Budget, lack of talent, and difficulties in managing and maintaining effective control over the security and access protocols within a system are some of the biggest challenges healthcare organizations are facing when it comes to cybersecurity, chief information security officers told Becker's.
"The biggest challenge in healthcare and public health continues to be budget, resources and cybersecurity prioritization," Jeffrey Vinson, vice president and chief information security officer of Bellaire, Texas-based Harris Health System, told Becker's.
Mr. Vinson said since the Anthem breach in 2015, healthcare has been under attack and the industry has yet to find its footing.
"Many healthcare organizations don't have the budget to properly fund their cyber teams, and if they do find the budget, they have resource constraints to deploy, manage and monitor the security tools," he said. "Beyond budget and resource constraints is the hard sell to prioritize the cybersecurity efforts in a balanced approach with patient care and patient safety."
A study from cybersecurity company Kaspersky found that in the past two years, inadequate investment in cybersecurity has led to cyber incidents for 15% of companies worldwide.
The 'experience gap'
Glynn Stanton, chief information security officer and chief technology officer of New Haven, Conn.-based Yale New Haven Health, told Becker's that the next biggest challenge is what he calls the "experience gap."
"Information security is based on risk management," he said. "In order to be able to balance risk versus usability versus cost requires experience which comes from time and on-the-job learning."
Mr. Stanton said after years of a shortage in cyber skills, healthcare is now starting to see the next generation come in from colleges, and although that is exciting, these individuals can sometimes lack the experience needed to be able to judge the appropriate level of controls for the appropriate level of risk and usability.
"Pairing up [new staff] with senior staff and mentoring around security aware, risk based, cost conscious decision making is the next step," he said.
Inability to control access hygiene
"I feel that the biggest challenges are our inability to properly control our access hygiene and the continued focus by threat actors on our industry," Steven Ramirez, chief information security and technology officer of Reno, Nev.-based Renown Health, told Becker's. "Threat actors view healthcare as soft targets because they have been successful and know securing our attack surfaces is always a challenge."
According to HHS, the frequency of cyber incidents in the healthcare sector has surged, showing a 93% rise in significant breaches reported to the Office for Civil Rights from 2018 to 2022. Most large breaches have been related to ransomware and have witnessed a staggering 278% increase during this period. These cyber incidents have resulted in prolonged disruptions to healthcare services, forcing patient diversions to alternative facilities and causing delays in medical procedures, ultimately jeopardizing patient safety.
Mr. Ramirez emphasized that ransomware and other cyberattacks happen because someone's login information is stolen, and attackers can take advantage of high-level access. This is why healthcare organizations can't solely rely on multifactor authentication and privileged access management.
"Making a focus on multifactor authentication and privileged access management are just scratching the surface," he said. "We need to harden our active directory and swim lanes (lateral movement capability) to better combat these challenges."
Biomedical device attacks
"An additional unique, healthcare-specific challenge that we've seen is attacks on biomedical devices," Benjamin Koshy, chief information security officer of Rockville, Md.-based Indian Health Service told Becker's. "Various regulatory efforts have been made to strengthen the security of those devices, including assurances that vendor-applied security updates would not invalidate existing certifications. However, medical devices are expensive, and replacement/upgrades are not always possible."
These legacy devices, which oftentimes are no longer supported by vendors as far as security updates, present a tempting target to malicious actors, according to Mr. Koshy.
"These devices are used to monitor and treat patients, and they are often connected to hospital networks and the internet, making them susceptible to hacking and other cyber threats," he said. "Additionally, many of these older devices are not designed with security in mind, making them easy targets for cyber criminals. A successful cyberattack on a biomedical device could compromise patient safety and privacy."