F132 What's The State of Cybersecurity In Healthcare? (Lee Kim)
Phishing, whaling, and exposure of patient data are increasingly common in ever more digitalized healthcare systems. 2020 saw more data breaches than previous years. What are the basics of protection to know?
In 2020, US Healthcare saw 616 data breaches of 500 or more records reported to the HHS’ Office for Civil Rights. 28,756,445 healthcare records were exposed, compromised, or impermissibly disclosed in those breaches, which makes 2020 the third-worst year in terms of the number of breached healthcare records, according to HIPAA Journal.
A newly released HIMSS survey shows that 73% of IT security decision-makers need increased funding to continue to be secure, effective, and compliant. 55% of those surveyed report experiencing an increase in ransomware attacks, in large part due to COVID-related security lapses and more targeting of the healthcare industry.
Why should emails be encrypted?
Once medical data gets exposed, you can’t undo the insight the perpetrator gained. Attackers don’t only have the power to blackmail institutions but also individuals whose information they’ve obtained.
Several things need to be taken into account when handling medical data. For one, patients and healthcare providers should use end-to-end encryption when communicating, whether via email or via text messaging. “Let’s compare and contrast email communications with something traditional, such as the telephone. Typically under most circumstances, tapping telephone communications requires highly specialized equipment and authorization. In contrast, electronic communications always carry a risk of being intercepted and cracked,” says Lee Kim, Director of Privacy and Security at HIMSS. Encryption offers a certain level of protection, but there is always the risk of the encryption being broken.
The challenge of BYOD - Bring Your Own Device
The 2021 report of the Office of Information Security states that pre-pandemic, 82% of organizations used some form of Bring Your Own Device (BYOD) for employees, partners, or other stakeholders. 72% lacked BYOD malware protection entirely or relied upon endpoint software installations. The pandemic forced more organizations to allow BYOD, which makes awareness about cybersecurity even more important.
Phishing and whaling: how to train against them
Phishing, emails sent by attackers with the aim of gaining access to internal systems, is one of the most common cybersecurity threats. The challenge is that phishing is hard to recognize, especially if one isn’t vigilant about it. Phishing emails usually appear to be sent from a trusted contact and include a link or an attachment which, when opened, gives attackers an entrance into the system.
A form of phishing is whaling, which refers to phishing emails targeted at C-level executives. “According to the results of our 2020 HIMSS cybersecurity survey, at least 53% of our respondents indicated that whaling was responsible for a truly significant security incident,” says Lee Kim.
Being aware of the potential danger of phishing emails is the first step to detecting suspicious emails. “Even if in a quick second a person has a little bit of hesitancy about whether or not an email is authentic, even if it's just simply a sixth sense, you should speak to your IT department. Exploring these emails out of curiosity might inadvertently install malware or something else that's unwanted on your computer system or possibly compromise the network,” says Lee Kim, adding that, according to HIMSS, healthcare organizations do security awareness training about once a year, some even more often with the rise in phishing attacks.
The basic hallmarks of a phishing email mentioned by Lee Kim are spelling and grammar mistakes and masked links; the real URL can sometimes be revealed by hovering over the shortened link. As for email attachments, if you aren't expecting one, or if you aren't expecting a certain email at all, try to verify it first, advises Lee Kim.
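The "hover over the link" check can be automated on the receiving side: an <a> element whose visible text looks like one domain while its href points to another is a masked link, and a href that lands on a URL shortener hides its destination entirely. The following is an added example, not code from the episode, HIMSS, or any product discussed; the shortener list and the sample email are constructed for illustration, and the two-label approximation of the registrable domain is a simplification (a real deployment would use the Public Suffix List).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed list of common URL shorteners (assumption, not from the page).
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> currently being read, if any
        self._text = []     # text fragments seen inside that <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-cased hostname of a URL; bare 'www.example.org/x' is treated as http."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def registrable(host):
    """Crude registrable domain: last two labels (assumption; no Public Suffix List)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def check_links(html):
    """Return a list of findings for links whose visible text hides the real destination."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        real = _host(href)
        finding = None
        # Visible text that itself looks like a URL or domain must agree with the href.
        if re.match(r"^(https?://)?[\w.-]+\.[a-z]{2,}", text, re.I):
            shown = _host(text)
            if registrable(shown) != registrable(real):
                finding = f"masked link: text shows {shown} but href goes to {real}"
        # A shortener hides the destination, so hovering reveals nothing useful.
        if real in SHORTENER_HOSTS:
            finding = (finding + "; " if finding else "") + f"shortened link via {real}"
        if finding:
            findings.append(finding)
    return findings


# Constructed sample message body: one masked link, one shortened link, one honest link.
SAMPLE_EMAIL = """
<p>Your account will be locked. Please
<a href="http://login.example-hospital-portal.net/reset">https://portal.example-hospital.org/reset</a> now.</p>
<p>Or use <a href="https://bit.ly/xyz">this link</a>.</p>
<p>Questions? Visit <a href="https://www.example-hospital.org/help">www.example-hospital.org/help</a>.</p>
"""

if __name__ == "__main__":
    for line in check_links(SAMPLE_EMAIL):
        print(line)
```

Run against the sample body, the check reports the first two links and stays silent on the third. In a mail gateway this logic would feed a warning banner or a quarantine rule rather than block outright, since legitimate newsletters also use shorteners; the point is to surface the mismatch a user would otherwise only see by hovering.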
Cybersecurity in healthcare outlook
The battle against cyberattacks includes raising awareness about information security as well as new technological solutions. One data protection approach is Zero Trust network access, a security concept that requires all users, even those inside the organization's enterprise network, to be authenticated, authorized, and continuously validated for security configuration and posture before being granted or keeping access to applications and data. According to Gartner, 60% of enterprises will have phased out VPNs in favor of Zero Trust network access by 2023.
The danger here is making systems even more user-unfriendly than they already are. “Cybersecurity involves ensuring the confidentiality of information, but you need to balance that against the availability of the information. Can I get that information out? So as a result, your security controls may be pretty good in terms of stringency. But it shouldn’t be so tight in terms of the controls that you can't get access to information. That would defeat its purpose,” Lee Kim says.
Tune in for the full discussion.
Some questions addressed:
In 2017, the WannaCry ransomware attack crippled more than 300,000 machines in 150 countries, including 80 National Health Service hospitals in Britain that were forced to divert patients after malware prevented clinicians from accessing medical records. In one of your interviews, you mentioned that WannaCry wasn’t even a very sophisticated attack. What does that show? That the state of cybersecurity is at the moment so poor that hackers have an easy job?
You’ve been a director for Privacy and Security at HIMSS since 2013. What’s your reflection on the evolution of cybersecurity in the last 8 years?
A 2021 report by HIMSS outlines the most pressing concerns for security leaders. 84 percent of respondents said email introduces security or cybersecurity risk. Let’s explain the basics:
Why is end-to-end encryption so important? Why wouldn’t you send your medical questions to the doctor from your Gmail account?
Why are WhatsApp or other communication apps not appropriate for this kind of communication? Do they offer end-to-end encryption?
Let’s explain the types of attacks:
Phishing is the primary way that unauthorized persons gain entry to internal systems. The challenge is that phishing is hard to recognize, especially if you don’t pay attention to it. What would your advice be to organizations in terms of how they should train staff to be phishing resistant?
How big of an issue is whaling, phishing aimed at C-level executives, in healthcare?
How bad is cybersecurity literacy and preparedness in healthcare? How does that compare to other industries?
What practical advice can we give to the listeners? One I thought was interesting is that some institutions have prudent password management policies. One example of such a policy is to instruct employees to always enter a false password first when accessing a link provided by email: a legitimate website won’t accept a false password, but a phishing site will. Any other useful examples?
One approach to security is Zero Trust network access: “a security concept that requires all users, even those inside the organization's enterprise network, to be authenticated, authorized, and continuously validating security configuration and posture, before being granted or keeping access to applications and data.” According to Gartner, 60% of enterprises will have phased out VPNs in favor of Zero Trust network access by 2023. To what extent will this further deteriorate the user experience with IT?
When talking about cybersecurity in healthcare, discussions most often revolve around hospitals and access to EHRs. What about cybersecurity at the level of healthcare IT and software providers? What would you emphasize in this field?
What should healthcare institutions be mindful of with Bring Your Own Device? The 2021 report of the Office of Information Security states that pre-pandemic, 82% of organizations used some form of Bring Your Own Device (BYOD) for employees, partners, or other stakeholders; 72% lacked BYOD malware protection entirely or relied upon endpoint software installations; and the pandemic forced more organizations to allow BYOD.
What does the need for increased cybersecurity efforts mean in the financial sense for healthcare institutions?
The fear for the upcoming years is that cyberattacks are getting increasingly sophisticated. Cybersecurity defense improvements run in parallel with the rising sophistication of attackers. What are you worried about, and what are you optimistic about?