Hospitals may be able to give a clean bill of health to their patients, but infections from malware require a diagnosis of a different kind.
Earlier this month, the FBI issued a warning to healthcare providers that the industry was not as prepared to deal with cyberattacks as the financial and retail sectors, and the possibility of increased attacks is likely.
The threat to the healthcare industry can come in all shapes and sizes. St. Joseph Health System in Texas, for example, acknowledged in February it was hit by an attack in December that exposed information on 405,000 employees and their beneficiaries as well as current and former patients. More recently, there have been reports about attacks on Boston Children's Hospital suspected by some to have been carried out by hacktivists in the Anonymous collective.
According to Verizon's latest data breach report, the firm analyzed 26 breaches of healthcare organizations in 2013. Seven of these incidents were confirmed to have resulted in the loss of data, the report notes. The two main reasons for data breaches in the industry cited in the report were physical loss or theft of a device and miscellaneous errors where unintentional actions directly compromised security.
"The [FBI] warning is just bringing additional awareness to a healthcare market that has really reflected the industry's lack of awareness to date of the cyber threat they face," says Mick Coady, PricewaterhouseCoopers (PwC) Health Information Privacy and Security Partner. "Healthcare is where the financial industry was 10- to 12 years ago in terms of IT security."
Late last year PwC released a survey that provided two key takeaways: Security programs have not been particularly effective at blocking actual incidents and more than two thirds of respondents said current or former employees were likely the source of security incidents that were detected, Coady says.
Then there are issues such as access management, the prevalence of the bring-your-own device trend, and slow patch cycles, adds Coady:
But we also need to recognize that medical devices in the provider environment are also a major issue currently affecting the industry. And an equally big issue is the general lack of awareness of the overall threat landscape at healthcare institutions. In part, that's an issue caused by the lack of maturity in the healthcare industry -- the lack of understanding that today's cyber threat models now include healthcare. Frankly, academic medical institutions are even less prepared than the average. Given that most of the attacks in the US recently, and not just in healthcare, have been launched from academic or academic medical institutions. I'd say a problem is attitudinal -- the "wide openness" ethos of academia.
Part of the problem is simply experience, argues Jeff Harrell, senior director of product marketing at security vendor Norse.
"The finance industry, for example, has had years of using networks to transfer money to ensure those transactions are secure, while many healthcare organizations are just now digitizing all their records," he explains. "Healthcare organizations are simply behind."
That existing compliance regulations have not fully prevented this situation comes as no surprise, he says.
"While healthcare has fallen under HIPAA regulation for over ten years, HIPAA [Health Insurance Portability and Accountability Act] is not very prescriptive and it's easy to be compliant without actually being secure," he says. "HIPAA was one of the first regulations that covered security, and really needs to be updated to include more prescriptive controls."
Still, it is imperative that healthcare organizations conform to the basic three HIPAA HITECH regulations in order to get a measure on their security compliance posture, says Christopher Strand, senior compliance director at Bit9.
"The 'Privacy Rule' will enable them to prove that they have full control over the use and disclosure of PHI," he says. "The 'Security Rule' will guide them to have adequate security controls in place to fully protect their systems, and the 'Breach Notification Rule' will ensure they can provide full burden of proof in the event of an incident."
"Compliance, however, is only the first step," he adds. "It does not equal security."