Healthcare is struggling with cybersecurity and is not facing its biggest emerging risks. Integrity-based attacks will greatly impact the healthcare industry, and yet many organizations are not working toward adequately addressing the challenge. In the end, it will add to their patients' suffering.
In today’s video: I answer a question about how I think cyberattacks that undermine the integrity of systems and data will play a significant role in the healthcare industry. I offer some advice to organizations looking to bypass painful lessons and address what will be the biggest threat for modern healthcare.
I am gravely concerned that medical care organizations are not well prepared for the biggest risks and are acting in ways counterproductive to establishing sustainable security, privacy, and safety in our digital world. I see three major problems facing the healthcare industry as they pertain to cybersecurity.
Data Breaches, which are confidentiality attacks, were the wake-up call for healthcare and are still widely regarded as the primary issue facing the sector. The exposure of patient data records has tarnished the reputation of providers, but more importantly to executives, it is a regulatory violation requiring immediate attention.
Denial of Service (DoS), which are availability attacks, have begun to impact hospitals and care facilities. Bringing down customer portals and internal systems can cause delays, frustration, and even degrade service to those in need. Although not yet widespread, the European region has felt the brunt of these attacks thus far. There is growing concern among healthcare organizations that DoS attacks may proliferate.
But these confidentiality and availability attacks are only the tip of the iceberg. There are far more impactful threats lurking in the waters ahead. Unlike data breaches, which steal or expose sensitive information, or DoS attacks, which make services unreachable, integrity attacks alter data within systems to the benefit of attackers. The overall impact can be much greater.
Consider the difference. It might be embarrassing to have your prescription made public. It would be annoying if it were deleted altogether and you had to get a replacement. However, it would be unimaginable for the prescription to be silently changed to a different, possibly dangerous drug or dosage, or to one that would not provide relief. Integrity attacks are much more difficult to detect and can result in more serious ramifications.
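As an added illustration that is not part of the original post: the three outcomes for the prescription above (exposed, deleted, altered) played out in code. A naive dispensing routine happily acts on an altered dosage, which is why integrity attacks go unnoticed; a record sealed with an HMAC makes the same alteration detectable. The record layout, field names, key and sample prescription are constructed for this example and are not from the post or from any real clinical system.

```python
"""Tamper-evident prescription records: why an altered dose is invisible
unless the system checks integrity. Added example, not the post's own code."""
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample prescription (hypothetical patient and fields).
SAMPLE_RX = {"patient_id": "P-1001", "drug": "metformin", "dose_mg": 500, "frequency": "2/day"}

# Hypothetical server-side key. In a real deployment it would live in an HSM/KMS,
# never alongside the records it protects.
RECORD_KEY = b"example-key-do-not-use-in-production"


def canonical(record: dict) -> bytes:
    """Canonical JSON so the same logical record always yields the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(record: dict, key: bytes) -> dict:
    """Return a copy of the record carrying an HMAC-SHA256 tag over its contents."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {**record, "tag": tag}


def verify(sealed: dict, key: bytes) -> bool:
    """True only if the stored tag matches the record's current contents under this key."""
    body = {k: v for k, v in sealed.items() if k != "tag"}
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed.get("tag", ""))


def tamper(record: dict, **changes) -> dict:
    """Simulate an integrity attack: change fields in place, leaving any stored tag as-is."""
    return {**record, **changes}


def dispense_unprotected(record: Optional[dict]) -> str:
    """Naive dispenser: trusts whatever the database returns."""
    if record is None:
        return "unavailable"  # availability attack: deletion is at least visible
    return f"dispense {record['dose_mg']} mg {record['drug']} {record['frequency']}"


def dispense_sealed(sealed: Optional[dict], key: bytes) -> str:
    """Dispenser that refuses to act on a record whose integrity check fails."""
    if sealed is None:
        return "unavailable"
    if not verify(sealed, key):
        return "rejected: integrity check failed"
    return dispense_unprotected(sealed)


def demo() -> dict:
    """Walk the three attack classes against both dispensers."""
    sealed = seal(SAMPLE_RX, RECORD_KEY)
    return {
        # Confidentiality attack: a copy exposes the data but changes nothing.
        "copied": dispense_sealed(dict(sealed), RECORD_KEY),
        # Availability attack: the record is gone, and everyone notices.
        "deleted": dispense_sealed(None, RECORD_KEY),
        # Integrity attack, tenfold dose, against the naive dispenser: silently acted on.
        "altered_unprotected": dispense_unprotected(tamper(SAMPLE_RX, dose_mg=5000)),
        # Same alteration against the sealed record: the stale tag no longer matches.
        "altered_sealed": dispense_sealed(tamper(sealed, dose_mg=5000), RECORD_KEY),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:20s} -> {outcome}")
```

The HMAC only helps if the attacker cannot reach the key or the code path that seals records; an adversary who compromises the application that writes prescriptions can produce a valid tag for a malicious record. That is why the key belongs in hardware-backed storage, why sealing should happen at a trusted boundary, and why an independent audit trail of writes is still needed on top of this check.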
When it comes to cybercrime, the losses from integrity attacks far exceed those from DoS or data breaches. Some integrity compromises have resulted in millions, and in some cases hundreds of millions, of dollars in asset losses.
Organizations that are not savvy in the adversarial complexities of cybersecurity tend to oversimplify the problem. It is easy to imagine cyber as simply an Information Technology (IT) obstacle, where spending has a direct relationship to 'solving' problems. Most healthcare companies held this flawed point of view, at least initially.
Surprised by the devastating data breaches in 2015, senior leaders chose to throw a lot of money at the problem, very quickly, in hopes of permanently fixing the vulnerabilities that caused the data leaks. What they did not understand is that closing vulnerabilities is a continuous endeavor that extends beyond technology to include behavioral and process issues, which change often. Security is never a one-time expenditure. Rather, it must be a sustained capability that adapts to new threats, varying infrastructures, and shifting expectations.
Lessons from the past. The finance industry followed this same frustrating path more than 10 years ago. Countless times I was asked what 'box', software, or service they needed to buy to fix their security. They saw protecting digital assets as a utility: a light switch that simply needed to be turned on. Pay for it once and be done. So many other IT problems were fixed this way. It took a decade of painful lessons for the finance sector to understand the true nature of the problem and the permanence of what it takes to sustain risk mitigation efforts.
The healthcare community must understand that throwing money at this problem, without a long-term plan, causes more challenges in the long run.
“Overinvestment can be just as detrimental as under-investment”
Most organizations suffer from not having enough money for security. But the opposite can be problematic as well. A glut of money, without results to justify the expenditure, causes a different kind of disruption. Blindly hiring staff, purchasing tools, and signing service contracts looks at first glance like a viable path to remedying security. It does not take long to realize the error when the return on such investments falls far below expectations. Executives' frustration boils over when breaches and other incidents continue to occur even after sizable resources have been spent.
Many times, rapid expansion of a security organization is followed by contraction through deep budget cuts. Staffing is one of the greatest expenses, and the most qualified personnel tend to leave first, as they have plenty of other opportunities in the market. Projects then become understaffed and cannot meet goals, forcing a reorganization and consolidation that leaves major gaps in mitigation coverage. The remaining staff are shifted into roles for which they are neither experienced nor trained. Quality and overall capability suffer greatly, and confidence from top management continues to wither. The house of cards topples. Such upheaval opens the door to more security incidents that cannot be ignored and that require additional resources to address. The cycle then repeats, usually with different leadership.
The finance industry learned these lessons the hard way. I witnessed some organizations go through this cycle close to a dozen times. CISO roles have notoriously short durations, sometimes lasting just a few months before becoming vacant and a new CISO is brought in. Such short tenures cause chaos in the ranks, as each leader will have a different vision and plan, but likely not the time or talent to make it a reality. Hiring experienced staff becomes ever more challenging as employers earn a dubious reputation as a revolving door, vacillating between hiring and layoffs.
Successful security that is sustainable, meeting risk, cost, and usability goals, begins at the top. The Board of Directors and C-Suite must understand the risks, define high-level goals, and provide the strategic resources necessary to support worthwhile plans. It is neither easy nor intuitive for most boards and executive officers.
Unlike many perceived technology problems, security does not get 'solved' with resources alone. Cybersecurity requires a continual effort that must be integrated into the fabric of the organization. Proper leadership is a necessity. In its absence, more security surprises will occur as new threats, methods, and attacks compound the problems, increase liability, and erode the trust of customers. Failures also draw unwanted attention from media, government auditors, investigators, and regulatory bodies seeking to institute more governmental oversight and controls.
Healthcare has an opportunity to learn from other industries and avoid their mistakes, leapfrogging into a more mature and sustainable state. Support from executive leadership is key. In its absence, managing cyber risks is an uphill battle, slow to adapt to new threats and expensive to the business and the customers. Boards and C-Suites would benefit from peer-level representation and insight regarding cyber risks.
First, do no harm (primum non nocere) – the bioethics principle of the Hippocratic oath.
Although data breaches and denial of service attacks have vexed the industry and shaken executives, they are minor compared to what lies ahead. Integrity attacks could be orders of magnitude more devastating! Devices, treatments, and infrastructure are at risk. Such attacks endanger the very health of the customers, who have faith and trust in their service provider to help rather than harm.
Ignoring the risks and doing nothing will expose patients to compounding, avoidable risks at the hands of their own health provider.
Evolving cyber threats that leverage integrity-based attacks are precipitating change in the health industry. The impacts of these attacks will place people's lives, welfare, and safety at risk. The healthcare industry will learn that the integrity of its digital systems is just as important as the integrity of the caregivers themselves. Until it faces these emerging risks, healthcare will continue to struggle in managing cybersecurity, and as a result it may adversely affect the care of its patients.
Matthew Rosenquist is an industry-recognized pragmatic, passionate, and innovative strategic security expert with 28 years of experience. He thrives in challenging cybersecurity environments and in the face of ever-shifting threats. A leader in identifying opportunities, driving industry change, and building mature security organizations, Matthew delivers capabilities for sustainable security postures. He has experience in protecting billions of dollars of corporate assets, consulting across industry verticals, understanding current and emerging risks, communicating opportunities, forging internal cooperation and executive buy-in, and developing practical strategies. Matthew is a trusted advisor, security expert, and evangelist for academia, businesses, and governments around the world, and a public advocate for best practices and for communicating the risks and opportunities emerging in cybersecurity. He delivers engaging keynotes, speeches, interviews, and consulting sessions at conferences and to audiences around the globe. He has attracted a large social following of security peers, is an active member of advisory boards, and is quoted in news, magazines, and books. Matthew is a recognized industry expert, speaker, and leader who enjoys the pursuit of optimal cybersecurity. He is experienced in building world-class teams and capabilities, managing security operations, evangelizing best practices to the market, developing security products, and improving corporate security services.