There are several recent studies and articles that look at the world from the viewpoint of the people who hold the cybersecurity roles on your IT staff. Their days are packed just trying to keep everything working and secure. As much as we have been after IT folks lately, it is important to note that many times they take care of problems you never even see. Today we are taking the time to remember that cybersecurity roles are tough. All IT roles involved in protecting our valuable information resources are tough jobs, but especially the cybersecurity roles. It takes everyone to defend our data, so your cybersecurity team needs your support!
The points brought up in the articles and studies referenced here provide some specific numbers and reasons we need to find ways to strengthen our tech teams. It is interesting that multiple studies are discussed and all of them come to similar conclusions: cybersecurity roles are tough.
Security Spills: 9 Problems Causing the Most Stress by Kelly Sheridan at Dark Reading and the recently published 2019 HIMSS Cybersecurity Survey provide some great information about where we are and where we are going when it comes to managing cybersecurity in organizations. It is important to note that the Dark Reading article is one of those slideshow-style galleries that mentions several different surveys and studies looking at cybersecurity professionals as a whole. The HIMSS survey is a healthcare-specific survey of 166 US-based health information security professionals.
We talk about being under attack all of the time, but these numbers make it clear that isn’t an overstatement by any means.
The HIMSS report says specifically that:
…22% of respondents reported that they did not experience a significant security incident.
Last year’s survey said 21% did NOT have a significant security incident. This year only 4% said they didn’t know. That means 74% of those surveyed for 2019 had at least one significant security incident in the past year. It doesn’t necessarily mean a breach happened, but it does mean there was a lot of stress and panic happening. BTW, last year that number was 76%.
In the survey they didn’t define what they considered significant. It doesn’t matter what the surveyors think is significant. If you thought it was significant in your organization, then it is significant.
Many folks will just say that those numbers are because you’re talking about hospitals. Well, the report addresses that thought clearly. It appears that they expected it, too. When you remove the hospitals you are down to organizations that classify as Vendors, “Non-acute” providers or Others. Those groups still average 69%. Don’t think your size or type of organization means you are immune. You must stay on top of it or you will be run over by it. Someone needs to hold that cybersecurity role in every organization to be prepared for the inevitable security issue.
In fact, in the Executive Summary, where they boil the findings down, they state:
Significant security incidents are a near-universal experience in US healthcare organizations with many of the incidents initiated by bad actors, leveraging email as a means to compromise the integrity of their targets.
One of the headings they use in the report is:
E-mail is the most common initial point of compromise for significant security incidents
What did we just talk about last week? Email being the most common way into your organization’s data. I think so! At the time I wrote that one up I hadn’t seen the HIMSS report.
There are a couple of other points in the HIMSS report that don’t fall under our other topics that I want to point out.
Good news is that organizations say they are getting better at doing proper security risk assessments. Respondents are given a list of items that could be included in a risk assessment and asked to select the ones included in theirs. The results improve every year. Finally, it seems that OCR saying it over and over is being heard.
Another stat that falls under good news is that most organizations are running phishing tests now. It is one of the best security awareness tools we have in our toolbox. Even better, the majority of them say the click rate is less than 10%, which is what many experts recommend your goal to be. Of course, the smaller the organization, the lower that number should be.
There is one important point that seems sort of buried in there but is really important and of great concern to me. Yes, many people are making progress on these things. How long before they say “we are good, so there is no need to spend X on that anymore”? As the report mentions:
Over-confident leaders may be “lulled” into believing there are few challenges they face in managing the confidentiality, integrity, and availability of their organization’s information and technology infrastructure, and may be susceptible to “dropping their guard”.
That over-confidence is something that should be discussed now and often in the future. I hear too many IT leaders with the “we got this” attitude once they start to see a solid program develop. The minute I hear that I am very concerned. In the military they call it “victory disease”. Think about Xerxes’ defeat at Salamis, Napoleon’s defeat after invading Russia, Custer’s last stand, Hitler not learning from Napoleon and invading Russia as well, the Japanese attacking Pearl Harbor, and many more failures due to overconfidence. As they say, victory disease doesn’t defeat you by itself, but it often shows up just before your ultimate defeat.
Confidence is one of those things where it is important to have a balance. Not enough and you are afraid to try. Too much and you forget that you got there by being diligent. A healthy amount of fear can be good.
Why are cybersecurity roles tough?
So what is keeping your IT team up at night and making their cybersecurity roles so tough? Let’s see how the two sets of data compare on these specific topics. As we review the nine items from the article, we will discuss how healthcare is impacted by each according to the HIMSS report.
Not enough people
Lack of talent and staff is making it harder to fill positions even if you have funding to pay for them. Just because you know how to load Windows on a computer or fix email issues does not mean you know how to secure networks, servers, and other devices.
Too much work for any one person to do
Security isn’t your only job; for many IT professionals it isn’t even your first job. Many report being “voluntold” that they would be taking on security roles.
“The InfoSec Institute, which collected comments in its survey, cites examples of overwhelmed employees. One fell into security because ‘everybody else took a step backwards, leaving me in front as the volunteer.’ Another is ‘the designated HIPAA Security Officer as well as the IT Security Officer.’ One IT expert took on security because he was the senior member of a two-person IT department; another ‘inherited it because nobody else was doing it.’”
Everyone does multiple jobs today, but imagine if the surgeon in the middle of a complex operation had to put the operation on hold because the marketing team can’t get their email to go out that must go out right now. Analyzing even a minor alert that may mean nothing at all is not something you can do properly while answering an email, talking on the phone and tracing a network cable.
I do love it that HIPAA sneaks in there in the quote. We often say that the qualifications for being the Security Officer usually involve not being at the meeting when they picked someone. It is unfortunate that these people also get no specific training to do the job. Which leads us to the next point in the article.
No time to keep learning so you can stay on top of the constantly evolving threats
Everyone expects IT to know whether a patch needs to be loaded. They also expect them to fix their printer and keep the email system up and running 24x7x365. If they aren’t getting time to research or go to training courses, they will never know there is something new they could easily prevent if they only knew about it.
In the case of our HIPAA Security Officer who was assigned the job, they have even more to learn and less time to learn it. The best solution to that problem, of course, is for them to come to The HIPAA Boot Camp!
Speaking of that point, another “keeps me up at night” item listed in the article is that compliance requirements aren’t being met. We always point out that compliance doesn’t make you secure. But if you aren’t even doing the compliance work, you are probably not secure either. Maybe you can be secure, but you can’t prove it, which is what the compliance program is all about. If you can’t prove it, then as far as anyone asking is concerned you really aren’t doing it.
The HIMSS report discusses the importance of training the security team in very specific recommendations:
Additionally, those involved in day-to-day information security operations and management should receive additional education and training to understand the latest threats and how to prevent and/or mitigate them. This includes giving healthcare cybersecurity professionals time off to take training classes and education and paying for them as well. Regular education and training is necessary to arm healthcare cybersecurity professionals with the knowledge and know-how to handle a variety of security incidents and know how to prevent, mitigate, and/or remediate them.
Constant incremental growth in threats and vulnerabilities
Every time you add a new tool, a new device, a new interface or any number of other things we think need to be added, you add to the potential issues. You want to put a cool new medical device on the network and you think it is no big deal. However, you have no idea what operating system the device runs, how its connections to the network are secured, how the vendor updates and supports it, and much more that we must know to secure it properly. It isn’t just a “plug it in and don’t worry about it” situation. Well, not if you want it to be secure.
Another point in the article is that we should all realize we could be the target of a nation-state or hacktivist attack at any time. The assumption that you don’t have what they want will make it very painful when you realize you don’t know what they want!
The HIMSS report addresses the growing threat landscape when they made this point:
Securing a modern healthcare organization is a complex endeavor. The pervasiveness of cyberattacks can stretch an organization’s financial and human resources. Healthcare organizations, in general, appear to be responding to this challenge by dedicating more financial resources toward their cybersecurity programs.
In this section of the HIMSS report they are discussing the portion of the IT budget dedicated to cybersecurity initiatives. They note clearly that some groups report there is no special carve-out for cybersecurity; it all just falls under IT. We know there is another option out there: organizations that don’t even have an IT budget in the first place. If your technology spending is not even a specific budget line item, you are not recognizing how important technology is to your business.
The good news is that within organizations that do budget for IT and carve out specific amounts for cybersecurity, that amount is increasing. The question, though, is whether that increase means another IT line item goes down, or whether it is being added to the overall IT budget.
It’s the people, people
We can’t force people to follow the rules if those in charge don’t follow the rules. If you set policy but don’t audit and enforce it, the policy is useless. It is just a piece of paper. However, when someone gets hacked because there was no MFA on an email account, it won’t be the people who insisted it was too inconvenient who get blamed. Will the blame land on IT for not “making them do it”?
It takes everyone treating security seriously to have a chance at winning the battle. We can’t come close to talking about winning the cyberwar when we can’t be sure we have people ready to take on a single battle. If IT doesn’t get the support of leadership and management to build a culture of privacy and security, you don’t really have a chance.
The HIMSS report says: “However, approximately one-third of incidents were reported to be associated with negligent insiders and others, actors reflecting benign motivations.”
Now, that is a hefty chunk of the problem, isn’t it? As the article put it, “nobody gets it.”
The thing I noticed here is that they don’t count what they call Online scam artists (e.g., phishing, spear phishing, whaling, business email compromise) as insiders. All of those require a person on the inside to be part of the problem, too. In the HIMSS report they count it under “Bad Actors”. So the top Bad Actor problem is due to people getting scammed. The top “Benign Actor” is listed as Negligent insider (well-meaning but negligent individuals with trusted access who may facilitate or cause a data breach or other cyber incident), so there is a bit of overlap there.
As we mentioned before, the top point of compromise listed in the HIMSS report was Email. Second place goes to… Human error!
You don’t know what you don’t know
Systems are being added to networks and software is being used without proper vetting or security in place in almost all organizations. Every time we hear there was no proper risk analysis, there is also a failure to define where your valuable information lives and how it moves around your organization. You can’t protect what you don’t know needs protecting.
HIMSS noted another issue that happens in healthcare: legacy systems are plentiful.
… a majority of respondents (69%) indicated that they had at least some legacy systems in place at their healthcare organizations. Moreover, 14% of respondents claimed over 10% of their systems qualify as legacy operating systems. When asked to identify the legacy system(s) in place at their organization, almost half of the respondents (48%) cited Windows Server (Table 18). Other legacy systems commonly used include Windows XP (35% of respondents), embedded legacy operating systems in medical devices (33%), and embedded legacy operating systems in industrial control systems (e.g., HVAC) (20%).
They make a very clear point that we have trouble getting people to see. You really should not run a bunch of these old systems that aren’t being updated.
As current and patched operating systems are foundational to secure information environments, running a legacy operating system is an ill-advised practice. Operating systems that have been unsupported for five, ten, or more years (decades in some cases) greatly increase a healthcare organization’s risk of being compromised.
The bigger issue is that things like medical devices and HVAC may be running outdated embedded operating systems. The vendors offer no option to upgrade or patch them. The only option may be to replace a very, very expensive item. Today, you should be doing a risk analysis of this issue before purchasing new things. However, many organizations don’t have the money to replace everything that could be an issue. This is a concern since 33% say they have medical devices with this problem and 20% say they have industrial control systems like HVAC with it.
All of that being said, though, the scary part is that those systems aren’t the biggest problem. 48% say they have outdated Windows Servers and 35% say they have Windows XP devices out there. What will happen in January 2020, when Windows 7 and Windows Server 2008/2008 R2 reach end of support and join that list? Just another thing those in cybersecurity roles have to worry about.
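The first step in that risk analysis is knowing which systems in your inventory are already past their vendor’s end-of-support date and which ones are about to join them. The script below is an added example written for this post, not code from HIMSS or Dark Reading. It checks a constructed, hypothetical asset list (hostnames and roles are made up) against published Microsoft end-of-support dates, treats embedded systems the vendor cannot update as “replace or isolate” rather than “upgrade”, and computes the share of systems that are already unsupported, which is the figure the HIMSS survey asked respondents to estimate. The end-of-support table only covers the product families mentioned above; anything it does not recognize is reported as unknown rather than assumed safe.

```python
from datetime import date, timedelta

# Published Microsoft end-of-support dates for the product families the
# HIMSS report flags. After the date, no more security patches ship.
END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Windows Server 2003": date(2015, 7, 14),
    "Windows 7": date(2020, 1, 14),
    "Windows Server 2008": date(2020, 1, 14),
    "Windows Server 2008 R2": date(2020, 1, 14),
    "Windows Server 2012 R2": date(2023, 10, 10),
}
WARN_DAYS = 180  # flag anything losing support within six months

# Constructed sample inventory (hypothetical hosts, not real data).
# "patchable" is False for embedded systems the vendor will not update.
SAMPLE_INVENTORY = [
    {"host": "rad-ws-01", "os": "Windows 7 Enterprise", "role": "workstation", "patchable": True},
    {"host": "file-srv-02", "os": "Windows Server 2008 R2 Standard", "role": "server", "patchable": True},
    {"host": "ehr-app-01", "os": "Windows Server 2012 R2 Standard", "role": "server", "patchable": True},
    {"host": "infusion-pump-17", "os": "Windows XP Embedded", "role": "medical device", "patchable": False},
    {"host": "hvac-ctl-03", "os": "Windows XP Embedded", "role": "ics", "patchable": False},
    {"host": "front-desk-04", "os": "Windows 10 Enterprise", "role": "workstation", "patchable": True},
]


def support_status(os_name, today):
    """Map an OS banner to (product, end_of_support, status).

    The longest product name wins, so "Windows Server 2008 R2" is not
    mistaken for plain "Windows Server 2008". Anything missing from the
    table comes back "unknown": a gap in the table, not proof of support.
    """
    for product in sorted(END_OF_SUPPORT, key=len, reverse=True):
        if os_name.startswith(product):
            eos = END_OF_SUPPORT[product]
            if today > eos:
                return product, eos, "unsupported"
            if eos - today <= timedelta(days=WARN_DAYS):
                return product, eos, "ending-soon"
            return product, eos, "supported"
    return None, None, "unknown"


def recommended_action(status, patchable, eos):
    """Turn a status into the decision the risk analysis has to record."""
    if status == "unsupported":
        # An embedded OS the vendor will not update cannot be upgraded in
        # place; the remaining choices are replacement or network isolation.
        return "upgrade" if patchable else "replace or isolate"
    if status == "ending-soon":
        return f"schedule upgrade before {eos.isoformat()}"
    if status == "unknown":
        return "add product to end-of-support table"
    return "none"


def legacy_report(inventory, today):
    """Classify every host and compute the share already unsupported."""
    findings = []
    for item in inventory:
        product, eos, status = support_status(item["os"], today)
        findings.append({
            "host": item["host"],
            "role": item["role"],
            "product": product,
            "status": status,
            "action": recommended_action(status, item["patchable"], eos),
        })
    unsupported = sum(1 for f in findings if f["status"] == "unsupported")
    ending_soon = sum(1 for f in findings if f["status"] == "ending-soon")
    share = 100.0 * unsupported / len(inventory) if inventory else 0.0
    return {
        "findings": findings,
        "unsupported": unsupported,
        "ending_soon": ending_soon,
        "legacy_share_pct": share,
    }


if __name__ == "__main__":
    # Run as of September 2019, the timeframe of the survey discussed above.
    report = legacy_report(SAMPLE_INVENTORY, date(2019, 9, 1))
    for f in report["findings"]:
        print(f"{f['host']:<18} {f['status']:<12} {f['action']}")
    print(f"unsupported share: {report['legacy_share_pct']:.1f}%")
```

Run against the sample data as of September 2019, the two XP Embedded devices come back unsupported with “replace or isolate”, the Windows 7 workstation and 2008 R2 server are flagged as ending soon with a deadline, and the Windows 10 host is reported as unknown because the table does not cover it. Feed it your real inventory export instead of the sample list and extend the table as you go; the unknown bucket is the list of products you still need to look up.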
IoT makes it worse
Security is the last thing on the minds of the people building and buying these devices. Add to that the fact that you often don’t even know they are out there. Once you find them, the security on them is a giant question mark.
What keeps many people up at night is knowing that they don’t know everything. We need to find ways to support the folks in those cybersecurity roles. They are spread thin, underfunded and need education just to keep up with all the things you are throwing at them.