Let’s face it, being a healthcare CISO isn’t an easy job. The environments are complex, the staff are almost exclusively non-technical, and as of 2015 healthcare is officially the most attacked industry.
But what is it about healthcare that makes it so uniquely difficult to secure? If gambling websites and financial institutions can (for the most part) avoid major breaches, why can’t hospitals and private clinics?
Culture is King
CISOs in every industry have to remember that the majority of staff are non-technical. But, it must be said, there are few industries that have quite so many highly skilled, extremely busy staff with absolutely no interest in computers or security.
One of the most important roles of a healthcare CISO is to establish and maintain a culture of security awareness. Technical controls can only do so much, and unless staff have security in mind as they go about their daily work, even very simple threats can have catastrophic results.
And, naturally, culture must start at the top. If you’re operating in a culture that hasn’t taken security seriously in the past, you’ll likely have to start your campaign in the boardroom. When it comes to cyber security, there’s a widely publicized C-suite knowledge gap, and part of your job is to fill it. But that’s just the start.
Even with full executive buy-in, the task of instilling a security-conscious culture is far from easy. As a starting point, we’d highly recommend implementing a powerful, frequent, and consistent cyber security awareness training program. Without it, your staff simply won’t have the tools they need to combat even the most basic threats. As a minimum, you’ll need to clearly state what’s required from staff in order to keep the organization secure, and ensure all leaders and managers are leading by example.
There can be no weak links here. In short, security must become a core value of your organization.
From a security standpoint, it would be difficult to name a more complex environment than the average hospital. The staff headcount is very high, and both patients and their families walk freely around the building at all times of day.
The trouble is, most healthcare buildings have been in use for a long time, and very little consideration was given to security when they were first built. Over time, technology has gradually become a more and more important aspect of healthcare, but the environments have barely changed. As a result, there are very few secure areas in most healthcare buildings that can be used to store sensitive equipment.
It should come as no surprise, then, that lost or stolen devices account for a huge proportion of healthcare breaches.
Again, combatting these issues won’t be easy, and as a CISO you’ll again need to fight your corner in the boardroom to bring about the necessary changes. Controlling access to (at least some) areas of all buildings is essential, and even janitorial staff should be vetted before being allowed near critical data or devices. Once again, a proactive security culture will make these changes much easier to make and adapt to, and training will likely be required.
Insecure and Old Technology
Many industries struggle to remain current with hardware and software systems, but none quite as much as healthcare. For example, and there are many to choose from, 90 percent of UK hospitals are still using Windows XP even though Microsoft ended support for the OS more than two years ago. All over the western world, otherwise modern hospitals are still relying daily on old and highly insecure software systems, databases, and network architecture.
But in many ways, software is the least of the problems.
Perhaps the biggest technological issue facing the healthcare industry is one of legislation. At the present time, medical device manufacturers are not required by law to incorporate any level of security in their design or development. Think about that for a minute. As technology evolves, how many of those devices are network-enabled?
Remember the recent Mirai IoT botnet? The code used to enslave all those devices was painfully simple. Until network-enabled medical devices are required by law to incorporate sensible security precautions, they’re just as easy to hijack as the horde of toasters, wireless routers, and central heating systems enslaved by Mirai.
Certainly healthcare organizations will need to start rapidly retiring or upgrading legacy software. They’ll also need to implement robust vulnerability and patch management programs to stay ahead of known threats, and as a healthcare CISO it will be your job to push these initiatives through.
But that’s only half the battle.
For the time being, at least, the solution to the problem of unsecured medical devices is unclear. Legislation is probably not too far away, but firmware updates for existing devices are unlikely to be forthcoming in the near future, which poses a significant problem. Replacing every unsecured device is likely not an option, which makes controlling physical access even more important.
The Budget Problem
And here it is, the big one.
Historically, healthcare organizations aren’t interested in security. At least, not enough to invest in it.
Right now, cyber security accounts for just 6 percent of the average healthcare organization’s IT budget. That’s lower than almost any other industry. As a CISO, if you want to change this, you’ll need to fight for it in the boardroom.
And the time to do it is right now.
Regulatory authorities are finally finding their teeth where data breaches are concerned, and over the next few years we’ll really start to see healthcare organizations being hit with more than a slap on the wrist. On the plus side, that means creating a business case for vital initiatives such as cyber security awareness training has never been easier.
After physical loss of devices, the majority of healthcare breaches result from ransomware, malware, and social engineering attacks. And how do these attacks materialize? You guessed it: Phishing.
To help you produce a powerful business case, we’ve developed a tool that will help you demonstrate the annual cost of these attack vectors to your organization. Our cost of phishing susceptibility model takes into account your organization size, susceptibility rate, and 19 other factors to produce a credible, data-driven result that can be used to quantify the financial benefits of investment.
From February 19-23, PhishLabs will be at HIMSS 17 booth 6689 in Orlando, Florida. If you’d like to meet with us to discuss our 24/7 protection against attacks targeting your employees, systems, and data, please get in touch.