By Elizabeth Snell

October 22, 2015 - October is National Cybersecurity Awareness Month, but healthcare cybersecurity should be a top priority for covered entities year-round. However, the evolution of healthcare cybersecurity has been interesting, and data security experts state that the industry has come a long way. Even so, healthcare still has a long way to go when it comes to data privacy and security issues.

The Institute for Critical Infrastructure Technology (ICIT) Co-founder and Senior Fellow Parham Eftekhari talked to HealthITSecurity.com about Cybersecurity Awareness Month, and what essential areas organizations across all sectors should understand in terms of data security.

It’s currently imperative for organizations to understand that they’ll never be able to prevent breaches from happening, according to Eftekhari.

“The best way to protect their organization is to focus on detect and response strategies, and create as many roadblocks and obstacles as possible so network administrators can quickly identify unauthorized access or suspicious activity on the network,” he explained. “[It will] slow down the attacker’s ability to successfully exfiltrate data and really give the network administrator time to stop the attack.”

Behavior analytics, dual-factor authentication, and encryption are critical pieces when it comes to creating “a virtual tar pit” environment within the network to slow down the attacker, Eftekhari added. Administrators need time to stop the attack or unauthorized access from becoming a full-fledged breach.

The other key takeaway for Cybersecurity Awareness Month is the human factor, he explained.

“[ICIT] acts as an educator for the legislative community, federal agencies and critical infrastructure sector stakeholders because they need access to cutting-edge research and knowledge of cyber trends,” Eftekhari said. “In that same context, we also need to guide our children and our families, and of course consumers and employees, in cybersecurity best practices without being Orwellian about it. That’s how we’re going to become a more cyber-conscious nation and ultimately improve security.”

It is also important that everybody in an organization understand their role in increasing the resiliency of that organization, explained Montana Williams, Senior Manager, Cybersecurity Practices, ISACA. From the board room to the break room, all staff need to be aware of the pitfalls and the risks that are related to cybersecurity, he said. This is “of critical importance in order for any organization to survive in this interconnected future.”

“Cybersecurity has evolved slowly because technology has outpaced the security aspect of cybersecurity,” Williams stated. “So it has struggled to keep up with the newest technical advances. The security aspect has struggled to keep up with the threat vectors, and then also it has struggled from an awareness perspective because I believe people are still very naive about the threat of cybersecurity.”

Williams added that it has also been difficult to keep the cybersecurity workforce trained well enough to address the rapidly evolving threat.

Employee training as a whole is the most critical thing for organizations, according to Williams.

“The technologies exist out there that can do a great job against a threat, but that training component doesn’t exist because the professionals who are managing those technologies don’t know how to integrate them the most effective way on their enterprises against that threat that’s out there,” Williams said.

Specifically, the awareness gap extends as high up as the C-suite, he explained. Organizations may lack a solid response plan for a cybersecurity crisis. Or one may exist, but the organization doesn’t exercise or practice it enough.

“When something really bad happens, they fumble along and they make poor decisions along the way,” Williams said, adding that this could happen in corporate America or even within the federal government.

Common mistakes, oversights in data security

When organizations – healthcare and other sectors – do not prioritize cybersecurity, that can be a huge oversight, according to Eftekhari.

It is also essential to invest the proper amount of resources in training employees within organizations to not fall for spear phishing attacks, he added.

“We need to have money put into training our employees on a regular basis,” Eftekhari said. “Once a year is not enough. Organizations should train every quarter or at least twice per year. And then you need to test your employees to see if they retained any of that knowledge, and if they’re implementing best practices and changing their behaviors to actually improve the security of the organization.”

Dan Waddell, Managing Director, North America Region, (ISC)2, explained that in order to make a true impact, organizations need to think strategically. Among the common mistakes he sees are failing to classify data and not knowing what it is that the organization is actually trying to protect. It is also important to understand that not everything can be protected.

“If I’m in the financial or healthcare sector, and I’m dealing with Social Security numbers, financial information or patient healthcare information, then that’s a different story,” Waddell said. “We need to protect those and spend more time, money and resources into protecting those and putting the controls around them. The conversation needs to start with, what is it that I’m trying to protect? And then prioritize from there.”

Waddell added that it’s important to reinforce the idea that security concepts need to be built in at every step and every milestone in the system. Organizations need to make sure there’s proper testing before systems go online and understand that it’s not just an IT project.

“It’s about making sure we’ve got an executive steering committee, we’ve got people from the financial side, legal side, and HR side all weighing in on what happens if this system is online and it’s breached?” Waddell stated. “You have to think and assume that you are going to get hacked, you are going to get breached, and then what’s going to be your response? Those things need to be planned out before the system goes live.”

According to Williams, the largest mistake that organizations make when it comes to their data security programs is that they try to protect their organization unilaterally.

“They spread their cybersecurity an inch deep across the entire organization, hoping to try to protect everything. What they fail to understand is what their crown jewels are,” he said.

Facilities need to understand what data is most critical, or what information they might hold that third parties could try to gain access to. Whether the adversary is a competitor, a hacker, or a nation state, organizations across all industries cannot spread their resources too thin.

“What they need to do is, put three feet of security over the most important things and one inch of security over the things that are less important,” Williams said, adding that it’s typically not done because the proper resources are not in place to accomplish it.

The evolution of cybersecurity

According to Eftekhari, there are several key takeaways in how cybersecurity has evolved over the last few years. First, cybersecurity is now a very familiar concept to the masses, he explained.

“At this point, everyone in the country conceptually understands what cybersecurity is, and what the risks are, at least at a high level,” Eftekhari said. “That’s really critical in elevating cybersecurity from simply an IT issue into a larger societal and business imperative.”

This is largely due to extensive media coverage; every week or month there seems to be a major news story about an incident, he stated.

“If there is any sort of silver lining from all of these breaches that we’re having, it is that it has raised the national dialogue on this issue and we’re tuned into it,” Eftekhari explained. “This is positive from the perspective of demanding and seeing change because cyber is now not just for tech geeks but is something that the entire country is really focused on.”

Another important change is that the threat landscape has been significantly altered. There are more diversified and better organized threat actors, Eftekhari said.

“They have easier access to custom exploit kits,” he stated. “You hear about malware-as-a-service and actors sharing malware on black markets on the deep web; this is one of the main reasons we’re seeing such a large increase in attacks.”

Finally, there is also a larger attack surface due to an increase in mobile devices, mobility in the workforce, and the Internet of Things (IoT) including the Internet-connected equipment that organizations are beginning to use, he added.

How healthcare cybersecurity should be approached

The healthcare industry is in a very critical and vulnerable position right now, according to Williams. For example, as medical records are transferred to an electronic format, it is becoming increasingly difficult to protect that data.

Moreover, healthcare data security could be compromised as more organizations are connected together.

“Everybody has these disparate informatics systems and they’re trying to hook them and interconnect them together,” he explained. “You’re trying to put them together for functionality purposes and not taking the time to look at the security aspects of it, so there’s going to be lots of holes in everything.”

The Target data breach, for example, was a result of the HVAC system being on the same server as the POS devices, Williams said. It was done for convenience and nobody considered that someone may try to hack the air conditioning system.

It will be necessary for organizations to take the time to invest in proper training and certification programs for employees at all levels. This also includes individuals in the C-suite, such as CEOs and CISOs, he said.

Williams also recommended that healthcare organizations join a healthcare Information Sharing and Analysis Center (ISAC). Regardless of an organization’s size, it will be beneficial to have an outlet to share information and then create an appropriate response plan.

“I see healthcare breaches skyrocketing over the next few years and there’s going to be a lot of people who are going to be very upset,” he stated. “There are just so many holes, and they’re trying to do this so fast that they’re not thinking through the security aspect of when they’re hooking things together, merging medical records, and when they’re using these new systems. I see a rocky road for healthcare when it comes to cybersecurity in the near future.”

According to Waddell, healthcare is a bit of a unique animal, in that it’s a bit early in the maturity cycle as far as cybersecurity and IT projects go.

“We still have a lot of mom and pop doctors and care providers that are still using the manila folder [for storage] and asking you to fill out your Social Security number each time you go to the office,” Waddell said. “We’ve made a lot of progress there but the challenge, particularly for the healthcare folks, is that cybersecurity is kind of a new game to them.”

Securing sensitive data in a highly regulated industry (one that also requires information sharing) is a burden that the healthcare sector faces along with the government and financial sectors, Eftekhari said. However, healthcare faces additional challenges due to the highly sensitive and valuable nature of the data it manages. Moreover, the diversity and sheer number of healthcare organizations that share data can make connecting in a secure way a challenge.

From a security perspective, healthcare has numerous needs. For example, an EHR system that houses data must be secure. At the same time, Internet-connected medical and clinical devices need proper privacy and security measures, Eftekhari explained.

“The network administrator needs to be conscious of this and put together a complex and multi-layered security strategy to address the diverse IT ecosystem he or she is managing,” he said. “On top of this, you need to account for all of these business associates who are interacting with the patient data and technically integrating with the hospital or payer network.”

Overall, Eftekhari underlined that the legislative community, government agencies, and the sectors that ICIT advises need to change their mindset on data breaches. No organization will be able to prevent breaches from happening, which is why detecting breaches and then reacting to them appropriately is so necessary.

“You are slowing them down, that’s where the ‘tar-pit’ concept comes in,” Eftekhari explained. “It gives you time as a network administrator to stop the attack before it does become a full-fledged breach. That’s the way to go. Because the breach… despite your best efforts, the breach is going to happen. So the question becomes how can you prevent it from being successful?”