Fortified Health Security, a provider of healthcare-focused information security, compliance and managed services recently released its annualHorizon Healthcare Cybersecurity Report. The Horizon Report reviews Fortified’s predictions for 2017 and how they fared against reality, while providing a summary of lessons learned during the past year.
In 2017, Fortified conducted a security risk analysis, OCR mock audits, HITRUST certifications and strategic security planning for the majority of its clients. Although varied in size, revenue, network complexities and geography, three common trends were identified were:
1. Policies and procedures are weak or don’t align with the actual implementation of safeguards
2. Organizations lack concise asset inventories
3. There is a lack of well-structured vulnerability management programs.
“It’s evident from this analysis that although healthcare organizations are busy with EHR transitions and upgrades, movements to the cloud and other IT and security projects, it is imperative that a priority be set on getting back to the fundamentals of risk management and good cybersecurity hygiene,” said Dan L. Dodson, president of Fortified Health Security in a statement. “We must commit ourselves if we want and expect to improve.”
The report also takes a look at what healthcare organizations can expect to experience regarding healthcare cybersecurity in 2018:
1. Double-digit increase in breaches
Healthcare will experience a 10-20 percent increase in the number of entities breached, with providers the most targeted and exploited segment.
2. More variants of Wannacry ransomware
In May 2017, many companies around the world fell victim to the WannaCry ransomware attack. Other variants of WannaCry (like NotPetya) soon followed. With unpatched systems still prevalent and vulnerable to WannaCry, it is safe to assume hackers will release additional, more intelligent variants of WannaCry in 2018.
3. Breaches due to business associate neglect on the rise
In 2017, OCR has identified at least 18 breaches due to Business Associate neglect and, more importantly, failure by the covered entity to manage that risk. Healthcare covered entities will continue to experience risk and possible breaches in 2018 unless effective Business Associate risk management programs are established.
4. Increased threat to IoT devices
Medical devices constitute a large number of IoT (Internet of Things) devices currently attached to healthcare networks around the world. In October 2017, newer, more powerful versions of IoT malware (“Reaper” and “IoTroop”) were discovered in the wild. The malware spreads very easily through IoT devices with little to no security. We should expect this malware to be seen in more healthcare IoT devices in 2018 — if they’re not there already.
“2017 showed us that we can no longer treat security as an IT problem: instead we must recognize it as a business issue and deal with it accordingly,” Dodson added. “Patch management programs are imperative and should be implemented alongside corrective action plans. And, moving forward, healthcare organizations must show progress against compliance standards.”
Written by Fred Pennic