While media reports often sensationalize the threats to healthcare and point blame at those providers that fall victim to an attack, the reality is that most sectors are facing some of the same challenges: shortages, an overburdened workforce, and mountains of data.
As a whole, the U.S. is largely struggling with cybersecurity as it’s a relatively new discipline. There are also shortages in cybersecurity staff, and for many, there’s no clear concept of what these individuals are supposed to be doing.
In short, “the current constitution of the threat landscape is less than 10 years old. If you were doing this and quit 10 years ago, you have nothing to say to the rest of us,” said Darren Lacey, chief information security officer of Johns Hopkins University and Johns Hopkins Medicine, in an interview with SC Media for a special Cybersecurity Awareness Month series.
Further, the sophistication of tools, interfaces, and staff, and how it scales with size and complexity is “just not something we’ve worked out yet.”
The problem is that in healthcare, those challenges are amassed at a much larger scale and the stakes are higher, when patients are relying on providers for care regardless of whether the network is down. And it’s not likely a challenge the sector will solve in the near-term.
“We’re the biggest sector of the economy. We have more complicated business processes, in fairly tight places and with fairly low budgets — more so than almost anyone,” said Lacey. “The idea that healthcare is anything other than just the aggregation of workflows and data is a little sensationalist.”
“There’s really nothing special about healthcare in that regard. It’s just that we have more of everything,” he added.
So what’s driving some of the sector’s largest struggles? There’s no one answer but the most common response is its complexity. Lacey explained that with complex environments and complex workflows generating mountains of data, healthcare, and frankly most sectors, are creating new security issues.
For provider organizations, complexity challenges tack on to the diverse nature of the sector. Each entity has its own goals, missions, specialties, resources, and technological needs. And as there is not a single, unitary business process called healthcare, every subdiscipline has its own challenges.”
That’s because essentially all entities are working to get the level of sophistication held by many of the larger organizations. It’s one of the reasons there aren’t many electronic health record companies in the U.S. of any size, because it’s very hard to actually meet all of the workflows of a typical, complex clinical environment, whether it’s outpatient or inpatient, he explained.
Consider the various sizes of organization and each with their own specialty or mission. A large, diverse healthcare delivery organization is going to allocate resources differently than if it was a small shop. Meanwhile, a smaller provider or clinic may find it much more difficult to stop sophisticated attacks, despite its relatively small attack surface.
While a smaller provider may focus on segmentation, another larger entity may focus on endpoint detection and response with multi-factor authentication for remote access. For Lacey, it’s a sensible strategy. But most of the sector is struggling with cybersecurity, and healthcare security leaders must learn to adapt and address the risks to patient safety.
As a sector, “we have to mature, we have to get better, and we will get better,” said Lacey. Whether it’s “at the same speed, or as quickly as the threat does, I don't know. But we do have to get better. We do have to mature as a business, as we're operating in an industry that's going to face severe challenges in the next few years.”
Evolving threats spotlight need for reality check
As a whole, the sector is facing an uphill battle with remarkable shortages in a number of areas: labor, doctors, nurses, and even technology. As the pandemic continues to rage in areas across the country, previous industry challenges have only been exacerbated. And the crisis may cause staffing reverberations in healthcare for the next 20 years, explained Lacey.
There’s also a burnout issue for those staff on the frontlines, and not just providers, but with those tasked with cybersecurity. In short, there’s a major personnel shortage in healthcare and in cybersecurity, said Lacey. “We have to do the best we can, but ultimately we're running up against, essentially, the edges of human capability.”
In just three years, cyberattacks have grown in volume, and there are more ways to exploit an organization. The adversaries have figured out how to scale attacks across multiple organizations, through supply-chain attacks like SolarWinds, which has created new challenges.
“Ultimately, even supply-chain attacks typically involve some kind of [individual] choices, configurations by the organization, so you can’t just say it’s a supply-chain attack. It’s the same way that if they attack a Windows or HP device running on your environment and it has a vulnerability, you can't blame the device manufacturer, he explained.
“What you can say instead is that this is a problem that we need to configure, we need to monitor, we need to use security,” said Lacey. At the core of these plans, must be the recognition that hackers are likely to attack something the entity didn’t build in its IT shop. The typical targets are publicly known vulnerabilities, and the leaders’ “job is to configure and monitor it properly.”
Both small and larger providers need to employ defense-in-depth strategies, with relevant supporting controls. “What you're trying to do is close some of those gaps between the effect of the thing and the thing itself,” said Lacey. But ultimately, security gaps are never completely closed.
Healthcare security leaders understand they can’t know everything, and instead, focus on what they do know and monitor threats, the network, and the industry to learn more. As Lacey put it, there’s an “imperfect marriage between the two.” As one gets better at security, more things are known and workflows make more sense.
Those organizations that suffer damaging cyberattacks typically failed to do a few things right, but it's more likely that “they had some very bad luck.”
“We’re all struggling. We’re all trying to figure out how to deal with this. There’s not a morality play here: whereas, if everybody just got together and was more mindful of cybersecurity, we could solve this problem,” said Lacey. “Or if everybody just spent a little more time looking at attachments, then we would solve this cybersecurity problem. That’s never worked.”
Taking an adversarial approach
At Johns Hopkins, Lacey has taken an adversarial approach to security: modeling tactics to defend against what the attacker is most likely to attempt on the network. The process typically begins with running a range of discovery tools, similar to when a pen tester is brought in to assess the state of an entity's security program. It may sound like an easy process, but “it’s ridiculously complicated.”
Providers may want to be dynamic or profile things, and if every device was made by the same manufacturer it might be easy to accomplish, explained Lacey. But that’s just not the case for healthcare organizations, with medical devices differing from picture archiving and communication systems (PACS), or workstations differing from remote work platforms. And that doesn’t include the vendor tools that almost always have to be augmented with data analysis or written to multiple interfaces.
The number of access points, in tandem with device types makes the discovery and profiling process vastly difficult. So, if the goal of protecting the healthcare space is to apply defense tactics, how then can a provider keep pace? For Lacey, the CISO’s job is to try to make things standardized. However, that’s often in conflict with innovation, which sometimes means functions are unstandardized. It forces providers to simply deal with the risk as it comes along.
Organizations may have a strong discovery program, but with an expansive institution the risk exponentially increases. Lacey’s team spends a lot of time on discovery, both with tools and tactics. But he’s the first to admit he hasn’t figured it out.
Yet, if providers can engrain the need for safety and security into the culture of an organization, and “ultimately everybody understands that trusted systems doing beneficial and predictable work are what makes healthcare successful,” these risks are reduced. That culture is “what makes cybersecurity more successful than would be otherwise.”
Safety orientations have been added to most healthcare processes over the last 20 years, which have supported the shift in entities’ security response. Lacey explained that it’s the “orientation towards safety, continuous monitoring, and being able to pull the cord if there’s an unsafe process.”
As safety becomes the focus across all departments within the organization, there’s less of a need to translate the importance of safety across cultures. And “that culture corresponds to what we’re trying to do in cybersecurity.”
“We know that we all serve a higher purpose, and we’re trying to do something quite difficult, which is to deliver healthcare, appropriately and safely within complex environments,” he said. “People are automatically tuned into the concept of continuous monitoring.”
“People are automatically tuned into the idea of processes, checklists, and those types of things as they go through their work,” he added. “In fact, I think most healthcare organizations are better attuned to that than most IT people. They have more to teach us than we have to teach them. It makes it easier.”
What makes healthcare different, is its adversity. For the last 18 months, COVID-19 has brought healthcare further into the limelight and the importance of strong security protocols. While healthcare's workforce is tired, these teams won't quit but will continue to focus on these core issues. Lacey called on security leaders in other sectors to consider joining the call to ease some of these burdens, as healthcare is a critical sector in need of greater support.
This is part of SC Media's special October coverage, in honor of Cybersecurity Awareness Month, spotlighting “security by design”: How different organizations within various verticals recognize their own security practices not only as a necessity, but also as a differentiator. Click here to access all of our security awareness coverage, which will filter out throughout the month.
