Emerging Threats in Healthcare and the Adaptation of Protection Models

March 13, 2018
Security executives will need to rethink their approach to mitigating risk in tomorrow’s threat landscape

The challenges faced by today’s healthcare security executives emerge at a much faster cadence than in years past. This reality has over time has migrated the healthcare security executive’s role from a traditional crime-focused leader of “gates, guards, and guns” to a business leader committed to Prevention, Preparedness and Protection. Success in this transitioned role is defined by outcomes resulting in a reduction of harm to patients and visitors, the organization, and the technology systems that support them.

A strengthened commitment to an organizational health protection model has positioned our industry to meet the challenges of an ever-changing threat landscape, increasing threat velocity and increasing harmful impact caused by existing and emerging threats. A successful security team is no longer simply responding to calls for service but is extending prevention opportunities, reducing vulnerabilities and limiting the impact of critical incidents and disruptions to care in a thoughtful manner with the goal of resiliency and improved organizational health. 

Modern healthcare organizations require regulatory teams, including security, to serve as financially responsible patient care-focused business partners with the ability to contribute value across all service lines. A successful healthcare security executive is now leading within the organization as a communicator, collaborator and practitioner-driven by a unified approach to identifying, prioritizing and managing a complex risk portfolio through shared risk handling responsibility. In meeting this responsibility, healthcare security executives must identify and understand current and emerging threats in order to promote meaningful partnerships on behalf of effective mitigation strategies.

Where Emerging Threats Originate

When planning and considering newly emerging threats it shouldn’t be a surprise to any healthcare security executive that many, if not all, find their roots in technology and/or human behavior. These sources of threats fueled by advancements in technology, the internet, and social media continuously adapt over time to outwit and/or exploit previously successful mitigation strategies at rates once thought unthinkable. Just take a moment to think how many times your team has worked tirelessly to develop a threat mitigation strategy only to learn it requires the recalibration of a process or resources to meet evolving vulnerabilities within the same planning cycle. The emerging threats briefly discussed below, many of which are simply iterations of past threats will require our teams to once again adapt on behalf of prevention, preparedness and protection. 

Top Threats: Cybersecurity

Let’s begin with cybersecurity. Due to the sensitive nature of healthcare information, the cyber threat will always be a prioritized concern for all healthcare security executives. Our security teams have seen the cyber threat landscape progress from simple scripts and viruses, intent on disruption to malware and spyware utilized to commit cybercrime, and finally to the ransomware and bots used to facilitate cyber-espionage and widespread harm.

The malign actors of cyberspace have also evolved, as they moved from script-kiddies to coordinated and sophisticated attacks and finally to nation-states carrying out corporate espionage and/or politically motivated attacks. The increased sophistication and velocity of this continuous evolution where nation-states have moved to the forefront is supported in a recent assessment performed by the National Intelligence Agency noting the number of nations with cyberattack capabilities has more than doubled in the last five years (1). While the participants and competency levels may change, the emerging cyber-related threats themselves don’t really change all that much and typically remain connected to the theft or destruction of healthcare information, creating a disruption to scientific discovery or the continuum of care. 

We are also seeing healthcare organizations become increasingly connected, internally and externally, the attack surface increases providing increased opportunity and reward to criminals. Ransomware attacks and medical identity theft continue to trend upward despite the financial commitments made by healthcare organizations to better protect data and limit data breaches. According to a 2017 Data Breach Investigations Report conducted by Verizon, 72 percent of all healthcare malware attacks in 2016 were caused by ransomware.

In addition to these traditional cyber battlefields, there remains growing concern by healthcare security professionals on how to identify and remediate the security concerns surrounding medical equipment and devices. While we are certainly not experiencing the challenges seen on television (how many times have you heard that in security) where bad actors are controlling devices for ransom, there is a reason to be concerned as more and more devices today rely on software that can be potentially exploited by cybercriminals. The potential damaging effects of these cyber operations when directed at healthcare organizations may produce significant harm and disruption in the patient care continuum during both routine and critical periods of care.

The financial investments made to prevent data loss and the protection of intellectual property seems to only delay future loss, while those who are intent on harm adapt their malicious efforts. If you would like to learn more about this risk exposure I suggest you review the recommendations for the management of this risk throughout the total medical device product lifecycle published by the U.S. Food & Drug Administration (2).

Like most technology, cyber security is outpacing regulation efforts making it difficult to understand law and policy in this often perplexing area of risk. Cyber criminals fully understand the instruments of their crimes remain relatively inexpensive and provide a hard to detect and oftentimes offer denial means for conducting criminal operations. Adding to this challenge, organizations continue to connect devices to healthcare networks with varying degrees of built-in security features and fail to regularly patch software and firmware with the latest protection updates. These factors combined with the continuous new breed of cyberattacks healthcare organizations are faced with force security teams to increasingly rely on a trust in technology rather than a trust in people when developing adaptable and successful mitigation strategies.

Top Threats: Workplace Violence

Another emerging threat to healthcare that seems to reinvent itself annually is the harm resulting from behavior and conflict in the care environment. Hospitals and clinics are oftentimes emotionally charged atmospheres and have certainly been no stranger to violence. In fact, according to a 2002-2013 study conducted by the Occupational Safety and Health Administration (OSHA) serious workplace violence was four times more common in healthcare than in private industry (3). Adding to the concern is the prevalence and pace of social media, which continues to surge, magnifying the role it plays in mental health and violence today. Protecting patients and staff from this fast forming and behavioral driven violence requires intervention to avoid harm to patients and staff. Increasingly, this responsibility for behavioral intervention is being undertaken in partnership with healthcare security and other care teams. Team-led organizational health and individual wellness based mitigation strategies allow healthcare security teams move further upstream of harm to prevention and preparedness. 

Over the last several years, many healthcare security teams have established successful behavioral intervention partnerships, however much work remains. This early success combined with extensive media attention and a public appetite for information around hostile intruder incidents has resulted in increased reporting of behaviors of concern by patients, staff and visitors to healthcare campuses. Healthcare security organizations have also experienced an increase in attendance and requests for training and awareness programs related to recognizing behaviors of concern and surviving a mass casualty event. One large healthcare organization in Texas has experienced a 26.2 percent increase in active shooter training attendance from 2016 to 2017.   The increased caseload generated by increased sensitivity and awareness stretches the capabilities of the highly trained staff working to intervene and lessen the likelihood of a tragedy on a healthcare campus. 

Top Threats: Insider Threats

At the crossroads of cybersecurity and conflict and behavior intervention lies another emerging threat to healthcare organizations; the insider threat and its intentional and unintentional consequences. Yet another example of a threat that seems to transform itself annually introducing new risks and forcing adaptations to mitigation strategies. The insider threat can be especially challenging in healthcare and research environments that value the exchange of ideas and learning on behalf of treatment and science. The harm created by insiders with a knowledge of organizational culture often include the theft of intellectual property, cyber threats, violence and disruption, criminal activity and exploitation of administrative gaps. Therefore, successful mitigation strategies must combine cyber and behavioral prevention and protection elements to identify and address the organizational harm caused by insiders.  

In addressing the insider threat, healthcare security professionals will need to rely on a unified approach that crosses organizational boundaries and has the ability to effect change in policy and procedure. This team of organizational leaders will look to the healthcare security executive for guidance around behavior, investigative methodologies and interpretations of legal considerations in elevating the collective success of the team. This reality moving forward requires security leaders and teams to review their existing skill set inventory to ensure they can adapt to the insider threat challenge in a constantly changing world.     

Meeting Tomorrow’s Risk Challenges 

In understanding the threats healthcare organizations face tomorrow, they are simply mutations of the threats we face today. How will healthcare security executives navigate this complex portfolio of exposures to best protect their organizations? If you have made it this far in the article you most likely can predict the recommendation I have for today’s security executive to address emerging threats. The mitigation strategy for this year’s emerging threats will be the same as next years and the many years to follow. Develop a strategy that promotes the agile adaptation of your team and available resources regardless of emerging threats. In the coming years (if not already) threats will change and present inside typical planning cycles and exploit gaps in those healthcare organizations not prepared to respond. The ability to adapt in an agile manner will promote the success of healthcare security now and in the future. In the end, sustainable success will require healthcare security executives to rely more and more on a unified approach to prevention, preparedness and protection that can quickly adapt to remediate prioritized threats. We must adapt our teams, protocols and protection models in an agile manner to prevent harm as close to potential onset as possible.

If agile adaptation is the answer, what subjects should we all study to prepare? My recommendations would be the visualization of data-driven; value-based outcomes, a process and/or program recalibration methodology and a robust training and development plan. Finally, healthcare security professionals will need to reimagine recruiting and talent development in pursuit of aligning innovative thinking and team skill sets with threat remediation. A commitment to excellence in these areas will help prepare healthcare security teams to adapt and meet the challenges tomorrow in a unified and financially responsible manner.   

About the Author: With 30 years in military, municipal and campus policing, Raymond J. Gerwitz currently serves as the Director, Risk Strategy and Operational Excellence for the University of Texas Police at Houston at The University of Texas MD Anderson Cancer Center and The University of Texas Health Science Center. Director Gerwitz is a graduate of Oklahoma State University and holds a Bachelor of Science in Computer Science, Masters of Science in Telecommunications Management and Masters of Business Administration.  In his current role Director Gerwitz provides executive leadership to the Strategic Planning and Analysis, Operational Excellence, Risk Mitigation, Risk Operations, Professional Recruiting and Development, Community Outreach and Law Enforcement Accreditation teams.  

Attributions:

(1)   pg. 5, Worldwide Threat Assessment of the US Intelligence Community, February 13, 2018.

(2)  https://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/ucm425025.htm

(3)  https://www.osha.gov/Publications/OSHA3826.pdf