Privacy & Security

10 biggest weaknesses and lessons learned from cybersecurity in 2016

Four experts discuss the lessons the healthcare industry learned the hard way this past year – and the need for much stronger security measures in 2017.
By Jessica Davis
January 09, 2017
11:45 AM

It became painfully clear in 2016 that hackers had found their prime target in the healthcare industry. They hit hard in the early months of the year with massive ransomware attacks that disabled entire health systems, and then just kept punching.

But it didn't stop with ransomware: Hacking, theft, attacks on third-party business associates – the list goes on and on. By the end of the year, it was apparent the healthcare industry has a long way to go when it comes to cybersecurity.

[See them all: 10 stubborn cybersecurity myths, busted]

We spoke recently with four security experts: Pam Hepp, shareholder, healthcare practice at Buchanan, Ingersoll & Rooney; ESET Security Researcher Lysa Myers; CynergisTek co-founder and CEO Mac McMillan, and ICIT Senior Fellow James Scott. Here's what they said were the biggest weaknesses, threats and lessons learned from 2016.

  1. Human error. "People have become a huge attack surface," McMillan said. Attackers find careless or unsuspecting users and prey on those weaknesses to infiltrate systems with ransomware and other hacking attempts.
  2. IoT and outdated technology. The massive DDoS attack on DYN that shut down some major websites, stemmed from unprotected digital cameras. In doing so, it shed like on IoT weaknesses due to what Scott called a "Frankenstein method of security" that could affect patient safety. Further, computers "moldering in the backroom somewhere using outdated software or insufficient protection against attack" have become a big issue in healthcare, said Myers. Criminals find these neglected machines with automated tools and pivot to more crucial machines within a network.
  3. Vendors and third-party business associates. Many of last year's breaches stemmed from vendors - such as a covered entity's business associates. According to Hepp: "These breaches illustrate the importance of thoroughly evaluating vendors and having strong business agreements in place."
  4. Ransomware. This virus is more than a nuisance: It's disruptive to operations and can take down entire servers. "Ransomware isn't going anywhere because it's easy to do, including 'ransomware as a service,' Scott said. "It's a start for actors to send in another, more specific attack able to start mapping the system."
  5. Hacking attempts on the rise. The reason? "Medical information is valuable, both in the hands of hackers for their own use, as well as to the healthcare organizations that depend on such information to operate," Hepp explained.
  6. Backups, backups, backups. "Easily accessible backups are the single most important thing that we need to have in case of a wide variety of emergencies," Myers said. Not just to avoid paying a ransom, but also to reduce system downtimes and outages.
  7. Cyber-hygiene. "Awareness training needs to be more relevant, provided more often and include experiential opportunities," McMillan said. Architecture, segmentation of networks, hardening and patching of systems and other areas also need to be tightened up. But Scott felt he hasn't seen much progress in the industry in best practices that would "thwart 99 percent of those social engineering attacks."
  8. Cybercrime as an industry. Cybercrime is profitable and healthcare is a lucrative target, McMillan said. The industry relies heavily on its systems, making it a prime target for extortion.
  9. Contingency planning and risk management. "Contingency and disaster recovery plans are of vital importance, if a system outage occurs or to mitigate the effects of a breach," Hepp said. McMillian added: The industry needs "real plans with actionable steps that address worst case scenarios. We need to treat the enterprise and data as critical components of the mission."
  10. The need for partnerships. "Most healthcare organizations don't have the resources or expertise to execute their cybersecurity strategy successfully alone," McMillan said. "Partnering smartly can help fill those gaps and provide added benefits in greater knowledge and due diligence." From a political standpoint, Scott said these silos have been protected for far too long. However, after all of the year's attacks, federal groups such as HHS and the Department of Homeland Security were exhausted. So much so, they all started to throw the cards down and share information. This needs to continue with the new administration.

Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com

Like Healthcare IT News on Facebook and LinkedIn

Topics: 
Cloud Computing, Compliance & Legal, Data Warehousing, Network Infrastructure, Privacy & Security

More regional news

HIMSSCast podcast

HIMSSCast: New analytics strategies for patient-centric pop health

By
Mike Miliard
April 19, 2024
Penn Medicine's Perelman Center for Advanced Medicine

Conversational AI improves 'fourth trimester' maternal care at Penn Medicine

By
Bill Siwicki
April 19, 2024
Close-up of doctor lookin at data on a tablet

Doctors are getting on board with genAI, survey shows

By
Andrea Fox
April 19, 2024
Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.

Top Story

Penn Medicine's Perelman Center for Advanced Medicine
Success Stories & ROI
Conversational AI improves 'fourth trimester' maternal care at Penn Medicine

Most Read

Why New Zealand is easing ICT System expansion
Ukrainian man pleads guilty to 2020 UVM cyberattack
DOJ, international partners seize LockBit servers, provide decryptors
St Vincent's Health signs in MEDITECH for private hospitals EMR
Change Healthcare experiencing a cyberattack
25m Health taps Clearwater for scalable cyber compliance program

Research

White Papers

More Whitepapers

Compliance & Legal
Artificial Intelligence
Analytics

Webinars

More Webinars

Artificial Intelligence
Analytics
Analytics

Video

Dr. Donald Warne at the Center for Indigenous Health at Johns Hopkins_Palm trees and skyscrapers in Orlando Photo by Gabriele Maltinti/iStock/Getty Images Plus
Indigenous communities need to be engaged with healthcare choices
Naomi Escoffery at the Defense Health Agency_Palm trees and skyscrapers in Orlando Photo by Gabriele Maltinti/iStock/Getty Images Plus
DoD health systems take a proactive approach to digitization
Dr. Emily C. Webber at Indiana University Health_Palm trees and skyscrapers in Orlando Photo by Gabriele Maltinti/iStock/Getty Images Plus
How text messaging can help improve health equity
Tony Black at Kyndryl_Palm trees and skyscrapers in Orlando Photo by Gabriele Maltinti/iStock/Getty Images Plus
Hospitals must start business continuity planning

More Stories

Wagner Amaral, growth markets health industry lead at Avanade
Enhance collaboration and productivity while securing digital assets
Marina El Khawand at Medonations_Palm trees and skyscrapers in Orlando Photo by Gabriele Maltinti/iStock/Getty Images Plus
From scout service to crowdsourcing relief
motherboard with lock in blue light representing cybersecurity
Healthcare still underprepared for scope of cyber threats, says Kroll report
Andy Chu of Providence on tech spinoff
Tech spinoff enables Providence to go from building three new app features a year to 40
Close-up on handshake of two people in suits.
Salesforce may be in talks to buy Informatica
Fragmented data is a barrier to improved cancer treatment goals
Consolidated radiology and pathology data brings precision to cancer care
Patricia MacTaggart at George Washington University_Palm trees and skyscrapers in Orlando Photo by Gabriele Maltinti/iStock/Getty Images Plus
AI policy can benefit from past technology rollout lessons
Two information workers with abstract of data
10 tips to avoid planting AI time bombs in your organization