While daily headlines focus on the evolving nature of the health crisis, the cyber attack surface is expanding and threatens the future of patient care across the globe.
Entering 2020, the healthcare industry was already marred by several high-profile data breaches stemming from phishing, ransomware, insider threats and third-party risk. Then a health crisis broke out and cybercriminals intensified their efforts, tailoring attacks to exploit the chaos and fear around COVID-19. While some criminal groups pledged to cease attacks against healthcare organizations during the disruption, there is little evidence to suggest that cybercriminals collectively honored this ceasefire.
At some point, medical professionals will have a way to control the current health crisis. What remains to be seen, though, is whether the healthcare industry will be able to manage the escalating threat of cyber attack risks.
To help us better understand the current threat landscape in healthcare, we talked to Taylor Lehmann, Vice President and Chief Information Security Officer at athenahealth.
A Maze of Legacy Tech
Despite the innovative work happening in this industry, it is largely powered by legacy IT systems. According to one survey, more than half of common medical devices run on a legacy platform. Further, it is estimated that seven out of ten healthcare devices run on a version of Windows that Microsoft no longer supports, meaning they receive no security patches. This is a dangerous diagnosis, and the reason why Lehmann says he is “worried about the fragility of the [industry’s] infrastructure.”
In his view, the myriad legacy IT that exists across the healthcare ecosystem is concerning because it makes patient care providers “more vulnerable,” and ultimately becomes “harder to protect” from growing cyber attack risks.
A cyber incident in healthcare doesn’t just disrupt IT or business operations; it also gravely impacts patient care. Lehmann says, “Healthcare is one of the few industries where when technology and data are impacted, human safety is put at risk.” In fact, a recent ransomware attack targeting a Colorado-based hospital left five years of patient records inaccessible.
Further, the value of this data makes it a lucrative target. According to RSA FraudAction intelligence, a batch of highly-detailed healthcare data can sell for nearly 25 times the price of a bank account login on the Dark Web.
Healthcare Transformation Introduces New Risks
Lehmann says the healthcare industry has not accelerated digital transformation at the same velocity as other industries, like financial services or retail, because it was never an urgent priority. In part, this mentality stems from the fact that “all work is done in a certain place,” he says.
Given the disruption caused by the health crisis, many healthcare systems had to shift non-essential employees to remote work. In the process, Lehmann says, many organizations had to reduce protections to facilitate rapid adoption of the new working reality. Often, he says, security plans were “thrown out a window” to enable immediate business continuity. What this does, he believes, is put a target on the business: “Threat actors saw this shift and pivoted to the common things that organizations are lax on.” Lehmann points to several common areas of security risk in the industry right now: continued use of legacy VPN systems, failure to deploy data loss prevention controls, failure to enforce strong authentication, and failure to limit access to systems and data to managed corporate devices. These weaknesses are not new, but the shift to remote work made them much more of a focus for attackers.
Aside from this, there are also the security risks posed by emerging technology. Lehmann says browser-based platforms and cloud applications are becoming commonplace for field care because of their ease-of-use. However, he cautions healthcare organizations to balance tech innovation with security and risk controls. “You’d hope that the speed at which we’re trying to innovate [doesn’t preclude an organization] from making sure [they] aren’t moving so fast that [they’re] ignoring the things that will put [them] out of business,” he says.
The Future of Healthcare InfoSec Professionals
In the coming weeks and months, the healthcare industry (like others) will have to navigate the complexity of reintroducing employees to physical office sites or enabling long-term remote work capabilities.
“Organizations are catching up and getting their minds around what long-term remote work will look like,” Lehmann says. The focus of information security professionals will next be on addressing the gaps that were created as the business quickly migrated to remote work.
In addition, he believes “security professionals will have to pivot to become surveillance and privacy professionals.” In his view, organizations in every industry will have to deal with what feels like a new obligation regarding the privacy and security of an unprecedented volume of “health telemetry data.” In a post-pandemic world, this data is going to be used to authenticate people to physical sites, like work, school or day care. These organizations will have an entirely new obligation to understand and protect data they have never had to handle before. Security and risk management leaders play a vital role in helping businesses understand the importance of this data and how best to secure it.
Collaboration Is Key
Although the industry faces a mounting challenge in containing and addressing the current health crisis, the cybersecurity risks healthcare organizations face are not insurmountable. In fact, Lehmann believes there is an answer.
He urges security and risk leaders across all industries to step up and share knowledge and best practices with their peers in the healthcare market. Too often, he says, the industry can be myopic, when in reality “cybersecurity is a ‘team sport.’” In his view, “empathy and cooperation can help solve some of the most significant challenges [healthcare] faces today.”