
Healthcare institutions are prime targets for cybercriminals because of the vast amount of sensitive patient data they hold and the criticality of their operations. The healthcare industry has lagged behind other industries in protecting its main stakeholders, and hospitals must now invest considerable capital and effort in protecting their systems.
The healthcare industry has been facing an increasing number of cyberattacks, with data breaches costing an average of $10.93 million per breach, almost double that of the financial industry. Cyberattacks on healthcare organizations can put patients' lives and entire organizations at risk.
The healthcare sector has been rapidly adopting digital technologies such as electronic health records, telemedicine, and Internet of Things (IoT) devices. While these technologies bring numerous benefits, they also expand the attack surface, providing more entry points for cybercriminals.
The most prominent and significant methods of cyberattacks that occurred during the COVID-19 pandemic were related to phishing, ransomware, distributed denial-of-service attacks, and malware.
The main challenges faced by health care organizations are inadequate endpoint device management, lack of security awareness, an insecure remote work environment, inadequate business continuity plans, lack of coordinated incident response, and difficulty in balancing security investment against service delivery quality.
To enhance cybersecurity capabilities at hospitals, the main focus of chief information officers and chief information security officers should be on reducing endpoint complexity and improving internal stakeholder alignment.
Remote working security assurance
Remote working has become an integral part of healthcare services, but it also comes with certain risks that cybercriminals can exploit. Here are some measures to ensure remote working security assurance in the healthcare sector:
- Secure Remote Access: It is crucial to ensure that remote workers access internal networks securely. This can be achieved by using virtual private networks (VPNs) and implementing additional protections such as firewalls, whitelists, and multi-factor authentication.
- Endpoint Protection: Endpoint devices, such as patient-monitoring equipment, often lack proper security measures. It is essential to apply endpoint device management tools and keep these devices updated with the latest security patches.
- Security Awareness Training: The healthcare sector should invest in comprehensive security awareness training programs to educate staff about potential threats, such as phishing and ransomware attacks. Training should also cover secure practices when working remotely and using personal devices.
- Strong Password Policies: Encourage the use of complex and unique passwords for all accounts. Password managers can help generate and store strong passwords. Additionally, periodic password changes and the use of multi-factor authentication add extra layers of protection.
- Data Backup and Recovery: Implement robust data backup and recovery solutions to ensure business continuity in the event of a cyberattack. This includes regular data backups, intrusion detection systems, and prevention mechanisms.
- Incident Response Planning: Develop a comprehensive incident response plan to effectively handle security breaches. This includes defining containment measures, establishing communication channels, and conducting regular simulations to test and improve the plan.
- Network Segmentation: Isolate network traffic by segmenting the network. This helps limit the impact of a security breach and prevents unauthorized access to sensitive data.
- Blockchain Technology: Explore the use of blockchain technology to enhance data security and interoperability in the healthcare sector. Blockchain provides immutability, transparency, and decentralization, making it ideal for secure data sharing.
Endpoint device management
The growing number of endpoint devices in healthcare, such as blood pressure monitors, electrocardiogram and MRI machines, IV pumps, and implanted defibrillators, presents a significant challenge for IT professionals. These devices, often with outdated operating systems, expand the attack surface for potential cyberattacks and make the network more vulnerable. Effective endpoint device management is, therefore, critical to safeguarding sensitive patient data and ensuring the security of the entire network.
A robust endpoint device management strategy involves keeping an up-to-date inventory of all devices, implementing security measures such as two-factor authentication and encryption, and regularly patching and updating devices to address vulnerabilities. Additionally, user training and clear policies for personal device usage are essential components of a comprehensive endpoint device management strategy.
Some healthcare organizations also employ technologies such as virtual desktop infrastructure and unified endpoint management solutions to simplify endpoint management and enhance security. By investing in advanced endpoint management tools and practices, healthcare providers can protect patient data, foster compliance with regulations, and build trust with patients and stakeholders.
Examples of Endpoint Device Management in Healthcare
Boston Medical Center
Boston Medical Center, a 514-bed teaching hospital, employs a multilayered approach to endpoint management. They use a combination of security tools, including a McAfee Endpoint Security agent, a cloud-based secure gateway, and unified endpoint management for mobile devices. They also prioritize password protection and regularly update all devices to maintain security.
Beebe Healthcare
Beebe Healthcare, a 210-bed system, focuses on timely software security patching and network monitoring. They utilize anti-virus and anti-malware software and implement a mobile endpoint management platform to secure their network. Additionally, they isolate traffic from approved medical devices on a separate network segment to minimize risks.
Challenges and Strategies
The complexity of healthcare organizations, with numerous interconnected devices and a variety of users, makes endpoint device management a challenging task. Here are some key challenges and strategies to overcome them:
Challenge: High Endpoint Complexity
Hospitals deal with a vast array of endpoint devices, including medical equipment, personal devices, and IoT gadgets. This complexity provides multiple entry points for potential cyberattacks.
Strategy:
- Maintain a comprehensive inventory of all endpoint devices.
- Regularly update and patch devices to address vulnerabilities.
- Implement security measures such as firewalls, anti-virus software, and encryption.
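The inventory, patching, encryption and segmentation points above (and the separate medical-device segment described for Beebe Healthcare) can be turned into an automated audit. The following is an added example, not code from the page or from any of the hospitals named; the inventory records, the medical segment range, the patch SLA and the end-of-support OS list are all constructed assumptions.

```python
"""Audit a hospital endpoint inventory against the strategy in the text (added example).

Constructed inventory records and policy values; flags end-of-support operating
systems, overdue patching, medical devices outside the isolated segment, and
unencrypted workstations.
"""
from dataclasses import dataclass
from datetime import date
import ipaddress

MEDICAL_SEGMENT = ipaddress.ip_network("10.20.0.0/16")   # assumed isolated medical VLAN
PATCH_SLA_DAYS = 30                                        # assumed patching policy
END_OF_SUPPORT_OS = {"Windows XP", "Windows 7", "Windows Server 2008"}  # vendor support ended


@dataclass
class Endpoint:
    name: str
    kind: str          # "medical" (e.g. MRI, IV pump) or "workstation"
    os: str
    ip: str
    last_patched: date
    encrypted: bool    # full-disk encryption present


def audit_endpoint(ep: Endpoint, today: date) -> list[str]:
    """Return the policy findings for one device (empty list means compliant)."""
    findings = []
    if ep.os in END_OF_SUPPORT_OS:
        findings.append("end-of-support OS")
    if (today - ep.last_patched).days > PATCH_SLA_DAYS:
        findings.append("patch overdue")
    if ep.kind == "medical" and ipaddress.ip_address(ep.ip) not in MEDICAL_SEGMENT:
        findings.append("medical device outside isolated segment")
    if ep.kind == "workstation" and not ep.encrypted:
        findings.append("disk not encrypted")
    return findings


def audit_inventory(inventory: list[Endpoint], today: date) -> dict[str, list[str]]:
    """Map each non-compliant device name to its findings."""
    return {ep.name: f for ep in inventory if (f := audit_endpoint(ep, today))}


TODAY = date(2024, 3, 1)  # fixed audit date so results are reproducible
INVENTORY = [  # constructed sample records
    Endpoint("mri-01", "medical", "Windows 7", "10.20.3.15", date(2023, 11, 1), False),
    Endpoint("iv-pump-07", "medical", "Embedded Linux", "10.10.5.22", date(2024, 2, 20), False),
    Endpoint("nurse-ws-12", "workstation", "Windows 11", "10.10.1.40", date(2024, 2, 25), True),
    Endpoint("reg-desk-03", "workstation", "Windows 10", "10.10.1.41", date(2024, 1, 10), False),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY, TODAY).items():
        print(f"{name}: {', '.join(findings)}")
```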
Challenge: Human Error
Users are often the weakest link in any security strategy. In healthcare, accidental clicks on phishing emails or downloading malware can compromise sensitive data.
Strategy:
- Implement application allowlisting to allow only approved software.
- Use content filtering to block access to harmful websites.
- Provide user training and awareness programs to educate users about potential threats.
Challenge: Resource Constraints
Healthcare organizations often face limited resources, including budget constraints and a shortage of experienced cybersecurity experts.
Strategy:
- Prioritize cybersecurity as a strategic investment and allocate adequate resources.
- Adopt scalable and integrated endpoint management solutions to optimize resource utilization.
- Outsource cybersecurity expertise if necessary.
By addressing these challenges and implementing robust endpoint device management strategies, healthcare organizations can enhance their security posture, protect sensitive data, and ensure the continuity of critical healthcare services.
Human factors in cybersecurity
Human Error and the Need for Training
The majority of information security incidents are related to human error. Sudden changes in working practices and prolonged stress make employees more likely to fall for malicious trickery and to make mistakes. There is a statistically significant positive correlation between workload and the probability of a healthcare staff member opening a phishing email.
There is a need for root cause analysis to prevent human error-related security incidents, especially those through unintentional human error. Although some effort has been made in applying the human reliability analysis technique in the context of information security (e.g., Information Security Core Human Error Causes [IS-CHEC]), such approaches have not been widely adopted.
Lack of Security Awareness
There is a lack of awareness in the health sector of cyber risks. The most common action taken in response to breaches or attacks is additional staff training or communication. Health staff have poor awareness of the consequences of certain behaviours, and there is a lack of policies and reinforcement of secure behaviour. There is a lack of pandemic-specific cybersecurity training campaigns, documented procedures, and guidance on revised procedures and technologies.
Inadequate Senior-Level Security Risk Assessment
There is a lack of understanding of security risks and their impact on organisation-wide risk management. There is a lack of appreciation among healthcare executive management of the business risk impact associated with cyber breaches. There is a need for a matrix that can translate the strategic requirements of a healthcare system into prioritised cyber improvement needs.
Inadequate Business Continuity Plans
The health sector does not have enough data protection mechanisms and lags behind other industries in terms of cybersecurity. Security is not built into its supply chain and third-party vendors. The key security risks challenging business continuity are vendor dependence, inappropriate encryption configurations, and the inability to handle health information sharing and exchange with third-party and cross-border partners. Risks will continue to grow if cybersecurity is not designed into the product from the beginning of the product or project life cycle.
Lack of Coordinated Incident Response
The health sector tends to have a time lag between an attack occurring and detection of the breach. Current healthcare cyber defence is often reactive and undertaken after malicious attacks. There is a lack of a coordinated incident response capacity to actively counteract constantly emerging and evolving malware threats. Cybersecurity should be a team effort, from board members to front-line employees, with all being held accountable for cybersecurity.
Limited Budget and the Need to Deliver Healthcare Services Without Disruption
There is a lack of experienced cybersecurity experts in the healthcare industry. There is a lack of a value-based system to weigh and balance benefits and risks in aspects of security, privacy, and adoption of technology.
Lack of security awareness
The healthcare industry has become a prime target for cybercriminals due to the vast amount of sensitive patient data it holds and the criticality of its operations. The sector has been rapidly adopting digital technologies such as electronic health records (EHRs), telemedicine, and the Internet of Things (IoT) devices. While these technologies bring numerous benefits, they also expand the attack surface, providing more entry points for cybercriminals.
A recent study by the Ponemon Institute revealed that healthcare organizations are failing to provide sufficient security awareness training to their employees, which is hampering efforts to improve their security posture. The study showed that more than half of the respondents (52%) said the lack of security awareness was affecting their organization's security posture.
Phishing is a major security threat, and the healthcare industry is being heavily targeted. Phishing offers threat actors an easy way to bypass healthcare organizations' security defenses. Threat actors are now using sophisticated tactics to evade detection by security solutions and deliver their emails. Social engineering techniques are used to fool employees into responding to phishing emails, disclosing their login credentials, or installing malware.
Research conducted by Cofense (formerly PhishMe) suggests that as many as 91% of cyberattacks start with a phishing email. Security solutions can be implemented to block the majority of phishing emails from being delivered to end users' inboxes, but it is not possible to block 100% of malicious emails. Security awareness training is therefore essential.
In addition to HIPAA training, healthcare employees should be trained on how to recognize phishing emails and how to respond when potentially malicious messages are received. Training should be provided to help eliminate risky behaviors and teach cybersecurity best practices. The failure to provide sufficient training leaves healthcare organizations at risk of attack.
A survey conducted by KnowBe4 revealed that less than half of the respondents believed that clicking a link in an email or opening an attachment could result in their mobile device being infected with malware. The survey also showed that 24% of healthcare respondents said their employer had not provided any security awareness training.
Healthcare employees were the least aware of social engineering threats such as phishing and business email compromise (BEC), with only 16% of healthcare employees saying they understood those threats very well.
The healthcare industry ranked second highest behind the government for continuous security awareness training in 2020. 59% of healthcare respondents said their employer continued to provide security awareness training throughout 2020.
A study by Fernández-Alemán et al. investigated the security behavior of health care professionals in a public hospital setting. The study used a survey to explore staff cybersecurity behaviors and emphasized the significance of introducing cybersecurity measures in orientation and training events for new employees to develop their self-awareness in cybersecurity topics.
A study by Kessler et al. on the organizational information security climate found that training employees plays an important role in improving cybersecurity. The results revealed that older employees were more careful when dealing with sensitive and confidential information than younger employees.
A study by Argaw et al. explored what healthcare facilities need to implement effective security awareness programs. They concluded that healthcare facilities need to recognize their employees' actions and assess their security knowledge and behavior.
A cross-sectional study by Alhuwail et al. investigated the information security behaviors of professionals working in the public health sector. The study sought to answer questions such as whether certain professional demographics are more vulnerable to cybersecurity threats and whether professionals in different institution types exhibit different cybersecurity behaviors. The results indicated that professionals with more work experience demonstrated higher compliance with good cybersecurity practices. Interestingly, nurses demonstrated higher cybersecurity aptitude relative to physicians.
The healthcare industry is heavily targeted by cybercriminals due to the sensitive nature of the data it holds. The rapid adoption of digital technologies in the sector has expanded the attack surface, increasing the risk of cyberattacks.
Studies have shown that work experience and job role can influence cybersecurity awareness, with more experienced professionals and nurses demonstrating higher cybersecurity aptitude. Continuous security awareness training is important, with the healthcare industry ranking second highest behind the government in 2020.
Inadequate senior-level security risk assessment
Senior-level security risk assessment is essential to ensure that healthcare organisations are aware of the potential risks and vulnerabilities associated with their operations and are taking the necessary steps to mitigate those risks. However, inadequate senior-level security risk assessment can leave organisations vulnerable to cyber-attacks and other security breaches. Here are some key aspects to consider:
- Understanding the impact of cyber threats: Senior executives, including the CEO, CIO, and CISO, need to recognise the potential impact of cyber threats on their organisation. This includes not only the financial costs of a data breach but also the potential disruption to operations and the risk to patient safety.
- Addressing human factors: Human error is a significant contributor to information security incidents. Senior management should ensure that staff are adequately trained and aware of the potential risks. Implementing measures such as regular security awareness campaigns and establishing a non-blaming culture for reporting incidents can help reduce the likelihood of human error.
- Managing remote work security: With the increase in remote work, senior management should ensure that proper security measures are in place, such as multi-factor authentication and virtual private networks (VPNs). Additionally, restricting the use of personal devices and ensuring compliance with security regulations are crucial steps to mitigate risks.
- Enhancing data protection: Senior executives should prioritise data protection by investing in sophisticated data security tools and implementing encryption, authentication, and authorisation protocols. Regular security risk assessments should be conducted to identify vulnerabilities and ensure that data is protected at all times.
- Fostering a culture of cyber vigilance: Senior management should promote a strong culture of cyber vigilance within the organisation. This includes providing clear guidance, establishing policies and procedures, and ensuring that staff are held accountable for cybersecurity. By prioritising cybersecurity at the senior level, organisations can improve their overall resilience to cyber threats.
- Coordinating incident response: There is often a time lag between a cyberattack occurring and its detection, which gives attackers more time to inflict damage. Senior management should work closely with IT and security teams to develop a coordinated incident response plan. This includes investing in threat detection technologies and establishing procedures for containing and mitigating breaches.
- Allocating resources effectively: Senior management should ensure that sufficient resources, including experienced cybersecurity experts, are allocated to address cybersecurity risks. This may involve reevaluating budgets and reprioritising investments to strengthen the organisation's security posture.
Frequently asked questions
The healthcare industry has become a prime target for cybercriminals due to the vast amount of sensitive patient data it holds and the criticality of its operations. The healthcare industry has lagged behind other industries in protecting its main stakeholders and must now invest considerable capital and effort in protecting its systems.
Common types of cyberattacks in the healthcare industry include phishing, ransomware, distributed denial-of-service attacks, and malware.
The main challenges of implementing cybersecurity in the healthcare industry include remote work security assurance, endpoint device management, human errors, the lack of security awareness, inadequate senior-level security risk assessment, inadequate business continuity plans, the lack of coordinated incident response, constraints on budget and resources, and the vulnerability of medical systems.
Solutions to improve cybersecurity in the healthcare industry include applying endpoint device management tools, securing the remote work environment, raising security awareness, ensuring business continuity, applying technical controls, and implementing policies and legislation.