Organizations must recognize that cybersecurity is more a journey than a destination.
The continued onslaught of cyberattacks and ransomware attacks against U.S. companies in all industries can cause leaders to become numb to the latest headlines. But a devil-may-care attitude won’t stop bad actors from targeting companies, especially those in healthcare, where information is the most valuable, hospital IT systems are in use 24/7/365, and IT networks are increasingly complex.
During the first half of 2021, 343 data breaches were reported to the HHS Office for Civil Rights (OCR). That represents a 27% increase from the first six months of 2020. What’s more, the incidence of breaches increased 145% between 2015 and 2020.
Healthcare providers accounted for 73% of all breaches in the first half of 2020, followed by health plans (16%) and business associates (11%).
The cost for mitigating breaches is highest among healthcare organizations, topping $9 million per incident. And healthcare ranks last among industries in the length of time is takes to discover and contain a breach — 329 days or almost 11 months. Financial services companies, an industry also tightly regulated by the federal government due to the sensitive nature of data it deals with, can detect and contain a breach three months faster.
“The best defense is a good offense” often describes sports tactics, but the phrase originated in military conflicts, an apt comparison to today’s cybersecurity environment where increasingly sophisticated attacks against hospitals and health systems occur almost daily. It is not enough to wait passively for an attack to occur. Healthcare cybersecurity professionals must be ever vigilant to protect against internal and external threats, and organizational leaders must prioritize information security resources and projects against many other competing priorities.
Consider these seven steps to strengthen the information security at your organization:
1. Understand your IT environment
Few hospitals fully grasp the sheer number of IT connections they have across the healthcare landscape or the depth of those connections. Electronic health records (EHRs), picture archiving and communications laboratory systems, pharmacy systems and more obvious systems that maintain potential external connections; each system and each device that connects to any of these core systems must also be monitored and protected. The proliferation of internet-enabled medical devices has exponentially increased the number of connections to EHRs. Federal efforts to increase connectivity among providers are also bringing new challenges, especially around security standards. A robust security solution can automate the identification, assessment, and protection of connected devices.
2. Conduct risk assessments
No one becomes proficient during an emergency, so understanding your organization’s vulnerabilities and testing for the most likely scenarios will help staff respond more quickly and efficiently to an actual event. The first step is to create proactive policies and plans to govern the IT network and employees. Leveraging a third party that performs security assessments and can help an organization develop an incident response plan may allow your organization to achieve its objectives quicker than by using in-house resources. As a bonus, an independent perspective can help identify areas for security improvement.
3. Create an incident response plan and test your plan
Creating an incident response plan is critical to respond effectively to an attack, as proper preparation will facilitate a faster response when an incident is discovered. Think of it this way: if you need emergency surgery, do you want a surgeon who always operates on a set schedule or one who constantly deals with emergent cases? Likewise, putting a plan into action should be second nature to cybersecurity veterans who have planned for this eventuality. Do you have sufficiently experienced in-house personnel to handle potential emergencies? The time to determine this isn’t when a ransomware attack occurs.
4. Train employees early and often
People are often the weak link in the cybersecurity chain, falling victim to phishing, pharming or email account compromise attacks. Every employee who has access to IT systems and sensitive data should, at the bare minimum, receive training annually to reinforce policies and refresh memories about information security issues. Frequent security reminders in employee communications also can help. Some organizations test the effectiveness of their employee security and aware training program by performing internal phishing campaigns and monitoring the response, retraining and educating those individuals who fail the test. This type of training is especially important for job titles that are often specifically targeted, including executives, IT administrators, network teams, and accounting and finance teams.
5. Restrict user access when possible
Access to IT systems should be restricted to only those who explicitly require it. For example, medical and billing staff obviously need to interact with the EHR, but the human resources department may not. Does every employee really need an email account, and if so, are they required to access it outside the organization? Restricting access, requiring multi-factor authentication or single sign-on, and providing regular education can help protect systems. By limiting user access to the minimal amount required, cybersecurity teams reduce the potential attack surface, which reduces risk.
6. Do not rely on cyber insurance
Cyber insurance rates rose as much as one-third in 2021 because of the considerable increase in ransomware attacks. In response to increasing payouts, insurance companies are hiking deductibles, limiting their exposure, and demanding security certifications as a condition of coverage. The average ransomware payout quadrupled during 2020, significantly increasing the exposure of insurance companies. Do not mistake cyber insurance as a security control. Rather, is a transfer of risk above a threshold determined by an organization. To minimize the likelihood of an incident (and a payout), organizations must be proactive in maintaining its security program and the associated controls.
7. Consider IT outsourcing
Cybersecurity functions are critical to the practice of healthcare, but the considerable demand for cybersecurity personnel may leave hospitals and health systems lacking. The U.S. Commerce Department in May estimated about 465,000 nationwide cybersecurity openings. Healthcare IT staff members are usually spread thin and generalists in technology matters, rather than the cybersecurity experts tasked to proactively safeguard a hospital’s vital information and systems. While IT staff may be needed to maintain computers and servers, most IT functions can be outsourced to a third party with specialized skills and guaranteed service levels. In particular, cybersecurity is best left in the hands of those with the right training and particular healthcare knowledge and expertise.
Start the Cybersecurity Journey
Until the healthcare industry starts to show resilience in repelling unrelenting waves of malware and ransomware attacks, they certainly will continue. Protecting critical infrastructure and data is not for the faint-hearted, as attacks become bolder and connections among healthcare technologies grow in number and sophistication. These attacks hit not just the bottom line but can severely hamper patient care and tarnish brand reputation. Lawsuits are being filed with increasing regularity by patients who were prevented from receiving care during a cyberattack.
Organizations must recognize that cybersecurity is more a journey than a destination. Threats are a constant, and your security program, which includes monitoring and remediation efforts, should never be one-and-done. Consider what can be in-house to improve security or look to a third party with expertise in the unique demands of healthcare cybersecurity.
Dan L. Dodson is CEO of Fortified Health Security, a recognized leader in cybersecurity that is 100% focused on the healthcare market. He is the author of the “2021 Horizon Mid-Year Report” on the state of cybersecurity in healthcare. Through Dan’s leadership, Fortified Health Security partners with healthcare organizations to effectively develop the best path forward for their security program based on their unique needs and challenges.
Cybersecurity panel: Hospitals threatened by attacks aimed at vendors
November 4th 2024Chief Healthcare Executive presents another installment from our conversation on cybersecurity, with experts from the American Hospital Association, HIMSS and Providence. They talk about breaches tied to business partners.