Even though it is the start of February, our cyber security columnist, Davey Winder, is thinking about resolutions and whether 2020 will still have “the same old security issues”.

It’s a new year and I really don’t feel much like celebrating, truth be told. File me under ‘cyber-pessimist’ if you like, but I can’t help feeling that the same old security issues are going to be front and centre as far as healthcare is concerned across 2020.

Two recently published reports have done nothing to cheer me up. The 2020 cyber security industry report, put together by Bulletproof, came with an alarming message that cyber-criminals can discover and attack new online services within a 32 millisecond window of going live.

I’ll just let that sink in for a whole second before moving on to the statistic that I found most concerning: the budget allocated to cyber security in healthcare is less than 2% on average, compared to other sectors that average 4-10%. This despite warning after warning that healthcare is fast becoming the most targeted of all industries.

When security vendor Malwarebytes looked at the telemetry in November 2019, it reported that “the healthcare industry has been overwhelmingly targeted by Trojan malware during the last year, which increased by 82% in Q3 2019 over the previous quarter.”

Do you need another second for that one? OK, time’s up as I need to move on to the report that really grabbed my attention and should yours as well.

Data security provider Clearswift found that 67% of healthcare organisations had suffered a cyber security incident during 2019. And that’s not even the bad bit. Some 48% of those incidents were as a result of malware introduced by third party devices.

The insider threat

Which ties in nicely with what I, and a number of security professionals I class as both industry experts and friends, consider the most pressing of the healthcare ‘at the coal face’ security issues: the insider threat.

The Clearswift research, surveying UK-based healthcare organisation decision makers, found 39% of the security incidents happened as a result of staff sharing data with unauthorized recipients, 37% from staff not following the established cyber protocols and 28% by people following malicious links in emails or on social media.

It should come as no surprise to discover that this also loops back to the Bulletproof findings, in that 74% of the people Clearswift spoke to thought that more allocated cyber defence budget was needed.

Here’s the thing: insider threats are going to be as big a problem in 2020 as they were in 2019, and 2018, and, well, you get the idea.

Addressing the problem

Alyn Hockey, VP of Product Management with Clearswift, says that “understanding what is threatening the safety of the critical data you hold is the first step in mitigating the risk.”

He’s not wrong, so why don’t more healthcare providers understand that often it is this insider threat that has to be better addressed?

Which isn’t, I hasten to add, an excuse to bash hard-pressed staff with the blame stick. Far from it.

The weak link

Insiders may be seen as a weak link in the security chain as far as cyber is concerned, but that’s a cop-out, frankly. They are, potentially, the strongest link you have.

The problem is that they are not allowed to be part of the cyber-defence system because they are not being properly enabled by cyber-awareness programs.

Importance of basic training

“Knowledge is power” may well be a clichéd phrase, but it holds true in cyber. Yet, as the 2019 Data Breach Investigations Report from Verizon revealed, healthcare sucks in this regard.

Healthcare was the only industry sector, according to that report, where there were more insider (60%) than external (42%) cyber-attacks.

That’s pretty disheartening reading for anyone involved with healthcare security. Only through better awareness training, and that means injecting more money into finding the time to effectively execute such programs, will these statistics improve.

“Human firewall”

The insider threat is rarely a case of a disgruntled employee acting maliciously; it is almost always a case of a lack of proper awareness training leading to mistakes that open the door to a threat actor.

I’ve said it before, and by the goddess I’m going to keep on saying it, only by implementing a ‘human firewall’ concept will we start to make healthcare a more secure sector. Without proven security awareness training methodologies sitting firmly alongside clearly defined security parameters and responsibilities, we will never reduce the level of cyber-incidents.

The NHS knows this, and is working towards better cyber-awareness training, I understand that. But the proof of the pudding has to be in the eating, and until I see those statistics starting to swing into positive security territory it’s not going to be a happy new year for me…