Far fewer cybersecurity alerts are being investigated than healthcare security leaders may believe, according to a recent report from Cisco.
The Cisco 2017 Midyear Cybersecurity report was released last month and spans across a variety of industries. Related to healthcare, the multinational technology conglomerate headquartered in San Jose, Calif. revealed an array of findings. In general, the research found that leaders of healthcare organizations fear that cyber attacks that could take down mission-critical equipment, endangering patients’ lives. And, as healthcare organizations bring more connectivity to their facilities and devices, security leaders are also raising concerns about the safety of converged networks.
In the past, complex medical devices—such as the Picture Archiving Collection System (PACS), infusion pumps and patient monitoring devices—typically arrived with data networks managed by vendors, so the devices were physically isolated from other networks. But today, with ample bandwidth available, healthcare organizations believe it’s practical to simply flow data through one network, and use logical segmentation to separate various network traffic types such as clinical devices and administrative and guest wireless networks. However, if this segmentation is not done properly, the risks of attackers gaining access to critical data or devices increases, according to the report.
Perhaps the report’s most noteworthy healthcare-related finding was that as is true in many industries, there are more threats than there are time and staff to investigate. Over 40 percent of the healthcare organizations said they come across thousands of security alerts daily, and only 50 percent of those are investigated. Of the alerts that healthcare security teams investigate, 31 percent of those investigated are legitimate threats—but only 48 percent of those legitimate incidents are remediated.
According to Cisco security leaders, it is likely that far fewer alerts are being investigated than healthcare security leaders may believe—or it’s likely that by simply blocking threats from entering the network, they believe the threats have been remediated. It’s also not surprising that these organizations can address so few of the alerts that raise red flags, since investigating a high number of alerts would cause security and IT activity to slow to a crawl and impact other business functions, they reported.
What’s more, it’s well-known that ransomware attacks have already done damage to healthcare organizations. They’re an attractive target for online criminals, since criminals know healthcare providers need to protect patient safety at all costs. In the Cisco study, 37 percent of the healthcare organizations said that targeted attacks are high-security risks to their organizations. Targeted cyber attacks have also become more worrisome than breaches involving lost or stolen hardware, demanding a more precise approach to detecting and mitigating threats.
How are Security Pros Responding?
Many healthcare organizations respond to security challenges with a complex mix of solutions. Almost 60 percent said their organizations use solutions from more than six vendors, while 29 percent use solutions from more than 10 vendors. In addition, two-thirds of security professionals said they use six or more security products, while 41 percent said they use more than 10 products.
The apparent profusion of vendors and products used by healthcare security professionals may result from confusion, or a lack of visibility, about exactly what tools are in place, according to Cisco researchers.
Indeed, CISOs and security operations managers often have different perspectives on their security tools. Security executives higher up on the leadership ladder—that is, not on the front lines of day-to-day security management—may not have a deep understanding of all the tools on their networks, the report noted.
Responding to day-to-day threats while managing a complex web of solutions is also more challenging for healthcare organizations because of a lack of trained personnel. About half of the security professionals said they have fewer than 30 employees dedicated to security; 21 percent said they consider the lack of trained personnel to be a major obstacle in adopting advanced security processes and technology.
Unsurprisingly, security teams are uncommon in all but the largest health organizations. According to Cisco healthcare industry leaders, the definition of a security staffer can be fluid from organization to organization, which may affect perceptions about the size of the security team. For example, IT staff may be considered part of security team, or may join it on a temporary basis.
The researchers advised healthcare organizations to isolate and segment traffic between the network and mission-critical devices. Alternately, organizations should improve their security infrastructure and network segmentation to better handle exceptions requiring compensating controls, they said.
Healthcare organizations have an average of 34 significant security administrative exceptions in place; 47 percent of these exceptions also have compensating controls. Ideally, healthcare organizations should strive to have as few exceptions requiring compensating controls as possible, because they can create weaknesses in security defenses, the report stated.
