Funding, Personnel Issues Hamper Cybersecurity Efforts
By Maura Keller
For The Record
Vol. 29 No. 12 P. 14
Convincing the C-suite to invest in technology and talent can be a challenge.
In an age where technology controls multiple facets of health care, attention to cybersecurity is becoming paramount as hospitals and health care organizations recognize how data breaches can rob them of vital assets and, more importantly, jeopardize the well-being of patients and staff. In an era when finances are tight, it's tough for some health care organizations to fork over the necessary monies to combat cyber threats.
However, health care leaders are slowly beginning to change how they're considering investments in the appropriate resources to handle both patient privacy and cybersecurity concerns.
Ron Temske, vice president of security solutions at Logicalis US, says many health care organizations that have not dedicated the needed funds to develop a strong security posture have taken an "it won't happen to me" approach or mistakenly believe they won't be targets. For others, it is simply a matter of money.
"With a finite amount of funds to be spent, it can be difficult to justify spending on security in lieu of new medical equipment, patient portals, etc.," Temske says. "The problem with this approach is that it only addresses the acquisition cost, but not the ramifications of these decisions should a breach occur. The damage to the organization's reputation, the fines resulting from a HIPAA violation, the potential loss of life—these are all real [factors] that have to be taken into consideration."
Unprepared health care organizations are not equipped to detect—let alone efficiently investigate and resolve—a health data breach, should it occur. Robert Lord, cofounder and president of Protenus, says health care organizations commonly use outdated legacy products, spreadsheets, or even paper and highlighters to spot data breaches occurring within the organization. These outdated methods allow breaches to often go undetected for extended periods of time, ultimately creating a costly aftermath for both the organization and its patients, he says.
"The greatest unaddressed cybersecurity threat facing health care today is that of insider threats and HIPAA breaches," Lord says. "Most health care organizations currently have a reactive posture for detecting insider health data breaches despite the fact that they comprise more than 40% of total breaches."
Privacy officers are not using advanced analytics to detect breaches, meaning they're often left resolving cases retroactively, he says. In addition, security teams are drowning in alerts, false positives, and reports that don't prioritize or provide context.
"Our hope is that cybersecurity in health care will switch from a reactive posture to one that is proactive, allowing health care organizations to better combat threats to health data security," Lord says. "We'd also like to see the promising trend continue of more health care organizations beginning to recognize the value advanced analytics can have in better detecting, mitigating, and resolving threats to their patients' privacy."
According to Rod Piechowski, senior director of health information systems at HIMSS, cybersecurity is often underfunded because it historically has been assumed to be a responsibility of the IT department—which, ironically, has also been victimized by a lack of financial support.
"Protecting the confidentiality, integrity, and availability of health information is the foundation of building a trusted system," Piechowski says. "If patients don't trust it, they will not participate. If an organization is not trusted, it will have a difficult time surviving."
Underfunding cybersecurity also can be tied to a health care organization's lack of literacy concerning technology, privacy, and security.
"For health care and clinical information systems, most board members are focused on care, waiting lists, and direct care, as they need to be," says Seana-Lee Hamilton, manager of information privacy and privacy officer for Fraser Health. "While those clinical aspects understandably are at the forefront, there's not enough focus on what's taking place in transmissions, e-mails, wireless solutions, and remote access, and their relationship to regulatory compliance with accepted safeguards. Truthfully, most employees in hospitals have no idea of what's actually happening, or not happening, with cybersecurity or best practices in safeguards."
Hamilton believes this lack of understanding comes to the forefront when there is a cyber incident, adding that underfunding exacerbates the problem so that when there is a breach, "people panic, they don't know what to do, and they wonder why we're waiting to solve the problem.
"The reality is that there are too few people with too few processes in an underfunded situation to ensure that the hospital can quickly recover and get back to its normal workflows," she continues. "So for the average hospital that doesn't invest in cybersecurity and the appropriate planning and personnel, they'll pay a steep price in the long run, not only in terms of interrupting their care for patients but also from losing the trust of their patients and staff."
At Its Core
While in some corners, cybersecurity may be viewed as an IT problem, one would expect that smart organizations are developing multidisciplinary cybersecurity management teams. That, however, does not seem to be the case, according to Clyde Hewitt, CISSP, CHS, vice president of security strategy at CynergisTek, who says, "Current security management frameworks have assigned over 75% of the required controls to nontechnical vs. technical domains."
Many attacks are now being directed at non-IT systems, such as biomedical devices, printers, security cameras, and building control systems, which traditionally have been ignored. Phishing and social engineering are also deployed to look for specific accounts or staff who may be easily spoofed into providing unauthorized access.
Hewitt says the following are three steps hospitals must take to sharpen cybersecurity defenses:
• Tighten access management, especially with privileged accounts. Two-factor authentication is a key control to stop, deter, or delay many hackers.
• Establish a solid incident management process focused on early detection and remediation. This includes training for both the IT staff and executives on how to respond when the unthinkable happens.
• Implement business continuity management, including downtime and disaster recovery procedures capable of delivering patient care while recovering from an attack.
Temske suggests C-suite backing can be gained by adopting a cybersecurity framework, of which the most popular for health care are the National Institute of Standards and Technology and Health Information Trust Alliance models. "By following one of these frameworks, you take the guesswork out of security," he says. "This also establishes a firm plan that can help with financial justification if a breach does occur since you will have been adhering to a long-term security strategy rather than arbitrary and disconnected security spending."
Another priority is to educate the C-suite and the board of directors about what's at stake—both in terms of security and patient privacy. Hewitt says many organizational leaders—especially those in large health systems—are starting to fully comprehend what's at stake. Getting them to analyze and think critically about the situation is key.
"Hospital boards and executives struggle to identify the right level of cybersecurity investment," Hewitt says. "It is unrealistic to think there is one right number for all organizations."
He recommends organizations start with a risk analysis, then implement plans and programs based on the available resources, environment, existing technology, and leadership's risk appetite. This strategy is not foolproof, Hewitt cautions. Underfunding or overfunding can lead to process failures that prevent leadership from linking the highest cybersecurity risk to the most important remediation activities. To break this cycle, security leaders must frame budget requests in terms of risk reduction activities rather than projects, Hewitt says.
"If not, inertia based on historical budgets rather than the evolving threat landscape will drive funding to support a patchwork legacy solution," he notes. "This situation may also lead to overspending as fear of irrational or unrealistic risks drives investments in solutions that may not be the top priority."
Answering tough cybersecurity questions—or finding that they have no answers—is the best way to highlight areas in need of increased funding.
According to Hamilton, health care leaders can be baffled by basic cybersecurity strategy questions such as, "Are we cyber ready? Are we prepared? Do we have a cybersecurity strategy? How vulnerable are we? Where do we stand in terms of our cybersecurity taskforce? What do we need to go forward?"
"To get adequate funding, hospital leaders need to fully understand the hospital's current situation, the threats, and the potential loss of business, reputation, and trust resulting from a cyber event that could have been stopped with a bit more spending," she says.
The Search for Talent
In most markets, the demand for security talent has far outstripped supply. Health care organizations are competing with other domains such as manufacturing, banking, and energy that have demonstrated they are willing to pay higher wages and offer better career paths.
"Forbes reported in 2016 that there are 1 million unfilled cybersecurity positions, a number expected to grow to more than 1.5 million by 2020, so it will be necessary to identify potential candidates from other sources, even grow some talent internally," Hewitt says.
Hewitt says an internal training strategy works best when it leverages health care member-based organizations, outside contractors featuring experienced talent and a willingness to serve in a partnership role, and frequent high-level training. Organizations that adopt this approach must invest in staff training and encourage professional growth, including adjusting wage scales when appropriate—a failure to do so will create a skills/pay imbalance and lead to attrition, Hewitt says.
As preventing data breaches becomes more of a priority at health care organizations, expect the profiles of cybersecurity professionals to be raised, says Lee Kim, JD, CISSP, CIPP, director of privacy and security at HIMSS North America. "It used to be that this topic was esoteric and cybersecurity professionals were just in the background," she says. "While cyber pros do work in the trenches, we are finding that more organizations are making these folks part of their C-suite to help lead the charge regarding robust cybersecurity."
Cybersecurity professionals must have a broad range of skills beyond IT. An understanding of business processes, vendor management, physical security, threat awareness, and business continuity management (not just disaster recovery) is essential, Hewitt says.
As for the composition of a cybersecurity staff, he says the department head, who's responsible for all administrative, physical, and technical security related to the protection of health information, should be a well-rounded security professional with experience in multiple domains, including executive leadership and budgeting, and possess an understanding of compliance, auditing, and technology.
Supporting that position will require as many cybersecurity specialties as there are physician specialties, Hewitt says, noting that just as it's not feasible to hire one physician to treat all patients, health care executives should not expect to hire one cybersecurity specialist to meet all security needs.
"For example, cybersecurity managers are needed for strategic leadership, to manage the risk analysis process, educate the workforce, and develop programs," Hewitt says. "Security architects and engineers will design solutions and implement new technology. Other security professionals operate the technical systems, manage vendors, and monitor results. Each of the above professionals requires different training, certifications, skills, and experience."
Hamilton says the cybersecurity/IT department should report directly to the CEO or CIO. "The head of the body, be it public or private, is the face of the organization, so they're directly affected by breaches of security or privacy, certainly by any kind of cyberattack, and they're accountable internally and to the communities they serve," she says. "If you're resourced appropriately to have privacy and security by design, the number of full-time employees [devoted to that function] should reflect the size and complexity of the organization and the types of information they manage."
Hamilton recommends hospitals direct their recruiting efforts at professional organizations such as the International Association of Privacy Professionals. By doing so, organizations will increase their chances of uncovering qualified candidates with the ability and expertise to hit the ground running, she says.
Hewitt says periodic reviews are valuable for providing midcourse corrections, filling specific skill gaps in recruiting, and augmenting staff.
"Hospitals must plan to [design] and then implement a solid security management program blending advanced technology, trained staff, mature processes, and executive support," Hewitt says. "This takes specialized talent. The challenge is that this type of talent is expensive and may not be interested in operating the program once deployed."
For those facilities unable to overcome the challenges associated with staffing shortages and acquiring and retaining talent, managed security service providers are becoming a popular option, Temske says. "Going this route has the added benefit of reducing challenges such as vacation coverage, staff turnover, training, and certification," he says. "Clearly, some technology will still be required to protect sensitive data, but there are more flexible options that include managed security services as an integral part of the solution coming to market."
"Health care executives may want to consider outsourcing the security program development, implementation of technology, and processes—even skilled resources—and then use local resources to operate the system," Hewitt says.
— Maura Keller is a Minneapolis-based writer and editor.