.
Budget (cited by 47 percent) and staff compliance with policies and procedures (cited by 43 percent) were the security challenges respondents mentioned most often, and another 39 percent named legacy technology as a growing vulnerability concern.
That’s causing headaches because the operating systems of key devices, applications or network equipment are so old that they are no longer supported by their manufacturers. “Typically, security patches and other upgrades are unavailable,” HIMSS notes, and it is precisely those updates that close known security gaps.
Nearly three out of four respondents (73 percent) said their organizations have operating system platforms that are no longer being updated. These include Windows Server 2008, mentioned by 35 percent; Windows 7 (34 percent); legacy medical device operating systems (25 percent); industrial control operating systems (21 percent); Windows XP (20 percent); and Windows Server 2003 and 2003 R2 (19 percent).
In fact, 11 percent of respondents reported still having Microsoft operating systems from before the turn of the century.
Legacy “footprints” within organizations remain small – 76 percent of respondents say less than 20 percent of devices or systems run on legacy systems. But the risk remains high because, “except in certain special circumstances, there are typically no patches available for legacy systems. In the absence of compensating controls, legacy systems are truly vulnerable targets.”
Constraints on security budgets also may impact how quickly security patches are applied when issued for newer devices and computing systems. Respondents indicate that their organizations triage patches based on the perceived criticality of the threat. For example, 70 percent of respondents said they apply patches within one month for vulnerabilities that are rated low in severity, but 69 percent say they apply patches within 48 hours for critical severity threats.
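The triage described above, patch windows keyed to severity plus the compensating-control question for end-of-support platforms, can be turned into a simple compliance check. The following is an added example written for this page, not code from HIMSS or the article. The 48-hour critical window and one-month low window are the figures quoted in the article; the high and medium windows, the asset inventory, the compensating-control names and the VULN-nnnn identifiers are constructed placeholders.

```python
"""Patch-SLA and legacy-OS triage over a constructed asset inventory (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Set

# Remediation windows per severity. Critical (48 hours) and low (one month) are the
# timelines quoted in the article; high and medium are assumed values for this example.
SLA = {
    "critical": timedelta(hours=48),
    "high": timedelta(days=7),      # assumption
    "medium": timedelta(days=14),   # assumption
    "low": timedelta(days=30),      # "within one month"
}

# Platforms the article lists as no longer receiving vendor updates.
END_OF_SUPPORT = {
    "Windows Server 2003", "Windows Server 2003 R2", "Windows Server 2008",
    "Windows XP", "Windows 7",
}


@dataclass
class Asset:
    name: str
    os: str
    # Control names are constructed labels, e.g. "segmented" for network isolation.
    compensating_controls: Set[str] = field(default_factory=set)


@dataclass
class Finding:
    asset: str
    vuln_id: str            # VULN-nnnn placeholders, not real identifiers
    severity: str
    disclosed: datetime
    patched: Optional[datetime] = None


def deadline(f: Finding) -> datetime:
    """Point in time by which a finding of this severity should be remediated."""
    return f.disclosed + SLA[f.severity]


def overdue_findings(findings: List[Finding], now: datetime) -> List[Finding]:
    """Unpatched findings whose remediation window has already elapsed at `now`."""
    return [f for f in findings if f.patched is None and now > deadline(f)]


def unmitigated_legacy(assets: List[Asset], required=("segmented",)) -> List[Asset]:
    """End-of-support assets lacking any of the required compensating controls."""
    return [a for a in assets
            if a.os in END_OF_SUPPORT and not set(required) <= a.compensating_controls]


def sla_compliance(findings: List[Finding], now: datetime) -> float:
    """Share of findings patched inside their window or still inside it at `now`."""
    if not findings:
        return 1.0
    ok = sum(1 for f in findings if (f.patched or now) <= deadline(f))
    return ok / len(findings)


# Constructed sample data: one fixed "now" so the results are reproducible.
NOW = datetime(2022, 2, 10, 12, 0)
ASSETS = [
    Asset("imaging-01", "Windows 7", {"segmented"}),
    Asset("lab-gw", "Windows Server 2008"),
    Asset("web-01", "Windows Server 2019"),
]
FINDINGS = [
    Finding("web-01", "VULN-0001", "critical", datetime(2022, 2, 9)),      # 36h old, in window
    Finding("web-01", "VULN-0002", "critical", datetime(2022, 2, 7)),      # 84h old, overdue
    Finding("lab-gw", "VULN-0003", "low", datetime(2022, 1, 1)),           # >30 days, overdue
    Finding("imaging-01", "VULN-0004", "low", datetime(2022, 1, 20),
            patched=datetime(2022, 2, 1)),                                 # patched in window
]

if __name__ == "__main__":
    for f in overdue_findings(FINDINGS, NOW):
        print(f"OVERDUE {f.vuln_id} on {f.asset}: {f.severity}, due {deadline(f):%Y-%m-%d %H:%M}")
    for a in unmitigated_legacy(ASSETS):
        print(f"LEGACY WITHOUT CONTROLS {a.name}: {a.os}")
    print(f"SLA compliance: {sla_compliance(FINDINGS, NOW):.0%}")
```

Two design points: an unpatched finding that is still inside its window counts as compliant, so the compliance figure does not penalize work that is simply not yet due; and the legacy check is deliberately separate from the SLA check, because for an end-of-support platform the question is not "when will the patch land" but whether the compensating controls the report calls for are actually in place.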
“The longer it takes to patch, the greater opportunity there is for threat actors to potentially compromise a healthcare organization’s infrastructure and assets,” HIMSS researchers noted. “Absent a robust patch and vulnerability management program, there may be various entry points into a healthcare organization’s systems and networks.”
When active security incidents are reported, timelines for patching for all types of threats are faster, researchers noted.
A final worrisome factor is that while most organizations employ security solutions, they’re not always deployed across the entire organization. The top security controls in healthcare are antivirus/anti-malware solutions, firewalls and email security gateways.
However, only 78 percent of respondents reported that antivirus/anti-malware solutions were implemented across the entirety of their organizations. In terms of firewalls, only 71 percent of organizations reported full deployment, and only 57 percent of organizations have email security gateways across the entire enterprise.
Without these basic controls in use throughout the enterprise, “healthcare organizations are ill equipped in terms of truly basic security defenses,” HIMSS concluded.