The health care sector has a clear target on its back, but after a year of battling the pandemic, constrained resources and reduced staffing numbers are making it difficult for providers to keep pace with the threat landscape.
The health care and utility sectors have been the most targeted by ransomware threat actors since April 2021, with an average of 1,000 entities impacted by these attacks each week, according to recent Check Point data.
The 2017 Department of Health and Human Services Health Care Industry Cybersecurity Task Force report revealed a damning state of affairs: three out of four hospitals don’t have a designated security person and have been forced to get creative with security needs.
The following year, Ponemon research showed the majority of healthcare organizations find it difficult to recruit security staff, with nearly 50% reporting that they don’t have a chief information security officer on staff. A report in 2019 from The Healthcare and Public Health Sector Coordinating Council (HSCC) showed similar statistics.
The resource and staffing issues in health care aren’t a new challenge. But as ransomware is increasingly tied to data exfiltration and extortion, it’s well beyond time for provider organizations to become equally creative in how they tackle these critical security issues.
To Andrew Neville, F-Secure cybersecurity strategist, the threat landscape, albeit creative, hasn’t changed all that much in terms of the attackers and techniques. Instead, the real question is how has the sector improved in terms of defense means and security tech.
“In theory, the market is getting better at presenting tools that are able to block and tackle, adapting to new risk vectors. Security solutions should be getting better, but as entities spend more, the tech is stagnating or even decreasing,” said Neville.
“What’s actually going on? We’re looking at the wrong problems. When you consider vendors from the early years in 1995, there’s a plethora of security vendors lately saying the same things,” he added.
The challenge for health care providers, specifically, is to block out all of the noise and to avoid the “next shiny object.” Firms getting the most attention are spending more on press and marketing, but Neville stressed that the largely promoted tools and companies aren’t necessarily providing the best solutions.
And when a health care entity doesn’t have a security leader to lead the charge and engage with these vendors, it could lead to the purchase of a more expensive product or engaging with too many vendors, he added.
To dampen the noise, health care entities must make focused investments, Neville stressed. Leadership must create a dedicated, strategic investment and prioritize the evaluation of their security tech to find its value.
And that means, entities must steer away from the idea of using technology because it’s well-known and look toward solutions reviewed as effective for a specific problem within the health care environment.
“Saying you need more money for tools to fix the issue is not enough, if you’re not effectively using them."
Andrew Neville, F-Secure cybersecurity strategist
Evaluation recommendations: When to consider a MSSP
Although it’s clear many health care entities lack the spending resources needed for some crucial security decisions, using tools ineffectively or buying the most expensive tech is only furthering the resource constraints within an enterprise.
As such, Neville stressed the need for administrators to evaluate their current state of security and the tools already implemented on the network.
Typically, a health care CISO will leverage a scorecard, or checklist, which ranks the security and defense measures within their network, explained Neville. The next step in the process is to break down these security categories and compare them against a chosen framework, such as NIST.
“The business reality for organizations is that not everyone is going to be able to spend more,” Neville explained. “There’s potential savings in the evaluation exercise, to ensure these tools are being used most effectively.”
“Saying you need more money for tools to fix the issue is not enough if you’re not effectively using them. And the funds aren’t going to go a long way, particularly if an entity is using a long line of vendors,” he added. “If you can’t spend more, it redoubles the need to reevaluate the tools in use. Particularly those that command a premium price, but don’t give much product value.”
For example, an ideal situation would include leveraging fewer vendors to keep the overall costs low. Neville explained there’s a variety of well-established companies that provide solutions across different stacks or piece together a handful of tools, based on evaluated categories.
These tools can be used in multiple areas and communicate with ease. The overall goal should be to reduce the attack surface as much as possible, such as securing devices.
For healthcare entities operating without a security leader, contracting with an MSSP, or managed security service provider, can provide necessary leadership and insights to better support network security.
MSSPs provide outsourced management and monitoring of security devices and systems that can include intrusion detection, virtual private networks (VPNs), managed firewalls, vulnerability scanning, and anti-virus services.
By leveraging high-availability security operation centers, MSSPs can support contracted entities with much needed operation security personnel. For Neville, MSSPs come with a host of benefits, including the ability to leverage insights and security strengths gained from hundreds of thousands of customers.
Many work with healthcare entities to support the overall security needs and fit the enterprise needs through consulting services, Neville said. Entities that can’t afford to spend more on tools and these types of processes should get outside help, including MSSPs and talking to peers within the industry to see what they’re doing to conquer their security challenges.
To Neville, MSSPs can help fill the gaps in staffing, as there needs to be someone at the helm tasked with enterprise security. Virtual CISOs are another option, and their use has been rapidly increasing in the health care space.
“vCISOs see a lot of things that go wrong within the tech sector,” he explained. “When you’re not a cyber person and you’re trying to protect data or select a vendor but unsure of how to get there, you’re more likely to just go with the big name. vCISOs see what works, have time to assess, and direct entities on best practices.”
“It’s really just a conversation around risk,” Neville added. “If I go driving without a seatbelt or my glasses, I’m putting myself at greater risk. These entities are putting themselves into risky situations. Many fall prey to outsiders and aren’t adequately prepared or implementing funds fast enough. But it’s not only about needed funds: it’s spending well and preparing for when something goes wrong.”
To better understand the MSSP process, which HSCC recommends for small- to medium-sized health care providers, covered entities should review previous workforce guidance from HSCC.
As HSCC previously explained, not all health care entities have reached the maturity level to employ a fully functional and staffed organization, while others may be challenged with recruiting or retaining cybersecurity staff.
Those entities should assess the ability of currency cybersecurity staff members and working shifts to determine any weaknesses or other security gaps. HSCC recommended that non-traditional sources could support entities challenged with filling those gaps. The guidance also provides highly detailed methods health care entities can employ to better support its cybersecurity staffing needs.
