The healthcare industry is in the midst of tremendous change. And it comes from the pressure to modernize aging systems, the continued shift to cloud computing, as well as the rapid adoption of telemedicine and electronic medical records. And all during a time of an ongoing pandemic and the continuous targeting of healthcare systems by cybercriminal.
As HIPAA Journal reported, between 2009 and 2020, there were 3,705 healthcare data breaches of 500 or more records reported to the HHS' Office for Civil Rights. "Those breaches have resulted in the loss, theft, exposure, or impermissible disclosure of 268,189,693 healthcare records. That equates to more than 81.72% of the population of the United States."
As all healthcare organizations continue to digitally transform how they operate, they must also focus on protecting their systems from attack. As they do so, healthcare security managers have expressed a handful of challenges they face and must solve to succeed. Here's the rundown:
While all industries and companies operate with technical debt, healthcare tends to have a lot. Consider how many healthcare providers have healthcare systems that not only predate cloud but are also two decades old — or older. Whether it's old hardware or custom-built or off-the-shelf software systems, all of this aging or inflexible technology creates a "technical debt" that makes it harder for organizations to move forward.
What is technical debt? Consider technical debt as the tradeoff of taking shortcuts or moving forward with limited solutions now because they are quicker, cheaper, or more convenient in some way. These decisions make it more difficult later on for the technology systems to adapt to changing requirements.
Like financial debt, technical debt can be beneficial when it enables teams to deploy pressing initiatives. And it may be debt well worth taking, but if organizations are going to be able to move forward in the future, it has to be paid down. The problem with technical debt, just like financial debt, is that too much can limit an organization's flexibility. This can take the form of spending too much time managing old software code and struggling to keep aging platforms up to date.
Healthcare organizations need to set time aside to reduce their technical debt in coding, platforms, and legacy technologies. Sometimes systems and applications can be modernized or brought up to speed for current needs over time. Sometimes entire systems, applications, and old workhorses will have to be entirely replaced. This will depend on the situation every organization finds itself in, priorities, and the state of its technology stack. The important thing is to pay it down over time.
Medical IoT devices are transforming healthcare. Consider how telehealth is providing real-time remote insights to physicians. Or how medical teams cut the number of in-person office visits and even time to diagnosis. They can also manage chronic care better, and remote monitoring and mobile systems are reducing readmissions and helping manage chronic diseases more efficiently, such as heart conditions, high blood pressure, and diabetes.
As with most things with the benefits come with risks. And these devices are just like any other connected devices: they can be attacked, manipulated, and be used as conduits to steal data.
Fortunately, we know how to mitigate these risks. Suppose the healthcare industry demands that device makers properly threat model and securely design their devices so that they are secure out of the box and capable of being maintained securely through proper updates and security controls. These devices don't have to introduce new levels of risk.
Additionally, healthcare providers need to treat these devices like any other IT device they manage, including ongoing monitoring, patching security vulnerabilities, and responding to breaches as they occur.
Healthcare data is highly targeted by criminals because it is highly valuable data. Consider that a Social Security number may fetch $1 on the dark web, while a Driver's license may get $20 and medical records will get up to $1,000 depending on how complete the information. That $1,000 figure is only surpassed by a U.S. Passport's current value ranging from $1,000 to $2,000.
Unfortunately, stealing data and selling it on the dark web isn't the only way attackers extract money from healthcare providers; they also are constantly targeting providers with ransomware. In New U.S. Government Website Provides Ransomware Resources for Organizations, colleague Bob Violino provides a list of valuable ransomware response resources.
In addition to taking the steps needed to protect against ransomware, healthcare organizations need to prioritize identifying where their valuable data reside continuously, and systems operate and take all the measures they can to protect these systems and data.
Healthcare enterprise technology has never been more complex. In addition to the popular EHR/EMR systems, medical practice management software, patient data management systems, and others, healthcare organizations (as mentioned above) are grappling with legacy hardware, aging operating systems, and networks. Managing these systems while also integrating them with modern systems has significant security implications.
For instance, in addition to the technical debt challenges mentioned above, this speed and complexity increase security risks. Consider that a survey from the Accenture Digital Health Technology report that found respondents innovating with urgency.
Under the best of conditions, such modernization efforts would create challenges for any organization, including comprehensive planning and leadership across all aspects of the organization's operations. Couple the resource constraints typical in healthcare organizations, let alone targeting cyber criminals for ransomware and data theft.
To keep pace with the technological change in the healthcare industry, healthcare needs security professionals that can keep these systems secure under all of the tremendous technological change.
As we covered in Seven Steps Healthcare Providers Can Take Now to Shrink Their Security Skills Gap, healthcare providers face extraordinary pains to find and keep the right cybersecurity talent. Consider a survey from ISACA and HCL Technologies found 61% of respondents describing their cybersecurity teams as "understaffed" and 55% stating that their organization has cybersecurity positions that are going unfilled.
We detailed earlier many of the things healthcare providers need to do to help close their cybersecurity skills gap. Still, it essentially comes down to a long-term and concerted prioritized effort to find, develop, cultivate, and keep security talent.
Of course, to not only keep pace with technological change but improve the industry's overall security baseline, healthcare organizations are going to need all of the talent they can find, and even with their best efforts, they will usually have a tough time finding the security they need. This is among the top reasons why the cybersecurity services market is anticipated to reach $192.70 billion by 2028, growing just over 10% annually, with healthcare outpacing that overall growth at 11.4% through 2028.
One such area where healthcare is increasingly turning to service providers is managed detection and response. Organizations turn to trusted services providers to monitor endpoints, networks, and cloud environments to prevent, detect, and, when needed, respond to attacks.
With so much change underway, and the challenges that press healthcare organizations every day, healthcare organizations need the best security they can attain everywhere they can find it.
Learn more about how to secure complex infrastructures in healthcare.
George V. Hulme is an internationally recognized information security and business technology writer. For more than 20 years Hulme has written about business, technology, and IT security topics. From March 2000 through March 2005, as senior editor at InformationWeek magazine, he covered the IT security and homeland security beats. His work has appeared in CSOOnline, ComputerWorld, Network Computing, Government Computer News, Network World, San Francisco Examiner, TechWeb, VARBusiness, and dozens of other technology publications.View all posts
Don’t miss out on exclusive content and exciting announcements!