'Why Is the Healthcare Industry Still So Bad at Cybersecurity?' Let's Start with Risk

A new article from Ars Technica asks the question “why is the healthcare industry still so bad at cybersecurity?” and answers with an inventory of institutional and regulatory shortsightedness, resistance to change, lack of budget and simple confusion that calls out for the kind of re-set button that other industries are hitting with a risk-based approach to cybersecurity like FAIR™.  

It’s not like healthcare hasn’t been warned – just see the ravaging of Britain’s national health system by the WannaCry ransomware hitting outdated, unpatched systems in 2017.

Some of the systemic problems that Ars Technica writer Yael Grauer cites:

• Low cybersecurity budgets for “the vast majority of (smaller) hospitals,” according to one expert quoted, as well as low staff counts for cyber.
• Little interest from medical device manufacturers in running coordinated vulnerability disclosure programs (CVDP) for researchers to report bugs. Only 12 of the top 115 manufacturers have such a program, according to one report. Grauer quotes one researcher saying, “manufacturers have an incentive to minimize the impact of the vulnerability.”
• No agreed-upon data on magnitude of impact for cyber events in healthcare. One study found that hospitals that had been breached then added more security controls did worse with sending heart attack patients rapidly to EKG machines in emergency rooms, causing higher mortality vs non-breached hospitals. But skeptics attacked the study for not investigating whether the non-breached hospitals also increased security.
• No regulatory requirements for healthcare organizations to patch and no clear incentives, as the healthcare industry isn’t relating vulnerabilities to patient risk. According to Grauer, CVSS risk scoring for medical devices has been criticized for not accounting for patient safety.  
• Lack understanding of cybersecurity risk, which is quite different from medical risk, for instance rate of side effects for a drug vs. cures.

Try a Risk-Based Approach

Other industries have struggled with seemingly unquantifiable risk, then found that, by going through the FAIR analysis process, that probable risk could be reliably estimated in loss ranges.  The health industry, with defined figures for lifetime value of a patient or lawsuit judgments and settlements may not be so far off.  

In fact, the FAIR movement among healthcare providers is already underway. Highmark Health added FAIR cyber risk quantification to the HITRUST framework, the standard for health industry cybersecurity, using the RiskLens application. FAIR Institute Fellow Jack Freund, PhD, who worked with Highmark on the implementation, wrote that:  

“Using the RiskLens CRQ platform, Highmark ran a top risks analysis based on annual loss exposure, and now tracks those risks on an ongoing basis…

“This level of visibility into risk aligns well with the requirements for HITRUST compliance, including specific stipulations calling for clearly stated levels of acceptable risk and risk tolerance thresholds as well as the incorporation of internal incident histories in the risk analysis process.”  

Read Jack’s blog post and see some sample Highmark risk reports.

Another positive development, the Ars Technica’s article points out: Dr. Suzanne Schwartz, associate director for science and strategic partnerships in the Food and Drug Administration (FDA) Center for Devices and Radiological Health, is winning praise for bringing doctors, patients and healthcare providers together to strategize on cybersecurity. “We’re not able to address the cybersecurity issues within healthcare alone,” she said. She’s working on public/private partnerships through the FDA’s Healthcare Sector Coordinating Council – a good starting point would be tapping into the FAIR community.

Read the Ars Technical article: Why is the healthcare industry still so bad at cybersecurity?