Information security professionals in the healthcare industry say their top priority is finding ways to deal with novel threats, rather than simply meeting standards set out in law or regulation, according to a new survey.
“The primary operational priority [of respondents] is the need to be able to deal with new threats, rather than compliance,” said Barbara Filkins, an analyst with the SANS Institute, a cybersecurity training and certification provider, who conducted the survey.
“Respondents are looking at their whole [IT] infrastructure, rather than just the database with the patients [electronic health records or] EHR in it,” she said.
“They’re taking a more holistic approach, not just ticking the box on their compliance … That’s the good news.”
Filkins said she believes the shift is due to the increasing tendency towards virtualization and outsourcing of data centers, along with the growth of mobile devices.
“Smartphones, tablets and laptops have become the stock in trade” of health professionals, she said. “Layer on that the increasing use by patients of mobile devices [to access their EHR] and the fitness industry wearables [that are also] hooked into them.”
“These endpoints are not something the security professionals have control over,” especially when they’re patient-owned, she added.
All this has “brought its own set of dark alleys to the healthcare industry,” she concluded.
The respondents, the largest number of whom (about 40 percent) work in hospitals, are overwhelmingly (80 percent) analysts or IT security managers, Filkins told CyberScoop. The remaining 20 percent are compliance specialists or privacy officers. The non-hospital based respondents work for other kinds of healthcare service providers, like urgent care centers, or for health insurers, she said.
The full results of the survey will be published next week in association with a webinar the institute is staging.
The survey reveals a notable disconnect or lag between threat perceptions and threat realities. For example, 38 percent of respondents consider medical devices on their network to be a high risk. Yet when asked about actual breaches, only 6 percent have experienced any that can be attributed to such devices.
Filkins speculated this might be due to awareness of new threats leading their implementation by hackers and cyber criminals. “There is a [time] lag” between the research that’s identified medical devices as a vulnerability on healthcare networks and the implementation of actual attacks, she said.
Real breaches continue to come mainly from traditional attacks, according to the survey, with the leading cause being phishing and spearfishing (56 percent) followed by insiders (39 percent).
“There’s a natural human curiosity that goes with access to medical information,” Filkins noted, adding there will always be the temptation to look up the records of celebrities or neighbors.
In general, “the industry has fairly rigorous controls and strong sanctions against privacy violations,” she said, giving as an example a geolocation function which will flag any queries where an employee is looking up records of someone who lives near them. “Usually there will be some type of alert and a follow up audit or request for justification,” she said.
“The healthcare industry gets beat up a lot for not being as secure as they should be,” Filkins said, adding she might be seen as biased because she works in the sector. “But from another angle, this is the most complex IT and business environment there is … Providing security is really hard … The problem is the complexity is so great and getting greater every time something new gets thrown at us.
“The industry can’t keep up and I don’t see that changing.”