Why healthcare must overcome 3 challenges to beef up security
Every day brings a new report of a breach or some other security-related problem in healthcare. The unceasing cycle of incidents raises the question of what healthcare is actually doing about security, and cyber security in particular, and what more could be done.
That question is front and center for many people working inside the industry and for those who study it. It was also the focus of a recent discussion I had with Stephen Cobb, a security industry veteran who currently runs a research team at ESET.
Cobb focuses his research on emerging security threats. Given his earlier experience in the privacy realm, he brings a somewhat different perspective to security.
To set the stage properly: cyber security is not a new issue. Cyber crime has been on the rise for at least six years, and over that time it has grown more complex and is being carried out by more sophisticated actors. It is no longer a matter of the proverbial kid in the basement trying to hack into a system. Today the attacker could be a nation state.
At the same time, healthcare went through a well-publicized push to adopt electronic systems. The result is a convergence of rising criminal activity and a newly digitized industry that is ripe for the picking.
That is a simplification, but Cobb broke the concerns in healthcare down into three dimensions: regulatory, complexity and legacy systems.
From the regulatory perspective, the issues center on complying with HIPAA and becoming complacent about what that compliance means. HIPAA establishes a baseline of security safeguards; it is by no means sufficient to fully (or even adequately) protect against current cyber security threats. Seen from this angle, the regulatory requirements in healthcare set an artificial target for security, and in many cases even that target is not met. A compliance floor is not a security ceiling, and more must be done.
The complexity problem is that information in healthcare differs from that in other industries. The financial and telecommunications industries, which went through comparable systems upgrades earlier, handle different kinds of data, but their data sets are fairly consistent from one organization to the next. In healthcare, rightly or wrongly, each provider seems to maintain its own style of records. Further, the information that makes up a medical record spans many different areas of an individual's life and comes in myriad formats. On top of the variety of formats, that data also has to be disseminated to many different places. Each of these elements creates its own security risk, which in turn makes comprehensive security difficult.
Lastly, healthcare continues to run many legacy systems. Cobb remarked that in some instances systems are so old that newer information technology or security personnel have never seen the technology and may not know how to operate it. As a result, he noted, healthcare may be one of the only industries in which familiarity with systems that are 20 years old, or older, could be viewed as a prerequisite.
Beyond the three dimensions that make security in healthcare difficult, there is also a talent shortage. Cobb referenced studies that found a worldwide shortage of skilled people able to fight cyber crime. It is not a healthcare-specific problem but a system-wide one. The rapid pace at which cyber crime evolves means that, right now, the fight is almost entirely defensive. Hopefully reinforcements, or at least more first-line defenders, will arrive soon.
Right now there are no ready answers. However, it may be useful to look for solutions and assistance in different areas. For example, Cobb explained that an effective security-focused person may have a different psychological profile from the typical IT person. Traits of a good security person may include imagination, strong nerves and a touch of humility. Finding people with these traits could require looking in unexpected places.
The bottom line is that security is a major concern, and one that will only continue to grow. So the question is: what will organizations do? Will they sit back and wait for a problem, or take the bull by the horns and seek to gain whatever control they can over their risks? It is a soul-searching question, although, honestly, there is likely only one answer.