Health IT security's rip and replace problem

Knowing how to strategically spend your next security dollar

In the aftermath of the damage and disruption caused by the WannaCry ransomware outbreak, security leaders everywhere are facing increased scrutiny and pressure. Healthcare IT leaders in particular are feeling the heat after seeing the devastating toll the attack took on hospitals across England. Some 47 NHS hospital trusts suffered significant disruption after the ransomware rendered patient data and various systems inaccessible. Operations were canceled. Ambulances were diverted. The public was urged not to come in unless their situations were life-threatening.

It was exactly the kind of extremely serious (not to mention distressingly public) security incident all organizations desperately want to avoid, but if there is any silver lining it’s that for some security leaders the outbreak may provide the leverage they need to finally secure more buy-in and budget. The challenge then becomes determining how best to apply it without succumbing to vendor-induced exhaustion and inertia.

Confusion Promotes the Status Quo
Security is an industry where the majority of marketing dollars are spent highlighting shortcomings and insufficiencies of competing offerings, while offering vague and caveat-filled assurances that a new solution is better. The two prevailing mantras are, “You need more protection,” followed quickly by “But you’ll never be protected 100%.” It’s no wonder buyers often feel confused and misled.

The WannaCry attacks provided us with a perfect example of how clashing claims are driving organizations to throw up their hands and continue investing in the status quo, even after they’ve suffered successful attacks.

Following the WannaCry outbreak, vendors of all stripes rushed to send out marketing materials asserting their products offered protection, even in cases where said protection had only been achieved after WannaCry had been widely publicized and the attack effectively halted.

For those organizations that did suffer damage from WannaCry, learning from their current vendor, days after the initial attack wrecked their systems, that they would be protected in the future is cold comfort at best. Likewise, seeing new vendors scold them for using “outdated” protection isn’t productive. Not only do these unhelpful responses erode their faith in their current vendor, they erode their trust and patience with the security industry as a whole. The most common result? A sense of resignation. If no solution is a “silver bullet,” why bother looking for anything else, especially when the wholesale replacement of security platforms is so daunting and costly?

Closing Gaps While Maintaining Sanity
The breadth of challenges that fall under the heading of “security” makes it difficult to advance a comprehensive strategy. The aggressiveness and opaqueness of competitive claims and messaging make it more so. As an example, the past 10 years have seen multiple predictions about the death of various security technologies, including antivirus and intrusion detection. Looking around today, the continuing use and importance of those solutions show that the reports of these deaths have been “greatly exaggerated.”

It is more practical, and more illuminating, to understand what additional protection new security tools can bring. As organizations wrestle with new threats and increasing risk, most simply want to address gaps that they know exist, whether in monitoring, prevention, or response. Looking at IT security spending for 2016, the Gartner Group reported a 7.9% increase over 2015, to $81.6B. That is good to see, as the ID Theft Resource Center reported a 40% increase in data breaches in 2016, and IBM reported a whopping 6,000% increase in ransomware. As companies look to apply those extra dollars, they should take the time to understand where they are most significantly exposed.

When vendors instead recommend completely replacing existing suites with their new offers, it raises the question of what new holes will be left behind. A swap of one technology for another can bring unexpected exposure, whether in protection, staff capability, or user satisfaction. In most cases, improving the existing protection with additional coverage for the weak spots is more effective and less disruptive. IT staff continue to manage a solution they understand, processes can remain largely the same, and adoption of the new solution does not upend already strained IT resources. If the new solution does prove to subsume the value and protection of its predecessor, the organization can then choose to migrate off the earlier protection with a much lower likelihood of disruption and delays.

Most IT and security teams recognize that security strategies and tooling require consistent review and refreshing. It isn’t necessary for the next wave of security companies to drive the old out of the market to survive. They only need to prove their value in closing the gap that new threats are trying to widen.

About Jack Danahy

Jack Danahy is the co-founder and CTO of runtime malware defense pioneer Barkly, and a 25-year innovator in computer, network, and data security. He was the founder and CEO of two successful security companies: Qiave Technologies (acquired by Watchguard Technologies in 2000) and Ounce Labs (acquired by IBM in 2009). Jack is a frequent writer and speaker on security and security issues, and has received multiple patents in a variety of security technologies. Prior to founding Barkly, Jack was the Director of Advanced Security for IBM, and led the delivery of security services for IBM in North America.

The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.

© Copyright ASC COMMUNICATIONS 2018.