By Mike Weber, Coalfire
Within cybersecurity, the healthcare vertical often bears the dubious distinction of being considered the sector most vulnerable to cyberattacks, the one with the weakest overall defenses. Before accepting that assumption outright, the first question to ask is, “Is this true?”, followed quickly by, “If so, why?”, and then, “What should be done about it?”
Recently, Coalfire released our inaugural Penetration Risk Report, an analysis of data from over 300 penetration tests conducted in client enterprises of all sizes, across all vertical industries. The study revealed that enterprises of every size are still leaving many of the same basic, best-practice vulnerabilities unaddressed year after year; in this respect, healthcare is in good company. It also revealed that midsized enterprises are doing better at protecting themselves than either large or small enterprises, which flips traditional thinking. On this trend, healthcare was in line with the overall data set.
When covered entities and healthcare-related third-party providers were compared with other verticals, however, we saw a proportionally higher number of critical vulnerabilities across the external network attack surface, as well as a pervasive problem with insecure protocol usage on their internal networks. To net out our findings: they didn’t measure up.
So now that we have determined that, at least within our data set, healthcare appears to be a cyber laggard, let’s look at the likely reasons why. The explanation most commonly offered for the healthcare security gap is the tension between an inadequate IT budget and the need to prioritize quality patient care; cybersecurity, and the highly trained staff it requires, get the short end of the stick. Let’s dig a little deeper into what this really means in today’s healthcare environment.
A Patchwork Of Systems
Like every industry, healthcare has seen rapid change in its technological environment. Healthcare has digitally “evolved” not only to advance the state of patient care, but also to serve patients remotely, collaborate with other providers, communicate with patients on digital platforms, and so on. However, covered entities are rife with legacy systems, running the gamut from record-keeping and scheduling systems to legacy connected patient care devices and non-traditional IT systems. I would argue that healthcare has more “fractured” operational characteristics than any other major vertical. This patchwork IT environment is not typically secured with the end-to-end security strategy that defense in depth would require (refer to our point about restrictive budgets and sparse IT staffing).
Second, regulations abound, and they consume time, money, and energy, all of which we have established are in short supply. A plethora of regulations affects different operational systems. For example, a healthcare organization will have PCI compliance needs in addition to the obvious HIPAA requirements, and even the FTC’s Red Flags Rule. The General Data Protection Regulation (GDPR) and state regulations add yet another dimension. All of these drive an organization to spend hard-to-find resources on maintaining compliance with regulations and standards, often to the detriment of building a truly secure operating model. Regulations don’t exist in a vacuum, however; they are measured and enforced through audits and assessments, which can result in “audit fatigue.” The primary symptom of this condition is an organization’s desire to do the “bare minimum” needed to comply under a constrained budget.
Fear Of Discontinuity Of Patient Care
Deploying new architectures, upgrades, strong authentication, patching: all can be seen as disruptive to the organization’s core mission, continuity of patient care. Modernizing operations, maintaining the integrity of information, and supporting the core mission can seemingly be in conflict. There is clearly a financial cost to system improvements, but there is also very little risk tolerance for operational interruption.
But, There Is Hope
With the digitization of records and the vast improvements in modern healthcare technologies across the board comes hope. New systems are, for the most part, being deployed with security as a high priority. As healthcare companies implement new systems with modern security technologies and controls built in, they can realize a great improvement in their overall security posture. Yet to avoid the pitfall described earlier, a patchwork of legacy and advanced technologies, healthcare organizations will need to fully transition to new technologies and sunset legacy systems. Virtually every environment encountered in our penetration testing study was the proverbial “mixed bag” of new and old, and in many cases that was because of a reluctance to retire systems that are no longer considered “mission critical” and so are no longer given attention. These systems present an elevated risk to the organization precisely because they continue to house data that is valuable to the organization and attacker alike.
Know Your Security Priorities, Then Act
It is understandably a challenge to secure a technologically diverse organization that is advancing rapidly without an equivalently expanding security budget. This is where prioritization becomes key. Security assessments and penetration testing can help these organizations understand their biggest areas of vulnerability, so they can prioritize their security efforts and investments. New “security integrated” technologies will help; in the meantime, identifying the critical gaps and addressing those first would go a long way toward securing the healthcare organization, which in turn helps to ensure continuity of patient care.