By John Gomez
John Gomez is CEO of Sensato of Asbury Park, NJ.
Although the observations in this article are based on my direct experience over the past four years working with healthcare organizations to secure their systems, I am sure that most of what I am going to share is wrong. I also will apologize upfront for presenting a viewpoint that I am sure is one-sided, and although I believe it to be reflective of the reality of cybersecurity in healthcare, it is probably wrong.
I also want to clarify who I hope will read this article, because it is certainly not meant for everyone. If you are of the belief that academic cybersecurity approaches, checkmark mentality, or putting your faith in things like commercial “trusted” security and privacy frameworks or national cybersecurity information sharing groups is a good idea, then this article is not for you. Reading it will be a total waste of your time.
In fact, if you think that what you have been doing in cybersecurity is right and spot on, this article will just annoy you. And yes, you guessed it, it will be a waste of your time.
On the other hand, if you stay up at night freaked out that despite your best efforts you are losing the battle against a well-armed and informed enemy, then brothers and sisters, you probably will find this article of interest. Yet I warn you — this is more about my opinion (as unqualified as that may be) than any academic, certified, highly-trusted approach you may find in the world of healthcare cybersecurity.
For those who are still reading along, let me drop (in the vernacular of our youth) a truth bomb. A truth bomb that I suspect anyone still reading will not find surprising, but is akin to that small child who once said, “But the emperor has no clothes.” The truth I share with you is that we are losing the cybersecurity war and losing badly.
There, I said it. And yes, it is rather cathartic to be able to state that in public. Try it with me — I promise you will feel better and empowered. We are losing the cybersecurity war.
Despite our best efforts, despite the beliefs in fancy risk and security frameworks and the latest hyperbole regarding threat intelligence, advanced defenses, and the latest snake oil being peddled by cybersecurity vendors, we are losing ground by leaps and bounds.
If you ever wanted to know what it felt like to be on the receiving end of General Patton’s surge across Europe, just take a job in the world of healthcare cybersecurity. We have some great, passionate, talented people among our ranks, but regardless of how fast they are pedaling, the attacks are overrunning them and taking ground.
In 2016, per a PwC cybersecurity survey, organizations across industries increased their spending on cybersecurity by 20 percent. Yet despite deploying more frameworks, more technology, employing some cool AI stuff, expanding their staffs, and embracing the best practice of the day, we also learned that there was a 38 percent increase in cybersecurity attacks. The cost to remediate an attack rose by 23 percent over 2015.
Talk about a lousy return on investment. You increase spending by 20 percent, and yet you are finding your efforts to not even be closing the gap. In fact, on a cross-industry basis, we are seeing double-digit negative returns on cybersecurity investments.
Years ago, an experiment was conducted where a monkey threw darts at a list of stocks. The goal was to see whether a random selection of stocks ended up worse or better than what was selected by professional, well-trained brokers. If I recall, the monkey’s picks fared better. Sadly, for those of us protecting healthcare organizations from attackers, we are seeing similar results. There is no — not one — strategy or best practice that will definitively prevent attackers from gaining access to your systems.
Speaking of attackers, just how painful has life become for their side of the seesaw? I mean, everyone is spending more money; cybersecurity is now a board-level issue; and per HIPAA, it is required that the CEO be intimate with the protection of patient data as it relates to security and privacy. Certainly all this increase in spending, resources, and attention must be making life so very hard for the cyberattacker.
Well, in 2016, the average cost of a highly sophisticated exploit kit was $1,367, a 44 percent decrease from 2015. Thanks to easy and cheap access to cloud computing (I am looking at you, Microsoft and Amazon), the cost of an attack has dropped 40 percent since 2015. We now have attacker markets that include RaaS (ransomware as a service), EaaS (espionage as a service), and DDoSaaS (distributed denial of service as a service). You can contract for any of these attack services from the comfort of your home recliner. We also have learned that the average length of time to successfully execute a breach is now less than 24 hours, a 72 percent decrease from 2015.
Net-net, attackers are winning and probably chilling out, sharing bottles of wine, nibbling on cheese, and laughing their butts off. Yet for those in the trenches, those who get up day to day fighting the good fight, none of this is new. I suspect that the front-line defenders know all of this, yet don’t have the data or podium to yell out, “The emperor has no clothes.”
Ultimately, I believe we all are united (vendors, defenders, management) in understanding that our current approaches are not working over the long term. I also suspect some will have counterarguments, point out that things aren’t that bad, and claim their solution is foolproof. As someone who works with attackers, I can tell you that you would be foolish to believe that your current approaches can thwart attackers, especially if those approaches date back to 2010, are based on complicated frameworks and tools, and require you to subscribe to checkmark practices.
Here is a final statistical truth bomb that you may find entertaining. About a decade ago, we could detect an attacker in our networks within hours. Over time, time-to-detection has grown from hours to the current average of 265 days. If the attackers keep evolving, soon it will be over a year on average before we can detect an attacker, despite our increased spending and advanced defense capabilities.
Advanced persistent threats (even though most attacks are not all that advanced), the growing complexity of our networks, and the technology we have to defend are the reasons usually given for why attackers succeed. I am sure there is some truth in all of those reasons, but you don’t win wars by pointing out why you are losing. You win wars by gearing up, toughening up, and figuring out how to fight better and more effectively than your enemy.
I guess the foundational question this article will pose is, is this a lost cause? Should we just wave the white flag and throw up our arms? That is one approach, but I have greater faith in all of you. You who stay awake at night wondering what else you can do to fight the good fight. You who take on your boards, push back against the egotistical physician, and fight to be heard for funding and attention — all to make it a little bit tougher for the attacker. I have tremendous faith in all of you who insist, “Not on my watch.”
I believe there is a lot we can do to turn the tide on the attackers. Right now, we are in a ground war, one that can benefit from technology, but that also requires us to really reconsider our core tactics and principles. One major piece of advice I would give you comes from Luke Cage of Marvel Comics — “…sometimes you have to throw out the science.”
A key approach that should be considered, debated, and tested is simplification. Rather than embrace the false sense of security that complexity may bring, we should focus on tactics that rely on low-tech solutions that work consistently. You should be establishing last lines of defense that are built around securing high-value targets. It is critical that you take an attacker-centric viewpoint and truly understand attacker motivations. Much of this advice comes from my personal experience in cybersecurity and in training special operations teams to take the fight to the enemy.
Simply stated, you need to embrace an assertive posture related to your cybersecurity. This is not 2010. It is 2017, and we are now dealing with attackers employing 2020 approaches. We have just seen the release of MedJack 3.0, which bypasses antivirus. We are seeing malware that is polymorphic. We are seeing attackers embrace analytics and machine learning. The answer is not a framework that recommends changing your password every 90 days. A signature-based system is not going to keep an attacker out of your network.
We need to stop putting our faith in those solutions and approaches that are complex and increase complexity. Regardless of the technical solution or tactic, your goal should be to embrace simplicity, reduce excuses, and eliminate barriers to security.
Want to practically eliminate phishing attacks? Invest in a solution that adds the word “External:” to the subject line of any e-mail that comes from outside your organization. You would be surprised how this little low-tech investment dramatically drops the success of phishing attacks. Want to reduce the length of time an attacker is in your network? Learn what scares them most and target their fears (if you don’t know that answer, e-mail me). Turn the tables, get practical, fight back.
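The subject-tagging control described above is simple enough to show end to end. The following is an added example and not code from the article or from the author's company: it assumes a mail gateway that hands each inbound message to `tag_external()` before delivery, and the internal domain list and the sample messages are constructed for illustration. The decision is made on the address part of the `From:` header only, because the display name is attacker-controlled text, so a lookalike domain or a "CEO <ceo@lookalike.example>" spoof is tagged just like any other outside sender.

```python
"""Prefix the subject of inbound mail from outside the organisation with "External:".

Added example (not the article's own code). Assumes the gateway calls
tag_external() on every inbound message; INTERNAL_DOMAINS and the sample
messages below are constructed for this illustration.
"""
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Domains the organisation itself sends mail from (assumed for the example).
INTERNAL_DOMAINS = {"example-hospital.org", "mail.example-hospital.org"}

TAG = "External:"


def sender_domain(msg: EmailMessage) -> str:
    """Return the domain of the From: address proper, ignoring the display name.

    parseaddr('CEO <ceo@evil.example>') -> ('CEO', 'ceo@evil.example'), so the
    attacker-chosen display name never influences the decision.
    """
    _name, addr = parseaddr(msg.get("From", "") or "")
    return addr.rpartition("@")[2].strip().lower()


def is_external(msg: EmailMessage) -> bool:
    """True when the From: domain is not one of ours.

    A missing or malformed From: counts as external: the safe default is to
    warn the recipient rather than stay silent.
    """
    domain = sender_domain(msg)
    return domain == "" or domain not in INTERNAL_DOMAINS


def tag_external(msg: EmailMessage) -> EmailMessage:
    """Prepend TAG to the subject of external mail, without stacking tags."""
    if not is_external(msg):
        return msg
    subject = str(msg.get("Subject", "") or "")
    if subject.lstrip().lower().startswith(TAG.lower()):
        return msg  # already tagged by an upstream hop; avoid "External: External:"
    del msg["Subject"]  # removes every Subject header, including duplicates
    msg["Subject"] = f"{TAG} {subject}".rstrip()
    return msg


def tag_raw(raw: str) -> str:
    """Parse raw RFC 5322 text, apply the tag, and return the final subject."""
    msg = message_from_string(raw, policy=policy.default)
    return str(tag_external(msg)["Subject"])


def is_external_raw(raw: str) -> bool:
    """Parse raw RFC 5322 text and report whether it would be tagged."""
    return is_external(message_from_string(raw, policy=policy.default))


# Constructed sample messages (not real traffic).
SPOOFED_DISPLAY_NAME = (
    "From: Chief Executive <ceo@examp1e-hospital.org>\n"   # lookalike domain
    "To: nurse@example-hospital.org\n"
    "Subject: Password reset required\n"
    "\n"
    "Please confirm your credentials at the link below.\n"
)
INTERNAL_MAIL = (
    "From: Scheduling <roster@example-hospital.org>\n"
    "To: nurse@example-hospital.org\n"
    "Subject: Shift schedule\n"
    "\n"
    "Next week's roster is attached.\n"
)
ALREADY_TAGGED = (
    "From: Billing <ar@vendor.example>\n"
    "To: ap@example-hospital.org\n"
    "Subject: External: Invoice attached\n"
    "\n"
    "See attached.\n"
)


if __name__ == "__main__":
    for raw in (SPOOFED_DISPLAY_NAME, INTERNAL_MAIL, ALREADY_TAGGED):
        print(repr(tag_raw(raw)))
```

One caveat a gateway operator should keep in mind: a `From:` domain check alone does not catch a message whose `From:` header claims an internal domain but was injected from an outside relay. Pair the tag with SPF, DKIM and DMARC enforcement at the gateway so that such a message is rejected or quarantined before the tagging step ever sees it.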
Practical real-world security doesn’t require huge expense or complicated approaches. The most critical first step is to become like a child. Open your eyes and realize that the emperor that is healthcare cybersecurity is in the buff.