Healthcare lags other sectors in cybersecurity

Ransomware groups have launched attacks against all types of critical industries, but cybersecurity analysts say hospitals and the healthcare industry continue to trail other sectors in protecting their systems.

Keith Forrester, practice manager of strategy and risk services at Optiv, says the healthcare sector is behind other industries on cybersecurity.

Keith Forrester, practice manager of strategy and risk services at Optiv, a cybersecurity company, says that he’s sometimes surprised at the vulnerabilities he sees in health organizations.

“It's all too often that we get into an organization and their cybersecurity program is really lacking,” Forrester tells Chief Healthcare Executive®.

Health systems are often stumbling with “all the old challenges,” he says. He points to software vulnerabilities that aren’t patched, and failure of systems to employ “blocking and tackling” to defend against attacks.

In assessing healthcare cybersecurity against other sectors, Forrester says, “They are behind.”

• Read more: Paying the ransom: Hospitals face hard choices

Other cybersecurity professionals have delivered similar assessments.

Blaine Hebert, chief information security officer of Yuma Regional Medical Center, says hospitals are making progress in bolstering their defenses. But in an interview at the HIMSS Global Health Conference & Exhibition in March, Hebert told Chief Healthcare Executive that there’s a gap between hospitals and the financial sector.

“I would make an assumption that we're probably a decade behind the banking industry,” Hebert said.

Kevin Pierce, chief product officer of VikingCloud, a cybersecurity company, notes that the healthcare industry is becoming far more digitally connected, with hospitals, insurers and other vendors and third parties linked to each other. He says that increasing connection is raising the challenge of cybersecurity and exposing hospitals and health organizations to more threats.

“The attack surface is just exploding” in healthcare, Pierce tells Chief Healthcare Executive®. “So is it lagging in capability, or is it lagging in capability and is it facing a larger growth in attack surface versus retailers or some other other spaces? I have a feeling it's probably a bit of both.”

The cost of attacks

Scores of cybersecurity attacks in healthcare have affected tens of millions of Americans. The Ascension health system suffered a ransomware attack this month that has affected patient care. The attack has spurred some hospitals to divert ambulances and forced clinicians to work without electronic health records, and patients have seen longer waits at clinics and urgent care centers.

The ransomware attack of Change Healthcare, a subsidiary of UnitedHealth Group, has disrupted operations and caused financial stress on hospitals and clinics nationwide. Change Healthcare handles business functions for many providers, and the company has said the attack may have exposed private information of a large number of Americans.

Greg Garcia, executive director of cybersecurity for the Health Sector Coordination Council, testified on the Change Healthcare cyberattack at a House subcommittee hearing in April. He noted that the term “healthcare cybersecurity” wasn’t generally known a decade ago.

In recent years, Garcia said, “The epidemic of cyber threats against the health sector has only proliferated, with the Change Healthcare attack the most recent and indeed, the most catastrophic across the sector.”

Healthcare systems are enticing targets to ransomware groups, because private health information and financial information can be sold on the dark web, experts say.

The average healthcare data breach costs nearly $11 million, according to IBM Security. By comparison, the average cost of a data breach across all industries is $4.45 million.

Many health systems are suffering breaches from attacks aimed at their vendors or other third parties, industry leaders say. Hospitals need to be in regular contact with their vendors to assess their security and ensure their defenses are up to date, Forrester says.

“A solid third party risk management program is necessary,” Forrester says. And he adds, “It needs to be an ongoing program.”

Some hospitals and health systems are utilizing vendors for their cybersecurity, but they aren’t evaluating the effectiveness of those defenses. Organizations should be running penetration tests to determine the strength of their defenses, Forrester says.

Too many healthcare organizations “are not going back in and then evaluating the effectiveness of those solutions,” Forrester says.

Financial pressures

Cybersecurity experts acknowledge that the healthcare industry faces challenges in defending their organizations because many organizations are in the red or just barely covering expenses. Many hospitals and health systems are struggling financially, and have had limited resources to invest in cybersecurity.

“They've got a lot of financial pressures,” Forrester said.

Even organizations that are taking some of the right approaches on cybersecurity can be hampered by financial constraints. “They’ve got the tools … but they may not have the teams to support that,” Forrester said.

Healthcare organizations have struggled in recent years to recruit and retain cybersecurity professionals, and analysts say that continues to be a thorny problem for hospitals.

Cliff Steinhauer, director of information security and engagement at the National Cybersecurity Alliance, says all industries face challenges in filling cybersecurity jobs.

“It's a worldwide issue in cybersecurity in general, and healthcare is no different,” Steinhauer tells Chief Healthcare Executive®. “And they're more vulnerable because of the sensitivity of the data that they have, and the need for availability of their systems to provide patient care.”

Limor Kessem, a senior cybersecurity consultant for IBM Security, told Chief Healthcare Executive in a July interview that the healthcare industry finds it particularly difficult to get skilled cybersecurity professionals.

​​“Security folks are going to work for places where they could get the bigger paycheck, and it's not always going to be a healthcare organization,” Kessem said.

Health systems are starting to invest more in cybersecurity, according to the Healthcare Information Management and Systems Society (HIMSS). In a HIMSS report featuring a survey of 229 healthcare cybersecurity pros, most (55%) said their cybersecurity budgets increased, while about a quarter (23%) said they stated the same.

Healthcare organizations are spending an average of 7% of their information technology budgets on cybersecurity, up from 6%, according to the HIMSS report. But most healthcare cybersecurity pros (74%) lamented the inability to attract and keep talent.

Steinhauer is seeing a greater willingness in healthcare and other sectors to invest in cybersecurity.

“It's become more apparent that the risk is real, and that it is less expensive to invest in cybersecurity, than it is to respond to a cyber incident,” Steinhauer says. “Your business could go out of business, if you don't protect it properly.”

More training is needed

Healthcare organizations need to focus on training staff on cybersecurity, experts say. Staff need to recognize phishing attempts from hackers and avoid clicking on suspicious or unfamiliar links.

Some hospitals and health systems aren’t doing enough training, Forrester says.

“Healthcare in particular is not doing a good enough job on their awareness training,” he says.

Health systems need to look at cybersecurity training as a key component of patient safety, industry experts say. Forrester also suggests training by individual departments would be useful, so employees in finance, for example, are trained to recognize emails that would be particularly suspicious.

Forrester acknowledges why some would resist adding more training in healthcare.

“I think the challenge, especially in healthcare, is that cybersecurity is going to compete with medical staff training,” he adds.

But Forrester says health organizations need to understand that a 15-minute cybersecurity training session once a year isn’t going to cut it. “It needs to be a good sell for the organization to understand the value and the benefit of that training,” Forrester says.

Forrester also says training is important because ransomware groups are employing more polished phishing emails. Hackers are using AI tools to clean up email messages, so phishing attempts don’t have the atrocious spelling and grammar that once made them easy to spot.

“Ransomware can be stopped because we know where it's coming in,” Forrester says. “It's coming in through the phishing, and users clicking on bad links.”