What will tomorrow bring for IT security?

The truth is no one really knows what tomorrow or the next year will bring, and anyone who tells you otherwise is making it up.

The only thing that is certain for the future of cyber is that it's sure to be interesting. In 2016 security vendors were overwhelmed by malware that had climbed to over 400 million new variants a year.

This year began with an onslaught of ransomware attacks that haven't abated yet; in fact, they have escalated and evolved constantly over the past months to become the number one concern of most CIOs, according to a recent CHIME survey. Rightfully so, as ransomware as a weapon seems made for healthcare: its primary mission is rendering systems or data unavailable – every CIO's worst nightmare. Victims of these attacks learned firsthand that their networks were not architected to defend adequately, that their contingency planning was ineffective and that the workforce really wasn't ready for long outages or to perform without the assistance of computer aids. In response, bipartisan scrutiny by Congress eventually led to new guidance from OCR on handling ransomware incidents in healthcare.

2016 bore a constant reminder that medical devices are insecure and could be compromised to affect both the networks they communicate with and the patients they are connected to. We witnessed the FDA call out the Hospira insulin pump (Symbiq) because it could be hacked over the wireless network, followed by the questionable hacking of devices from St. Jude Medical Inc. that drew more attention to the issue. More recently, a researcher for Rapid7, and a diabetic himself, hacked his own insulin pump and reported how he did it to Johnson & Johnson, who promptly issued a warning while claiming the OneTouch Ping system was safe and reliable. Despite repeated warnings, despite clear evidence that these devices pose a threat, despite the FDA's attempts and appeals to Congress, the problem has not been solved.

This year, hospitals were attacked through their security systems and through their environmental systems, demonstrating that everything connected to the network is at risk. Just in time for Halloween, hackers once again showed us they have more tricks up their sleeves with the Mirai malware botnet attack that took over thousands of devices in one of the largest DDoS attacks ever seen, demonstrating just how vulnerable the Internet of Things (IoT) is. Web-based services were disrupted for many businesses, including healthcare, which experienced the loss of web-based EHRs and other hosted critical services. The victims of this attack were not just the ones targeted, but all of those caught in the wake of its collateral damage. The hackers used CCTVs, smart coffee makers and many other devices connected to the internet, proving how anything can be weaponized.

We saw more hacktivism in 2016, from the victims of the Hurley water situation to, more recently, the leaks around political campaigns designed to influence elections. Hacking for ideals or causes is alive and well. The number of hacks rose at the sharpest rate yet in 2016, demonstrating that the threat is serious and the consequences are just as serious. These events directed a bright spotlight on some of the continued inadequacies in healthcare security that will likely continue into 2017.

So what will tomorrow bring? More. 2016 has shown us that the battle with criminals will be fought in the new cyber reality of constantly evolving threats, that cybercriminal activity is carried out by an army of attackers who respect no boundaries, are indifferent to the effect they have, are organized, are creative, are ubiquitous, are faceless and engage in a relentless asymmetric assault. The old axiom that the attacker only has to get it right once and the defender has to every time has never been truer. Cyber is the new medium for theft and those with information or technology of value are its targets.

So how do we prepare for these imminent threats in the coming year?

Good Hygiene Counts

At the end of 2015, researchers said that more than 90% of the attacks that had occurred took advantage of a known vulnerability. That did not change in 2016 and is likely to remain an issue in 2017. This means that the majority of attacks started by compromising some weakness that we could have done something about. We could have applied a patch, closed a port, eliminated a factory setting or password, disabled a dangerous service, restricted access better, upgraded or replaced an obsolete system or software. How we manage the enterprise is important. This isn't like that Toyota that you are so proud of because you're still driving it after 300,000 miles. The things that attacked your Toyota the day you bought it are the same things that threaten it at 300,000 miles. Your IT enterprise is very different. An old or antiquated computer system or software is way more at risk than ones that are up to date. The threats against computer systems and software are constantly evolving and the older they get the more at risk they become. Where that Toyota is similar, however, is in the care and maintenance that someone obviously gave it to allow it to go that far. Similarly, your network also needs constant care and maintenance, tune-ups and checks. Committing to better maintenance will have a positive effect on decreasing the number of incidents experienced.

New Thinking Required

The security approaches of the past are not going to hold up to the technological cyber battlefield of the future. When you read the predictions of the future of technology all you see are faster processing speeds, the introduction of artificial intelligence, machine learning and intelligent applications. In healthcare these will be used in areas like medical diagnostics, systems that integrate with the human body and home monitoring capabilities. Information will become even more important and its accuracy and reliability even more critical. At the same time virtually every platform and software developed or deployed comes under attack almost immediately. Cybersecurity systems and approaches, as well as leadership's mindsets, are also going to have to evolve to keep pace. Just as the healthcare community is doing amazing things with technology, we need to recognize we need to invest in equally sophisticated cybersecurity technology to protect those capabilities. This means investing in Next Generation Firewalls, gateways for mail and web traffic, heuristic and behavioral analytics-based detection and enforcement systems, encryption, advanced authentication, multilayered security and real time monitoring. It also means adopting an industry-recognized framework for developing, building, deploying and managing cyber networks and systems. Healthcare is one of the last industries to do this; hopefully 2017 will be the year we adopt the NIST Cybersecurity Framework.

The Internet of Everything

It's amazing how many people are surprised by the threat that the internet represents, which means we have forgotten that the internet was never created with security in mind. Today the IoT and medical device threat are a very prominent part of the risk ecosystem that healthcare must contend with. We've long since known that medical devices posed a risk, but the recent attacks using IoT should have heightened everyone's sensitivities. Sophisticated attacks using these devices as surrogates raised another concern for healthcare entities around the resilience of their enterprises. Healthcare systems lost access to critical assets like EHRs and had internet outages affecting their own web-based applications, email, etc. This raised questions of whether the health system was relying on only one power grid and whether they have redundant Internet Service Providers. Healthcare entities also need to worry about critical services or assets hosted by third parties who may be susceptible to weaknesses in these areas as well. Network access control solutions are making a comeback as entities seek to be able to control what connects to the network, stronger authentication on remote access, and solutions that isolate infected mobile devices.

Cyber Espionage

We are amassing huge amounts of information about people, diseases, procedures, cures and more, all of which have tremendous value to other nation states and unscrupulous corporations and individuals. The breaches in the past 24 months have been a wake-up call that automating and digitizing healthcare information has made it another strategic cyber target. The attacks on OPM, Blue Cross, UCLA and Community Health all provided massive amounts of information that, in the wrong hands, can be turned into intelligence. Intelligence that can inform what others know about us from a health perspective, information about key personnel or personnel in sensitive positions, particular diseases or conditions affecting certain groups or parts of America, intellectual know-how with respect to treatments and responses and performance of drugs or procedures. Hackers also target specific healthcare systems, offering what they learned about those systems or software on the black market to be acquired by would-be attackers or someone looking to clone that system for profit. Espionage is not limited to the government, the high-tech industry or the financial sector any longer.

We Need Better Intelligence

If nothing else, the cyberattacks in 2016 have shown everyone in healthcare that we need better and more cybersecurity intelligence. In December 2015 Congress passed the Cybersecurity Information Sharing Act and created the Cybersecurity Task Force, which is due to deliver its recommendations on how to share cyber threat information in healthcare. HHS released two grants to the NH-ISAC: the first to provide cybersecurity information and education on cyber threats to healthcare sector stakeholders, and the second to help build the infrastructure necessary to disseminate cyber threat information securely to healthcare partners. Hopefully, these two efforts will form the collaboration between the government and private sector to begin delivering actionable intelligence and threat information to healthcare entities in 2017. More importantly, we need to share know-how as it relates to responding to threats and particular incidents to enable other healthcare entities to avoid incidents and to provide much needed support to help less sophisticated healthcare entities. Threat information without knowledge of how to respond effectively will not get the industry where it needs to go. Let's hope that 2017 is not only a year of better awareness, but also of better preparedness.

Where Are All The Cyber Pros?

In 2017 we will have a severe shortage of cybersecurity professionals and will be competing with everyone else for the talent available. That means that this talent will be hard to find, costly and still difficult to retain. It is not unusual for a credentialed cyber professional to receive multiple recruiter calls per month. This is a serious problem at a time when healthcare needs the talent necessary to build the cyber defenses that will protect patient information and assure its reliance on systems and data to support hospital operations and care delivery. We need creative approaches to solving this shortage such as incentives for IT professionals to go back and get these skills or more young people to enter this field. For example, scholarship programs with job incentives and service commitments could help attract IT professionals. With a shortage of more than a million personnel for the positions published, it will take incentives to close this gap. In the meantime we will still need, and continue to see, an increasing number of managed services, virtual CISOs and partner relationships to fill the gaps of qualified professionals.

2017 will be an interesting year if nothing else, but hopefully we will make more progress towards eliminating some of these challenges. With a new administration comes a new set of leaders and policy makers. Gen. Mike Flynn, the newly named National Security Advisor, has already signaled that he is concerned about cybersecurity and stemming the tide of attackers coming at the US government and American business interests. He'll also be concerned about our critical infrastructures and their viability, and healthcare is one of those critical infrastructures. Like any new year, it presents an opportunity to recommit to doing our best to ensure the networks, systems and information that healthcare relies on are reliable and protected.

Mac McMillan, FHIMSS, CISM
Chief Executive Officer; CynergisTek, Inc.

Mac McMillan is co-founder and CEO of CynergisTek, Inc., a top-ranked information security and privacy consulting firm focused on the healthcare IT industry. He is a member of CHIME's AEHIS Advisory Board, recognized as a HIMSS Fellow and former Chair of the HIMSS Privacy & Security Policy Task Force. McMillan brings nearly 40 years of combined intelligence, security countermeasures and consulting experience from positions within the government and private sector and has worked in the healthcare industry since his retirement from the federal government in 2000.

McMillan is a thought leader in compliance, security and privacy issues in healthcare, contributing to several industry trade publications and blogs. He was recognized in Becker's Hospital Review's lists of influential healthcare IT leaders by both its writers and readers in 2015, and was named one of the top 10 health information security influencers of 2013 by HealthInfoSecurity. He currently sits on several other advisory boards, including HIT Exchange HealthTech Industry, HCPro Editorial Advisory Board, HealthInfoSecurity Editorial Advisory Board and HealthCare's Most Wired™ Survey Advisory Board. McMillan also presents regularly at industry association events, such as CHIME, HCCA, HIMSS and AHIMA, and was a contributing author to the HIMSS book, "Information Security in Healthcare: Managing Risk."

McMillan served as Director of Security for two separate Defense Agencies, and sat on numerous interagency intelligence and security countermeasures committees while serving in the U.S. government. He holds a Master of Arts degree in National Security and Strategic Studies from the U.S. Naval War College and a Bachelor of Science degree in Education from Texas A&M University. He is a graduate of the Senior Officials in National Security program at the JF Kennedy School of Government at Harvard University and a 1993/4 Excellence in Government Fellow.

Copyright © 2024 Becker's Healthcare. All Rights Reserved.