By Brian Wells, chief technology officer, Merlin International.
I hope healthcare organizations delivered lots of TUMS and Advil to their beleaguered cybersecurity teams as a holiday bonus in 2018 – and maybe even a masseuse! With an overload of alerts, attacks and system compromises, it’s safe to say that working in a security operations center (SOC) can take both a mental and physical toll:
From 2010 to 2017, nearly 2,150 breaches involving more than 176 million patient records were reported to the Office of Civil Rights at the U.S. Department of Health and Human Services, according to a study published by the Journal of the American Medical Association (JAMA). During this period, the total number of breaches increased every year (except for 2015), with 199 reported in 2010 and 344 reported in 2017.
Three-quarters of healthcare providers, vendors and consultants indicated that their organization experienced a “significant” security incident within the past year, according to the 2018 Healthcare Information and Management Systems Society (HIMSS) Cybersecurity Survey. Online scam artists posed the biggest threat, as cited by about 38 percent of survey participants, followed by negligent insiders (21percent) and hackers (20 percent). Less than one-half of survey respondents said their security team was able to discover a “significant” incident within a day.
While 91 percent of hospital administrators consider the security of data as a top focus, 62 percent feel inadequately trained and/or unprepared to mitigate cyber risks that may impact their hospital, according to research from Abbott.
Frankly, the industry is likely to face a rougher road in 2019. Current insurance dynamics are making it more difficult than ever to collect reimbursements. If our elected leaders and/or the courts dismantle the Affordable Care Act (ACA), then the situation will grow only more onerous with a sharp decline in patients who are covered.
All of which means there will be less revenue coming in to fund tools to protect our networks, systems and devices, as well as the talent needed to deploy these solutions. Speaking to the latter, there will be 3.5 million unfilled cybersecurity positions by 2021, according to an often-quoted projection from Cybersecurity Ventures. Is it any wonder that chief information security officers (CISOs) leave their jobs after just two and a half years?
Unfortunately, I don’t foresee a “game changer” technology breakthrough that is going to instantly make threats go away. Attacks are here to stay; if anything, they’ll grow more voluminous and formidable to counter. So, in lieu of a “magic bullet” in 2019, I anticipate that healthcare organizations will attempt to reduce their cyber risk/exposure this year through the following steps – three of which I encourage, with a fourth that is worth considering in the future:
To be clear, I’m not necessarily referring to the wholesale offloading of SOCs. Some hospitals may “dip their toes” into the water here by hiring a managed security service provider (MSSP) to take over on nights, weekends, holidays and additional shifts that are tough to staff. Others, however, may conclude that it simply makes sense to entirely turn this over to proven provider with a strong track record in sorting through massive amounts of alerts to distinguish legitimate level-one threats from false positives. I believe this is an option worth considering, as it enables healthcare organizations to focus on their core competencies while handing off 24/7/365 incident monitoring, prevention, identification and mitigation to the experts.
Prioritizing identity and access management (IAM)
As indicated, scam artists, insiders and hackers combine to create perennial, pounding headaches for CISOs and their teams. That’s why it’s essential to figure out who’s who on the network – and what they’re accessing. Through IAM, IT departments centralize, standardize and automate users’ allowable entry to networks, systems, files, data and apps. With more hospitals and doctor’s offices launching patient portals, I expect that many will turn to IAM to ensure that both external parties (patients, partners, vendors, etc.) and internal ones (employees) are authenticated and otherwise cleared to go where they need to go – while keeping the bad guys out.
Upgrading SIEM with SOAPA
Like my first two predictions, I view this as positive progression as well. When it first surfaced in the mid-1990s, security information and event management (SIEM) products gathered event data from a comprehensive pool of sources – applications, network infrastructure and logs, in addition to IT components such as gateways, servers and firewalls. But SIEM teams have encountered lingering issues: They must assess a vast amount of incident data without enough contextual insight to help them determine what’s on their network, what it’s doing there and how to respond.
An emerging innovation known as the Security Operations and Analytics Platform Architecture (SOAPA) improves upon SIEM by consolidating its multiple technologies into one location. SOAPA brings together data from multiple sources, so teams acquire “single pane of glass” visibility of the entire enterprise cyber ecosystem, while deploying automated, advanced analytics to evaluate, manage and report on actionable items more rapidly and accurately than ever. This data consolidation and normalization also builds a foundation for effective use of machine learning.
… And what about blockchain?
Yes, blockchain is gaining traction as a technology flavor of
the day. As in other industries, healthcare leaders feel blockchain could dramatically improve information management and security by storing a vast array of data – like patient records, billing accounts, clinical trial results, insurance updates, etc. – on linked, encrypted blocks that aren’t “owned” by any particular institution or person. Users such as doctors, nurses and administrators access the blocks via authorization processes based upon the relevancy of the data to their job roles.
As opposed to the first three steps previously outlined, I’m advising healthcare organizations to pump the brakes a bit on blockchain instead of diving in head-first. There are plenty of inherent issues yet to work out. Blockchains aren’t designed to store radiology images, genetic testing results and additional large files of data – and we need this capability. There are patient privacy considerations as well, as blockchains are, by definition, transparent and reveal every transaction on the chain. Given that hackers have successfully targeted blockchains for cryptocurrencies, it’s a safe bet they’ll do the same for medical blockchains, thus placing patient privacy at risk. So I say let’s iron out the kinks before committing to this approach.
As we dive into 2019, I can’t promise that we’ll go from popping Advil and TUMS to popping champagne corks. But by outsourcing some (or all) of the burden while finding better ways to do what we do now – especially SIEM and IAM – we can certainly “ease the pain” of CISOs and SOC employees. If that doesn’t make for a happier New Year, it will at least ensure a healthier one – for the industry’s organizations and their cybersecurity teams.