Why healthcare has an unhealthy detection and protection problem
This past year has been an eventful one for the world of healthcare, and we have made some massive strides in improving the industry's overall security posture. As a result, many of the year-end reports and statistics show healthcare as the fastest-improving vertical in information security.
Unfortunately, that honor was bestowed on healthcare because the industry was (and still is) by far the furthest behind in securing its networks and protecting the privacy of the data on them.
The security elements most lacking in the healthcare industry relate directly to the detection of threats and the protection of information and systems. Criminals worldwide have realized that the American healthcare industry holds loads of incredibly valuable information that is less well protected than the less-valuable information other industries store. The problem began with the push for mandatory EHR adoption over a decade ago and has only grown as healthcare has struggled to secure its systems with fewer resources than most other verticals.
Resources are sorely lacking in healthcare security. For starters, healthcare IT and information security (IS) salaries don't compete with those offered by other industries, making recruiting virtually impossible. Couple this with the fact that an information security professional in a healthcare setting will almost always carry significantly more responsibilities than better-paid counterparts in other industries. These are just some of the factors behind the shortage of qualified security and general IT staff in the industry.
Adding to the shortage of qualified talent to secure sensitive healthcare networks, the average provider spent less than 6 percent of an already paltry (compared to other enterprises) IT budget on security. This means the average healthcare organization devotes significantly fewer resources to security than a similar-sized organization in another vertical, which has produced the large gap in security technologies and capabilities between healthcare enterprises and non-healthcare organizations.
Another aspect that differs significantly from most other industries is the culture of healthcare. As a rule, healthcare professionals are there to help people: literally, to provide care. This is simultaneously the industry's greatest asset and its most damaging vulnerability.
Friendly, helpful staff and well-planned, well-executed care are what keep patients coming back and, in turn, keep the doors open so providers can help more people. Caring for patients and trusting those who seek help are important qualities in a healthcare professional, but they are also the cause of many of the breaches we see.
The culture of the average healthcare organization sets up a perfect playground for criminals and scammers to take advantage of. Criminals do not care about people; they care about making money, and they will exploit anything and everything they can to get ahead and steal valuable information. Because criminals as a whole have shifted their focus from financial services and large enterprises to healthcare, the attacks are growing in frequency and size.
Now that we have clearly established what to be concerned about in 2019, there are actions organizations can take to keep the momentum going and continue getting better at protecting their networks.
One of the most effective things to do is to use the constant attacks and the plethora of news stories about major breaches to get executive buy-in. Leadership is the only entity that can fix the resource shortages. Use the statistics, the breaches and the momentum of 2018's improvements to show leadership where the organization is lacking, and present the data in a way that can be easily understood. The best-funded organizations have IT/IS leadership that talks to the C-suite in business terms.
Once there is buy-in from the top, security awareness can be built into the culture. Awareness cannot be achieved with just an annual slide deck and a test; it is only truly realized when there is a constant stream of information flowing to the entire organization. Everyone has to understand that security and privacy cannot be accomplished by a small team: it is everyone's business and everyone has a role to play.