Cybersecurity issues in health systems have gotten a lot of attention in recent months. The latest data breaches are making headlines, like this recent cyberattack against Universal Health Services (UHS) that affected over 250 hospitals.
Data breaches in healthcare systems aren’t new. And they’ve been steadily rising due to the high value of healthcare data. Cybercriminals recognize they can make a wealth of money by stealing or compromising this information. According to HIPAA Journal data, between 2018 and 2019, the number of records exposed more than tripled.
Recognizing this trend, we can’t say the COVID-19 pandemic has been the reason for consistent and increasing breaches these past six months. But the pandemic has certainly introduced new and different risk factors into the landscape. The most substantial change has been that more employees are working remotely. This enlarges and scatters the technology network and demands new security protocols and training. Malicious actors are exploiting these expanded networks, as well as other risks related to COVID-19.
With cybersecurity incidents on the rise in healthcare systems, it’s not a matter of if, but when one will occur at your organization. Learn how to weather the storm and be prepared for anything.
If you’re a leader in the healthcare industry, to ensure your cybersecurity plans are sufficient for today’s challenges, you must understand what’s at stake, what your actual risks are and where you might find security gaps—especially if your IT environment has changed. Here’s what you need to know about cybersecurity in healthcare today:
Once a cybercriminal gets into an environment, it can take a while to recognize they are there. And in healthcare environments, it often takes more time to identify and respond to a breach than in other environments. One reason for this is that cybercriminals can be more certain of the value of healthcare data. So, they invest more time and stay “quiet” within the system to get farther and collect more information to sell.
Another reason is insufficient threat monitoring, such as relying on legacy detection tools like traditional signature-based antivirus. When organizations try to monitor for threats on their own, their efforts are often inadequate. Knowing which indicators precede a breach is challenging, and it’s hard to know whether you’re monitoring the right things. If threat monitoring is proving too difficult internally, health systems have the option of outsourcing it to a reputable third party. With professional monitoring, you’re working with experts who know how to set up networks, where to put sensors and what to look for.
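As an added illustration of behaviour-based monitoring (this is example code written for this article, not a tool of the author's or of Eide Bailly's), the script below runs simple detection logic over a few constructed EHR access-audit lines. Instead of matching a malware signature, it flags an account that views far more distinct patient records in a day than its own baseline, and flags record exports outside working hours; both are the kind of "quiet" activity a signature-based tool never sees. The log format, the user names, the thresholds and the working-hour window are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import date, datetime

# Constructed sample audit lines in an assumed format:
#   <ISO timestamp> <user> <role> <VIEW|EXPORT> <patient id>
# Day 1 is the quiet baseline; day 2 has off-hours exports; day 3 has one
# account touching many more records than it normally does.
SAMPLE_LOG = """\
2020-10-05T09:12:01 nurse.ann nurse VIEW P1001
2020-10-05T09:15:44 nurse.ann nurse VIEW P1002
2020-10-05T10:02:13 dr.bob physician VIEW P1001
2020-10-05T10:40:09 billing.cat billing VIEW P1003
2020-10-05T11:01:00 nurse.ann nurse VIEW P1003
2020-10-06T02:11:05 billing.cat billing EXPORT P2001
2020-10-06T02:11:06 billing.cat billing EXPORT P2002
2020-10-07T13:00:01 billing.cat billing VIEW P3001
2020-10-07T13:00:09 billing.cat billing VIEW P3002
2020-10-07T13:00:17 billing.cat billing VIEW P3003
2020-10-07T13:00:25 billing.cat billing VIEW P3004
2020-10-07T13:00:33 billing.cat billing VIEW P3005
2020-10-07T13:00:41 billing.cat billing VIEW P3006
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (VIEW|EXPORT) (P\d+)$")


def parse_log(text):
    """Parse the assumed audit format into event dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m.group(1)),
            "user": m.group(2),
            "role": m.group(3),
            "action": m.group(4),
            "patient": m.group(5),
        })
    return events


def distinct_patients_per_day(events):
    """Return {user: {date: number of distinct patient records touched}}."""
    per_user = defaultdict(lambda: defaultdict(set))
    for e in events:
        per_user[e["user"]][e["ts"].date()].add(e["patient"])
    return {u: {d: len(s) for d, s in days.items()} for u, days in per_user.items()}


def find_anomalies(events, baseline_days, multiplier=3.0, min_excess=5,
                   work_hours=(7, 19)):
    """Return (kind, user, when, detail) tuples for two behavioural indicators.

    VOLUME: on a non-baseline day a user touches more distinct records than
            max(multiplier * their baseline daily mean, min_excess). A user with
            no baseline history falls back to the absolute floor min_excess.
    OFF_HOURS_EXPORT: an EXPORT outside the assumed working-hour window.
    """
    alerts = []
    for user, days in distinct_patients_per_day(events).items():
        base = [n for d, n in days.items() if d in baseline_days]
        mean = sum(base) / len(base) if base else 0.0
        threshold = max(multiplier * mean, min_excess)
        for d, n in sorted(days.items()):
            if d not in baseline_days and n > threshold:
                alerts.append(("VOLUME", user, d.isoformat(), n))
    start, end = work_hours
    for e in events:
        if e["action"] == "EXPORT" and not (start <= e["ts"].hour < end):
            alerts.append(("OFF_HOURS_EXPORT", e["user"], e["ts"].isoformat(), e["patient"]))
    return alerts


def run_sample():
    """Treat the first day of the constructed log as the baseline and scan the rest."""
    return find_anomalies(parse_log(SAMPLE_LOG), baseline_days={date(2020, 10, 5)})


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the constructed log this produces one VOLUME alert for `billing.cat` on the third day and two OFF_HOURS_EXPORT alerts for the 02:11 exports. In practice the baseline would be built from weeks of history and the thresholds tuned per role, but the point stands: the indicators worth monitoring in a health system are often deviations in who touches how many records and when, not file signatures.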
Ransomware is impacting every industry. But healthcare systems are particularly vulnerable because when health professionals need information, they usually need it right away. Availability, timeliness and confidentiality are vital, and ransomware directly affects these core needs. This has been a known problem in the healthcare industry, but it’s a challenge to get users to take it seriously.
Ransomware attacks spread quickly, and if you don’t have the right security and technology, an attack can impact systems and mission-critical devices your operations depend on. Many organizations don’t recognize these dependencies until that connection is compromised.
One of the biggest risks with ransomware attacks is withholding of immediate information. When systems are unavailable, doctors don’t have basic medical information on patients like blood type, allergies and previous conditions. Thus, when a patient comes in needing medical attention and the system is down, precious time is spent trying to determine this information.
Malware can have serious, life-threatening implications for hospitals. It can impact transportation, communications and medical procedures by blocking access to vital, immediate information. There is a human cost to this.
According to research from Vanderbilt University, data breaches lead to 2,160 deaths per year. Consider the recent ransomware attack at UHS we previously mentioned. Though it’s reported that no patients were harmed, surgeries were delayed, and ambulances redirected. Such measures present serious risks for patients.
Keep up with the latest cybersecurity incidents to better understand your risks.
Before this year’s proliferation of remote work, to break into a system, a third party had to get into a corporate network. Organizations could create boundaries that protected everything inside that network, whether on-premises, in the cloud or both.
Now, with more remote employees, the risks to our environments extend to where people are working. Whether they’re connecting their corporate computers to home networks or accessing corporate data from their personal computers, the surface area of the network has increased. Cybercriminals recognize they only need to get into one place, like a home network, as opposed to a protected corporate network.
As a result, people themselves have become a larger part of the risk, and users must recognize the role they play in cybersecurity. Organizations should educate users to help them understand:
Creating that awareness is invaluable to security. It means users will think critically, consider the security implications, and perhaps reach out to your experts before determining an action is safe.
Healthcare data is sensitive and valuable, and protecting it demands a high level of consideration. Unfortunately, legacy systems do not have the capabilities needed to meet today’s best security practices. And though regulatory requirements govern the protection of this data, unless an organization invests the resources to address them, legacy systems will pose a growing risk.
Leadership at hospitals and medical organizations must be more strategic when it comes to protecting data. They must go beyond simply patching an outdated system and relying on contracts with third parties that may be storing and transmitting data. Unfortunately, many don’t take this issue seriously until they’ve had an incident. Then, it becomes a clean-up operation that costs a lot more than preventative measures would have.
Give the security component proper attention and ask yourself: what is really required to protect this data? It may be that you need to improve your system or find new solutions.
When organizations move to the cloud, they tend to approach it purely from a business or technology standpoint without considering the security implications. Migrating data from on-premises servers to cloud environments has many business benefits, and organizations gain capabilities inherent to the platform, but there are also inherent risks.
A lot of healthcare organizations are moving to the cloud right now, and if you’re considering this step, be strategic and don’t neglect the security transition. You must have a strict transition plan that outlines how you’ll adapt your security to be cloud-focused and account for relevant risks. For many, this transition also involves managing a remote workforce. As mentioned, there are new risks here as well, and your plan should reflect this new environment: cloud-based and remote.
Your next steps will depend on how mature your cybersecurity program is. If you have security staff and plans in place, given how the environment may have changed, you should still assess your systems, identify current risks and determine if you’re being as efficient as possible. To manage more complex security matters, such as improving or moving from a legacy system, bring in a third party to help identify the best solution for your organization.
If you’re less mature in cybersecurity planning, you need a roadmap that identifies your risks, the solutions you need and how you can implement them in a sustainable way.
No matter what level of maturity you’re at, prevention and awareness are key to avoiding cyberattacks and breaches. Here’s how healthcare leaders can improve cybersecurity at their organizations:
Too often, leaders in health systems don’t delve into cybersecurity as a vital component of their operations. Rather, they view it as a compliance exercise. They meet their HIPAA regulations and feel they’ve checked the box. But these and other data standards in healthcare tend to be too broad. Organizations need more specific action plans, and they need to be more proactive in how they’re protecting this data if they want to avoid a breach.
Employee training and awareness have always been important for cybersecurity. But now, with an expanded remote workforce, there’s a greater need for individuals to take it seriously and recognize their own responsibilities. And because culture is driven from the top down, executives and board members are not exempt from cybersecurity awareness training. Instead, they are critical in creating a culture of cybersecurity and should lead by example to convey its importance.
That’s why, when we at Eide Bailly work with our clients and outline their security roadmaps, we emphasize education and training for leaders and help them understand the role they play.
You must identify your sensitive data, where it is, who has access to it and how it’s being accessed. Then, work with your IT team to put the proper mechanisms in place to control and protect that data based on how you’ve classified it. IT alone cannot determine what data is sensitive. The business and IT must work together to come up with solutions that handle data securely.
For instance, if sensitive data must be shared with a customer or patient, employees must have a protocol and mechanism for doing so. If you’ve prepared and designed solutions with IT, IT can provide the mechanism whereby employees can securely share that data, such as encrypted email transmission capability.
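As an added worked example of the classify-then-control flow described above (written for this article; it is not code from the author or from Eide Bailly), the Python below inventories a few constructed records, labels each by the direct identifiers it contains, checks a role-based access matrix, and decides whether a requested sharing channel is acceptable for that label. The identifier patterns, the labels, the role matrix and the channel list are all assumptions; a real organization defines these with its business owners, which is the point of the passage.

```python
import re
from dataclasses import dataclass

# Patterns for a few common direct identifiers. Illustrative assumptions only;
# real classification rules are agreed between the business and IT.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[ -]?\d{6,}\b", re.IGNORECASE),
    "date_of_birth": re.compile(r"\bDOB[: ]+\d{4}-\d{2}-\d{2}\b", re.IGNORECASE),
    "phone": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),
}

# Approved sharing channels and whether each protects data in transit (constructed).
CHANNELS = {
    "plain_email": False,
    "encrypted_email": True,
    "patient_portal": True,
    "fax": False,
}

# Role-based access matrix (constructed): which labels each role may read.
ROLE_ACCESS = {
    "physician": {"PHI", "INTERNAL"},
    "nurse": {"PHI", "INTERNAL"},
    "billing": {"PHI", "INTERNAL"},
    "marketing": {"INTERNAL"},
}

# Constructed sample records; none describe a real person.
SAMPLE_DOCS = {
    "visit-note-1": "Patient MRN 00123456, DOB: 1975-03-14, allergy: penicillin, blood type O-",
    "staff-memo": "Parking lot B is closed Friday for resurfacing.",
    "claim-42": "Claim for SSN 123-45-6789, procedure code 99213, callback 555-123-4567",
}


@dataclass
class Finding:
    doc_id: str
    label: str
    identifiers: tuple


def classify(text):
    """Label text PHI if any direct identifier is present, else INTERNAL."""
    found = tuple(sorted(name for name, rx in PHI_PATTERNS.items() if rx.search(text)))
    return ("PHI" if found else "INTERNAL"), found


def inventory(docs):
    """Answer 'what sensitive data do we have and where' for a set of records."""
    return [Finding(doc_id, *classify(text)) for doc_id, text in docs.items()]


def can_read(role, label):
    """Answer 'who has access' from the role matrix; unknown roles get nothing."""
    return label in ROLE_ACCESS.get(role, set())


def may_share(label, channel):
    """PHI may only leave via a channel that protects it in transit."""
    if channel not in CHANNELS:
        return False
    return CHANNELS[channel] if label == "PHI" else True


def share_decision(doc_id, docs, requester_role, channel):
    """The protocol an employee follows: classify, check access, check channel."""
    label, _ = classify(docs[doc_id])
    if not can_read(requester_role, label):
        return "DENY: requester role may not access this classification"
    if not may_share(label, channel):
        return "DENY: channel not approved for this classification"
    return "ALLOW"


if __name__ == "__main__":
    for f in inventory(SAMPLE_DOCS):
        print(f)
    print(share_decision("visit-note-1", SAMPLE_DOCS, "nurse", "plain_email"))
    print(share_decision("visit-note-1", SAMPLE_DOCS, "nurse", "patient_portal"))
```

The two records with identifiers are labelled PHI and the memo is not; a nurse sending the visit note by plain email is refused while the same request through the portal is allowed, and a marketing role is refused regardless of channel. The mechanism (encrypted email, a portal) is IT's to provide, but which records count as PHI and which roles need them is a business decision encoded in the two tables.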
The worst time to think about what you’re going to do about an incident is during an actual breach. You want to think about your response ahead of time. Many healthcare organizations are getting more serious and intentional about incident response planning.
At Eide Bailly, we do more than design these plans. We perform trainings and scenarios with leadership and IT, walking through how they’ll respond, who they should contact and what their individual roles are in tabletop exercises. These activities help organizations be better prepared to take immediate action in various scenarios, such as backups failing during a cybersecurity incident. Such run-throughs should be part of your cybersecurity planning and training.
Healthcare systems can benefit greatly from third-party cybersecurity consulting. Experts with knowledge of current threats and risks in your industry can help identify the best solutions for your organization. Our professionals have years of experience implementing and improving cybersecurity in the healthcare industry.