It would be difficult to overstate the cybersecurity challenges faced by healthcare entities—providers in particular—in 2020. Hospitals and health systems were already prime targets for cyberattacks due to the huge amount of personal information contained in patient records. This year, two opportunities presented themselves to cybercriminals: IT staff was stretched thin by pandemic-related activities, while employees working from home created a wave of new vulnerabilities.
No one will be surprised to learn that the breach statistics reported in the 2021 Horizon Report are dismal. More than 500 healthcare organizations reported a breach of 500+ patient records, with 23.5 million individuals impacted. During the first 10 months of 2020, the number of reported breaches rose 18% over the same period in 2019.
Providers were by far the most targeted sector, accounting for 79% of all reported breaches. Just over 400 providers were involved with a breach, compared with 47 health plans and 59 business associates. Hacking continues to be the primary cause of breaches, but network-server attacks are on the rise as well. Ransomware attacks are a major cause for concern, with the FBI, Department of Health and Human Services and Department of Homeland Security warning healthcare executives at the end of October about an imminent threat. However, email remains the most common means of stealing patient data, with phishing campaigns growing steadily more sophisticated.
Rethinking Security Operations
For years, healthcare providers lagged their corporate counterparts when it came to cybersecurity. Recently, they made up significant ground, recognizing the need to allocate sufficient funds, focus on fundamentals, and outsource functions they cannot cost-effectively perform in-house. Unfortunately, 2020 threw a huge wrench in the works.
The need to quickly shift non-clinical staff from working at the facility to working from home exposed new vulnerabilities. Piling onto that exposure were weak links like ineffectual passwords and the tendency to click on suspicious emails, plus employees using personal computers and firewalls rather than company-issued equipment. All this forced hospitals to—once again—rethink data governance policies and procedures.
Specifically, security information and event management (SIEM) is taking a front seat. SIEM software collects data from the entire technology infrastructure and analyzes that information for possible security risks, allowing organizations to take action against threats. For example, SIEM monitoring catches the “impossible traveler” in which a single user is logged in from outside the US or two widely separated locations at the same time. Some providers are choosing to outsource this function to ensure 24/7/365 protection.
Providers are also focused on shoring up internal training and procedures, including tightening down access to narrow the universe of users. For example, billing staff may not need access to the general ledger system to do their jobs. Similarly, employees can be prohibited from downloading files onto removable media and local devices.
Frequent and thorough email-related training is lacking at many provider organizations, especially given that the biggest security risk is employees who don’t practice proper email hygiene. Workers should be aware that phishing emails can look like a message from a boss or the health system, such as a meeting reminder with an attached agenda. IT can augment training by placing warning banners on emails originating outside the health system, requiring strong passwords that must be changed frequently, and using multifactor authentication.
Some hospitals are going a step further, looking at whether or not every worker actually needs email, and even more so defining the need for users to access email externally from public access assets. For instance, non-management nurses may only need it once or twice a year for compliance training. The rest of the year, they can use public-access computers with their ID badge serving as the login credential to access online versions of enterprise software.
Creating a More Complete Incident Response Plan
Given the number of large breaches (not to mention subsequent fines levied by the Office of Civil Rights), many healthcare IT executives are taking harder looks at their incident response plan (IR Plan). The time to decide who will be in charge, who will be contacted first and next, and what to do in what order is before an attack occurs.
A complete IR plan should contain:
- An accurate inventory of all technology in the network. This means not just the EMR and radiology system, but connected HVAC controls and even drink machines that take credit cards.
- A full list of those who need to be contacted, and in what order, when an incident is detected. This is especially important in the event of a ransomware attack; fast response can preserve forensic evidence that can help identify the attacker and be useful during the insurance claim process. If you have an internal computer security incident response team or security incident response team, that should probably be the first call; appropriate executives should be next; followed by the legal team and your cyber insurance carrier.
- Procedures for containing the threat, eradicating it, preserving evidence, rebuilding the affected system, and safely putting it back on the network.
- Plans for conducting a lessons-learned initiative to understand what went right, what went wrong, the root cause, and the performance of the respondents.
It’s important to view the IR plan as a living document that needs frequent review and updates. Rapid and appropriate response may be the difference between being able to provide caregivers with systems that are available, protected, and confidential and not being able to provide care at all.
Right-sizing Cybersecurity Technology
An old idea is being brought back to the forefront in the case of many providers: tools rationalization. It’s common for organizations to have unused cybersecurity tool capacity, tools nearing end of life needing replacement, and coverage gaps due to installation of point solutions rather than newer tools that effectively handle several tasks.
Taking a holistic approach to your technology toolkit helps with these issues, and is especially relevant as the industry moves from a perpetual-license model to a subscription-based one.
Consider the following:
- Are you successfully tracking what cybersecurity technology you have, what it covers, what type of software it is (purchase/subscription), and when renewals occur?
- Do you fully understand the capabilities of the tools you have?
- Are there opportunities for consolidation between tools providing the same or similar functionality?
- Which tools are nearing end of life or are not being supported any longer?
- Could some of your point solutions be replaced by tools that can handle several tasks, possibly on a software-as-a-service (SaaS) basis to ensure the software is always up to date and eliminate subscription renewal hassles?
- Are you monitoring progress toward maturing your cybersecurity posture and meeting regularly with stakeholders to provide updates and discuss issues?
- Are you evaluating compatibility with existing solutions for every purchase under consideration?
The 2021 Horizon Report makes four predictions for the coming year. First, a double-digit increase in breaches fueled by email phishing and ransomware attacks. Second, a larger spend on cybersecurity services and software thanks to C-suite recognition of high-value risks from increased endpoints (remote workforce and telehealth). Third, a focus on tightening access using multi-factor authentication, identity access management, and cloud access security brokers. Lastly, the advent of tools rationalization in an effort to reduce expenses, eliminate security gaps, and ensure best-in-class software is being deployed.
A daunting list, to be sure, but healthcare IT and cybersecurity experts know that focusing on the importance of user training and threat monitoring, while getting strategic about mitigating gaps and access management, will better position them for 2021.