A widespread shortage of cybersecurity staff and a lack of effective measures to thwart hackers and protect sensitive provider and patient information continue to converge and keep healthcare providers highly vulnerable to cyberattacks. But experts say that with total buy-in from all levels of staff, clear processes and asset awareness, victory is within the industry's reach.
A recent report by CSO Online said there were 1 million job openings among the cybersecurity workforce in 2016, and projected that number to climb to 1.5 million by 2019.
"All of a sudden something we've always known is important became very publicly important so now people are scrambling. So absolutely there's a shortage," said Kevin Johnson, cybersecurity expert and CEO of Secure Ideas, a cybersecurity firm.
Bob Chaput, CEO of healthcare cybersecurity firm Clearwater Compliance, agreed that healthcare is playing a serious game of catch-up when it comes to both the adoption and implementation of information technology and information security. He said hospital budgets are often consumed by electronic health record projects, and the role of chief information security officer is often non-existent in hospitals, or is treated as a "collateral assignment" that falls to the chief information officer.
"While the CIO's intent is to safeguard this information, their resources are being consumed in other areas with other priorities," he said.
Chaput also cited rampant changes in the healthcare landscape overall as a reason why adequate attention has not been paid to cybersecurity.
Everybody's got access
Whatever the reasons behind the shortage, the lack of effective protections, coupled with the rising number of attacks and value of sensitive healthcare information to hackers, makes the healthcare industry uniquely vulnerable.
For years, Johnson said, there was a widespread belief that cybercriminals were not attacking hospitals. Beyond that, the industry needed to recognize that the information healthcare holds is sensitive from a cybersecurity perspective and valuable to hackers; they aren't just going after banks and credit cards. The third and most dangerous part is that most healthcare organizations don't have a lot of control. Hospitals are a perfect example, he said. In his experience, many hospital networks are accessed by vendors and contractors who are not hospital employees, from affiliated doctors right down to catering and cleaning staff who have access to machines that are on the network. He said in some hospitals he's worked with, as many as 75 percent of those accessing the hospital's network aren't employees. The lack of control over who has access and when creates opportunity for misuse of network assets.
Chaput went so far as to call the healthcare industry the most attacked of all. In addition to the workforce shortage and the lack of prioritization of cybersecurity, he highlighted the disparity between the rapid evolution of medical devices and technology and the security they require so that patients are protected. Patient safety isn't just about making sure the devices work. Proper protections need to be built into those devices, including the clinical applications, so that innovation isn't coming at the cost of security and privacy, Chaput said.
Both pointed out the need for healthcare organizations of all kinds to realize the value of medical information to cybercriminals, and how that value only makes the target painted on hospitals and providers that much more vivid.
"There's more healthcare data than there has ever been and it's all over and it's more visible and valuable than ever…all sorts of fraud can be committed with medical information."
Hackers are undeterred
After a year in which ransomware and malware proved a constant and effective marauder of protected health information through numerous data breaches, Chaput and Johnson predict that trend will continue because, quite simply, it has proven successful and lucrative for hackers.
Johnson also believes those methods will become pivot points for more sophisticated attacks in which hospital or provider breaches are launch points to invade bigger entities. For instance, a hacker might target a hospital that uses a certain EHR company in order to gain access to that EHR company, to which the hospital in theory has access.
"When you see the spread of malware, you then see spread of it pivoting into other realms," Johnson said.
Both experts said an efficient hospital/provider cybersecurity program starts with staff-wide engagement.
"You must have a program with key elements and capabilities that transcends time, transcends the threats and anticipates that there are new controls that are going to be developed and available to us over time," Chaput said.
For him, an effective cybersecurity program contains five key components. First is governance, and with that the realization that there is value in engaging the board and executives. Next is people, which includes having the right number of people with the right skill sets in the organization to build and operate the program. Third is process, which includes policies, procedures and people taking ownership of them and building practices around good information and risk management. Technology, of course, is important as well, he said. Lastly comes engagement. An overarching commitment to security must become part of the culture of the hospital or provider, as well as having it become second nature such that people are designing security into whatever solutions they are building.
"The organizations that don't do that have a workforce of liabilities. The organizations that do train, actively remind and actively test and monitor, end up turning their workforce into assets. They become sentinels for them," Chaput said.
Johnson said there is flexibility, in that while everyone needs that help, they don't necessarily need the help full-time. Lots of organizations are using third parties for their cybersecurity and that's fine, as long as they educate the staff on their responsibilities.
For him, the most effective programs are hospital-wide. Staff, contractors, everyone must know they have a critical role in protecting data. If you're not educating all users, the program is useless, he said.
Visibility and basic IT hygiene are also crucial. This means knowing all the systems that are running on or connected to the network, who is using them, when and why.
"If you can't manage your own servers, if you don't know what assets are on your network, if you don't know what systems are connecting to what systems and assets, I don't care how smart you are or what products you buy, you're failing at security."
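The asset-awareness point Johnson makes above is easy to state and hard to practice. As an added illustration (not code from the article or from either expert's firm), the script below reconciles what the network actually sees against an asset inventory: it parses DHCP lease lines to learn which MAC addresses obtained which IP addresses, flags devices that are not in the inventory at all, and then flags connections into a clinical network segment that originate from unknown devices or from devices the hospital does not manage, such as a vendor's point-of-sale terminal. The inventory, the DHCP lines, the firewall flow lines and the 10.20.0.0/16 clinical segment are all constructed sample data chosen for the example.

```python
"""Reconcile what is on the network against the asset inventory.

Added example for the asset-visibility point in the article. The inventory,
the DHCP lease lines, the firewall flow lines and the clinical segment are
all constructed sample data, not from any real hospital.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed asset inventory: MAC -> (hostname, owner, managed_by_hospital).
INVENTORY = {
    "00:1a:2b:3c:4d:01": ("ehr-app-01", "IT", True),
    "00:1a:2b:3c:4d:02": ("nurse-ws-14", "IT", True),
    "00:1a:2b:3c:4d:03": ("infusion-pump-7", "Biomed", True),
    "00:1a:2b:3c:4d:04": ("catering-pos-2", "Vendor:FoodCo", False),
}

# Segment that should only be reached by hospital-managed clinical systems
# (constructed for this example).
CLINICAL_SEGMENT = ip_network("10.20.0.0/16")

# Constructed DHCP server log lines in ISC dhcpd style.
DHCP_LOG = """\
Jan 12 08:01:12 dhcpd: DHCPACK on 10.10.5.21 to 00:1a:2b:3c:4d:02 (nurse-ws-14) via eth0
Jan 12 08:02:40 dhcpd: DHCPACK on 10.10.5.33 to 00:1a:2b:3c:4d:04 (catering-pos-2) via eth0
Jan 12 08:03:05 dhcpd: DHCPACK on 10.10.5.77 to 3c:9f:aa:bb:cc:dd (android-7f3e) via eth0
Jan 12 08:03:30 dhcpd: DHCPACK on 10.20.1.9 to 00:1a:2b:3c:4d:03 (infusion-pump-7) via eth1
"""

# Constructed firewall flow records: source -> destination:port.
FLOW_LOG = """\
2024-01-12T08:05:01Z src=10.10.5.21 dst=10.20.1.5 dport=443 action=allow
2024-01-12T08:05:09Z src=10.10.5.33 dst=10.20.1.5 dport=443 action=allow
2024-01-12T08:05:15Z src=10.10.5.77 dst=10.20.1.9 dport=22 action=allow
2024-01-12T08:05:20Z src=10.10.5.21 dst=8.8.8.8 dport=53 action=allow
"""

DHCP_RE = re.compile(r"DHCPACK on (?P<ip>\S+) to (?P<mac>[0-9a-f:]{17})")
FLOW_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


@dataclass(frozen=True)
class Lease:
    ip: str
    mac: str


def parse_leases(log: str) -> list:
    """Extract (ip, mac) pairs from DHCPACK lines; other lines are ignored."""
    leases = []
    for line in log.splitlines():
        m = DHCP_RE.search(line)
        if m:
            leases.append(Lease(m["ip"], m["mac"].lower()))
    return leases


def unknown_hosts(leases, inventory=INVENTORY) -> list:
    """IP addresses handed out to MACs that the inventory knows nothing about."""
    return sorted({lease.ip for lease in leases if lease.mac not in inventory})


def ip_to_asset(leases, inventory=INVENTORY) -> dict:
    """Map each leased IP to its inventory record, or None if unknown."""
    return {lease.ip: inventory.get(lease.mac) for lease in leases}


def flagged_flows(flow_log, leases, inventory=INVENTORY, segment=CLINICAL_SEGMENT) -> list:
    """Flows into the clinical segment from unknown or non-hospital-managed hosts.

    Returns (src, dst, dport, reason) tuples in log order.
    """
    assets = ip_to_asset(leases, inventory)
    flagged = []
    for line in flow_log.splitlines():
        m = FLOW_RE.search(line)
        if not m or ip_address(m["dst"]) not in segment:
            continue
        asset = assets.get(m["src"])
        if asset is None:
            reason = "unknown device"
        elif not asset[2]:
            reason = f"non-managed device ({asset[1]})"
        else:
            continue  # known, hospital-managed host: expected traffic
        flagged.append((m["src"], m["dst"], int(m["dport"]), reason))
    return flagged


if __name__ == "__main__":
    leases = parse_leases(DHCP_LOG)
    print("Unknown devices on the network:", unknown_hosts(leases))
    for src, dst, dport, reason in flagged_flows(FLOW_LOG, leases):
        print(f"{src} -> {dst}:{dport}  {reason}")
```

Run against the constructed data, the script reports one unknown device (the address leased to an Android MAC not in the inventory) and two flows worth a look: the vendor point-of-sale terminal reaching the clinical segment and the unknown device opening SSH to the infusion pump. Keying the inventory on MAC address rather than IP is deliberate; DHCP addresses move, and a vendor laptop that reuses an address a nurse workstation held yesterday would otherwise inherit that workstation's trust.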