
Healthcare lags other sectors when it comes to cybersecurity

Ransomware groups have launched attacks on all types of critical industries, but cybersecurity analysts say hospitals and the healthcare industry continue to trail other sectors in protecting their systems.

Keith Forrester, manager of Optiv’s strategy and risk services practice, says the healthcare sector lags behind other industries when it comes to cybersecurity.

Keith Forrester, manager of strategy and risk services at Optiv, a cybersecurity company, says he is sometimes surprised by the gaps he sees in healthcare organizations.

“Too often, we come into an organization that really lacks a cybersecurity program,” Forrester tells the Healthcare Executive®.

Health systems often stumble over “all the old challenges,” he says. He points to software vulnerabilities that go unpatched and to systems that do not use basic “blocking and tackling” to defend against attacks.

When assessing healthcare cybersecurity against other sectors, Forrester says: “They are lagging behind.”

Other cybersecurity experts have provided similar assessments.

Blaine Hebert, chief information security officer at Yuma Regional Medical Center, says hospitals are making progress in strengthening their security. But in an interview in March at the HIMSS Global Health Conference and Exhibition, Hebert told the healthcare chief executive that there was a gap between hospitals and the financial sector.

“I would assume we are probably a decade behind the banking industry,” Hebert said.

Kevin Pierce, chief product officer at cybersecurity company VikingCloud, notes that the healthcare industry is becoming much more digitally connected, with hospitals, insurers and other providers and third parties interconnected. He says increasing connections increase the cybersecurity challenge and expose hospitals and healthcare organizations to more threats.

“The attack surface is just going to explode” in healthcare, Pierce tells Healthcare Executive®. “So is it limited in its capabilities, or is it underpowered and at risk of having a larger attack surface increase compared to retail or other spaces? I feel like it’s probably both.”

Cost of attacks

Tens of millions of Americans have been affected by numerous cyberattacks on health care. Ascension suffered a ransomware attack this month that disrupted patient care. The attack forced some hospitals to divert ambulances and forced doctors to work without electronic health records, while patients faced longer waits in clinics and urgent care centers.

A ransomware attack on Change Healthcare, a subsidiary of UnitedHealth Group, disrupted operations and caused financial stress at hospitals and clinics across the country. Change Healthcare supports business functions of multiple vendors, and the company says the attack could have exposed the private information of a large number of Americans.

Greg Garcia, executive director of cybersecurity at the Health Sector Coordinating Council, testified about the Change Healthcare cyber attack during a House subcommittee hearing in April. He noted that a decade ago, the term “cybersecurity in healthcare” was not widely known.

In recent years, Garcia said, “The epidemic of cyber threats against the healthcare sector has only spread, and the Change Healthcare attack is the latest and indeed the most disastrous across the sector.”

Experts say health systems are attractive targets for ransomware groups because private health and financial information can be sold on the dark web.

According to IBM Security, the average healthcare data breach costs almost $11 million. For comparison, the average cost of a data breach across all industries is $4.45 million.

Industry leaders say many healthcare systems are experiencing breaches as a result of attacks targeting their providers or other third parties. Hospitals need to engage with their vendors regularly to assess their security and ensure their protections are up to date, Forrester says.

“A robust third-party risk management program is essential,” Forrester says. He adds: “It must be an ongoing program.”

Some hospitals and health systems use cybersecurity service providers but do not evaluate the effectiveness of these defenses. Forrester says organizations should conduct penetration testing to determine the strength of their security.

Too many healthcare organizations “are not going back and assessing the effectiveness of these solutions,” Forrester says.

Financial pressure

Cybersecurity experts acknowledge that the healthcare industry faces challenges in defending its organizations, with many organizations suffering losses or barely covering expenses. Many hospitals and health systems are struggling financially and have limited resources to invest in cybersecurity.

“They have a lot of financial pressure,” Forrester said.

Financial constraints can hamper even organizations that take the right approach to cybersecurity. “They have the tools… but they may not have the teams to support it,” Forrester said.

Healthcare organizations have struggled to recruit and retain cybersecurity specialists in recent years, and analysts say it continues to be a thorny issue for hospitals.

Cliff Steinhauer, director of information security and engagement at the National Cybersecurity Alliance, says all industries face challenges filling cybersecurity jobs.

“This is a global cybersecurity issue in general, and healthcare is no exception,” Steinhauer tells CIO®. “They are also more vulnerable due to the sensitivity of the data they hold and the need for their systems to be accessible to provide patient care.”

Limor Kessem, a senior cybersecurity consultant at IBM Security, told a health care executive in a July interview that the health care industry is particularly struggling to find qualified cybersecurity professionals.

“Security guards are going to work in places where they could get a higher salary, and it won’t always be in a health care organization,” Kessem said.

According to the Healthcare Information and Management Systems Society (HIMSS), healthcare systems are starting to invest more in cybersecurity. In a HIMSS report surveying 229 healthcare cybersecurity professionals, a majority (55%) said their cybersecurity budgets had increased, and about a quarter (23%) said their budgets had stayed the same.

The HIMSS report found that healthcare organizations spend an average of 7% of their IT budgets on cybersecurity, up from 6%. However, the majority of healthcare cybersecurity professionals (74%) lament their inability to attract and retain talent.

Steinhauer sees a greater willingness in healthcare and other sectors to invest in cybersecurity.

“It has become more obvious that the risks are real and investing in cybersecurity is cheaper than responding to a cyber incident,” Steinhauer says. “Your company could go bankrupt if you don’t protect it properly.”

More training is needed

Experts say healthcare organizations need to focus on cybersecurity training for staff. Employees must recognize phishing attempts by hackers and avoid clicking on suspicious or unknown links.

Forrester says some hospitals and health systems don’t do enough training.

“Healthcare in particular doesn’t do a good enough job of awareness training,” he says.

Industry experts say health care systems must view cybersecurity training as a key component of patient safety. Forrester also suggests that department-specific training would be useful, so that, for example, employees in the finance department would be trained to recognize the emails that should look particularly suspicious to them.

Forrester understands why some would object to adding more training in healthcare.

“I think the challenge, especially in health care, is that cybersecurity will compete with the training of medical staff,” he adds.

However, Forrester says healthcare organizations need to understand that a 15-minute cybersecurity training session once a year is not enough. “Understanding the value and benefits of such training has to sell well,” Forrester says.

Forrester also says training is important because ransomware groups use more refined phishing emails. Hackers use artificial intelligence tools to clean up their emails, so phishing attempts no longer have the poor spelling and grammar that once made them easier to spot.

“Ransomware can be stopped because we know where it’s coming from,” Forrester says. “It comes through phishing, with users clicking on invalid links.”