Securing healthcare IT and IoT systems entails balancing legacy technology, regulation, and organizational challenges, and two recent reports show that the industry is falling short in its security efforts.
These issues include the architecture of hospital networks and their use: namely, a lack of segmentation is part of the legacy IT infrastructure that is the source of many vulnerabilities within healthcare.
"Data is moving in and out of hospitals very freely and they're very unsegmeneted," says Chris Morales, head of security analytics at Vectra and principal author of the 2019 Spotlight Report on Healthcare. "We have customers who are still using Windows 95. That's insane ... And we've been told that, since they're saving lives 24/7, they never patch. They're afraid of rebooting the system or messing it up."
Beyond the legacy systems healthcare organizations are unwilling to patch, there are many medical IoT edge devices, from diagnostic tools to systems that administer medicines, that IT staff are forbidden by regulation to patch, update, or modify -- even with tasks considered essential such as installing a security or monitoring agent on the device.
"The first thing is that they [IT security] can't do endpoint security," explains Morales. "The regulations are such that they can't modify a device by installing an agent."
Endpoint agents, meanwhile, can help with basic tasks for security, says Morales. "You need visibility inside the network to see, not what attackers are doing, but just what's happening."
And the unsegmented nature of many healthcare networks means that those unprotected devices are on the same networks as medical records and sensitive patient information.
CynergisTek's recently released 2019 Annual Report, meanwhile, studied progress made by organizations regulated by NIST CSF (The NIST Cybersecurity Framework) and HIPAA rules. The study found that, while progress has been made year-over-year, the average healthcare organization has met less than half of the compliance requirements of NIST CSF.
Given that healthcare saw roughly 14 million patient records exposed in attacks last year, "It remains clear that as an industry we continue to lag in our ability to address cyber threats or incidents when they occur," the report said.
Healthcare organizations specifically are only 47% compliant with the NIST CSF, out of 100% possible compliance, the report found. The report found that there are differences in the degree of average compliance based on the size of the organization, with larger organizations (measured by number of beds, revenue, or staff size) complying more completely than smaller organizations.
For example, organizations with less than $50 million annual revenue complied with only 27% of NIST CSF in 2018, while organizations with more than $2 billion in annual revenue complied with 76% of the framework.
Even in those organizations with stronger compliance, that doesn't mean they are necessarily secure, either, CynergisTek CEO and president Mac McMillan wrote in the report.
In particular, detection capabilities lag behind other core functional areas of NIST CSF. It's possible that's because many detection systems look in the wrong direction, focusing on finding external attackers when the greatest threats to healthcare systems come from the institutions own employees, contractors, and suppliers. "Insiders continue to be at the center of many of the breaches we see in healthcare, from curious workers to malicious criminals," McMillan wrote.
Vectra's Morales says that's one of healthcare's unique set of challenges. "Healthcare is the one industry that doesn't have to worry about the attacker on the outside as much as the attacker on the inside," he says. "They have a much bigger problem with human error than with outside attacker."
The combination of challenges faced by healthcare, and the difficulties in remediating them, means that healthcare organizations are spending significant money on efforts to become more secure. According to a report by Allied Market Research, the global healthcare cyber security market generated $5.21 billion in 2017, and is expected to reach $12.46 billion by 2023, growing at a CAGR of 15.6% from 2017 to 2023.
Fortunately for healthcare organizations, dramatic attacks such as ransomware have decreased in frequency in the last 18 months, according to Morales. That's largely because hospitals and healthcare organizations refused to pay ransom.
He says he's more worried about privacy, however, than disruption in healthcare. "Hospitals are really good at saving lives. The question is, if I go to the hospital, will everyone know about it?" he asks.
Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.