Healthcare Organizations Must Balance the Growing Cybersecurity Threat Landscape with Meeting Regulatory Mandates
The need for healthcare executives to reassess their cybersecurity policies and strategies has never been more critical. But how can security operations professionals within healthcare organizations balance the need to meet regulatory mandates while securing critical network infrastructure and patient data? Even though healthcare organizations, including providers, payers, pharmaceutical companies, medical device manufacturers and medical research organizations, aren’t lucrative money centers like banks or credit unions, they are sitting on a treasure trove of valuable personal information that cyber criminals are increasingly eager to access.
According to the 2017 Verizon Data Breach Investigations Report (DBIR), healthcare organizations have become a top target for hackers delivering malware-based ransomware, which accounts for 72% of the malware incidents in the healthcare industry. It’s apparent that the cyber risk to healthcare organizations, and their patients, is not going away anytime soon. As new threats continue to escalate and extend to IoT-based medical devices, many healthcare organizations will continue to be compromised through known attack vectors and patterns such as phishing attacks, misconfigurations and unpatched systems. According to the Identity Theft Resource Center, between 2014 and 2016 there were over 950 confirmed data breaches within the healthcare industry, and of those three years, the most recent (2016) had the largest number of breaches.
One very recent and widespread ransomware attack, dubbed WannaCrypt, affected 45 hospitals across the UK which sent systems offline and hospital personnel scrambling. As a result, appointments were cancelled, and doctors and nurses resorted to pen and paper as systems were locked down by the ransomware attack. WannaCrypt should have sent a shock across the healthcare industry at large because of one important factor – many of the targets were running outdated Windows operating systems like Windows XP, Windows 8 and Windows Server 2003. Microsoft issued patches because of WannaCrypt, but organizations should take this widespread threat as a hint – it’s time to regularly update systems to newer versions, apply security patches, and most importantly, take cybersecurity seriously.
One of the most significant challenges facing the healthcare industry is a required focus on regulatory mandates, both in terms of federal laws as well as an increasing patchwork of state laws that have steep sanctions in the event that PHI and PII data is breached or otherwise compromised. When the Health Insurance Portability and Accountability Act (HIPAA) was passed into law in 1996, it ushered in a new era for recognizing the importance of securing the confidentiality and integrity of healthcare patient data.
Years later, healthcare organizations still struggle under the weight of ensuring that all newly adopted technologies – such as analytics systems that centralize massive amounts of PHI, and healthcare delivery devices that are now IoT-based and connected to facility networks – are compliant with HIPAA requirements, while maintaining compliance for substantial legacy systems as well. This is especially true since the passage of the HITECH Act, which dramatically increased the potential sanctions for non-compliance. In the last few years, HHS and OCR (the HIPAA enforcement authorities) have become a lot more active in auditing and enforcing HIPAA controls across the healthcare industry. And the fines can be steep, ranging from $100,000 to millions for a failed audit and/or a confirmed breach.
Collectively, these real challenges – current and emerging regulations and the perpetual fight against threats both known as well as new – can often be points of contention (and competition) for budgets, personnel and time within healthcare organizations.
Additionally, for healthcare organizations, the cost of implementing cybersecurity controls is not simply one of financial impact. For personnel tasked with implementing these solutions, the burden of ensuring that these controls not only deliver actual security but also address regulatory requirements is critical.
When assessing their current cybersecurity program and technologies against the regulatory mandates they must meet, healthcare executives and organizations should take the following into consideration:
- The false “either/or” choice of security or compliance. Often, security technology vendors build their solutions specifically to ensure that healthcare organizations will “check the box” when it comes to regulatory compliance. While it’s important to ensure that any cybersecurity solution passes muster with auditors, it is just as important to remember that these solutions must provide actionable information and in the process, reduce risk – otherwise, they run the risk of simply being an audit tool.
- Beware of choosing solutions that require extensive management. There is certainly no lack of choice when it comes to cybersecurity solutions for healthcare organizations. However, many of the “block-and-tackle” security technologies that are critical to detecting and mitigating threats, such as security monitoring, vulnerability management, and patch management, demand significant security expertise and time, which in turn results in a need to hire a large team of security professionals that can eat away at healthcare budgets. In a current market where there is a cybersecurity professional shortage, with approximately 1 million jobs unfilled, and the total cost of hiring a full-time security professional is north of $250,000 per year, most healthcare organizations are challenged to find sufficient budgets to handle security in-house. A cost-effective and budget-friendly option could be to partner with a well-qualified and SOC 2 compliant third-party security-as-a-service provider.
- Anticipate technical integration issues. Security platform products such as monitoring and patch management systems are only as effective as the technologies with which they can integrate. Some products lack effective out-of-the-box integration with common technologies, requiring security personnel either to manually create templates and other burdensome components to achieve integration or to pay a premium to the vendor or a third party to do the work, increasing the cost of achieving a properly functioning solution. On-premises solutions, in particular, can present a nightmare scenario that requires extensive network and service reconfiguration coupled with continuous “care and feeding” in the form of security patches and functional updates for software, servers and appliances, as well as physical burdens such as rack space, power redundancy, network connectivity and other concerns.
- Time and expertise required to implement solutions. Rarely do healthcare personnel who implement or manage security technologies wear “one hat.” From supporting internal auditors in advance of examinations, to fielding technical support for healthcare practitioners, to translating the complexities of threats and resulting risks into language that can be understood by administrators and management teams, time is always in short supply. Implementing security technologies takes away a substantial portion of that valuable time, both in terms of implementation and ongoing management, that might be devoted to other high priority IT projects.
- Choosing the right Managed Security Services Provider (MSSP) that delivers security as a service. For many smaller healthcare organizations, it makes sense to trust an MSSP to provide security protection, which may include monitoring, and vulnerability and patch management. Some MSSPs substantially lower the cost of cybersecurity protection because they use cloud-based solutions that don’t require on-premises servers, appliances, or other equipment and software. However, not all MSSPs are created equal. Some may not have the cybersecurity experts required to monitor and mitigate threats successfully on a 24x7x365 basis. And MSSPs unfamiliar with the healthcare industry may not be able to support regulatory mandates, such as HIPAA, the HITECH Act, 21 CFR Part 11, and others that require healthcare organizations to meet audit requirements while simultaneously reducing cybersecurity risks. While MSSPs can significantly lower the spend on cybersecurity protection, it may cost more in the long run if the MSSP isn’t knowledgeable about the specific needs of healthcare organizations.
The Urgent Cybersecurity Imperative
Healthcare organizations face a special set of challenges because they may be targeted due to the sensitive data they possess. They must also comply with many regulatory mandates and must strike a balance between meeting those mandates and improving their security posture. Both are doable; it’s just a matter of designating enough of the IT budget and IT personnel to accomplish these goals. This necessary balance needs to be struck between compliance and reducing actual risk. By applying efficient solutions to the equation, security operations personnel can fully meet regulatory mandates while effectively mitigating risks to technology assets, data, and patients.