The pandemic era sent things into overdrive for healthcare, and one resulting problem is staffing shortages. One department that was hit hard by the shortages was cybersecurity. Now facing a dearth of cybersecurity experts, healthcare facilities are scrambling to mount an effective defense against the growing barrage of cyberattacks.
These attacks are creating a slew of problems for the increasingly crippled cybersecurity infrastructures.
“Essentially it is a question of physics in the sense that the velocity of cyberattacks is really increasing,” says Lee Kim, senior principal of cybersecurity and privacy at Healthcare Information and Management Systems Society (HIMSS). “While we have technologies such as artificial intelligence that can detect threats more efficiently and respond to them, we are not there yet in terms of having full automation without human intervention. There is still a necessary element of the cybersecurity solution that includes people because we are not yet at the stage where we are fully automated. Without people then, we necessarily have gaps in terms of our readiness and our ability to respond.”
These problems are exacerbated by the staffing shortages plaguing the healthcare field.
“I think that the major causes of the staffing shortage include economic priority and what is important and what is not,” says Kim. “As an example, many healthcare providers spend easily $1,000,000 a month on cloud services. However, cybersecurity as a technology and also cybersecurity staffing is viewed as a cost center. It is not viewed as something that makes money for the organization. I have seen a lot of activity and momentum around, unfortunately, layoffs. That is even if we still need these workforce members, however, the business feels as though it is not adding money to the bottom line.”
To address these shortages, Kim says these facilities need to engage more talent from within their companies. However, Kim says another problem is that pay for cybersecurity in healthcare tends to be lower than in other industries.
Additionally, there are a variety of different types of cyberattacks. This, coupled with the staffing shortage and increasing number of attacks, makes cyber defense much more complicated. Often, these attacks come in seemingly mundane or innocuous ways.
“Oftentimes, cyberattacks as we know happen by way of social engineering of one form or another,” says Kim. “It can be by way of a smishing message or it can be in terms of a phishing e-mail leading to a poisoned link. Again, it might seem so basic in terms of how these adversaries are able to get in and steal sensitive information either by way of elicitation or by way of malware. However, the point is ever since we started with the COVID-19 pandemic there have been more meetings and more requests for information. There are more transactions going on and our ability to detect potential threats or things that seem to be anomalous is quite diluted.”
Smishing is akin to phishing, though it is done through SMS or text messaging instead of email.
Kim also adds that third-party vendors can be targeted in these attacks and compromised as well. With that in mind, there are multiple avenues for attackers to launch their offensives, and trying to defend against all these attacks leaves already strained cybersecurity departments spread even thinner.
What can healthcare facilities do to shield themselves in these scenarios?
According to Kim, these are some steps healthcare facilities can consider:
- When retaining workforce members, try to make sure they are a fit for the organization, both culturally and in terms of trustworthiness.
- Use up-to-date technical controls, such as multifactor authentication (MFA).
- Set policies that do not give more access than what is necessary for an employee’s duties.
- Collaborate within the cybersecurity department and with other stakeholders, such as other departments within the organization.
With healthcare and the world itself becoming very digitized, cybersecurity plays an important role in guarding users against malicious actors. Information and data are highly valued in this digital world, so their protection is critical to the functioning of healthcare facilities and to maintaining the public’s trust in those facilities.
Jeff Wardon, Jr. is the assistant editor for the facilities market.