By David Finn
At the end of the year, we all want to look ahead to what we hope will be a better one. 2019 has certainly been a rough year for cybersecurity in healthcare. In July alone, the federal government reported that more than 22 million people had data exposed in healthcare breaches. At that annualized rate, the exposed records would approach the entire population of the United States. Who could blame anyone for wanting to look ahead to a better year?
Third-party Vendor Risks
Peter Drucker once said, “You can’t manage what you can’t measure,” and that will apply directly to security in 2020. Last year, the newest version of the NIST Cybersecurity Framework (v1.1) was released, and for the first time it explicitly addresses supply chain and third-party risk. Assessments performed in 2019 bear out why that was needed: even organizations that score as fairly mature on the NIST CSF overall are still lagging in the supply chain category, which is nothing new. The 2014 Target breach, which began with a third-party vendor’s credentials, should have gotten everyone’s attention, but apparently it did not. At least we are measuring it now, so hopefully we will be able to manage and improve our third-party vendor risks.
Looking forward sometimes requires looking back, so how bad was this issue in 2019?
According to a report issued by Ponemon and Censinet this summer, third-party vendor risk management costs providers about $3.8 million each annually, given the sector’s struggles to properly assess and remediate vendor risk. Unfortunately, measuring the risk does not always lead to managing it. The report found that among organizations that do assess their vendors, the security gaps identified were often not addressed afterward. When respondents were asked what they would do if a vendor’s actions put the organization at risk, only one-third said they would mitigate or remediate the vulnerability, and just 28 percent would terminate their relationship with the vendor.
Medical Device Vulnerabilities
Another big issue that will continue to be a concern is the security of medical devices. Medical device security was thrust into the spotlight in 2018, as the Food and Drug Administration (FDA) continued to enhance and expand its cybersecurity program. Prior to the FDA’s publication of Postmarket Management of Cybersecurity in Medical Devices in December 2016, advisories were issued at a rate of 0.95 vulnerabilities per month. After the guidance was released, the rate rose to 4.52 vulnerabilities per month, nearly five times the previous rate!
An additional study sponsored by Synopsys and conducted independently by the Ponemon Institute in 2017 found that 67 percent of medical device makers believed their devices were likely to be attacked in the next 12 months, but only 17 percent were taking any significant steps to prevent attacks.
Even if the increased reporting of vulnerabilities is a sign of progress, and disclosing your issues is a positive in security, the numbers have to be put in perspective for the industry. There were about 931,000 hospital beds in the U.S. in 2017, and each of those beds has between 10 and 15 connected devices. That is a lot of vulnerabilities. Happy New Year!
The Growing Threat of Ransomware
Ransomware saw a significant uptick in 2019, particularly in the healthcare industry. In the first 10 months of 2019, 140 local governments, police stations and hospitals were held hostage by ransomware attacks. In September a California provider was forced to close because it could no longer access medical records, and in October three hospitals in Alabama had to turn away patients due to ransomware. Sadly, the industry should not expect any decline in ransomware in 2020.
Healthcare has maintained the status quo in security for several years, and IT security budgets have remained flat since 2016. As a percentage of health system and hospital IT budgets, cybersecurity has risen to about 6 percent of total annual IT spend for calendar year 2020. This remains far below the average for other regulated industries, such as finance, which run around 15 percent. Physician organizations and groups, on the other hand, report a decrease in actual cybersecurity spending, with less than one percent of their IT budgets earmarked for cybersecurity in 2020.
We have seen a dramatic rise over time in successful attacks by a variety of adversaries, ranging from criminals to hackers backed by nation-states. This is a further indicator of how attractive and how vulnerable healthcare is as a target. Sadly, the sector remains highly susceptible to continuing breaches, and that is not likely to change next year.
Making matters worse, budget constraints will limit staffing and the ability to replace legacy software and devices. This will leave organizations even more susceptible to attacks and it will become more challenging for hospitals and health systems to invest in areas that do not actively produce revenue in the coming year.
2020 still offers the hope and promise of redoubling our efforts and focusing on our organizations’ prioritized risks. What if you started doing vendor assessments before acquisition instead of only after the product or service was paid for and deployed? What if you did the same with medical devices and built security terms into the contract? What if you trained and retrained the workforce on ransomware and other current threats? The old saying goes, “time is money,” but what if you had more time than money? Let us make the most of the currency we have and move the dial in the year ahead through better planning, more purposeful contractual arrangements, and comprehensive training. After all, hindsight is 20/20, especially when it comes to cybersecurity.