Industry Observations

Houston, We Have a (Cyber) Problem

Recent high-profile attacks on healthcare organizations have highlighted the need for data security that goes far beyond simply being compliant. Protected Health Information (PHI) has a much higher value on the black market than credit cards, and cybercriminals are now in constant attack mode.  Alas, cyber attacks on healthcare will continue to escalate as long as hackers see healthcare institutions as soft targets.  

So how, exactly, has healthcare achieved this “sitting duck” status? Why is it a soft target?

One possible explanation arrived with the release of the HIMSS 2016 Cybersecurity Survey, and it makes for pretty ugly reading for hospital boards and health IT executives alike. The survey shows that healthcare has simply failed to deploy key technology critical to protecting patient data, the kind of technology that is commonplace in other industries. Healthcare has always been a highly regulated industry with a long list of compliance requirements. But many of those requirements have little to do with data and application security, and being compliant is not the same as being secure.

Of those surveyed, only 84.9% use anti-virus or anti-malware software. Let that sink in for a second: more than 15% of the responding organizations have not deployed even the most basic form of endpoint protection.

Is that what we call a soft target?  You bet.

Unfortunately, the survey results only get worse from there.  Only 78% of acute care hospitals use firewalls. Additionally, only 68% of organizations handling PHI encrypt data in transit, and 61% encrypt data at rest.

Wait, you might protest. Doesn't HIPAA mandate encryption? Not quite. The HIPAA Security Rule lists encryption of electronic PHI as an "addressable" implementation specification: a covered entity must implement it where reasonable and appropriate, or document why it is not and put an equivalent alternative measure in place. The practical incentive is strong, though, because under the HHS breach notification rules the loss of properly encrypted PHI is generally not a reportable breach. Exactly how and when that plays out is complicated and too long for a mere blog.

The diagnosis only gets bleaker: only 57% use intrusion detection, 56% use mobile device management, 49% employ intrusion prevention, and 41% use some form of multi-factor authentication. Across the board, security technology now considered commonplace elsewhere is simply not being used in hospitals.

Of particular concern is the lack of website protection: a mere 43% of respondents have deployed a web security gateway or web application firewall. (The survey groups the two together, but they are different controls. A web security gateway filters the traffic your users send out to the web; a web application firewall filters the traffic attackers send in to your applications. Only the latter protects a patient portal.) Healthcare, particularly as the industry continues to transform itself, is increasingly reliant on a plethora of web applications to deliver patient care, applications used by patients and providers alike. Built without secure coding practices, these applications can be easy targets for hackers, who exploit them to reach the EMRs and other clinical systems sitting behind them. A WAF helps, but it is a compensating control, not a substitute for applications that are secure by design. Understanding web vulnerabilities is imperative to building a robust security posture. Sadly, web security education is yet another area of significant under-investment for healthcare institutions, so the vulnerability is real and the focus should be top of mind.

Is protecting patient data all about investing in more security technology? Of course not. Training is still a huge requirement, as user error plays a major role in many breach incidents. Maintaining existing security architectures, no matter how rudimentary they appear to be, is also crucial: malware still breaks into networks through vulnerabilities for which a patch was available but never deployed.

Let’s not move away from the elephant stalking the room too quickly, however.  Healthcare’s failure to utilize core, readily-available technology is a major problem, and cybercriminals will continue to target healthcare while the defenses remain porous.  Hackers look for the path of least resistance, and healthcare has been signposting that for far too long.

Tags: application security, Compliance, Healthcare, Vulnerabilities, web application security, web application vulnerabilities, web security