Guarding Against Negligence: How Healthcare Providers Can Detect and Diagnose Cyber Risks

Data breaches are preventable. Here's how a health exec can safeguard health data.

Healthcare is an intensely data-driven industry, and the volume of patient data — clinical, financial, demographic — has grown exponentially in recent years. The evolution from fee-for-service to value-based care, with its emphasis on the continuum of care and interoperability, brings with it the need for providers to share and aggregate data from multiple stakeholders at multiple access points.

Unfortunately, that expanded access has created more opportunities for targeted attacks on data networks. Sometimes data are compromised or stolen because healthcare entities neglected to take proper care of them; sometimes the cause is a significant event such as the COVID-19 pandemic, which increased the need to exchange large amounts of patient information.

Smaller healthcare stakeholders have their own particular cybersecurity challenges. Although they may handle less data than their larger brethren, smaller stakeholders often lack the budget, in-house staff, or consulting expertise to run a cybersecurity team that can diagnose data vulnerabilities and implement remedies for them.

Pandemic heightens the security threat

The pandemic-driven explosion in work-from-home arrangements has greatly increased the need to access data networks remotely. It has also raised the risk of cyberattacks. Security magazine reports that business organizations will boost their cybersecurity spending by 70%.

Healthcare stakeholders must protect a broad spectrum of sensitive, high-value patient information. Besides a patient’s medical history and protected health information (PHI), this can include health insurance data, Social Security numbers, demographic information, and credit card accounts. Between January and October 2020, healthcare network server breaches increased 23% over the same 10-month span in 2019. The average cost of a healthcare data breach is more than $7 million, the highest of any industry and nearly double the global average for breaches in other industries.

Just as healthcare providers deliver preventive medicine to preserve their patients’ long-term health, they can safeguard their data networks and patient data by taking a comprehensive yet highly focused look at their cybersecurity profiles.

Analyze, visualize, and prioritize

Advanced technology assessment products can examine a company’s data network to answer a few key questions: Where are my data exposed and vulnerable? How do I prioritize my risks, and what is the first thing I must do to eliminate that exposure? How do I improve data protection across the enterprise?

Technology assessment solutions can answer those questions through three primary tasks:

  • An open, agnostic architecture aggregates scan data, ACL (access control list) data and log/big data to yield an exhaustive risk assessment. The entire analysis — the vast majority of it automated — can be conducted remotely, which lowers the product cost.
  • Sophisticated tools visualize the data network and convert what is discovered into simple, easily understood illustrations.
  • Powerful analytics examine a myriad of potential data threats, rank the severity of threats to the most critical assets — such as payroll systems and intellectual property — and determine if that critical-asset data faces a direct or indirect risk.

The process described above enables healthcare stakeholders to gain a complete picture of vulnerabilities to cyber disruption and a strategic plan to address any deficiencies. The process is scalable to accommodate data network growth.

The goal is to target the most consequential security gaps. For instance, an unknown access point reachable from outside the data network is far more critical than a server that sits by itself and doesn’t interact with other servers. Focusing attention on the most pressing risks, and prioritizing remedies for high-value assets and the ACLs that govern access to them, makes life easier for the IT workers tasked with closing the vulnerabilities.
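The direct-versus-indirect risk distinction above comes down to a reachability question over the ACL-permitted flows: can an attacker starting outside the network reach a critical asset, and through which hosts? The following Python example is added here and is not code from the article or from any vendor product; the host names, criticality scores, scan flags and exposure weights are constructed sample data.

```python
from collections import deque

# Constructed sample inventory (not from the article): criticality on a 1-5
# scale, and whether a scan flagged an exploitable finding on the host.
HOSTS = {
    "internet":    {"crit": 0, "vuln": False},   # external entry point
    "vpn-gw":      {"crit": 2, "vuln": True},
    "web-portal":  {"crit": 3, "vuln": True},
    "app-srv":     {"crit": 3, "vuln": False},
    "payroll-db":  {"crit": 5, "vuln": True},
    "lab-archive": {"crit": 5, "vuln": True},    # no ACL permits inbound traffic
}
# Each (src, dst) pair is a flow the ACLs permit (constructed).
ACLS = [("internet", "vpn-gw"), ("internet", "web-portal"),
        ("vpn-gw", "payroll-db"), ("web-portal", "app-srv"), ("app-srv", "payroll-db")]

def attack_paths(hosts, acls, entry="internet"):
    """BFS from `entry`; onward hops are only allowed from hosts with an
    exploitable finding, since a pivot requires a foothold on that host."""
    adj = {}
    for src, dst in acls:
        adj.setdefault(src, []).append(dst)
    paths, queue = {entry: [entry]}, deque([entry])
    while queue:
        cur = queue.popleft()
        if cur != entry and not hosts[cur]["vuln"]:
            continue                      # reachable, but not a usable pivot
        for nxt in adj.get(cur, []):
            if nxt not in paths:
                paths[nxt] = paths[cur] + [nxt]
                queue.append(nxt)
    return paths

def classify(hosts, acls, entry="internet"):
    """Map each host to (exposure class, shortest attack path or None)."""
    paths, result = attack_paths(hosts, acls, entry), {}
    for name, h in hosts.items():
        if name == entry:
            continue
        if name not in paths:            exposure = "isolated"
        elif not h["vuln"]:              exposure = "reachable-not-vulnerable"
        elif len(paths[name]) == 2:      exposure = "direct"     # one hop from entry
        else:                            exposure = "indirect"   # via compromised hosts
        result[name] = (exposure, paths.get(name))
    return result

def prioritize(hosts, acls, entry="internet"):
    """Rank hosts by criticality x exposure weight, highest first."""
    weight = {"direct": 3, "indirect": 2, "reachable-not-vulnerable": 1, "isolated": 0}
    cls = classify(hosts, acls, entry)
    score = lambda n: hosts[n]["crit"] * weight[cls[n][0]]
    return [(n, cls[n][0], score(n)) for n in sorted(cls, key=score, reverse=True)]
```

On the sample data the isolated lab-archive scores zero despite its finding, while the indirectly reachable payroll-db ranks first, which is the prioritization the text argues for.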

Establishing liability protection

The potential for liability exposure gives healthcare stakeholders an especially powerful incentive to protect their data. Some cyber insurers won’t underwrite a policy if an organization hasn’t rigorously assessed its cyber vulnerability with, for example, a penetration test that simulates an assault on the network. A new class of litigation dealing with cyber negligence is being directed against company officers and directors for failing to perform assessments like these and for not devoting the necessary attention to their high-value assets. If negligence is proven, coverage may be denied for those officers and directors, leaving them personally liable.

Vulnerability assessments are now available that include pen tests and exceed cyber-insurance threshold standards. They go beyond the four standard assessment levels typically used to gauge an organization’s cyber-theft exposure by furnishing a vulnerability dashboard with additional rankings that indicate whether a high-value asset’s vulnerability can actually be exploited. Moreover, if an assessment reveals serious potential for imminent data disruption, the assessment service can notify the endangered client immediately, without waiting to deliver a final report.

Timeliness, flexibility needed to uncover the most common data exposures

Organizations should conduct network assessments at least annually, but quarterly scans are preferable, because a vulnerability assessment report that detects no serious data exposures may give a company a false sense of security. The average time to identify and contain a healthcare breach is 11 months (329 days), versus an average of 280 days in other industries.

Even the successful remediation of an identified issue doesn’t lessen the need for vigilance. Cyber criminals are constantly trying to find a way around the remedial defenses that have been put in place. Mature organizations, and those that handle extremely critical information and must meet HIPAA compliance standards — such as hospital systems — should seriously consider monthly scans.

Assessments also are necessary when healthcare businesses undergo major changes such as a merger or acquisition. A merger or acquisition brings new physical locations and business associates, which means added data and potential liability for the network.

Two areas where these new assessment offerings have shown promise are deep web scans to discover compromised credentials for corporate accounts and the detection of systems exposed to the EternalBlue and BlueKeep vulnerabilities, both of which have been used to deliver ransomware. A report from one assessment solution provider noted success rates of 75% and 90-95%, respectively, in performing such web scans and identifying these ransomware-related exposures. EternalBlue and BlueKeep are software vulnerabilities in Microsoft Windows operating systems.

Whether the fault lies in human error or in systemic shortcomings, data breaches are preventable. Properly safeguarding the data requires an affordable yet advanced solution that accurately assesses how and where vital data are endangered, so that healthcare facilities can implement reliable defenses against cybercriminals.

Steve Crummey is Chairman, CyVision Technologies, Inc.