The battle to secure healthcare data is taking place behind the scenes
A CISO at a large Midwestern healthcare system finally said it out loud: "Hospitals are at war, but no one wants to admit it." That war isn't only with disease; it is also with online attackers, or more specifically, with the ever-present threat of ransomware.
In the midst of a pandemic, 48 percent of U.S. hospital networks shut down at some point due to ransomware attacks in the first half of 2021 alone, and similar stories have been playing out globally. Worldwide, healthcare margins are slim and budgets are tight, and treating a record number of COVID-19 patients is quickly draining resources while blocking other revenue streams. Hospitals are the underdog in this war. If nothing changes, hospitals stand to lose a lot more than the average $169,000 in ransom money paid out for each attack. But coming up with a winning battle plan is tough to do when you're fully engaged in putting out cybersecurity fires.
Healthcare information is some of the most valuable data in the world. A single healthcare record can be sold for as much as $250 on the black market. The next most valuable stolen data type is payment card data, with each record selling for just $5.40.
But healthcare data has more value than just the price it commands on the Dark Web. Healthcare data can be used to bilk providers out of millions, if not billions, of dollars through healthcare fraud and identity theft. It can also be used by nation states, terrorists, and other bad actors to defeat biometric security controls, uncover military equipment and vehicle weaknesses through the study of veterans' wounds, and even develop bioterrorism weapons.
The prevalent issue stoking the threat is money: too much of it gained by criminals and too little of it spent by hospitals to hold the line.
"While there tends to be available funds following a data breach or cybersecurity incident, appropriate funding to prevent and mitigate cyberattacks is often lacking or insufficient," says Dan L. Dodson, CEO at Fortified Health Security. "Healthcare organizations must appropriately budget for these preventative efforts and deploy the necessary security tools to protect the network from bad actors and human error before an event occurs."
The good news is that after losing millions of dollars to ransomware, and knowing that patients' lives may be at stake too, hospitals are finally upping their security game, including increasing cybersecurity budgets. The question now is where to spend those funds to build the best defenses.
A war with no rules
Rules of engagement, or rather prevention, have been in place all along. So why did the fight against cybercriminals suddenly erupt into a war? Given strict privacy and security regulations around the world, how did hospitals end up fighting on so many battlefronts at once? Shouldn't compliance with laws like HIPAA mean health data should be reasonably secure by now?
"HIPAA is a baseline," says Mark Kirstein, vice president of customer success at Cosant Cyber Security. "However, in our experience, many healthcare companies do not fully operationalize HIPAA. Thus, while they may be compliant on paper, their day-to-day operations are often lacking."
Beyond baseline HIPAA compliance, Kirstein recommends companies apply the NIST Cybersecurity Framework and the healthcare-specific controls found in HIPAA, NIST SP 800-66, and ISO 27001.
"When the controls from these frameworks are both implemented and maintained, the healthcare company will be substantially ahead of most organizations in realizing real risk reduction," Kirstein adds.
While these are crucial steps in forming a strong defense, it's not a march you can do in double time.
"It's impossible to completely reinvent an organization's cybersecurity culture or meet all regulatory guidance overnight. By creating a 30-, 60-, and 90-day tactical cyber-hygiene plan that integrates these two initiatives into the organization's 36-month security strategy, healthcare leaders can efficiently effect change," says Dodson.
In war, it's prudent to build defenses in layers, and the reinforcement provided by regulations is just one layer. Healthcare organizations must address many other layers to strengthen their defensive line at a faster cadence.
"The security around healthcare data is heavily regulated, but hospitals need to go further than the regulations for more than the bare-minimum protection," says Rich Bird, worldwide healthcare and life sciences lead at Hewlett Packard Enterprise.
Stretching funds for a better and faster defense
There's no getting around the fact that plentiful money and resources are necessary to keep any organization safe, and that goes double for healthcare operations.
"It takes money—sometimes lots of it—to adequately secure data in a healthcare environment where lots of people need access to lots of data to do their jobs. One of the key obstacles many healthcare organizations face in securing their data is getting sufficient funding to have a rigorous, continuously updated security risk management program," says Kristen Rosati, an attorney at Coppersmith Brockelman, a leading HIPAA compliance and data sharing law firm.
Fortunately, there are ways to make the money and security stretch further. One important way is to examine the manufacturing processes and supply chains of key IT and hardware vendors.
Look for manufacturing and development processes that bake security into every layer of the vendor's architecture. In other words, look for extra security features in the things your organization buys from vendors that aren't security companies.
"Look for points of built-in security up and down the stack. Ensure the physical servers, the chips, and the supply chain for product components all the way up through the operating system and then throughout the software applications are all secure and have additional security baked in," says Laura Curry, senior healthcare practice manager at HPE.
The value in taking these extra steps can be significant. According to the U.S. Department of Health and Human Services, the five main threats to healthcare organizations are email phishing, ransomware, data and equipment theft, insider threat, and exploited medical IoT. Vendors can improve security on a number of these fronts. Component makers and device manufacturers have also been known to build spyware into products, unbeknownst to buyers, and malware can slip into the supply chain in other ways, too.
In both cases, a vigilant manufacturer will have processes in place to guard against potential threats like these. Further, they'll layer security measures throughout their architectures to detect, alert, and disable these types of intrusions. By requiring such security features, healthcare organizations can add substantially to their defenses without much additional effort and at a cost that was already budgeted in a refresh or upgrade cycle.
The bottom line: Taking a more holistic view of how you think about security in your healthcare organization can reveal some surprising advantages in defense that can easily be leveraged.
Start by operationalizing various healthcare security regulations, but remember that most are out of date and thus unprepared to completely snuff out increasingly sophisticated threats across a growing threatscape. From there, reevaluate every aspect of the business to look for defense opportunities while you're searching for security vulnerabilities.
This article/content was written by the individual writer identified and does not necessarily reflect the view of Hewlett Packard Enterprise Company.