It is hard to make it through a workday without hearing of another healthcare data breach or ransomware attack. This shouldn’t be a surprise; since March 2021, the United States has averaged more than two reported healthcare data breaches every day.
Healthcare is disproportionately targeted: 34% of all data breaches in the U.S. involve a healthcare organization. Yes, healthcare is a large industry, but we’re not that large. Here’s why security is such an issue for our critically important but increasingly fragile industry.
- Black market value of healthcare records. According to a Trustwave report, a healthcare data record may be valued at up to $250 per record on the dark web. In second place? Payment cards at a fraction of the value, a mere $5.40 per record.
- Competing management priorities. CIOs often focus on tech that improves patient care and underprioritize systems integrity. COVID has made matters worse because healthcare organizations understandably have diverted resources to combat the pandemic.
- Underperforming security infrastructure. Broadly speaking, healthcare lags behind other large industries in updating information systems and enabling effective monitoring of the attack surface.
- Complexity of governance and compliance process standardization across enterprises. Over the last decade, there has been significant consolidation in the healthcare industry. Most acquisition targets are assimilated without adherence to best cybersecurity compliance practices. This leaves the overall enterprise vulnerable to data hacks and ransomware attacks.
ESTABLISH A HEALTHCARE SYSTEM WITH CYBERSECURITY RESILIENCY
The four pillars of cybersecurity resilience are system design, system deployment, ongoing vigilance and compliance governance. Success depends on a risk mitigation approach to continuously manage threats, vulnerabilities and compliance gaps.
1. System Design Excellence
Design your IT systems with the end in mind. Intimately know your users, their data needs and all required applications. When designing your IT system, consider:
- Using multi-factor authentication for remote access.
- Establishing a second layer of user authentication for access to sensitive data or applications.
- Enabling strong spam filters on external web-facing applications and sites to prevent phishing exploits.
- Enabling rules and policies for user access rights and privileges to applications, data, and supporting information systems.
- Establishing a disciplined process for monitoring the entire system and keeping firmware, operating system software and end-user applications up to date.
- Providing authenticated restricted network access to only the right users from within or outside your organization.
- Using system controls to identify security holes and vulnerabilities, backed by defined processes with the required steps to effectively remediate high-risk issues.
No system design is complete without addressing the weakest link, the human factor. All users within the organization must be knowledgeable about the protocols, policies and risk mitigation procedures that affect them. Simply increasing awareness and distributing knowledge content is not good enough; training programs with active exercises are far more effective. Good training systems require people to fix their mistakes before being allowed to move to the next step.
2. Systems Deployment Excellence
Since most modern deployments (implementations) depend on coordination, uniting disparate teams remains a significant challenge. Developers, IT operations professionals, infrastructure engineers and business managers each have roles to ensure success. All need to strive to:
- Remove silos within your organization. Consider creating a single DevOps team made up of representative stakeholders who oversee development, operations and everything in between.
- Develop a culture of continuous improvement. Operationalize:
  - Periodic audits and checks.
  - Automated monitoring with real-time alerts.
  - Quick, active remediation of discovered weaknesses.
- Institute best practices across the software deployment process, including vulnerability and compliance remediation.
- Deploy automated network scanning tools to identify system threats and vulnerabilities.
Most software development and deployment stakeholders know what they should do when performing their jobs, but unfortunately, they don’t always do it. Instilling operational excellence into your systems DevOps team helps mitigate system risks that can make your environment vulnerable to attacks and exploitation.
3. Vigilance Excellence
Post-implementation, run your cybersecurity protocols on schedule.
When vulnerabilities and compliance issues are identified, immediately execute your remediation process, especially for those rated high importance or critical. Also:
- Automatically identify, track, and monitor sensitive data flows within your organization and throughout your ecosystem of employees, contractors and vendors.
- Continuously monitor the dark web for breached data.
- Periodically run a user training program that includes simulated “spear-phishing” to discourage users from opening malicious attachments or visiting unsafe websites. Again, the weakest link of any secure environment is humans, so the more situationally aware users are, the more resilient your organization will be. Inform your employees of successful attacks at well-known healthcare organizations, so they understand why they need to comply with the security procedures you require.
- Mandate an annual attestation from all employees of successful training compliance, including a review of security policies and procedures. Do the same for new staff hires.
- Automatically screen for sanctioned individuals joining your payroll.
- Automate vendor oversight to monitor vendor compliance gaps and implement vendor risk and remediation processes.
Keeping to this schedule is a lot easier with automation. There are many tools that can help you do this, but if you choose manual processes, develop rigorous compliance protocols to protect your healthcare organization.
4. Compliance Governance Excellence
Be in continuous compliance with all appropriate security frameworks, which in healthcare is usually a combination of HIPAA, NIST, HITRUST, CIS Critical Security Controls, ISO 27000 and COBIT standards. Much of this work can be assessed through scheduled automated scans of the IT network environment. Any discovered weaknesses need immediate remediation and documentation. After identifying the security frameworks appropriate to your healthcare organization:
- Maintain a state of ‘continual readiness and compliance’ for all frameworks.
- Establish a comprehensive set of security protocols, policies and standard operating procedures that are current with the requirements of regulatory standards and controls.
- Ensure your policies and procedures are widely accessible to appropriate staff.
- Enforce all security policies with regular compliance assessments and monitor through automated compliance scans of your information systems and data network.
If you have created processes for quick remediation, then whenever an automated scan identifies a compliance issue, your organization will easily maintain a prescribed state of cyber-hygiene and readiness.
HOW WORRIED SHOULD YOU BE?
If you’re a small provider and think you will fly under the radar of cybercriminals, think again. Many small organizations leave themselves widely exposed, and this puts their stakeholders at risk. Comparable patient health records have the same value regardless of whether they originated from a large or small organization.
If you’re a large provider and think that your market impact will deter a cybercriminal, think again. In the past few months alone, cyberattack targets include well-known marquee healthcare names like Intermountain Healthcare, Florida Blue, Scripps Health, Temple University Hospital and Walmart.
So, if you’re unprepared or even under-prepared, you should be very worried. CEOs and Boards of healthcare organizations increasingly are recognizing cyber risk as a core threat to reputational and financial performance. Take the bull by the horns and develop the right security posture for your organization before the spotlight shines on your vulnerabilities.
It’s a matter of time before hard questions will be asked about how well cyber risk is being managed within your organization. Be prepared by adopting a risk-based approach and maintain a continuous compliance readiness environment. This will significantly aid you in becoming more cyber-resilient.
There are no shortcuts. The work must be done. The alternative to cyber-resiliency is potential disruption of care and unnecessary cost, either of which can be catastrophic.