By Matt Phillion
Protecting information systems and data from cyberattacks is top of mind for health IT and cybersecurity professionals. Not only are we witnessing higher volumes of attacks, but also the bad actors are getting better at their jobs, using new tools to make phishing and other targeted attacks more effective than ever.
Healthcare has always had a target on its back for cyber threats, but hackers have widened the scope of their attacks: not just looking at high-profile, high-yield targets like large hospital systems, but also turning their attention to mid-market and smaller systems and individual hospitals as well.
How can CIOs and other leaders increase awareness of threat activity across their organizations in the coming year, and how can they share relevant information with their colleagues to help create a more educated, better prepared healthcare ecosystem from within?
“The types of threats themselves are not a whole lot different, but what’s changed is healthcare organizations are becoming much more aware that the risk is real,” says Jeff Stravers, Virtual CIO of Anatomy IT. “Even smaller ones acknowledge the threat: the larger facilities have known for a long time, and it’s been a focus of their spend, but it’s really sinking in for those in the regional and critical access space that they are as much a target as anyone else.”
Regardless of size, healthcare organizations face the same risks—and the same monetary benefit when they shore up their security systems.
“The risk is as real as it’s ever been, or even more so. You hear about breaches at larger systems, but they are just as much a reality to smaller organizations. They just don’t get as much press,” he says.
Stravers notes that the U.S. Department of Health & Human Services Office for Civil Rights (OCR) publishes a list of breaches, and the mix of large and small organizations on it makes clear that attackers are not biased one way or the other: everyone has data they value, and they’ll pursue any target they think they can breach.
“We always feel like the bad guys have a very sophisticated business model, they have a very extensive budget, and they’re trying of course to get information from as many people as they can,” says Stravers. “I personally don’t think they focus on large versus small. If you gain access to a large facility’s data, the payload might be great, but it takes more time and effort than a handful of smaller ones. I do think those smaller facilities are becoming a bigger target because the tools the threat actors have available to them enable them to reach so many more organizations than they could in the past.”
The old saying about breaches that it’s not “if,” but “when” has always been a truism, but do people act on it?
“It’s been a mantra for years, but I don’t know if we truly believe that. Smaller spaces will sometimes say, ‘I’m in the middle of nowhere, nobody’s looking at me,’ so they don’t internalize the ‘when’ component,” says Stravers. “There’s a need for education, a need to get people to believe that the threat is real and that a small facility is as vulnerable as anyone else.”
Granted, there is a monetary aspect to it. Everyone is fighting for the same budget dollars, and for healthcare facilities, capital dollars that could go toward cybersecurity may get gobbled up by the need for equipment that more overtly and directly impacts patient care, like replacing aging diagnostic tools.
“At the end of the day each organization only has X number of capital dollars to spend, and those capital dollars need to have an impact. We have to look at ways to maximize the benefit with minimum spend,” says Stravers.
Incidents as stark reminders
Unfortunately, it is still often the case that the reminder of the need for cybersecurity spend comes from an incident.
“Suddenly it becomes real,” Stravers says. “I hate to say it, but an incident is a way to remind us that it has an impact—not that I want anyone to go through it. It’s no fun and no one wants to deal with the repercussions, but this is why regular discussions about security are important.”
Phishing is still the most common tool used to gain access to healthcare systems (and in other industries as well). This means there is still a powerful need for education and training about how to identify phishing emails and what to do when you encounter something suspicious, because the gap in the organization’s armor can so often be simple human error or lack of awareness.
Phishing simulators and training should be ongoing priorities for organizations: how to spot a phish, and how to respond and involve security when you encounter a suspicious email.
“Communications and education are still the most key elements,” says Stravers. “What to watch for, knowing not to click on anything suspicious, but also if you do, how to take action immediately.”
Because phishing defense relies so heavily on human reaction and education, repetition until the lesson sticks really is the most effective strategy, Stravers notes.
“We see failure rates drop when there’s constant simulations and reminders. That’s evidence you can’t be too over communicative,” he says. “You might worry about being the boy who cried wolf and the message will get watered down, but I don’t think you can say it enough.”
Beyond training and education, there are services and software that can—and should—be considered if they haven’t been already. Endpoint detection and response (EDR) or managed detection and response (MDR) can be cost-effective ways to upgrade from the standard antivirus the organization may currently be running.
“It doesn’t take a lot of effort to do and can be effective at stopping the proliferation of an attack,” says Stravers. “If you’re paying for antivirus today, step it up to the next level.”
The concept of zero trust—a security model under which all users, whether inside or outside the network, must be authenticated and are not trusted by default—has been around for years, but continues to strengthen as a tactic for organizations.
“It’s one of those things that can have a huge impact, but not everybody is thrilled about implementing it because it takes staff to care and feed it, but the results are pretty significant,” says Stravers. “You’ll get false positives, and there are things it will stop that are authentic, but we’ve seen it catch things, you’re glad it did. The results are pretty significant where it’s in place.”
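To make the “not trusted by default” idea concrete, here is an added example (not code from the article or from Anatomy IT) that evaluates the same set of requests under a perimeter model, where anything coming from the internal network is trusted, and under a zero trust model, where every request must carry an authenticated identity, an authorized role and, for sensitive resources, a verified MFA step. The internal address range, the resource names, the role table and the sample requests are all constructed for illustration.

```python
"""Deny-by-default access decisions: perimeter trust versus zero trust.

Added example with a constructed policy table and constructed sample requests;
it is not code from the article or from the organizations it mentions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress

# Constructed "inside the network" range used by the legacy perimeter model.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Hypothetical policy: which roles may reach which resource, and whether MFA is required.
POLICY = {
    "ehr/patient-records": {"roles": {"clinician"}, "mfa": True},
    "infusion-pump/telemetry": {"roles": {"biomed"}, "mfa": True},
    "intranet/cafeteria-menu": {"roles": {"clinician", "biomed", "staff"}, "mfa": False},
}


@dataclass(frozen=True)
class Request:
    source_ip: str
    resource: str
    identity: Optional[str]   # None means no credential was presented at all
    role: Optional[str]
    mfa_verified: bool


def perimeter_allows(req: Request) -> bool:
    """Castle-and-moat model: being on the internal network is the whole check."""
    return ipaddress.ip_address(req.source_ip) in INTERNAL_NET


def zero_trust_allows(req: Request) -> bool:
    """Every request is authenticated and authorized; network location is ignored."""
    rule = POLICY.get(req.resource)
    if rule is None:
        return False                      # unknown resource: deny by default
    if req.identity is None or req.role is None:
        return False                      # no authenticated identity: deny
    if req.role not in rule["roles"]:
        return False                      # authenticated but not authorized
    if rule["mfa"] and not req.mfa_verified:
        return False                      # sensitive resource without MFA: deny
    return True


def evaluate(requests: List[Request]) -> List[Tuple[str, bool, bool]]:
    """Return (resource, perimeter_decision, zero_trust_decision) for each request."""
    return [(r.resource, perimeter_allows(r), zero_trust_allows(r)) for r in requests]


# Constructed sample traffic, not real log data.
SAMPLE_REQUESTS = [
    # Unauthenticated device on the internal LAN reaching for patient records.
    Request("10.20.30.40", "ehr/patient-records", None, None, False),
    # Clinician working remotely with a valid identity and MFA.
    Request("203.0.113.7", "ehr/patient-records", "dr.lee", "clinician", True),
    # Internal clinician whose MFA step did not complete (a "false positive" from the user's view).
    Request("10.20.30.41", "ehr/patient-records", "dr.lee", "clinician", False),
    # Staff member on the LAN reading a low-sensitivity page; both models agree.
    Request("10.20.30.42", "intranet/cafeteria-menu", "j.smith", "staff", False),
    # Authenticated biomed engineer asking for a resource no policy covers.
    Request("203.0.113.8", "lab/unlisted-service", "tech1", "biomed", True),
]

if __name__ == "__main__":
    for resource, perim, zt in evaluate(SAMPLE_REQUESTS):
        print(f"{resource:28s} perimeter={perim!s:5s} zero_trust={zt}")
```

The third sample request is the kind of case Stravers describes as a false positive: a legitimate clinician is denied because the MFA step did not complete, and someone has to care for and feed the policy so that this is resolved quickly. The first request shows the payoff: under the perimeter model an unauthenticated device on the LAN reads patient records, while the zero trust check denies it outright.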
Healthcare faces a few unique challenges when it comes to cybersecurity: the proliferation of IoT devices, such as medication pumps, onto which you cannot load an EDR or zero trust client means there are internet-connected devices with their own security challenges to consider.
“Otherwise, the reality is we’re all using the same equipment, and the payload is the same,” says Stravers.
AI comes up in conversation often in this space, but Stravers notes that it’s not quite at the point where it can truly replace the human component of security.
“I’m not comfortable saying it’s there yet, that it’s completely effective,” says Stravers. “But threat actors are using it effectively to make their phishing simulations more realistic, but on the security side, it has potential, but it’s going to take time to vet it and get it to where it can have an impact on staffing issues.”
Recruitment of skilled personnel needs to remain top of mind, but much as with clinical providers, recruiting IT and security talent in remote areas can be an organizational burden.
“This is where an organization like ours can step in to help. If you’re in a remote area and can’t find IT talent, it’s possible to outsource and have multiple layers of experience and technological skill without hiring someone yourself,” says Stravers.
As we head into the new year, it’s worth reviewing how organizations are addressing existing threats.
“The things that scare me haven’t changed a whole lot other than the frequency,” says Stravers. “It’s continuing to ramp up and hits closer to home all the time. It really just hits home that we’re going to deal with it in 2024, and we can say all day that we’re safe and fine, but until we deal with it, we’re not. What gives me hope is that awareness is growing. People are focusing on key areas like having a disaster recovery plan, having good backups. When I talk to executives, they say that security is their biggest concern, and that tells me they’re awakening to the fact that we’re not safe.”
Matt Phillion is a freelance writer covering healthcare, cybersecurity, and more. He can be reached at email@example.com.