Cybersecurity strategies evolving in face of big risk
By necessity, the healthcare industry has seen big changes in its approaches to cybersecurity since 2008, according to a new HIMSS report, which finds a noticeable shift from a compliance-based approach to one focused on risk management.
The message seems to have sunk in, especially in recent years, that mere HIPAA compliance is not even close to enough, according to the report, which tracks responses to the annual HIMSS Cybersecurity Survey over the years between 2008 and 2015.
"Cybersecurity is now a business priority for healthcare organizations, due to aggressive and targeted cyber-attacks affecting the healthcare industry," researchers write. "Many healthcare organizations now realize that achieving a secure IT environment is not a 'one and done' endeavor, but rather is an ongoing effort."
When HIMSS first released its inaugural security survey in 2008, the focus was understanding how health organizations, traditionally not used to storing large troves of digital data, were managing to protect their patient information. Most providers said they routinely conducted risk assessments -- half of them doing so at least once a year -- and most indicated they were meeting compliance requirements as part of that.
But in recent years the landscape has changed dramatically, with a huge uptick in big and costly breaches.
"Prior to 2013, the largest reported breaches in the healthcare industry were largely the result of lost or stolen devices, such as back-up tapes, servers or laptops," according to the report. "After this time, the largest reported healthcare breaches have been primarily due to cyber-attacks."
Indeed, in 2015 alone, hackers have compromised more than 100 million patient records through advanced persistent threat attacks.
"In view of recent events, the healthcare industry has experienced a paradigm shift from a compliance-focused security mindset to a holistic cyber risk management-focused mindset," according to HIMSS.
This new report draws on past HIMSS cybersecurity survey results to offer a look at how the internal and external threats facing healthcare have evolved – and how the technologies and strategies organizations are using to secure their IT environments are adapting to the change.
Traditionally, respondents "consistently reported being more concerned about insider threats than external threats," according to the report. But concerns about the latter increased as of 2013 – which HIMSS calls a "turning point for the healthcare industry and other industries in terms of experiencing aggressive and targeted cyber-attacks."
With more than 4 million patient records compromised that year, external threats, rightfully, became "a growing concern."
Meanwhile, the tools hospitals use to defend themselves have changed, as evinced by a comparison of the 2008 and 2015 surveys:
Those most cited in the first survey are traditional security tools, many of which are still heavily relied upon today, of course. Use of encryption, in transit and at rest, is also on the uptick. But survey respondents still seem to agree that such traditional defensive weapons "likely will not be successful in helping to defend from the cyber-attacks of tomorrow," according to HIMSS. "Respondents indicated that more sophisticated tools will be needed to aid in successful cyber defense in the future."
HIMSS is seeing a modest increase in the deployment of more advanced technologies and strategies, such as intrusion prevention systems, data loss prevention tools, multi-factor authentication and Dark Web research, but these are "much less widespread."
HIMSS members can access the full report here.