Guest post by James Carder, CISO of LogRhythm, VP of LogRhythm Labs.
This year’s biggest health data breach victims include insurers Premera and Anthem, where incidents affected nearly 100 million patients combined. It’s clear that healthcare organizations must strengthen their cyber security programs to protect themselves and their patients, or they’ll be targeted again and again. Strategically, healthcare organizations must change the way they have operated for the past 30+ years with regard to their behaviors and their use of IT. Cyber security is now a key business differentiator as both patient care and safety are paramount to a hospital’s ability to remain a trusted provider. The hospital of the future is one that incorporates these protection measures into its business brand, thereby recruiting, retaining and reinvesting in patients.
As we start out 2016, here’s what I think we’ll see going forward:
Healthcare IT security will continue to fall further and further behind the rest of the industry verticals
Healthcare IT security will continue to fall further behind the rest of the industry verticals. Healthcare organizations are focusing on functionality for patient care (rightfully so), and security is an afterthought. Many organizations are overly dependent on antiquated hardware and software, with inherent vulnerabilities, that could inadvertently put patients in danger. There has never been a real investment in information security, so the cost to catch up to industry standards and shed the label of being the hackers’ “low hanging fruit” is that much more expensive. The industry will continue to be targeted by sophisticated and organized attackers until a serious investment is made in both technological and human capital.
The medical record is a relative goldmine of information and, as such, a highly valuable target for all classes of attackers, ranging from financial crime groups to nation state threat actors. The number of items an attacker gains access to, and the ways in which that information can be used, are far more extensive than with most other stolen data. Stolen data can be re-used by a hacker over and over again. So, in addition to this general prediction, I also think that at least one of the U.S. News and World Report top 10 hospitals will go public with a breach through outside channels.
Healthcare IT (security) spend will be the highest it has ever been, doubling the spend of 2015
Despite my first prediction, healthcare organizations will invest a lot of money in IT security technology and human resources, doubling the spend of 2015. Although the executives may fund the security department, a security culture might not trickle down to the rest of the organization. The person in charge of security might be accountable for security, but the buy-in must come from the board of directors down through every level of the organization. Staff and clinicians must understand that what they are doing makes the organization a safer place for them and their patients: effective security behaviors allow clinicians to do a better job of treating patients.
At least one major medical device manufacturer will have to go public with a vulnerability that could fatally affect patients
Medical device vendors and manufacturers have never taken security seriously. They are primarily looking for functionality for patient care and ease of administration and maintenance. A medical device is a computer system with one end attached to the patient, providing critical patient care, and the other end attached to the corporate network or Internet. Just like most devices on the network, a medical device runs a known operating system, vulnerable to the myriad exploits that affect any computer. Based on the risk profile of a medical device, it should be subject to the highest security standards in the industry, but unfortunately it is not. If someone can hack into an unpatched Windows XP box with exploitable vulnerabilities, someone can hack into an XP-based medical device. I predict that another medical device manufacturer will disclose an easily exploitable vulnerability that could put patients at direct risk. I also predict that an attacker will exploit a medical device and use it as a bridge into a company’s corporate network to facilitate a breach.
Each of the U.S. News and World Report top 10 hospitals will fund a CISO position
The majority of U.S. hospitals don’t have a CISO. Right now, security management might fall on those who wear other hats, such as the CIO or risk officer. This shows me that security is not yet a focus. Hospitals need someone dedicated to helping the organization not only boost security efforts, but also to communicate risk and translate how security impacts the business. It is more important than ever for security to keep a direct line of communication with senior management and have a seat on the Board.
HIPAA fines will crest over the $5 million mark AND insurance companies will start to hold hospitals accountable
I believe HIPAA fines will crest over the $5 million mark (being conservative), which will incentivize healthcare organizations to make serious investments in implementing and meeting basic security controls, not just meeting minimal compliance regulations. Organizations will also take a hard look at their business associates and business associate agreements, holding those associates to a higher security standard than ever before. Insurance companies are going to start putting their foot down on paying claims. If an organization cannot show it has basic security controls in place, the insurance companies won’t pay the claims associated with the cost of a HIPAA breach, or they will significantly increase the premiums in subsequent years. This is a page taken directly out of the auto insurance and life insurance industries’ playbook.
Healthcare organizations should build on their HIPAA compliance programs, drawing on risk assessments and data classification exercises to identify the most at-risk components of their network, such as the systems that hold PHI. From there, facilities can allocate budget to mitigate those risks and, as the security program matures, work to address less critical threats.