The role humans play in cybersecurity generally focuses on how people can be the weakest link in an organization’s defense structure. However, when it comes to securing the healthcare industry, people are still paramount, but for quite different reasons.
Karl Sigler, Trustwave Senior Security Research Manager of SpiderLabs Threat Intelligence, and Shawn Kanady, Trustwave Director of SpiderLabs Threat Hunting, discussed this situation in a recent webinar that covered the recently released SpiderLabs report: Cybersecurity in the Healthcare Industry: Actionable Intelligence for an Active Threat Landscape.
In most attack scenarios, humans are the reason an attack succeeds. A worker clicks a link in a phishing email and malware is downloaded, a person falls for a business email compromise scam and pays a fake invoice, or an insider intentionally causes harm to the organization.
In healthcare, the person, or patient, is often the reason why proper security measures cannot be taken. Internet of Things (IoT) medical devices are left unpatched, software is designed without security, and sometimes basic cybersecurity hygiene cannot be maintained – all because patient care is paramount.
In this environment, being change averse is understandable. Making a change, even something as basic as applying a patch, may cause more issues than it solves. For example, a patch that was not properly tested beforehand may cause a system outage, and a change may also jeopardize an organization's compliance status if it is audited regularly.
Lives are on the line every day, all day, and this creates a sticky situation: data must be protected in an environment where data protection is, in fact, a lesser concern. In this scenario, the "If it ain't broke, don't fix it" mentality is hard to overcome.
Let's set the stage by quickly discussing the threat to healthcare. It is increasingly critical, especially since the pandemic. For a brief period when the pandemic began, many threat actors gave the healthcare industry a bit of a break, whether for altruistic or other reasons, but those days are long gone.
The U.S. Department of Health and Human Services reports that attackers breached more than 28.5 million healthcare records in 2022, a significant increase from 21.1 million in 2019. Notable recent headlines include the Australia MediBank data breach that impacted 9.7 million customers and cost the organization $167 million, and a ransomware attack on PharMerica that exposed the medical data of 5.8 million patients.
Healthcare victims also suffer more financial damage than other industries. The average cost of a data breach in healthcare is $10.1 million, versus $4.4 million in other industries.
There are many reasons unique to healthcare for this gap: the sensitivity of the data, the complexity of recovery, and the fines and penalties that come with handling healthcare data. Each of these issues is complex in its own right, and together they further complicate an already complicated situation.
Patient records are regularly leaked, and often third-party data breaches play a major role here.
Third-party data breaches are a huge concern for healthcare and, to be honest, a problem for every industry. In some cases, the damage is so severe that the organization is destroyed. For example, Illinois-based hospital SMP Health was forced to permanently shut its doors after a ransomware attack. It could not recover and had to lay off all of its employees.
Anyone who has worked in healthcare knows how real this scenario is: many organizations are only one or two degrees separated from being hit by such a devastating breach.
Custom applications – These are widely used in the healthcare industry. Many healthcare groups run custom applications that were either designed in house or provided to them to fit a unique need. With custom applications, details such as security controls often aren't prioritized or even considered, primarily because the app is specific to one company and so does not go through the auditing process that a more widely used app would.
Third parties – The healthcare sector relies heavily on third parties: labs, imaging processing organizations, external specialists, and all types of other business partnerships. Having so many parties involved complicates the situation even further, and this is where risk gets introduced. An attacker is going to find the chinks in the armor.
IoT – Internet of Things (IoT) devices are a bigger concern for healthcare than for other industries, except possibly those using operational technology or manufacturing. IoT devices can be found in seemingly every room and every hall, carried and pushed around by staff. They include critically important machines such as heart monitors and infusion pumps. These devices may be vulnerable to exploitation, and if they are attacked, lives are put at risk.
Compliance – Compliance is a good thing. It requires an organization to take the correct steps to keep people and systems secure. However, in the healthcare industry, compliance is not necessarily geared toward system security; it is intended to keep sensitive data safe. The healthcare industry must comply with a myriad of regulations. In the US, it starts with HIPAA and expands rapidly from there.
Another healthcare-specific factor is governance. Because of the highly sensitive nature of healthcare data and because human lives are on the line, healthcare organizations face governance issues that do not affect other organizations. Compliance must be kept in mind for every single security decision, and compliance and governance rules directly shape how security is implemented. For example, because of the auditing that must be done, a security team might opt to pass on a security check one quarter and not patch as frequently.
These decisions are made because healthcare organizations cannot take the risk of falling out of compliance. The extra steps an organization puts in place to satisfy these rules and regulations complicate its ability to patch those risks and improve its security.
This situation goes hand in hand with patient care. What makes the healthcare industry unique is that human lives are on the line. Patient care changes the calculus because, in security, we are usually more concerned with protecting the data than with the potential domino effect if that data becomes unavailable to authorized users because of a new patch or security control.
This often pits security and IT administrators against each other over the availability of services versus locking those services down. IT wants to keep medical staff happy by making important patient information readily available, while security teams are tasked with protecting that data, which means it should not be too easy to obtain.
With patient care, availability is always going to take precedence. We cannot take the chance of a Microsoft patch blue-screening a system that patients depend on to survive. On the other hand, we cannot risk leaving a vulnerable hole open in our systems. So again, healthcare faces threats and risks that are unique to it, and the obstacles every organization faces in addressing such risks are complicated by many additional steps specific to the industry.