Healthcare cybersecurity – holistic medicine for healthcare systems?
• Healthcare cybersecurity is incredibly diverse and complex.
• A holistic approach is required to deliver consistent progress.
• Above all, comprehensive risk assessments are needed to give you your priorities for change.
Healthcare is increasingly suffering from cybersecurity threats, and both the slow pace of technological upgrading in healthcare, legacy systems, and often human reluctance to spend necessary cash on protecting the many systems that fit together to make healthcare work are exacerbating the threats.
In Part 1 of this article, we spoke with Deryck Mitchelson, Field CISO at Check Point Research and former CIO within the UK’s NHS Scotland, about just why it is that organizations frequently describe cybersecurity as a top-tier priority in healthcare, but then when it comes to spending actual investment money, the funding is never found.
Towards the end of Part 1, we touched on a delicate subject – especially in the UK, where over the course of 2023, nurses, paramedics and “junior” doctors (anyone below an attending physician) have all had to go on strike to fight for decent wages after 13 (and counting) cost of living increases in a row.
The subject of funding priorities.
“Fund nurses, not analysts!”
It’s always going to be awkward in a socialized medical setting, isn’t it – fighting for funding of technical or cyber-projects when front line medical staff are chronically underpaid?
Definitely. When you’re trying to get investment cases, it’s always going to be difficult, because I’ve never seen a headline in any national newspaper that says “Such-and-Such A Trust Has Invested More In Its Cyber-Program!” or “Trust Gets Two New SOC Analysts To Spot Security Breaches Shocker!”
We’ve read sexier headlines, it’s true.
Whereas “Another 100 nurses, and another five doctors,” that’s good PR, and good front line investment. People love good affecting headlines and soundbites, and healthcare trusts are no different. Besides, headlines and soundbites drive a lot of the investment that we see in organizations.
That’s why what we said in Part 1 matters. You have to make investment cases for healthcare cybersecurity in business terms, and in clinical terms, because boards understand those.
Ironically enough, “Local Blood Bank Hacked, Supplies Ruined” kind of is a sexy headline, but it’s an obviously negative one.
Yeah. But ideally, you don’t always want to scare boards. You can talk about how healthcare cybersecurity investment can transform your health pathways and get people home faster, how some of the transformational ways we can use protected data and systems can actually allow for earlier diagnosis.
You can dangle things like the potential of AI to do some predictive diagnosis – if it’s protected – and so link clinical outcomes and positive business cases to the need for funding for cybersecurity in your healthcare setting.
You can’t have any of those positive outcomes without cybersecurity relentlessly underpinning your healthcare facility.
Healthcare cybersecurity – the broken record?
Right now in the UK, we tend to keep throwing more and more money into healthcare, and most of that money goes into frontline staffing. That tends to be the metric that we use, because there’s a belief that that really helps to drive down things like waiting lists.
And it does, but I think healthcare needs a bolder reset – from education all the way up, so that we really understand what good physical and mental health looks like.
Then, hopefully, you’d need to invest a lot less in healthcare remediation and treatment paths for people down the road.
The irony of course is that our examples of a sexy negative healthcare headline – where there’s been a massive hack and a hospital is crippled, with all the patient care consequences that entails – would almost inevitably come with a long list of questions about why cybersecurity in the hospital was “allowed” to get so lax.
It’s like a broken record. You get a breach, hospitals are paralyzed, and then the PR people come out and say “It’s fine, we’re on top of this, we take your security really seriously. This is one of our top priorities.”
And then they say “No patient data has been breached.”
And then they say “There might be a small amount of patient data breached.”
And then “There’s actually quite a lot of patient data breached. But it’s data that was in the public domain anyway…”
We rarely learn from that cycle of breaches. We get short term investment after one, and then, five to ten years later, we’re back at the same stage we were at before, because the investment and the energy runs out.
Healthcare cybersecurity – a preventative prescription.
So what can healthcare organizations actually do to protect themselves, and the staff, and the systems, and the patients from the potential of a cybersecurity compromise?
The first thing is to start thinking about things tactically.
That’s a big problem within healthcare, you know? Stop looking at things and saying “If we buy that product, that’s going to solve our problems!”
What you need to do is build a robust cybersecurity program that’s owned by the board, so that you get the strategy right.
The strategy should underpin everything, and focus on actually protecting healthcare outcomes from clinical risk.
Build up a robust strategy, get used to thinking that way, rather than in the short term, “Buy It Now” way that healthcare cybersecurity has traditionally been forced to adopt.
Then, start looking within that strategy with an eye to risk assessments, to understand the areas that look like they’ll actually make the biggest difference in the shortest time.
Clinically advantageous, but also sexy headlines?
You could say that. The thing is, those areas could be small things. It could be to do with the classification or categorization of data. It could be that some small, non-security things are currently not very good – but they’re easy to fix.
It could be things to do with the roles and privileges – identity and access management can be a surprisingly big problem with healthcare if, say, nobody removes someone’s access privileges when they leave. These are basic things – remote access to areas of the facility – when somebody comes into service equipment, where do they go? Do they get access to a segmented area, or do they get access to everything? You’re only going to find out through a risk assessment. That’s what lets you understand where you have the biggest concerns, issues, and weaknesses within your systems.
Healthcare cybersecurity – the state of the system.
A kind of State of the System report, so you can generate a priorities list of things to tackle.
Exactly. You can’t tackle problems without a risk assessment to show you they’re problems – and how big or urgent they are compared to other problems.
The advantage of that type of approach is that it doesn’t just look at your perimeter controls, your network security. It also looks at your endpoints, your mobiles, your scanners, your IoT, your email, your cloud, your development code, your supply chain – it all needs to be looked at holistically.
If you don’t look at it holistically, the nature of healthcare is so complex, with a myriad of legacy systems, brand new systems, the profusion of IoT and medical devices, you’re never going to see the wood for the trees.
Plus, if you look at the system holistically, as part of a program of improvement, you can continually risk assess and see whether or not you’re getting better. You can only judge that kind of result if you have that holistic view and you have a solid risk assessment going into the program, because that’s what gives you your baseline metrics.
Are you able to mature your cybersecurity posture? Can you start to do exercises that actually demonstrate that you’ve got fewer vulnerabilities than you had before? You can only do those things with that holistic approach and a risk assessment.
That’s where they need to start.
In Part 3 of this article, we’ll dive even deeper into the structure of healthcare cybersecurity, and its current vulnerabilities, to try to find additional remedies for the issues that could lead to major healthcare data breaches or ransomware attacks.
Time and healthcare – much, much more complex than people imagine. Which means you need a holistic approach to both if you’re ever going to get anywhere.
28 September 2023
28 September 2023