In order to explore the likely cybersecurity trends coming our way in 2018, we must first take a quick look back at 2017. Last year was a banner year in about as many ways as one can think of. Unfortunately, most of those “banners” are for disasters of every sort. Today we are looking at the world of healthcare and how cybersecurity fared last year. Unfortunately, the story is not much better, particularly when we focus on healthcare cybersecurity.
There was no shortage of critical and easily exploitable vulnerabilities that came to light last year. Many of these vulnerabilities exist by the thousands inside of most enterprise networks. This makes them ripe for the picking for any attacker who can exploit those vulnerabilities. This year didn’t start any better when it was announced that there is a critical and fundamental security flaw (Spectre and Meltdown) in virtually every single processor in use today. Below you will find a brief treatise on some of the most concerning threats and trends we expect to see in the coming year.
Ransomware was the top cybersecurity trend, affecting 78% of providers according to a HIMSS survey. No one predicted some of the major incidents we saw this last year such as WannaCry, NotPetya, and others. It does not look like there will be any lessening of this threat anytime soon. The “official” numbers for 2017 are not out yet, but in 2016 we saw a 250% growth in ransomware attacks. And just based on headlines, last year was worse than 2016. Unfortunately, this does not bode well for the coming year and will be a top cybersecurity trend for 2018. As an industry, we have to keep working to thwart the ransomware attacks we can and minimize the impact of successful ones.
Breaches Get Worse
2017 was not a “good” year for the healthcare industry in the realm of major breaches. Organizations were reeling from the operational impacts of rising ransomware attacks – which, according to HIMSS guidance, are also often classified as reportable breaches.
To cap this off, criminals of the world have realized what we in healthcare IT have known for some time…we are lagging. The fact that healthcare IT and information security is behind other industries and is struggling to keep up is only going to keep healthcare in the crosshairs for the foreseeable future. Couple this with the fact that healthcare information (ePHI) is far more valuable on the black market than other data – such as credit card and banking data – and there is a perfect storm leading to another banner year for major healthcare breaches.
In the first half of 2017, there were 791 reported breaches that accounted for about 12 million records exposed to criminals across all industries. We don’t yet have the numbers for the last half of 2017, but it is safe to say there is no sign of this pace slowing in 2018.
More Mobile Threats
Mobile devices have been solidified in our lives as a critical lifeline and have become a top healthcare cybersecurity threat. We use them every day to manage our emails, schedules, communications, bank accounts, social media, Candy Crush and thousands of other things. Virtually every employee, contractor, patient, and visitor to a medical facility has a mobile device on them, and many are likely connected to an internal wireless network.
This year will only further solidify these little bricks of silicone and glass into the fabric of our lives. Healthcare organizations are not immune and have the disadvantage of being behind most other verticals insofar as security and maturity of their security programs are concerned. It is critical to address and mitigate the mobile threat or healthcare might see even more incidents than predicted.
Connected Devices (Internet of Things)
Hospitals and healthcare facilities have become hotbeds of connected devices. These devices range in complexity almost as much as they vary in cost. In addition to connected infusion pumps, CT scanners, and patient monitors, you also have to consider the less sophisticated devices like the cameras that watch the perimeter and thermostats and voice assistants in patient rooms right down to the printers that are everywhere. The complexity and range of devices that we see plugged into healthcare organizations’ networks are staggering. Even more staggering is the security on the majority of these devices is at best outdated and, in far too many cases, altogether non-existent. In 2018, healthcare has to resolve to tackle the connected device issue. We need to ensure these devices are updated, secured, and segmented.
Being prepared for an incident and handling issues as they come is by far the most important action that any organization can take. The one common denominator for all organizations regardless of size and maturity is that these incidents will happen, you can’t prevent everything, but you can be prepared for anything. One of the most consistent findings we have in our assessments is a lack of comprehensive incident response planning and a lack of testing and review on the plans that do exist. Being prepared for the inevitable is the only way to protect your organization, patients, others, and yourself from the losses that incidents cause.
This is by no means an all-inclusive list, in fact it is just a few of the most concerning trends we expect to see in 2018. If we, as an industry, work hard we may be able to get healthcare IT to a place that is more secure for all. But, until then we must stay vigilant and do our best to keep our organizations, co-workers, patients, and ourselves safe from these and the myriad of other threats we face every day in the connected world.