The Doyle Report: The One Truth Cybersecurity and Healthcare Have in Common

Imagine you had the power to make one global change in the way medicine is practiced to improve patient outcomes and cut healthcare costs. What would you do?

Some of the very best minds in medicine believe the one thing that would make the biggest difference in healthcare is to reduce the gaps in care coordination and practice variance. If we simply applied what we already know evenly and consistently, in other words, we could transform healthcare.

This flies in the face of conventional wisdom that says the answer to our problems is more spending on research and development. But the facts are what they are. Consider, for a moment, the following conclusion that appeared on the Web site of the US National Library of Medicine at the National Institutes of Health. In a paper on healthcare best practices, researchers noted that, “More than half of the cancer occurring today is preventable by applying knowledge that we already have.”

The same could be just as easily said about many conditions and maladies. And it could also be said about cybersecurity.

“We know the tactics and know what is successful [when it comes to cybercrime],” says Marc Spitler, a researcher and co-author of Verizon’s Data Breach Investigations Report, which was published in the spring of 2017. While new and improved security technology is always welcomed, what really matters when it comes to staying ahead of cybercriminals is the tough, mundane stuff that people tend to forget or disregard over time. This includes things like picking better passwords, demonstrating discipline when managing email and limiting those with administrative rights to important systems.

Alas, we are all human (most of us anyway), and we get lazy, bored or, worse, curious from time to time. Thus we click on things we shouldn’t, download things we didn’t search for and gradually ignore organizational procedures over time.

Though it’s now a few months old, the findings from Verizon’s report are worth repeating—if not to your customers then to yourself. Among other things, the report concludes that:

• Cybercrime can come in any shape or size, and not always in the form you’d expect
• Each industry faces a distinctive pattern of threats\
• Yet again, the overwhelming majority of incidents fall into one of nine [known] attack patterns

Given the interest in security, I asked Spitler (pictured left) for insights as to what he has learned since releasing the report. After some talking, we wandered onto the subject of healthcare, which he agreed had at least one thing in common with cybersecurity: what we already know is just as if not more important than what we don’t. As Spitler puts it, the industry already knows where attacks are likely to come from (rogue email and browser vulnerabilities), what bad guys are after (network credentials and employee/customer data) and what stops most attacks in their tracks (updated software and educated workers).

If we were to collectively apply what we already know consistently and thoroughly, we could blunt a great deal of cybercrime, Spitler insists.

So what’s holding us back? In addition to complacency, the industry is wrestling with complexity. Customers aren’t buying too few products and services; they are buying, in some instances, too many, which is giving them a false sense of—dare I say—security. Instead of layering technology on thick, they should invest in instead in a proper mix of technology, personnel training and organizational best practices.

The idea is backed up by no less than VMware CEO Pat Gelsinger, who told Fortune ahead of its annual VMworld 2017 underway this week in Las Vegas that, “The tech industry has failed our customers in security.”

“They are buying more security stuff than ever and breaches are occurring faster and are more serious than ever. That means businesses are falling further behind despite spending more,” Gelsinger said to tech editor Barb Darrow.

At some point, this reality is going to come back to haunt those who overemphasize technology wizardry. If you step away from cutting-edge innovation and sensational headlines, you realize that most new attacks including the WannaCry virus are devised using widely know vulnerabilities and do not represent a significant jump in terms of technological sophistication. Instead, they demonstrate a triumph over a persistent sense of invulnerability.

While you’re pondering this, consider some additional data points from the Verizon study:

• 75 percent of attacks originate outside a targeted organization
• More than half of breaches involves malware
• 80 percent of hacking-related breaches leveraged either stolen passwords and/or weak or guessable passwords
• 61 percent of victims are organizations with fewer than 1,000 employees

While it’s sad to think that many small businesses live by the adage that “what we don’t know can’t hurt us,” it’s even more unsettling to think that what they do know could save them—if only they put that knowledge to work.