It’s still taking many healthcare organizations far too long to discover a breach — much longer than in other sectors.
From left: Stephen Boyer, Anahi Santiago, Shirley Golen, Chris Logan and Dan Costantino participating in a panel discussion at the HIMSS Healthcare Security Forum in Boston.
When it comes to healthcare security, security experts would rank the industry in the middle or toward the lower end of the pack, according to a panel of security leaders at Monday’s Healthcare Security Forum.
That’s because it’s still taking many healthcare organizations far too long to discover a breach — much longer than in other sectors, according to BitSight Technologies co-founder and chief technical officer Stephen Boyer.
According to Boyer, healthcare is in the middle and needs to work on remediating systems and improving patching and blocking policies. And its users are only amplifying risks by falling victim to malicious attacks.
Christiana Care Health System Chief Information Security Officer Anahi Santiago would rank healthcare even lower, as the industry struggles with operational challenges. The need for constant accessibility in healthcare makes it hard for the security team to apply updates and patches.
“The threat landscape keeps getting worse and worse, and we can’t work at the rate the bad guys are moving,” said Santiago. “I think the industry is going to go backwards before it moves forward.”
Part of the problem is that healthcare is missing critical components — including IT and security hygiene, said VMware Senior Healthcare Strategist Chris Logan.
“Why are we still, in this day and age, with all of our high-tech information still missing the user?” said Logan. “We need to educate the user: enable them to do the right thing to get back to security hygiene.”
Penn Medicine CISO Dan Costantino finds the issue with healthcare’s security can boil down to culture. Much like Santiago, Costantino said that healthcare security will take a large step backward before it goes forward, as healthcare is a “reactionary culture.”
“The culture and mindset of being proactive is just foreign to so many levels of healthcare,” said Costantino. “So many departments are struggling now: something major is going to have to happen for that culture to shift.”
And the need for the shift will only increase as threats continue to become more sophisticated and prolific.
For Santiago, the greatest threat is the “speed at which we’re adopting tech and the fact that as security professionals, we need to keep up with that pace.”
This includes not only threats on the network, but the devices given to patients to take home, Santiago said. But her biggest fear is the vulnerability of systems and the potential inability to care for patients.
“There are so many different threats that can happen in a health system. And if we can’t take care of patients, we’re not doing what we set forth to do,” said Santiago.
Another less visible issue is asset management. According to Boyer, it’s a big challenge for IoT. There are millions of orphaned devices and millions of vulnerable devices that aren’t managed or tracked.
To get healthcare up to speed on its security needs, Logan said that security teams need to keep having those tough conversations up the chain of the organization.
“The patient is relying on you to have that conversation: Do what you have to do within your organization to make sure the risks are mitigated,” said Logan.
Costantino agreed that it’s all about people. But the problem, he said, is that the story organizations are telling their users isn’t the right one.
“Some security teams and system admins think end users are stupid. But that’s not the case,” said Costantino. “It’s that people don’t think about security the way you do. If you look at your policies, you can see why people act the way they do.”
“At the end of the day, it’s a business-level effort,” he said.