In recent years, digital transformation has conspicuously changed numerous industries, reshaping everything from retailing to manufacturing — including healthcare. Like many other industries, the healthcare sector was compelled to rapidly adopt a combination of remote and distributed work, supported behind the scenes by an array of digital healthcare technologies.

While these technologies created new benefits and efficiencies, they also expanded the healthcare sector's attack surfaces, offering threat actors opportunities to breach important digital infrastructure. Cybercriminals have exploited these openings to devastating effect, ransoming hospitals and entire healthcare systems by shutting down critical functions, including medical records and billing.

Historically, many industries largely relied on government regulations to protect against security threats. While compliance does not equate to security, adhering to an official checklist of mandates gave many an acceptable (perhaps perceived) baseline level of protection. Yet the speed and sophistication of today's threat actors have made clear that the public sector too often falls far behind the pace of change. To protect themselves against current and future cybersecurity threats, organizations must become individually responsible for testing and validating their cybersecurity programs, adopting proactive rather than reactive security postures.

Healthcare's changing threats

Today's healthcare sector faces several particularly concerning cybersecurity challenges, including noteworthy increases in the volume, sophistication and variation of attack methods that have made their way into the wild. In addition to ransomware attacks for monetary gain, the industry has seen attacks designed purely for disruption and others focused on compromising user data, with the quantity and complexity of new threats exacerbating already challenging security gaps.

Cybercriminals have recently leveraged indirect supply chain attacks to disrupt companies well beyond their initial targets. Late last year, a ransomware attack on HR and payroll vendor Ultimate Kronos Group (UKG) led to widespread payroll issues at several health systems, adding one more stressor for employees already impacted by the COVID-19 pandemic — and spurring employee lawsuits this year against UKG's customers.

Patient data is still valuable, but it's no longer the holy grail for healthcare sector threat actors. Instead, cybercriminals are increasingly adopting wartime strategies, engaging in multi-pronged attacks that apply indirect pressure on critical infrastructure while causing compounding disruptions across the entire healthcare value chain. Major healthcare systems will be targeted along with similarly essential services ranging from water to energy and other utilities. These threats could easily go beyond crippling our healthcare system and putting patients at risk, more broadly imperiling the surrounding economy and infrastructure.

Uneven regulatory guidelines

In the era when cybersecurity threats weren't frequently hitting infrastructure, they could be addressed on a reactive basis — organizations could comfortably lean on federal legislation and industry-specific regulations to gauge whether they were adequately protected against likely digital threats.

Today, that's not the case. Consider the increasingly important area of individual digital privacy protections, where the regulatory landscape is chaotic, marked by state-by-state legislative variations and narrow regulations. Conformance is extremely challenging at best, and at worst unpredictable and fluid. So despite user demand and legislative need for clear privacy safeguards, 2022 will bring us no closer than we were before to a unified federal standard.

Absent that, organizations must proactively take responsibility for adopting safeguards and other measures to better protect themselves and, where appropriate, users. One viable option is to implement policies that extend beyond the minimal baselines established by federal regulations and the least aggressive state regulations, matching or exceeding the standards of the most aggressive regulations.

Regain your footing

Standing still is not an option given the current healthcare cybersecurity landscape — in times of change, stagnant security and privacy programs are falling behind. Modern security requires constant vigilance from both organizations and their cybersecurity partners, ensuring readiness for inevitable future cyberattacks. Leaders must shift from reactive to proactive mindsets, test and validate their systems, and be prepared for attacks on a "when," not "if" basis.

The following four foundational steps will help healthcare organizations get on the right path toward a safe and secure future:

  1. Initial threat intelligence: Organizations must begin by adopting processes and technologies that illuminate both the dynamic threat landscape and the tactics threat actors are employing.
  2. Baseline modern security: After assessing their risks, organizations should adopt modern security measures, including multi-factor authentication and privileged access management, to create a threshold level of security. 
  3. Training and planning: From the ground floor up to the C-suite, the simple act of training staff will ensure every employee understands the risk and gravity of modern cybersecurity threats. Response plans should be drawn up before potential breaches, and key players must know who needs to be contacted immediately, including law enforcement and local, state or federal agencies.
  4. Testing: Healthcare systems use unique application programming interfaces (APIs) to exchange records and data. APIs should be thoroughly tested before they are trusted in healthcare systems, enabling communication while preserving internal security measures.

Threat actors never rest in today's world — cybersecurity threats are growing more challenging every day. Dollars spent responding, reacting and recovering are simply not being used wisely or productively.

As times have changed, healthcare systems must change with them — that means doing more than annual risk assessments and occasional tests. Going forward, organizations and their technology partners must take responsibility for deploying robust, thoughtful technologies and procedures, as well as regular testing and validation of systems. These measures are the best ways to meet modern cybersecurity demands, while properly preparing organizations for whatever's to come.