In healthcare, like many industries, cybersecurity continues to be a massive pain point.
A task force established by Congress calls the state of digital security in healthcare critical in a report released in June. Organizations still lack the infrastructure to pinpoint, track and analyze threats, say the authors, many of whom serve as IT executives for health systems.
What’s more, fewer than half of healthcare IT professionals surveyed recently by HIMSS Analytics on behalf of Commvault are confident in their organization’s overall level of cybersecurity, and with good reason: Among respondents with the ability to track malware and ransomware attacks, 100 percent say they’ve been attacked in the past year.
The question for providers now is not if an attack will occur, but how prepared they’ll be when one hits.
Adopt a Multifaceted Approach to Security
Organizations would be wise to take a multi-layered approach to addressing threats.
Conducting regular backups is key, especially in combatting ransomware, says Craig Williams, a senior manager of security outreach and director of Talos Outreach at Cisco Systems. But end-user education is just as important as implementation of an intrusion prevention system, says Sadik Al-Abdulla, director of security solutions at CDW. Without strong staff training to recognize threats, hackers will always have an easy in, he says.
Many organizations, such as Cook Children’s Health Care System, also put heavy stock in password and access management. Theresa Meadows, senior vice president and CIO at the Fort Worth, Texas, organization, says that email is where most breaches begin.
Prioritize the Most Pressing Health Breach Concerns
At the same time, device security cannot be ignored. A Ponemon Institute survey finds that while 67 percent of medical device manufacturers and 56 percent of healthcare organizations believe an attack on a medical device built or in use by their organizations is inevitable, 51 percent of device makers and 44 percent of providers follow current Food and Drug Administration guidelines to mitigate or reduce inherent security risks in such tools.
In the U.K., lackluster device patching was a primary reason the WannaCry cyberattack was so devastating to National Health Service providers, a National Audit Office report finds.
Financial loss, legal issues and reputational damage represent the top concerns for entities that have experienced a breach or near breach of data, according to CDW's Cybersecurity Insight Report. In addition to patient safety issues, many affected healthcare organizations must worry about navigating costly class-action lawsuits and preserving consumer confidence.
To that end, the proportion of IT budget allocated to security and risk mitigation is on the rise for 43 percent of survey respondents.
Constant Vigilance Can Battle Increasing Complexity
Such spending over the next two years increasingly will go to employee training, with network segmentation also a priority, according to HIMSS Analytics; next-generation firewall protection is projected to be the most employed new technology over that same period.
The cybersecurity landscape, however, will only increase in complexity, especially as the Internet of Things grows. Hackers will continue to find new ways to exploit organizations.
While security leaders must maintain vigilance against growing threats, cyberhygiene in healthcare should be everyone’s responsibility.