Healthcare organizations (HCOs) are under attack. Any organization that handles protected health information is an irresistible target for cyberattackers, regardless of where it sits in the health ecosystem. One survey found 70% of healthcare organizations had experienced a “significant [cyber]security incident” within the past 12 months.
Cybercriminals target HCOs because of the value of health records on the black market (dark web). A stolen credit card is easily cancelled, but a medical record can contain birthdates, social security numbers, contact information, and other details that give the information a longer “shelf life.” Individual medical records have sold for as much as $1,000 per record due to the richness of the personal data they contain.
Given the value of medical records, it is no surprise the number of healthcare data breaches has continued to soar. The first half of 2021 saw a record high for reported healthcare data breaches, many of which were caused by cyberattacks.
An equally alarming development is the increase in ransomware attacks on healthcare organizations. Cybercriminals are using ransomware to encrypt healthcare data, disrupt operations, and extort large payoffs. A recent HHS study found 34% of healthcare organizations were hit by a ransomware attack in the past year.
Ransomware attacks on healthcare organizations have proven to be an effective strategy for cybercriminals because patient lives are at stake. A ransomware attack on the Irish national health system – Health Service Executive (HSE) – earlier this year forced the organization to shut off all of its IT systems, disrupting patient services across the country. As of late June, the HSE was still dealing with significant disruptions to the system.
Once an HCO’s data is encrypted, the organization has a limited ability to negotiate because patient welfare is at stake. That is why nearly one in three HCOs end up paying the requested ransom, despite experts’ advice not to do so.
Disruptions to patient care aren’t the only consequences HCOs experience as the result of cyberattacks – there can also be significant legal and financial consequences. Cyberattacks that lead to data breaches in violation of the Health Insurance Portability and Accountability Act (HIPAA) can result in multimillion-dollar settlements and civil monetary penalties from HHS/OCR. Other consequences can include legal fees, class-action lawsuits, and long-term damage to the organization’s reputation.
The bottom line is cyberattacks on healthcare organizations are continuing to increase in both severity and frequency and HCOs need to be prepared.
Resilience is critical to any healthcare cybersecurity strategy
HCOs need to understand it is no longer a matter of “if” their organization will come under attack, but “when.” That’s why resilience is a critical component of a healthcare organization’s cyber strategy. When it comes to resilience and cybersecurity, the healthcare sector can borrow best practices from the military playbook.
Presidential Policy Directive-21/PPD21 on Critical Infrastructure Security and Resilience defines resilience as, "The ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions.” It is the ability to “take a hit” and still move forward in executing on the organization’s mission. The concept of resilience is a cornerstone in the defense industry. Every aspect of military strategy — from building warships to developing defensive cyber architecture — is designed with resilience in mind. HCOs need to plan for the inevitability of a cyber incident and be prepared to respond quickly and effectively. All hands man your battle stations, this is not a drill!
Cybersecurity resilience begins with a change of mindset
Building a cyber-resilient healthcare organization begins with a change of mindset. It is critical for HCO board members and C-suite executives to understand two key points:
- Cybersecurity is an enterprise-wide concern. Cybersecurity affects the entire organization, and best practice is to elevate it to the enterprise level from both an organizational and a budgetary perspective. That may mean restructuring the organization to move the role of the chief information security officer out of the IT department so it engages the organization at the executive level. Many HCOs still treat cybersecurity as a line item under the IT budget; the budget should instead reflect the enterprise-wide concern it is. Other industry sectors routinely spend 15% or more of their IT budget on cybersecurity, while many HCOs (43%) spend less than 6% of their IT budget on it.
- The majority of HCOs will experience a successful cyberattack at some point in time. HCOs need to be prepared for when the inevitable happens. Being prepared means having a well-documented and well-rehearsed plan in place to deal with the clinical, operational, technical, and reputational consequences of a successful cyberattack. The time to test your business continuity plan is not in the middle of a breach.
Building resilience by taking a strategic approach to healthcare cybersecurity
In addition to a change of mindset, building resilience requires organizations to take a comprehensive and strategic approach to confronting the problem of cyberattacks. Being “brilliant at the basics” sets a strong foundation for long-term success. The key components of a strategic approach to cybersecurity include:
- Treating resilience as a business imperative, not merely a security issue. Building a resilient organization needs to start with a top-down approach and cannot be delegated down. Training and exercises that build resilience should be funded across the organization, not out of a single department’s budget.
- Understanding the organization’s unique data flow. Many HCOs don’t have a clear picture of where their data is coming from, who is using it, where it is being stored, and where it is being sent. Data flow varies from organization to organization; each HCO needs to have a solid grasp on their unique data flow.
- Ensuring the organization has a good data governance model in place. In addition to understanding data flow, HCOs need to be clear about the policies, processes, people, and systems in place to manage their data.
- Assessing the organization’s unique risks. Because every HCO is different, there is no one-size-fits-all approach to assessing organizational risks. For example, for some HCOs, telehealth may be a consideration; for others, telehealth is not part of their offerings. To be effective, the assessment of risk must be carried out at the enterprise level and take into consideration both the business value as well as the mechanisms available to control, avoid, assume, transfer, or monitor the risks.
- Creating a roadmap. Conduct an assessment to understand what the organization’s cybersecurity maturity level is now, then map out what needs to be done to advance the organization along the cybersecurity maturity model.
- Architecture is key. It’s important to take a deliberate and methodical approach when adding systems and capabilities. A reactive or haphazard approach to building resilience will not yield the hoped-for results. A strong configuration management program goes a long way, in addition to a frequently audited asset inventory. You can’t defend what you don’t know you have.
- Investing wisely. It’s not always about spending more money. Often, cybersecurity begins with optimizing the resources the organization already has. Start by examining the tools the organization has in place right now and assessing which tools are being used effectively and which are not.
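The “frequently audited asset inventory” point above is easy to state and rarely done. What an audit actually looks like is a reconciliation: take what the CMDB says you own and compare it with what the network actually shows (DHCP leases, a network scan, or an EDR console). The script below is an added illustration, not part of the original article and not from any particular vendor or HCO; the inventory rows, the observed hosts, the 90-day verification window and the “today” date are all constructed assumptions for the sake of the example. It flags four things a practitioner cares about: devices on the network that nobody recorded, recorded devices that have gone missing, devices whose address no longer matches the record, and records nobody has re-verified recently.

```python
"""Reconcile a declared asset inventory against observed network hosts.

Added example, not the article's own material. INVENTORY_CSV stands in for a
CMDB export and OBSERVED for a DHCP lease / scan result; both are constructed.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed CMDB export: what the organization *thinks* it has.
INVENTORY_CSV = """hostname,mac,ip,owner,last_verified
infusion-pump-07,00:1a:2b:3c:4d:07,10.20.1.7,biomed,2021-05-02
pacs-server-01,00:1a:2b:3c:4d:11,10.20.2.11,radiology-it,2021-06-20
ehr-app-02,00:1a:2b:3c:4d:22,10.20.3.22,clinical-it,2021-06-25
old-lab-analyzer,00:1a:2b:3c:4d:33,10.20.4.33,lab,2019-11-14
"""

# Constructed observation: what DHCP/scan data actually saw this week.
OBSERVED = [
    {"mac": "00:1a:2b:3c:4d:07", "ip": "10.20.1.7"},
    {"mac": "00:1a:2b:3c:4d:11", "ip": "10.20.2.11"},
    {"mac": "00:1a:2b:3c:4d:22", "ip": "10.20.9.22"},  # moved VLAN: IP drift
    {"mac": "00:1a:2b:3c:4d:99", "ip": "10.20.1.99"},  # never recorded at all
]


@dataclass
class Findings:
    unknown: list      # observed on the network, absent from the inventory
    stale: list        # in the inventory, not observed
    drifted: list      # observed, but at a different IP than recorded
    unverified: list   # inventory record older than the verification window


def load_inventory(text):
    """Parse a CMDB-style CSV into {mac: row}. MAC is the join key."""
    return {row["mac"].lower(): row for row in csv.DictReader(io.StringIO(text))}


def audit(inventory, observed, today, max_age_days=90):
    """Compare the declared inventory with observed hosts and return Findings."""
    seen = {o["mac"].lower(): o for o in observed}
    unknown = sorted(mac for mac in seen if mac not in inventory)
    stale = sorted(mac for mac in inventory if mac not in seen)
    drifted = sorted(
        mac for mac in inventory
        if mac in seen and seen[mac]["ip"] != inventory[mac]["ip"]
    )
    cutoff = today - timedelta(days=max_age_days)
    unverified = sorted(
        mac for mac, row in inventory.items()
        if date.fromisoformat(row["last_verified"]) < cutoff
    )
    return Findings(unknown, stale, drifted, unverified)


def run_audit(today_iso="2021-07-01"):
    """Run the audit on the constructed data; the date is an assumed 'today'."""
    return audit(load_inventory(INVENTORY_CSV), OBSERVED, date.fromisoformat(today_iso))


if __name__ == "__main__":
    f = run_audit()
    for label, macs in (("UNKNOWN", f.unknown), ("STALE", f.stale),
                        ("IP-DRIFT", f.drifted), ("UNVERIFIED", f.unverified)):
        for mac in macs:
            print(f"{label:10s} {mac}")
```

Each finding maps to a concrete action: an UNKNOWN device is either a new clinical device that bypassed procurement or something that should not be on the network at all; a STALE record is either a decommissioned asset that should be removed or a device that is down; IP-DRIFT is usually a VLAN or configuration change nobody documented. Running this weekly and tracking the counts over time is a cheap, measurable way to show a board that the “brilliant at the basics” foundation is actually in place.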
Healthcare must start prioritizing cybersecurity now
Healthcare organizations are at a critical juncture in the fight against cyber criminals. Cyberattacks on the healthcare sector are expected to increase for the foreseeable future. In addition, the ever-expanding footprint of healthcare delivery (telehealth, remote patient care, Internet of Medical Things (IoMT) devices, etc.) will continue to create new vulnerabilities and new challenges for healthcare cybersecurity.
The state of cybersecurity in healthcare is serious, but not hopeless. Healthcare organizations can take meaningful steps to decrease their vulnerabilities and increase their resilience. But for these steps to make a difference, healthcare organization board members and C-suite executives must commit to making resilience a priority beginning now.