Four Reasons Healthcare Remains a Huge Target
The pervasiveness of phishing attacks is among the insights from the 2018 HIMSS Cybersecurity Survey
By Lee Kim, JD, CISSP, CIPP/US, FHIMSS
Online scammers are increasingly targeting the healthcare industry, as revealed in the 2018 HIMSS Cybersecurity Survey. Phishing in particular is a predominant concern for healthcare stakeholders, as it can be a very effective means for eliciting information and/or delivering a malicious payload.
The trends revealed in the survey are both significant and alarming. Among respondents’ organizations that experienced a significant security incident in the past 12 months, 37.6 percent characterized the threat actor as an online scam artist engaged in phishing, spear phishing, etc. Threats posed by negligent insiders and hackers were nearly even (20.8 percent and 20.1 percent, respectively). Moreover, the majority of respondents (61.9 percent) indicated that the initial point of compromise was via email (e.g., phishing email).
The survey “provides insight into what healthcare organizations are doing to protect their information and assets, in light of increasing cyberattacks and compromises impacting the healthcare and public health (HPH) sector.” HPH is one of 16 critical infrastructure sectors designated by the U.S. Department of Homeland Security.
While there are plenty of news reports about breaches, ransomware attacks and other adverse events affecting the HPH sector, the aim of the 2018 HIMSS Cybersecurity Survey was to provide an objective analysis of where healthcare stakeholders are doing well, what they need to improve and what the future may hold for healthcare cybersecurity.
This year’s annual survey drew 239 qualified respondents. Each had at least some degree of responsibility in terms of day-to-day operations or oversight of the cybersecurity programs at their respective organizations. The work sites of these respondents were across the spectrum, including vendors, consultants, hospitals and independent ambulatory clinics.
Tackling the phishing problem can be complex, but it is not impossible to solve. A combination of robust technical controls can go a long way as anti-phishing measures: blocking (or quarantining) suspected or known phishing emails, sinkholing suspected or known malicious links in phishing emails, and blocking attachments that may contain a malware payload (e.g., ZIP files). Furthermore, human controls (such as security awareness training) can also improve phishing prevention.
According to the HIMSS Cybersecurity Survey, the majority of respondents (85.5 percent) conduct security awareness training at least once a year. A review of the security awareness and training program is also a component of most security risk assessments at healthcare organizations (73.5 percent). However, among healthcare organizations that conduct penetration testing, only 32.9 percent of respondents include phishing awareness exercises for workforce members.
More frequent security awareness training for workforce members will likely lower the risk profile associated with end-user activity at healthcare organizations. Many IT security staff at healthcare organizations likely know this. Yet closing the gap of five to 10 years by which healthcare organizations trail other critical infrastructure sectors in their cybersecurity programs can be challenging, due to several factors.
Cybersecurity is still perceived as a barrier
Healthcare organizations are used to conducting administrative, clinical and technical operations a certain way. Getting leaders at healthcare organizations to understand that cybersecurity can be an enabler, and that good cybersecurity practices are necessary, can be a somewhat difficult endeavor. Thus, if leadership is not on board, the cybersecurity program may not be taken as seriously as it should, and the money allocated to such a program may be insufficient. (The 2018 HIMSS Cybersecurity Survey results showed that most healthcare organizations are spending 6 percent or less of their IT budget on cybersecurity.)
Cybersecurity is siloed
Five years ago, information sharing about cybersecurity techniques, events and incidents was fairly rare among HPH stakeholders. But once cyber threat actors started to target the HPH sector, this dynamic changed. Even now, healthcare organizations are sometimes reluctant to share information with others, and various information sharing silos remain. However, there is less of a barrier when healthcare providers share information with other providers and vendors share information with other vendors. Ideally, we will reach a point where information sharing is more common across the HPH sector, and we will have a more uniform approach to preparedness and response.
Cyber risk is not yet fully understood
Cyber risk is not yet fully understood by people who should be in the know. Many principals at small and medium healthcare organizations simply do not fully understand the impact of a significant cybersecurity incident until they experience it. (Some may say that this holds true at large healthcare organizations, too.) Furthermore, with the growing sophistication of cyber threats (including destructive malware), we will need to continue to understand and anticipate what the future impact may be.
Healthcare cybersecurity is multi-dimensional—not one-dimensional
In the survey, we asked respondents about what they are most concerned about in terms of failure or disruption of other critical infrastructure sectors (i.e., outside of HPH). The primary concern expressed was around the failure or disruption of the information and communication technology (ICT) sector. If the internet connection is disrupted or if it goes down, healthcare organizations will suffer on the administrative, clinical and technical fronts. While this is a widespread concern, we need to be more involved in cross-sector information sharing, planning (i.e., preparedness) and response from a multi-sector perspective.
Despite the unique and numerous challenges to advancing the state of healthcare cybersecurity, we must move ahead as a sector. We can best do this through collaboration and coordination across our HPH sector and with other sectors. Silos help no one—especially not in healthcare, where we have so many interconnected systems across a variety of organizations. We need to start working on solutions together. We cannot afford to wait for “someone else” to do it.
For the complete study results, go to http://www.himss.org/2018-himss-cybersecurity-survey.
Lee Kim, JD, CISSP, CIPP/US, FHIMSS, is director of privacy and security for HIMSS North America.
LEAD IN … WITH KATSUHIKO NAKANISHI
This Q&A first appeared in the May/June issue of InfoSecurity Professional.
Katsuhiko Nakanishi, CISSP, works for NEC Corp. in Japan and currently is the manager in the Public Safety Business Promotion Office for the 2020 Tokyo Olympics and Paralympics Promotion Division. Last year, he was awarded an Asia-Pacific Information Security Leadership Achievement (ISLA™) for his contributions to cybersecurity human resource development for the 2020 summer games, including building a CSIRT, examining cyber exercises and collaborating with government organizations.
Nakanishi has experience in web application development, data center infrastructure building, WAF development and support, security assessment work, and incident response both inside and outside the company. He has more than 10 years of experience in information security consulting services and incident response for various customers at NEC Corporation, an information technology services company in Japan.
At the Information Security Operation Providers Group JAPAN (ISOG-J) steering committee, he contributes to improving the status of security engineers and raising awareness of security operations services. Since 2012, he has engaged in building a cyber range for a “Hardening Project.” In addition, he was responsible for creating scenarios and delivering lectures for cyber exercises for ministries and critical infrastructure.
How did you come to be part of the Tokyo Olympics?
Our company has been a gold sponsor of the Tokyo Olympic and Paralympic Games since February 2015. Two months later, I began to work for the Tokyo Organizing Committee of the 2020 Olympic and Paralympic Games as a cybersecurity expert.
What are some unique cybersecurity issues in protecting the Olympics?
The Olympics are watched by more than 3.6 billion people (based on the 2016 Rio games). Cyberattacks by hacktivists and criminal elements are a concern. In the event technological infrastructures like the energy grid, telecom and broadcast networks become a target, we will have to work in cooperation with government and private infrastructure providers.
Tell us what it was like to receive an (ISC)2 leadership award.
I’m very grateful to receive such an honorable award. This is not a personal award. I’m very grateful to project members and to my family, and will keep doing my best to uphold the honor that comes from receiving this award.
What is the best part of being a cybersecurity leader?
Operating under unambiguous policies with clear criteria that were formally approved by the organization enhances our ability to lead. An example of one such policy is the (ISC)2 Code of Ethics.
What is the most challenging part of being a cybersecurity leader?
Selecting what is a priority among a vast array of information to protect the organization from new threats. It’s also important to explain the importance of measures to stakeholders, such as executives and users, and encourage them to act to protect themselves and the organization.
What advice do you have for others who want to become leaders in their respective fields?
Actively participating in community activities is important. Our community can provide us opportunities to communicate with other organizational leaders. Information about cybersecurity should be shared with other organizations, even if they are competitors. Leaders from other organizations also provide us with a lot of insights.