The Cybersecurity Challenges in Healthcare

In our most recent research reports that summarize CISO activity, we found that Healthcare, a sector that operates within a strict regulatory framework, exhibits a poor track record for hiring strong CISOs yet continues to remain among the most targeted industries for cyber-attacks.

CISO Consumption Trends 2019

While financial institutions must carefully protect customer PII, health organizations have a more complex duty of care with regard to PHI, medical surgical devices and robotics, and much greater liability exposures compared to most other industry sectors.

Nonetheless, we found that in the latter part of 2019, interest among senior security practitioners in Healthcare tracked at less than or equal to half the interaction when contrasted with their counterparts in technology, banking and government. It is almost as if healthcare CISOs were reluctant to participate in forums and discussions related to cyber-threats and counter-measures among their industry peers.

So, in an attempt to find answers, I recently polled a group of my colleagues working as CISOs and senior security practitioners in the Healthcare industry. Here is their consensus and candid view of their cybersecurity challenges:

Legal, Risk & Compliance; Large and in Charge

As a highly regulated industry, nothing of import can change without the blessing of legal, risk, and compliance (LRC). LRC is ignorant of cybersecurity and of the need for agility, so every decision related to cyber is a slow crawl through the process.

Big Spend on Technology Actually Increases Risk

Healthcare has no problem spending whatever it takes on the best technology, be it for medical or cybersecurity purposes (Palo Alto, Cisco, Citrix, etc.). Yet there is a significant skills gap in the utilization of these technologies and a significant overlap in functionality. The overlap blinds internal analysts to threats, because one functional area believes that a technology installed in another functional area already addresses a specific category of threat. The overlap actually reduces the efficacy of the solutions.

Reduced Spend on Skilled Resources

While Healthcare spends profusely on technology, the reverse is true when it comes to security personnel. The turnover rate among qualified practitioners is extraordinarily high, and poorly structured compensation plans are a large factor. One of the most common rationalizations is “every dollar we spend on security is a dollar we take away from patients.” The other factor that exacerbates the problem is that staffing levels are held below basic needs; the combination spurs the high turnover, with long lead times to replace departing personnel.

Legacy Momentum Impedes Progress

All of my colleagues have worked in other industries, and they universally agree that the hold of legacy momentum on Healthcare is the most pronounced they have ever seen. Each colleague reported thousands of Win7 devices (now at End of Life) still deployed, and even an abundance of untouchable XP and Server 2008 systems. The resistance to replacing these vulnerable devices originates in the policy position that taking them offline, even for a couple of days, would interrupt critical care-giving or testing services.

The irony here, of course, is that by failing to upgrade and move off highly exposed end-of-life devices, and by failing to patch known and critical vulnerabilities, this stubbornness puts these very systems at the center of the bull's-eye for cyber-attacks that increase risk and ultimately lead to patient deaths.

Low Expectations; Unrealistic Threat Assessment

The standard of cybersecurity performance is much lower than in adjacent industry sectors. A common response to a breach is that, if it was the first one in several years, the organization was assessed to be doing a pretty good job. It is as if there were no recognition that the threat landscape is constantly changing, and as if having no knowledge of whether a penetration or breach has occurred were a satisfactory state. The management team of one of my colleagues recently decided to outsource all cybersecurity decisions to a large international consulting firm known for business, finance and operational consulting, but not for cybersecurity expertise. I’m not sure how exactly this shift adds value, but it certainly adds cost.

The Qualified Risk Hangover

Every environment polled suggests that risk management on the whole remains a qualitative effort, and that any initiative toward a quantitative approach to decision-making has met with resistance based on “the way we’ve always done it.” This insistence on perpetuating the detect-and-respond cycle further increases risk in an environment already straining under resistance to change from multiple business and patient-care units as well as from corporate and board leadership.

Reality Bites

New strains of ransomware and zero-day threat vectors now emerge daily, and Healthcare remains a high priority for bad guys who seek high-value payloads among the least well-defended and least sophisticated targets.

Unless the obstructions to implementing a proper set of cybersecurity controls and processes, supported by aggressive hiring and retention practices, are removed, the problems will inevitably continue. The best security practitioners will move on to more rewarding opportunities, leaving Healthcare as an industry to repeat the behaviors that have put it at the top of the popularity list for cyber-attackers, criminals and thieves.

On a side note, Healthcare startups (with advanced, baked-in cybersecurity defense programs) closed a record 4,900 rounds of venture financing, representing $54 billion in funding, in 2019.

Traditional Healthcare institutions aren’t just facing threats from cyber-attacks in 2020; there are a ton of new players marching up the hill and “the way we’ve always done it” isn’t going to cut it going forward.

Your articles consistently hit on the most frustrating reality I experience every day. That is, the failure not only to comprehend but to act on the importance of adjusting the mindset to the situation and determining what needs to be done through that new lens. The most dangerous phrase in our culture is "We've always done it this way." Aristotle's quote: "We are what we repeatedly do. Excellence, therefore, is not an act, but a habit." These two quotes, when combined, summarize the problem and the reason for the lack of the necessary change occurring. In the case of the second quote, habit is a learned skill that requires training and continued preparation through testing. Both training and preparation require commitment that is often not made. Just my personal view on the situation.