We are just a few weeks into the New Year, and already we have had a series of breaches reported, a new variant of the Internet of Things (IoT) distributed denial-of-service (DDoS) attack exposed, and confirmation that nation-state cyber events are alive and well, with Russia identified as meddling in our political process. I'm not sure anyone is terribly surprised by any of this, but hopefully we're not numb to it. Optimistically, 2017 will be the year of rededication to vigilance in healthcare cybersecurity and of investment in appropriate protection for the industry's most critical asset: information. So, what did we learn last year that may bear fruit this year?
1. IoT has come of age as an attack vector against organizations and as a readily available platform for DDoS attacks. Organizations need to reconsider their network policies and controls, their communications architectures (including internet access), and the resiliency of the supply chain partners that host their critical systems or data. New solutions for IoT threats are forthcoming from companies like Symantec, and organizations should consider deploying them when they are ready.
2. While we are all hoping for a solution to the medical device problem, the FDA came up short once again with its revised guidance. It is definitely better than the last version, but the problem remains in the bold words at the top of each page: Non Binding Guidance. In 2017, consumers should still expect to have to look for vendors that will voluntarily build more responsible products, because this problem won't be solved in the near term.
3. Many experts are saying that ransomware will plateau in mid to late 2017, but they forgot to say that it is plateauing at 400 times last year's level, and extortion is taking on new forms. For example, recent attacks copied information, wiped it, and then demanded a ransom to have it restored. Extortion has become a profitable cybercrime, and it is not likely to go away any time soon. In fact, it is just a matter of time before mobile devices are targeted more often and criminals find creative ways to use IoT as an extortion platform.
4. Infrastructure is becoming a target, and this is serious business for healthcare. The Mirai and Leep attacks, if researchers are right to characterize them as "just tests," portend a far more sinister use of malware and IoT to disrupt businesses. Add the specter of the millions of insecure wireless medical devices out there that may be susceptible, even if only by accident, and you have a recipe for very bad outcomes.
5. Expect more attention to be paid to third parties as organizations become more sensitive to the risk posed by their growing supply chains. More and more reported incidents involve a supplier of services or IT resources. Very few healthcare organizations have robust vendor security due diligence processes in place, much less ongoing vendor security monitoring programs. More vendors will be asked tougher questions about their security practices and controls, and many will need expert, outsourced support to answer them.
6. More solutions will emerge that employ artificial intelligence, machine learning, and heuristic capabilities. It's about time, but don't expect this to be a panacea for all things cyber in 2017. Cybercriminals will look to use the same capabilities to develop more sophisticated attacks that are better at evading detection. Our defenses need to be at least as sophisticated as the threats we face.
7. Phishing and social engineering will remain with us, but they will likely continue the trend toward becoming more targeted, more sophisticated, and harder to detect. Managing the risk will take both user education and the right technology, including web and email gateways, advanced malware detection, next-generation firewalls, multifactor authentication, and the removal of unnecessary elevated privileges so that a compromised account or workstation does less damage.
8. In 2017 we'll see more red teaming as organizations seek to put themselves under the microscope of more realistic testing and training. This is an excellent idea, particularly for those who feel they already have a basic security structure in place. What we learn from red team exercises is extremely useful, but it is generally more valuable when a solid program is already in place to act on the findings. Red teaming can also be used to test contingency plans, another area that warrants attention in light of recent attacks.
9. I think we'll see greater adoption of the NIST Cybersecurity Framework this year as more organizations recognize that relying on the HIPAA Security Rule as a measure of anything other than compliance is not reasonable. Reasonable security calls for a standard that measures every aspect of our cybersecurity readiness at the level of specificity we need. Hopefully, the Healthcare Cybersecurity Task Force will soon have strong recommendations for improving cyber readiness.
10. Finally, there is likely to be greater reliance on cyber due diligence in mergers-and-acquisitions (M&A) activity as healthcare organizations attempt to understand the risks they may be inheriting and look for negotiation levers on value. More often than not, when you acquire an organization that is struggling financially, you acquire an organization with less-than-desirable security. Don't be surprised if cybersecurity baselines become part of your M&A checklist.
2017 starts off just like every other year: full of opportunity, some pessimism, chances to excel, apprehension of the unknown, but most of all what we make of it. So make the most of it.