CISOs in healthcare organisations are working hard to tighten security controls but pervasive issues with user errors, limited staff and financial resources, and a relentless flood of aggressive attacks by data-hungry cyberattackers, are hindering their progress – and even security executives admit they’re not doing anywhere near as good a job as they should be.
Fully 83 percent of healthcare organisations participating in a recent Carbon Black analysis said they have seen an increase in cyber attacks over the past year, with an average of 8.2 attempted attacks per endpoint every month.
Two-thirds said attacks have become more sophisticated in the past year, with a third noting instances of ‘island hopping’ – in which attackers establish command posts throughout a compromised network – and a similar proportion noting they had run into counter-incident response efforts as cybercriminals fought to work around cybersecurity controls.
Ransomware attacks were noted by two-thirds of organisations, while 45 percent said they had encountered attacks primarily designed to destroy data.
The myriad pressures on cybersecurity organisations had left many security practitioners falling short of their own expectations, with a third of respondents rating themselves with a grade of C, a quarter giving themselves a B, and 16 percent a B-.
Ongoing struggles to improve protection of healthcare data were reflected in stark clarity in the latest quarterly statistics on Australia’s notifiable data breaches (NDB) scheme, in which the health sector accounted for 58 (27 percent) of the 215 data breaches reported to the Office of the Australian Information Commissioner (OAIC) in the first quarter of 2019 alone.
Facing the insider threat
“With increased adoption of medical and IoT devices, the surface area for healthcare attacks is becoming even larger,” the report noted. “The problem has been further compounded by limited cybersecurity staffing and stagnant cybersecurity budgets in the industry.”
These themes echo a broader reality within midmarket companies, where time- and resource-constrained security staff are striking a balance between in-house expertise and tools – addressing security ‘must-dos’ – and strategically partnering for as many of the ‘should-dos’ as their funding allows. That is the finding of a recent IDC-SolarWinds analysis of midmarket security strategies, which observed a persistent gulf between security intentions and actions.
“They’re spending less on prevention activities and luckily, few have experienced a devastating attack,” the analysis notes. “The more immediate exposure stems from internal user mistakes and technology deployment misconfigurations that effectively leave the front door – or at least a ground-floor window – wide open.”
User mistakes were cited as the cause of cybersecurity incidents by 61.7 percent of respondents, compared with 47 percent who suffered incidents that involved external bad actors infiltrating the target’s network and systems.
Regular employees were named as posing the biggest risk for insider misuse – cited by 50.3 percent of respondents – compared with contractors (40.7 percent), privileged IT administrators (30.7 percent), customers (25.3 percent), executives (22.3 percent), and partners (19.7 percent).
Although the role of user error in security breaches is far from a new insight, many respondents – 46.3 percent of whom had just 1 to 5 full-time security staff – cited an inability to stay ahead of users with appropriate tools, policies, or practices.
Some time-poor security staff blamed the complexity of managing security tools, with the report noting that many widely understood cyber hygiene tasks are considered “overly time-consuming” and many users conceding that “if proper configurations are too hard to decipher, they’ll probably deploy the default configuration and revisit questionable risk decisions later.”
Such practices show why security practitioners should not treat security as a set-and-forget proposition. Many businesses continue to kick own goals simply because they can’t implement, or enforce, the right policies to head off user error and other issues.
“For the most part, detection or monitoring tools are in place, yet it’s the protective practices that need some additional focus. Yes, threats exist, but most survey respondents believe the greatest exposure comes from self-inflicted conditions.”
Verizon’s Data Breach Investigations Report (DBIR) has long singled out the healthcare industry for its continuing exposure to breaches associated with internal actors – particularly privilege abuse against databases containing sensitive healthcare information.
“Healthcare stands out due to the majority [59 percent] of breaches being associated with internal actors,” this year’s report notes.
“Across all industries, internal actor breaches have been more difficult to detect, more often taking years to detect than do those breaches involving external actors.”
“Security practitioners should know where their major data stores are, limit necessary access, and track all access attempts,” Verizon recommends. “Start with monitoring the users who have a lot of access that might not be necessary to perform their jobs, and make a goal of finding any unnecessary lookups.”
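The three checks in that recommendation (track every access attempt, review users whose grants look broader than their job needs, and hunt for unnecessary lookups) can be run over an access audit log of the sensitive data store. The following Python is an added example, not code from the article, Verizon or Carbon Black. The audit-line format, the user roster, the role baselines, the user names and the thresholds are all constructed assumptions for illustration; a real deployment would read the database or EHR audit trail and its identity-provider entitlements instead.

```python
"""Audit-log review for privilege abuse against a sensitive record store.

Added example (not from the article or the reports it cites). The log format,
roster, baselines and thresholds below are constructed assumptions.
"""
from collections import Counter
from statistics import median

# Constructed roster: which clinical units each (hypothetical) user may look up.
ROSTER = {
    "nurse_a": {"role": "nurse", "units": {"cardiology"}},
    "nurse_b": {"role": "nurse", "units": {"cardiology"}},
    "clerk_c": {"role": "clerk", "units": {"cardiology", "oncology", "ed"}},  # broad grant
    "clerk_d": {"role": "clerk", "units": {"ed"}},
    "admin_e": {"role": "dba",   "units": {"cardiology", "oncology", "ed"}},
}
# Constructed baseline: how many units a role normally needs to do its job.
ROLE_BASELINE = {"nurse": 1, "clerk": 1, "dba": 3}

# Constructed audit lines: timestamp followed by key=value fields, one lookup each.
SAMPLE_LOG = [
    "2019-03-04T09:00:01Z user=nurse_a action=view patient=P100 unit=cardiology",
    "2019-03-04T09:00:05Z user=nurse_a action=view patient=P101 unit=cardiology",
    "2019-03-04T09:01:10Z user=nurse_b action=view patient=P102 unit=cardiology",
    "2019-03-04T09:02:00Z user=nurse_b action=view patient=P300 unit=oncology",  # outside scope
    "2019-03-04T09:03:00Z user=clerk_d action=view patient=P400 unit=ed",
    "2019-03-04T09:03:30Z user=clerk_d action=view patient=P401 unit=ed",
    "2019-03-04T09:04:00Z user=admin_e action=view patient=P100 unit=cardiology",
] + [
    # clerk_c pages through a dozen records in quick succession (constructed burst)
    f"2019-03-04T10:{i:02d}:00Z user=clerk_c action=view patient=P{500 + i} unit=ed"
    for i in range(12)
]


def parse_event(line):
    """Parse one audit line into a dict; the first token is the timestamp."""
    ts, *fields = line.split()
    event = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def parse_log(lines):
    return [parse_event(line) for line in lines if line.strip()]


def out_of_scope_lookups(events, roster):
    """Lookups against a unit the user is not authorised for, or by an unknown user."""
    hits = []
    for e in events:
        allowed = roster.get(e["user"], {}).get("units", set())
        if e["unit"] not in allowed:
            hits.append((e["user"], e["patient"], e["unit"]))
    return hits


def high_volume_users(events, roster, factor=3):
    """Users whose lookup count exceeds `factor` times the median of their role peers.

    Peers exclude the user being scored, so one busy account cannot raise its own
    baseline. Roles with no peers are skipped rather than guessed at.
    """
    counts = Counter(e["user"] for e in events)
    flagged = []
    for user, info in roster.items():
        peers = [counts[u] for u, i in roster.items()
                 if u != user and i["role"] == info["role"]]
        if peers and counts[user] > factor * median(peers):
            flagged.append(user)
    return sorted(flagged)


def over_provisioned_users(roster, baseline):
    """Users holding more unit grants than their role's baseline; review these first."""
    return sorted(u for u, i in roster.items()
                  if len(i["units"]) > baseline.get(i["role"], 0))


def review(lines, roster=ROSTER, baseline=ROLE_BASELINE):
    """Run all three checks and return the findings keyed by check name."""
    events = parse_log(lines)
    return {
        "out_of_scope": out_of_scope_lookups(events, roster),
        "high_volume": high_volume_users(events, roster),
        "over_provisioned": over_provisioned_users(roster, baseline),
    }


if __name__ == "__main__":
    for finding, items in review(SAMPLE_LOG).items():
        print(f"{finding}: {items}")
```

On the constructed data the review flags `nurse_b` for an oncology lookup outside the cardiology grant, `clerk_c` for a lookup volume far above the clerk peer baseline, and `clerk_c` again as over-provisioned relative to what a clerk normally needs. The over-provisioning check is deliberately independent of the log: it is the starting list Verizon describes, users with more access than their job plausibly requires, and it is worth running even before any audit data is available.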