Cyber security is a relatively new concern for the healthcare sector. Most organizations began looking into it only in the past five years. Given this still-nascent focus, there have been some real lows for healthcare and highs for cyber attackers.
Good News to Start
There's some good news to share with respect to healthcare providers (acute and non-acute) and their efforts to strengthen digital security. The HIMSS Security 2017 survey revealed the following on healthcare providers:
- Up to 10% of IT budgets are used for cyber security – This is good, but there are other industries that are spending more.
- 80% have cyber security staff – This is good, but there's a question of the level of the staff's expertise. Are these IT folks “transformed” to embrace IT security?
- 60% have a security leader
- 75% have an insider threat program (formal or informal) – This is nice given the sensitivity and criticality of the data and devices.
- 85% conduct risk assessments – This is very good. The important action is what you do with the risk assessment to mitigate risk.
- 87% offer security awareness and training programs – This is absolutely critical given the unique culture of healthcare provider organizations, which is open and sharing. Recent attacks have started with email phishing.
- 75% conduct penetration testing – As with the risk assessment, it is only helpful if action is taken on the results.
- 86% use industry security frameworks, with the most popular being NIST with 62% – This is excellent because it offers direction and accountability.
The top three concerns regarding medical devices are patient safety, data breaches and malware proliferation. Let’s consider the medical device security state of affairs.
Scary News on Medical Devices
A recent survey by the Ponemon Institute found that 67 percent of medical device manufacturers and 56 percent of Healthcare Delivery Organizations (HDOs) believe an attack on a medical device built or in use by their organization is likely to occur over the next 12 months. Only up to 17 percent are taking steps to prevent such attacks. Yikes.

Most respondents believe medical device security is challenging, citing a lack of knowledge and training in building secure code, accidental coding errors and pressure to meet production deadlines. At the end of the day, it is all about money: get the device to market. A lack of security testing contributes to the problem, with half of respondents NOT conducting security testing on their medical devices. In addition, the lack of accountability and the fact that the FDA offers only guidance (no mandates) is damaging and does not push organizations to secure their devices. Only half adhere to the guidance offered. One argument holds that device manufacturers must already address all risk, cyber risk included, under the FDA's Quality System Regulation (QSR). Just last month, legislation was introduced in the US Senate to bolster cyber security in medical devices. That is a step in the right direction.

Device risk shifts the cyber attack landscape from monetary considerations to life and death. Imagine if your pacemaker were tampered with, or if your insulin pump or IV drip were compromised. Two actions must be taken. One, legacy devices need to be monitored for odd behavior or unauthorized changes. Two, new devices need to have security measures embedded in their architecture from the start. If these actions are not taken, the industry will remain exposed and patient safety will be placed at significant risk. Tripwire can help by offering critical security controls that assure the integrity of your healthcare environment and prevent cyber attacks.
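As an added illustration of the first of those two actions (monitoring a legacy device for unauthorized changes), the following Python is example code written for this post, not Tripwire's product or any device vendor's code. It baselines a hypothetical device's configuration and firmware files by SHA-256 and file mode, then reports additions, removals and modifications. The directory layout, file names and contents (a fictional `pump.conf`, `firmware.bin`, `audit.conf` and a dropped `bin/backdoor`) are constructed for the demonstration.

```python
"""Baseline-and-compare integrity check for a device's configuration/firmware tree.

Added example; not Tripwire code. All paths and file contents are constructed.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 65536) -> str:
    """Stream the file through SHA-256 so large firmware images need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its digest and permission bits."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            rel = path.relative_to(root).as_posix()
            baseline[rel] = {
                "sha256": sha256_file(path),
                "mode": oct(path.stat().st_mode & 0o777),
            }
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Report files added, removed, or changed (content or permissions) since the baseline."""
    known, now = set(baseline), set(current)
    return {
        "added": sorted(now - known),
        "removed": sorted(known - now),
        "modified": sorted(p for p in known & now if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a fake device tree, tamper with it, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "pump.conf").write_text("max_rate_ml_h=50\nalarm=on\n")
        (root / "etc" / "audit.conf").write_text("log=on\n")
        (root / "firmware.bin").write_bytes(b"\x7fELF" + b"\x00" * 64)
        baseline = build_baseline(root)

        # Simulated unauthorized changes: dosing limit raised and alarm silenced,
        # firmware image replaced, audit config deleted, unknown binary dropped.
        (root / "etc" / "pump.conf").write_text("max_rate_ml_h=500\nalarm=off\n")
        (root / "firmware.bin").write_bytes(b"\x7fELF" + b"\x41" * 64)
        (root / "etc" / "audit.conf").unlink()
        (root / "bin").mkdir()
        (root / "bin" / "backdoor").write_bytes(b"#!/bin/sh\n")

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:>8}: {paths}")
```

In practice the baseline would be stored off-device (and signed) so a compromised device cannot rewrite its own reference, and the comparison would run on a schedule with alerts routed to the security team; this example keeps everything in one process only so it runs stand-alone.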