Consider this a rallying cry: Hospitals, health systems and networks need to join forces, organize, come together as a community, to proactively fend off hackers, hacktivists, organized criminals and other emerging threats all trying to penetrate healthcare entities to either steal patient data or, worse, destroy it altogether.
It’s not just WannaCry, Petya, NotPetya, ransomware in coffee makers (yes, that appears to have really happened) or the newest malware strain, either. Yes, they all startled the industry, if not the world, for a flash. And they’re legitimate threats.
But the greater danger is that CISOs, CIOs and their shops — regardless of how tech-savvy they are, how many specialists they boast or even the number of attacks their ace security team has detected, blocked or survived — must protect every single healthcare organization against the next big attack even though there is literally no way to know what it will look like or where it will come from.
To be fair, this is happening. Some hospitals are working together — just not nearly enough. Security frameworks, information sharing centers, industry trade groups already exist.
It’s time to start operating as a healthcare infosec community because security is only going to get harder.
Intelligence and strength in numbers
Tom Ridge, the first U.S. Secretary of Homeland Security and former Pennsylvania Governor, said that a community approach has worked in other industries.
Can it succeed in healthcare?
“Yes, yes,” Ridge said. “Yes and the information sharing and analysis centers proved to be very helpful in financial services and energy-related industries. That is a great platform within which to share best practices, to share threat information.”
Healthcare has an ISAC of its own, too: the NH-ISAC, whose President is Denise Anderson.
“Obviously we’d love to see as many people situationally aware as is possible,” Anderson said.
In response to Petya, for instance, Anderson said NH-ISAC had a core team of subject matter experts working to collaboratively determine what the problem was and then craft a mitigation strategy. Members, in turn, can take that strategy and put it, or parts thereof, into action.
That’s just one recent example, of course. And Penn Medicine Associate CIO John Donohue said the opportunities to collaborate with other healthcare organizations to improve Penn’s own security posture are significant.
“As we begin to shift more to a proactive cybersecurity stance, timely and accurate intelligence becomes the name of the game,” Donohue said.
Penn, for its part, taps into what Donohue described as a network of peers for real-time intelligence on zero-day malware and other trending threats.
That practice is going to become increasingly important as hospitals have more and more apps and devices to protect.
Cyberspace is getting bigger
Depending upon which estimate you prefer, somewhere between 5 and 10 million new devices hook up to the internet every day.
Cyber Threat Alliance President Michael Daniel, who served as the White House Cybersecurity Coordinator for President Obama, said that cyberspace is the only environment expanding on a daily basis and that, in turn, makes the security problem both harder and bigger.
As the number of devices grows, so does people’s reliance on them, and the potential damage that can be done when they are attacked expands as well.
“They are much more heterogeneous than we saw in the past,” Daniel added. “It’s not just desktops or laptops, but now it’s mobile devices and Fitbits, refrigerators, and cars, light bulbs and all the so-called internet of things.”
Let’s calculate for a minute. A greater variety and number of apps and devices, more new types of cyberattacks, even more adversaries than ever before, and no suggestion that any of those will let up in the near future.
Here’s one more to add.
“I’m not sure anyone has a true handle on all of the organizations involved in healthcare out there,” said NH-ISAC’s Anderson. “Hospitals are not the only organizations that are vulnerable. Dentists, small physician practices, labs, radiological and therapy providers are all very rich targets because they are small and don’t have many resources.”
The sum of those realities is a pretty grim picture: Healthcare information security is difficult today and it’s only going to get harder from here.
Hospitals are not in the digital war alone
Ridge pointed out that hospital IT and security executives should be aware that the world is in a digital war and it’s not just nation-state against nation-state. Organized cybercriminal groups, hackers and hacktivists, and lone wolf attackers are all dangerous.
“Corporate leadership,” Ridge said, “not only hospital management but the boards of directors need to embrace the fact that the industry is vulnerable and they really have to prioritize securing IT systems.”
Ridge said a security framework, such as the one the National Institute of Standards and Technology offers, is a baseline. NIST is one option, HITRUST is another.
In addition to the frameworks, the Department of Health and Human Services Health Cybersecurity Communications and Integration Center, the InfraGard cyber health working group and industry trade groups including Healthcare IT News owner HIMSS, as well as the Medical Group Management Association and the American Medical Association, all make certain resources available.
Lee Kim, Director of Privacy and Security at HIMSS, said the combination of frameworks, associations, government groups could be the virtual glue binding together the infosec community healthcare needs.
Penn’s Donohue said as threats continue accelerating, he finds himself participating more and more in the intelligence sharing community.
“As a result of this collaboration Penn Medicine has been able to better prepare for vulnerability exploits and minimize the impact of malware attacks,” Donohue said.
The necessity of an infosec community
The frameworks and sharing tools exist but, of course, so do challenges.
Picking one among the various resources can itself be confusing, if not inhibitive, HIMSS’ Kim said. Cost is another issue.
But the biggest obstacle is simply not knowing what information to seek and share or how to make that happen — and the same goes for what not to share.
Ridge, who is now chairman of consultancy Ridge Global, added that healthcare should emulate other industries.
“Healthcare needs to do with its IT systems what financial services, telecom and energy have already done,” Ridge said. “Be preemptive, not reactive.”
Indeed, it has become a necessity for the healthcare industry to overcome those barriers to participation on the way to safeguarding patient information and care delivery for the patients and their families that infosec, IT and medical professionals serve.
“We need to be more coordinated as a sector,” HIMSS’ Kim said. “Otherwise, we, too, will be pwned!”