A recent survey of healthcare IT security leaders indicates that the healthcare industry’s level of readiness to defend against concerted cyber attacks has improved in the past two years, which shows progress toward strengthening healthcare organizations’ security postures. However, the bad news is, despite the rising threats, the number of healthcare organizations making investments in information security has actually declined since 2015.
KPMG, an audit, tax and advisory services firm, surveyed 100 CIOs, chief technology officers (CTOs), chief security officers (CSOs) and chief information security officers (CISOs) from both healthcare provider organizations and payers with over $500 million in annual revenue. The firm’s 2017 Cyber Healthcare and Life Sciences Survey found a dramatic rise in computer system breaches and data compromises, including compromises of patient records, over the past two years. And yet more C-level IT security executives say they are better prepared than two years ago to protect their organizations against cyber attacks.
Almost half (47 percent) of organizations, including both providers and health plans, said their organizations had instances of security-related HIPAA (Health Insurance Portability and Accountability Act) violations or cyber attacks that resulted in data loss or system compromise in the past two years. That compares to 37 percent of respondents in KPMG’s 2015 survey, an increase of 10 percentage points.
When asked about “readiness to defend against a concerted cyber attack,” 35 percent of CIOs, CISOs, CTOs and CSOs at provider and payer organizations said they are “completely ready” versus 16 percent in 2015. In the survey, respondents were asked to rate their “readiness” at a level of 1 (not at all ready) to 5 (completely ready). Thirteen percent of respondents rated their organization at level 3 and 52 percent rated their organization at level 4. None of the organizations rated themselves as level 1 or 2.
Despite the rising threats, KPMG’s survey found that cyber security as a board agenda item has declined over the past two years (79 percent versus 87 percent in 2015). In addition, KPMG found a disconnect regarding cyber investment in this volatile environment. A smaller majority of healthcare companies made investments in information protection in the prior 12 months (66 percent versus 88 percent in the 2015 survey).
“Healthcare payers and providers are on treacherous ground here and some organizations are underestimating cyber-security risks,” KPMG’s healthcare advisory leader Dion Sheidy said in a statement. “There needs to be a higher degree of vigilance among boards and executive suites as attacks become much more sophisticated, especially as doctors need to share information to improve quality and as connected medical devices and wearables proliferate. The WannaCry ransomware hack in May was a warning shot against our collective ability to protect patient safety and privacy.”
In an interview about the survey findings, Michael Ebert, leader of KPMG’s cyber security group in healthcare and life sciences, says he is concerned that there is a level of complacency in the healthcare industry regarding cyber risks. “I think the industry has become a bit numb to the fact, that, well, we’re going to have cyber instances and we see it in the news all the time when there is another breach. And, you always see that company in business the next day, so there is complacency building. It’s fallen off the board agenda a little, which is a shame, because we continue to see high rates of infection. There are organizations in the healthcare industry taking this issue very seriously, but to have that broad response reflected in the survey, it’s concerning.”
Regarding recent ransomware and malware cyber attacks, such as WannaCry and Petya, he adds, “The last major attack, the hackers did certain modifications and, more importantly, they made it so that it would spread much more rapidly. They are testing our cyber defense capabilities. And, we’ve seen it rip right through institutions. Once it gets in, it just rapidly goes through, and to slow that down or stop it, you’ve got to pull plugs. We’re at war, it’s just a different type of war that’s going to cost the capital economy billions of dollars a year.”
According to the survey, data sharing with third parties is seen as one of the biggest vulnerabilities among healthcare providers and insurers with 63 percent of respondents mentioning it, topping Internet-enabled devices not fully controlled by IT and the lack of resources/budget. Yet sharing data is an important element of coordinating care and succeeding in a healthcare reimbursement environment that is moving away from paying for activity (fee-for-service) and toward outcomes.
Drilling down into the survey findings regarding information security investments, for those organizations that have made investments in the past 12 months, the majority of respondents (76 percent) reported making greater investments in technology, such as software, firewalls and encryption, and 83 percent have invested in stronger policy and controls around data access and processes. Only 41 percent have made investments in staff, such as hiring and training, and 44 percent have invested in governance.
Looking ahead, when asked where their organizations plan to make investments in IT security, the survey findings indicate both payers and providers plan to focus on investing in technology rather than process and staffing. Seventy-nine percent said security technology will continue to get the bulk of financial investments, and 82 percent cited stronger policy and controls around data access and processes as an area of investment. Staff (hiring, training) ranked last at 24 percent among areas where organizations planned to invest, trailing planned investments in consulting (41 percent), managed services (47 percent) and hardware (28 percent).
Only 15 percent of respondents said that increased or higher-quality staffing is needed to make their organizations more effective in cyber security, while an “overarching strategy” was seen as the biggest need by 24 percent. “Stronger processes” at 21 percent, and “increased funding” and “better technology” at 20 percent each, were also cited as big needs.
“A solid cyber security program needs people, processes and technology and short-changing staff and the process structure needed to adequately govern, manage and monitor the technology is a faulty approach,” Ebert says. “Software can only protect you so far and staff is important when it comes time to respond to a data breach. The respondents that are not emphasizing staff and processes are underestimating the threats or creating a false sense of security among their management and board.”
Ebert continues, “If you don’t put the proper people and processes in place, then you can implement any technology and it’s not going to appropriately address the risk. Healthcare organizations are not looking at the threat vectors that are impacting them, they are not looking at the risks behind those threat vectors, and then they are not addressing how the technology they are buying integrates. Healthcare organizations are buying technology tools, but they are not fully implementing or fully integrating it, or understanding the full benefits that they can gain from that technology. They are not applying resources to accomplish those tasks and they are underinvesting in this area.”
Cyber Threats and Vulnerabilities
The KPMG survey also examined the attack vectors healthcare organizations are most commonly facing. Respondents were asked, of the known cyber attacks their organizations had faced in the past year, which attack vectors compromised their environments. Sixty-nine percent of respondents cited external exploitation of a vulnerability, 60 percent cited single-system malware introduced through human error, such as from a USB drive, and 39 percent cited a phishing email that resulted in a compromise. What’s more, 37 percent cited a third-party device, product or service and 19 percent cited an internal bad actor.
Of the respondents who reported that their organizations had been the victims of cyber attacks in the past year, 32 percent said their organizations were infected with ransomware. Sixty-six percent reported they had not been hit with ransomware and 2 percent said “I don’t know/not sure.”
Also, C-suite level IT security executives were asked how their organizations initially responded to the ransomware infection, and 41 percent reported that they paid the ransom. Only 25 percent reported using a forensic cyber team to fix the problem, 16 percent said they worked around the problem with redundant systems and 19 percent said they worked with authorities to pursue criminal action.
Despite cautions from the FBI and cybersecurity consulting firms that organizations should not pay the ransom, the survey findings indicate that many are choosing to pay to get their data and systems back up. “It’s because they don’t have proper backup procedures, or their backups got corrupted because of the way they linked their systems together,” Ebert says. “We’ve gone to real-time recovery capabilities and what happens is the primary system gets infected and so does the backup at the same time. Many organizations haven’t thought about how they interconnect and link those together, so the only way they can operate is to pay.”
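The failure mode Ebert describes, a replica that is encrypted in the same instant as the primary because every write is mirrored, is easy to see in a small model. The following is an added example written for this page, not code from KPMG, the article or any product: a toy Python simulation with constructed sample files (no real patient data), a stand-in cipher used only to make the encrypted output unrecoverable in the model, and hypothetical names (Storage, ransomware, run_scenario) that are not from the source. It also goes one step past the quote by keeping more than one snapshot generation, so the restore has to walk back past a snapshot taken after the infection.

```python
"""Why a synchronously mirrored copy is not a backup against ransomware,
while point-in-time snapshots the primary cannot overwrite are.
Added example; constructed data and hypothetical names throughout."""
import hashlib
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample files standing in for a handful of records; not real PHI.
ORIGINALS: Dict[str, bytes] = {
    "records/0001.txt": b"patient 0001: synthetic record, no real data",
    "records/0002.txt": b"patient 0002: synthetic record, no real data",
    "images/scan01.bin": bytes(range(256)) * 4,
}

# Integrity manifest recorded at backup time and kept off the primary.
MANIFEST: Dict[str, str] = {n: hashlib.sha256(d).hexdigest() for n, d in ORIGINALS.items()}


def toy_encrypt(data: bytes, key: bytes) -> bytes:
    """Stand-in for the attacker's cipher: XOR with a SHA-256 counter keystream.
    Present only so the model produces unreadable bytes; not a real cipher."""
    blocks = len(data) // 32 + 1
    stream = b"".join(hashlib.sha256(key + i.to_bytes(8, "big")).digest() for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))


class Storage:
    """Primary volume with (a) a synchronously mirrored replica, the
    'real-time recovery' setup, and (b) snapshots the primary cannot modify."""

    def __init__(self) -> None:
        self.primary: Dict[str, bytes] = {}
        self.replica: Dict[str, bytes] = {}
        self.snapshots: List[Tuple[str, Dict[str, bytes]]] = []

    def write(self, name: str, data: bytes) -> None:
        self.primary[name] = data
        self.replica[name] = data  # replication copies bad writes as faithfully as good ones

    def snapshot(self, label: str) -> None:
        # bytes are immutable, so a dict copy is a frozen point-in-time image
        self.snapshots.append((label, dict(self.primary)))

    def restore_latest_clean(self, is_clean: Callable[[str, bytes], bool]) -> Optional[str]:
        """Restore the newest snapshot in which every file passes is_clean."""
        for label, snap in reversed(self.snapshots):
            if all(is_clean(n, d) for n, d in snap.items()):
                self.primary = dict(snap)
                for n, d in snap.items():
                    self.replica[n] = d
                return label
        return None


def intact_fraction(copy: Dict[str, bytes], originals: Dict[str, bytes]) -> float:
    """Share of original files whose bytes survive unchanged in `copy`."""
    return sum(copy.get(n) == d for n, d in originals.items()) / len(originals)


def ransomware(store: Storage, key: bytes) -> None:
    """Attacker with write access to the primary encrypts every file in place.
    Each write is mirrored, so the replica is encrypted at the same moment."""
    for name, data in list(store.primary.items()):
        store.write(name, toy_encrypt(data, key))


def matches_manifest(name: str, data: bytes) -> bool:
    return MANIFEST.get(name) == hashlib.sha256(data).hexdigest()


def run_scenario() -> dict:
    store = Storage()
    for name, data in ORIGINALS.items():
        store.write(name, data)
    store.snapshot("nightly")                              # taken before the infection

    ransomware(store, key=b"attacker-key-unknown-to-victim")
    store.snapshot("nightly-after-infection")              # a poisoned generation

    result = {
        "primary_intact": intact_fraction(store.primary, ORIGINALS),
        "replica_intact": intact_fraction(store.replica, ORIGINALS),
        "clean_snapshot_intact": intact_fraction(store.snapshots[0][1], ORIGINALS),
        "latest_snapshot_intact": intact_fraction(store.snapshots[-1][1], ORIGINALS),
        "restored_from": store.restore_latest_clean(matches_manifest),
    }
    result["primary_after_restore"] = intact_fraction(store.primary, ORIGINALS)
    return result


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

The replica ends up 0 percent intact at the same moment as the primary, which is the point of the quote; only the snapshot taken before the infection restores anything, and only because the restore verifies each generation against a manifest held off the primary rather than trusting the newest copy. In a real environment the analogues are immutable or offline backup generations with retention longer than the dwell time of the attacker, and a restore procedure that tests integrity before it trusts a copy.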
What’s more, Ebert says some healthcare organization executive leaders have said they want to pre-buy bitcoins, as a reserve, in case they get hit with ransomware. “That’s not where you want to make your investment; you need to make your investment in protecting your assets, as opposed to making an investment in buying your way out.”
Identify Priorities and Reduce Risks
On a positive note, based on the survey findings and his own experience with the healthcare industry, Ebert says the industry has improved. “We’re not where we need to be, but we’ve done things to improve. We’re doing things that are reducing risk, maybe not increasing our maturity on cybersecurity, but certainly reducing risk. We’re looking at cybersecurity from a much more holistic standpoint; we’re training a lot more of our employees on a continuous basis and increasing awareness.” He notes that 90 percent of breaches occur because of a single human error, such as an employee clicking on a phishing email. He adds, “We still commonly see with internal phishing training that we still get 22 percent click rates. That’s way too high.”
And, he notes there are lessons to be learned from the financial world. “In the financial industry, they have been dealing with security since the beginning of the concepts of banks and currency, so security is in their DNA. They wake up every day and think about it—What am I doing and how is it going to affect my environment? What new products am I offering and how am I interacting with the consumer, and is it a secure way to do it? The healthcare industry has never woken up and thought about it every day, but it’s getting there and becoming a part of their DNA; it takes time to change that.”
For CIOs and CISOs, the biggest takeaway from the survey findings, Ebert says, is that healthcare organizations are operating in a new threat environment, and risks need to be prioritized and effectively managed.
“The first thing to look at is the critical patient safety issues that occur when these systems go down. You have to think about your resource allocation and your priorities differently,” he says, adding there are obvious financial implications as well. “We’ve seen several organizations out of service for a month or longer, and if you lose one-twelfth of your revenue, you’re going to have critical financial issues. In the healthcare delivery industry, margins are usually three to four percent, if you take away a month of revenue, a lot of healthcare institutions will struggle to be alive the next day.”
Healthcare IT security leaders need to focus on better management and control of privileged access to systems and networks. “The better you control your administrator level access, the better you are going to reduce the risk to your environment. You’re not going to increase the cybersecurity maturity greatly, but you’re going to reduce the risk of something spreading. Having a mature incident response plan can enable you to handle the risk effectively.”