Between Peiter (Mudge) Zatko’s testimony before Congress regarding Twitter’s privacy and security operations earlier this month and Uber’s data breach last week, the last few weeks have been eventful when it comes to #InfoSec headlines.
Each of these events reinforced that cybersecurity, particularly outside of a few heavily regulated industries (think finance and national security operations), remains something of the wild west. Data management (and extraction) is a powerful and still-emerging industry, and, like most new-ish things, limited thought or attention is given upfront to how that data is collected and protected.
One of the persistent challenges in information security is quantifying the cost of inadequate security controls. There are many competing demands on resources, and it takes a conscious and consistent commitment for an organization to fund operations that do not generate revenue. That is all the more difficult when the cost of deferred action is indeterminate, or when it is unclear who actually bears the consequences of a data breach or ransomware attack.
We are getting a little closer to grappling with the actual cost of our (collective and individual) cybersecurity posture, a point reinforced earlier this month when an industry stakeholder released a report analyzing the impact of cybersecurity attacks on patient outcomes.
Let me back up.
A year ago, the federal Cybersecurity and Infrastructure Security Agency (CISA) released a report noting the onslaught of ransomware against healthcare providers (specifically hospitals). The report stopped short of asserting causation between increased ransomware attacks and worse patient outcomes, but only just. That restraint was (in this author’s opinion) a reflection of the political and legal difficulty of attributing causality, particularly given the need for greater information sharing across stakeholders to address this continuing, evolving threat. It also trusted the audience to draw the implicit inference.
As noted at the time, it was a first step in the critical work of quantifying the true cost of a neglected information security infrastructure and ecosystem.
Earlier this month, the Ponemon Institute (sponsored by Proofpoint, a cybersecurity vendor with a vested interest in raising awareness of cybersecurity threats and their costs) took a step further and published its analysis following a national survey of IT security professionals working within or for healthcare organizations. The questionnaire of about 35 questions asked respondents about their organization’s history of cyberattacks, their impact, and the respondent’s assessment of the organization’s risk posture, profile, and readiness.
The results were not surprising and track other industry data points, but the report represents one of the first efforts to draw a clear link between successful cyberattacks and patient outcomes (including perceived impact on patient mortality).
Now, there are a lot of limitations to this analysis. They include sampling bias and the assumption that those who received the survey, and those who responded, are representative of the studied population (broadly defined as IT decision-makers and security professionals). The survey was distributed to 16,451 individuals, identified by role, and had a decidedly ‘not great’ response rate of under 5%, leaving a final sample of only 641 respondents. Respondents varied by organizational role, seniority, and sector across the industry, and most held ‘front line’ roles; only a quarter identified as holding a Senior Executive or Director-level position. The analysis also relies on self-reporting, including respondents’ perceptions of the state of cybersecurity operations at their own organizations. Despite those caveats and limitations, the conclusions drawn in this report merit our attention as we, as an industry and as a society, inventory our collective (and individual) information security vulnerabilities and interdependencies, and the value we assign to a sound and secure infrastructure.
HERE ARE THE BIG TAKEAWAYS:
- Most respondents (89%) experienced cyberattacks in the past year alone, reporting an average of 43 attacks per organization during that time.
- 41% experienced a ransomware attack in the past two years. In most of those cases (53%) it was a single incident, but a third of them experienced between 2 and 5 ransomware events.
- The average reported cost of a single successful cyberattack is estimated at $4.4 million. Lost productivity is the single largest component, accounting for roughly a quarter of the estimated total.
- A majority of respondents who experienced either (1) a ransomware incident or (2) a cyberattack through their supply chain (including medical devices) concluded that the attack disrupted patient care and directly resulted in poorer outcomes (67% and 70%, respectively), and nearly a quarter (24%) concluded that their supply chain disruption increased patient mortality.
While ransomware attacks get the biggest headlines (and have the biggest dollar impact on operations), they are not the only InfoSec concern: insecure medical devices, everything from a pacemaker to an MRI scanner, present a vulnerability of their own.
The Next Question Is: What Do We Do About This?
This isn’t just a question of allocating more resources (although there is that); it is also a question of making better use of the resources already in place. Two practical steps come immediately to mind:
- Integration of Information Technology and Information Security experts in decision making, planning, and operational evaluation.
- A more holistic evaluation and ownership of an organization’s risk profile and operations because a system is only as strong as its weakest link.
I found it interesting that the most commonly cited barrier among respondents was not “insufficient budget” but rather a lack of available expertise and capacity, with the absence of cross-functional collaboration or integration with other organizational departments a close second. This is a pain point or complaint I hear often, and it reminds me of the chorus from my attorney colleagues: “If only they had pulled us in sooner. We could have addressed this upfront.”
But let me elaborate a little further on the latter point, as it merits particular emphasis. The information system of a healthcare organization is extremely complex. It includes not only the organization’s IT network and EHR, but all the software and connected devices (the “Internet of Things,” or IoT) that sit on or can connect to that network. For an ecosystem like a hospital, that includes everything from pacemakers, to staff mobile devices, to the MRI: an enormous number of potential points of entry. A hospital must identify, monitor, and protect each of those points of entry and exchange, yet the hospital (or other entity) likely has limited insight into, or control over, the security controls in its supply chain wherever software is delivered as a service. Again, that covers everything from traditional physical medical devices and sensors to cloud-based data platforms. That is a lot, and which entity is on the hook for what is not always evident in the event of a breach or attack (although usually it is the provider or end user who can be assumed to be left ‘holding the bag’). There is little room for negotiation with those vendors, and limited internal capacity to engage in negotiations at that level.
I will be honest. I don’t necessarily know how to solve this problem. I do know, though, from my own experience, that the first step is to acknowledge that cybersecurity is a shared problem requiring urgent action. The next is to truly account for the actual cost we all pay for its continued neglect and avoidance. Because it isn’t until we know the cost of a thing that we can begin to see the value of that stitch in time.