Security threats on the rise, but are orgs equipped for defense?
Panel of CISOs notes that calls for hyper-connectivity across the industry come at a time when new vulnerabilities can expose multiple attack vectors.
Cyber attacks have gained new visibility in healthcare, and chief information security officers are facing new challenges in protecting the data in their organizations’ systems.
Data show that attacks have increased during the pandemic, with a significant rise in ransomware gambits. The risks of ransomware were recently highlighted in an article on cnn.com, which briefly was the lead story on the website on Sunday, January 16. It highlighted how the quick thinking of Jason Hussey, Jackson Hospital’s IT director, contained a ransomware attack at the 100-bed facility.
In that case, quick action partitioned off the hospital’s EHR system and required clinicians to turn to paper records until the integrity of all hospital computers could be verified. Those kinds of cyber challenges are facing CISOs on a daily basis, according to participants in a panel discussion on security hosted last week by the Workgroup for Electronic Data Interchange (WEDI).
Results of a survey by the College of Healthcare Information Management Executives (CHIME) released late last year detail the increased cyber threats for healthcare organizations, said David Finn, vice president of the organization’s affiliated professional groups.
In a survey of its 900-plus members, CHIME found that half were impacted by phishing emails, and 30 percent reported an outage of their electronic health records systems. “Most disturbing is that 15 percent reported a patient safety issue related to a cyber event, and 10 percent said they had to divert patients” because of a cyberattack, Finn said.
“This impacts lives, and it’s not just a technical issue that needs to be repaired,” Finn added. These security challenges “have been getting worse by the end of 2021.”
Attack vectors have increased because healthcare service delivery had to adapt and become more dispersed during the COVID-19 pandemic, said Dan Bowden, CISO at Sentara Healthcare. “We have to be much more flexible now,” he said of security postures. “When you add functionality, you add exposure.”
Cybercriminals also have become more active because ransomware has proven to be a lucrative form of attack across wide swaths of society, said Rick Doten, CISO for Carolina Complete Health, a care collaboration between the North Carolina Medical Society, the North Carolina Community Health Center Association and Centene Corp. “There’s an increase in adversary activity because they’ve found new ways of making money.”
Healthcare is also susceptible to newly emerging attacks, such as the recently reported vulnerability in Log4j, an open source logging library for Java that is widely used by businesses and web portals. The vulnerability could be exploited by a remote attacker to execute arbitrary code or cause a denial of service on affected servers.
These emerging, indirect attacks will continue, said Stephen Dunkle, CISO for Geisinger, a regional healthcare provider in Pennsylvania. Healthcare is caught between calls for easier access to data and rising risks for not sufficiently hardening information systems against attack.
“Our sector is very hyper-connected, and it’s secured by practices that range from good security to no security,” Finn said. “That raises the issue of the haves and have-nots (with cyber resources). How do you protect the have-nots, to help the small organizations that typically struggle the most (with cyber security)? What can the big systems do to help?”
Data show that 85 percent of hospitals don’t have a qualified security person on staff, Doten noted. Providers have multiple relationships – with clinicians, payers, partners, business associates and patients – and each represents a specific security risk and requires a different security education discussion.
Worse, there's persistent reluctance for healthcare organizations to admit to security incidents, and this perceived embarrassment leads to lack of common industry awareness about attackers' gambits. "We seem to be running in opposing directions in some ways relative to disclosure and information sharing on breaches," Dunkle posited. "Any time someone has a ransomware event and suffers a network outage, they don't even share it's a security incident. I want to engage with my peers. We have to get out of silos and work together. We've got to get in a position to comfortably disclose information with each other and not end up hurting our organizations."
Breach notifications serve a useful purpose, added Doten. With notifications, "We would know we dealt with 20 partners that had ransomware attacks. What can larger companies do? We can support by providing guidance; we have more staff and capability. It takes a village, and we can all help each other."
The challenge is accurately assessing where the risk lies with security incidents, Dunkle affirmed. "There is a view that cybersecurity stops everything. The key is partnership in communication. This really involves enterprise risk management, of which cyber is just a part. Cyber threats are not just managed in the middle of the organization, but they need to be managed from the top. As CISOs, we struggle daily with the fact that we're not the ones that tolerate the risk; it's the organization that does."
"Our role is not to protect IT; it's to protect the business," Doten added. "Security is a business decision, and I agree that you need to have risk-based discussions. Too often, our peer group 'loses the audience,' and we have to be able to talk to the board in ways that get their support."
In addition to their organizations gaining a wider understanding of cyber threats, panelists also see a silver lining in the pandemic – adaptation to virtual life has broadened the ability of healthcare organizations to recruit security professionals. Nationally, security professionals are in short supply, and healthcare organizations have been perceived to be at a disadvantage in recruitment efforts. Perhaps that is changing, they say.
"I've found it easier because the talent is no longer location-specific," Geisinger's Dunkle said. "My entire department is a remote workforce; we have talent from all over the country. From an engagement standpoint, it has been great. I don't have to worry about recruiting a security person with a healthcare background. If I can bring in someone from retail or finance, they have 90 percent of the tools already with them."