What is Healthcare Cybersecurity in organizations?
Healthcare cybersecurity is a strategic imperative for any organization in the medical industry — from healthcare providers to insurers to pharmaceutical, biotechnology and medical device companies. It involves a variety of measures to protect organizations from external and internal cyber attacks and ensure availability of medical services, proper operation of medical systems and equipment, preservation of confidentiality and integrity of patient data, and compliance with industry regulations.
An Industry Under Attack
The healthcare industry has historically been a primary target of cyber attacks. As of January 7, 2022, the Office for Civil Rights of the U.S. Department of Health and Human Services (HHS) was investigating 860 data breaches reported in the preceding 24 months; each breach exposed protected health information (PHI) of 500 or more individuals. One hundred nineteen (or 13.8%) of these breaches involved “Business Associates” — vendors and other third parties who had access to sensitive patient data — with the largest breach affecting 3.25 million people. According to the 2021 Cost of a Data Breach Report by IBM and Ponemon Institute, the average cost of a healthcare breach was $9.23 million, more than twice the $4.24 million average for all industries.
Threat actors view healthcare organizations as attractive targets for at least three reasons:
- Healthcare organizations have an extensive and often unprotected attack surface. In addition to attack vectors common to all enterprises, healthcare organizations deal with a wide range of connected medical devices (Internet of Medical Things, IoMT), usage of personal endpoints that may lack adequate endpoint security at healthcare facilities (BYOD), and numerous third parties having access to sensitive patient data and critical assets in hospital settings. Further, the proliferation of home working and virtual doctor’s visits (telehealth) prompted by COVID-19 and the rapidly rolled out but not always properly secured supporting IT infrastructure have created even more opportunities for attackers.
- PHI data has high value on the black market. The value of PHI to threat actors is high, due to the richness of personal information that these records contain that can be used for identity theft, healthcare insurance fraud and other malicious activities. Therefore, each medical record can fetch hundreds of dollars on the black market — a lot more than a stolen credit card number, for example.
- Breaches cause material damage (hence, victims’ greater willingness to pay attackers to free themselves from ransomware). Disruption in the work of healthcare facilities and inaccessibility of patient data that may be required to perform critical procedures can, literally, cost lives. Plus, privacy regulations like HIPAA impose massive fines for PHI disclosure. Penalties for HIPAA violations related to “privacy, security, breach notification and electronic health care transactions” can reach $1.81 million per calendar year.
Types of Attacks
According to HHS Office of Information Security’s “2020: A Retrospective Look at Healthcare Cybersecurity,” ransomware attacks accounted for almost 50% of all healthcare data breaches. In 2021, threat actors extorted from healthcare organizations ransomware payments averaging $910,335, per Baker Hostetler’s 2021 Data Security Incident Response Report.
With respect to specific attack types, the 2021 Verizon Data Breach Investigations Report states that 86% of covered healthcare breaches were caused by:
- Errors (including mis-delivery)
- Web application attacks
- System intrusions, including those involving credential theft
Cybersecurity Strategies and Regulations
To help healthcare organizations safeguard critical assets and data, government and industry bodies have published compliance mandates and recommendation frameworks, such as:
- General security and privacy:
  - HHS and Healthcare and Public Sector Coordinating Councils’ “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients” provides a “common set of voluntary, consensus-based, and industry-led guidelines, best practices, methodologies, procedures, and processes” to help healthcare organizations reduce cyber risk.
  - The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information (ePHI). The Security Rule mandates compliance with administrative, physical and technical safeguards to ensure ePHI’s confidentiality, integrity and security, including, among others, access control.
  - NIST’s “HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework” maps HIPAA Security Rule standards and implementation specifications to applicable NIST Cybersecurity Framework sub-categories.
- Protection from ransomware:
  - HHS’s “Ransomware Fact Sheet” offers specific guidance for protection against ransomware and recovery — specifically in the context of HIPAA notification rules.
  - CISA’s alert (AA21-131A) “DarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks” provides mitigation recommendations to reduce ransomware risks, including:
    - Requiring multi-factor authentication for remote access
    - Enabling strong spam filters to prevent phishing emails from reaching end users
    - Implementing a user training program and simulated spear phishing attacks
    - Filtering network traffic
    - Updating software, including operating systems, applications and firmware
    - Limiting access to resources over networks, especially by restricting RDP
    - Setting antivirus or antimalware programs to conduct regular scans
    - Ensuring user and process accounts are limited through account use policies, user account control and privileged account management
    - Preventing unauthorized execution by:
      - Implementing application allowlisting and Software Restriction Policies (SRPs)
      - Disabling macros in Microsoft Office attachments
    - Monitoring or blocking inbound connections from anonymization services (Tor) and post-exploitation tools (Cobalt Strike).
The Importance of Protecting Data with Access, Credential Management and Privilege Controls
All healthcare cybersecurity frameworks and regulations place great importance on safeguarding access. For example, the NIST Cybersecurity Framework includes Access Control (PR.AC) and Protective Technology (PR.PT) in its “Protect” pillar. NIST prescribes that “access to assets and associated facilities” must be “limited to authorized users, processes, or devices, and to authorized activities and transactions.” This includes the following requirements specific to digital access:
- AC-1: Identities and credentials are managed for authorized devices and users.
- AC-3: Remote access is managed.
- AC-4: Access permissions are managed, incorporating the principles of least privilege and separation of duties.
- PT-3: Incorporate the principle of least functionality by configuring systems to provide only essential capabilities. This is critical to limiting the area of attack and ensuring the least privilege principle.
Protecting access is foundational to implementing a Zero Trust model and the overall defense-in-depth strategy. Accordingly, 59% of health system CIOs surveyed by Black Book Market Research for their 2020 State of the Healthcare Industry Cybersecurity Report are shifting security strategies to address user authentication and access.
Some examples of specific measures to safeguard access and privilege include the following:
- Implementing adaptive multi-factor authentication and single sign-on to prevent incidents resulting from credential compromise
- Protecting access to privileged accounts to foil takeover attempts and prevent breaches
- Combining the following approaches to block unpermitted application access to sensitive data to prevent ransomware encryption:
  - Application allowlisting to only allow programs explicitly permitted by security policy to execute
  - Prohibiting applications (other than those specified by policy) from accessing sensitive data, even if they are allowed to run
  - Removing local admin rights and enforcing least privilege on endpoints to prevent privilege escalation and restrict lateral or vertical movement
  - Cataloging software and putting in place specific execution and operation policies
  - Applying SRPs or other controls to prevent programs from executing from common ransomware locations
- Securing remote third-party access to reduce the risk of breaches arising from compromise of vendors, contractors, business partners and other external parties.
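An added example (not code from the page, CISA or NIST) that turns several of the CISA recommendations above and the endpoint privilege controls in this list into a read-only PowerShell posture check for one Windows endpoint. It assumes a Windows 10/11 or Server host with PowerShell 5.1+, an elevated session, and Office 16.0 policy paths; it only reports findings and changes nothing.

```powershell
# Added example, not code from the page, CISA or NIST: read-only posture check
# of one Windows endpoint against several of the controls listed above.
# Assumes Windows 10/11 or Server, PowerShell 5.1+, run elevated; the Office
# policy path assumes a 16.0 install (Office 2016/2019/365).
function Get-RegValue($Path, $Name) {
    # Return $null when the key or value is absent instead of throwing
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-RansomwarePosture {
    $findings = @()
    # Restricting RDP: deny Terminal Services connections, or at least require NLA
    $ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    if ((Get-RegValue $ts 'fDenyTSConnections') -ne 1) {
        $findings += 'RDP is enabled; confirm it is needed and reachable only behind VPN with MFA'
        if ((Get-RegValue "$ts\WinStations\RDP-Tcp" 'UserAuthentication') -ne 1) {
            $findings += 'RDP does not require Network Level Authentication'
        }
    }
    # User Account Control
    $pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    if ((Get-RegValue $pol 'EnableLUA') -ne 1) { $findings += 'UAC (EnableLUA) is disabled' }
    # Least privilege on endpoints: anything beyond the built-in Administrator account
    $admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue)
    if ($admins.Count -gt 1) {
        $findings += "Administrators group has $($admins.Count) members: $($admins.Name -join ', ')"
    }
    # Software Restriction Policies: DefaultLevel 0 = Disallowed (allowlist mode),
    # 262144 = Unrestricted; a missing value means SRP is not configured at all
    $srp = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers' 'DefaultLevel'
    if ($srp -ne 0) { $findings += 'SRP is not in default-deny (allowlist) mode' }
    # Office macros: VBAWarnings 4 = disable all, 3 = only digitally signed
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $v = Get-RegValue "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security" 'VBAWarnings'
        if ($v -notin 3, 4) { $findings += "$app macros are not disabled by policy (VBAWarnings=$v)" }
    }
    # Antivirus: Defender real-time protection; a missing cmdlet means another AV or none
    $mp = if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) { Get-MpComputerStatus }
    if ($null -eq $mp) { $findings += 'Defender status unavailable; verify third-party AV scanning' }
    elseif (-not $mp.RealTimeProtectionEnabled) { $findings += 'Defender real-time protection is off' }
    return $findings
}

Test-RansomwarePosture | ForEach-Object { Write-Output "FINDING: $_" }
```

Each finding maps back to one item in the CISA list or the privilege controls above; an empty result means the checked settings match those recommendations, not that the host is fully hardened.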
The path to securing greater public trust
Cyber attacks and security breaches have steadily increased across Canada and the world, and health organizations are seen as a leading target. In May 2017, the United Kingdom’s National Health Service faced major disruption with a significant ransomware attack. While no information was compromised, the attack postponed some operations and raised concerns about the state of cybersecurity in the health care sector.
Health care organizations are greater targets for theft than organizations in other sectors for a few key reasons. The personal health and research information these facilities hold are high-value commodities to cyber criminals. And decentralized information systems provide for greater access, putting patient care, research and privacy at risk.
In 2017, we collaborated with a sampling of Ontario health care organizations to assess their cybersecurity readiness. They were all aware of the approach we undertook and gave us permission to help them get a broader view of cybersecurity. We simulated the techniques real attackers would use to steal sensitive information, focusing on avoiding detection and monitoring. And we were able to access some sensitive information without being detected in a surprising number of cases. While steps have been taken to remediate these specific issues, the threat of new vulnerabilities is ever-present. Based on our analysis of what we discovered, we’re recommending actions organizations can take to focus their resources, be more proactive and start on the path to greater patient trust in the face of unprecedented security threats.
Five steps toward cybersecurity resilience
Health care organizations are increasingly aware of the importance of managing cybersecurity risks. Based on our study, we recommend five actions that can be taken to translate risk awareness into improved cybersecurity.
1. Develop a risk-informed cyber strategy
A cyber risk management strategy should be informed by an awareness of the threats organizations face. To start, assess the threats against the facility’s digital assets and identify potential security issues. It’s important that health care organizations organize themselves by developing a clear list of cybersecurity priorities and resources required to support meaningful transformation. Use the help of experts throughout the process, if needed.
Best practices for conducting a risk assessment also include having a clear understanding of the assessment’s purpose and scope. With a proper assessment and strategy, organizations have a clear, actionable way to achieve their goals in the face of change while preserving their priorities.
2. Actively monitor systems
If hackers infiltrate an organization’s systems, it’s important to be able to detect their movements, and take quick action in response. But a lack of strong internal monitoring is common in health care organizations across Canada. During our in-depth assessment, we were able to uncover sensitive information from a few facilities without being detected, highlighting the need for continuous monitoring of systems for abnormal activity.
Organizations should develop playbooks and review their internal procedures to determine what alerts are generated and what procedures are used to follow up on them. This will help guide them during a potential security breach. And when working with third parties, make sure to get a full picture of the data shared with the third party, and manage any risk with contractual obligations. Good monitoring can go a long way toward preventing damage caused by a breach.
3. Improve security awareness among staff
Health care organizations are at risk of targeted phishing attacks. During our assessment, several staff revealed their credentials through emails, and then we used these credentials to gain access to their internal network. These organizations are also vulnerable to physical intrusions, where hackers enter facilities and connect unauthorized devices to get remote access to internal systems.
Security awareness training is key in preventing employees from falling for sophisticated attacks or letting unauthorized personnel into sensitive areas. Dedicate time and resources to raise awareness, train employees and monitor their activities. Organizations should conduct regular phishing tests to detect problems, and then provide coaching.
4. Discover and act on vulnerabilities
Find vulnerabilities and configuration issues before a hacker exploits them. First, health care organizations should perform periodic vulnerability assessments on top of making sure systems are as robust as possible. Beyond that, penetration testing will help facilities spot a majority of flaws in their environments that could leave sensitive data open to attacks. A penetration test will help identify whether organizations are acting on any vulnerabilities and configuration issues, so it’s important to do a vulnerability assessment before initiating a penetration test.
5. Engage leadership
Senior leaders must take ownership of building cyber resilience and drive the development of a cyber risk management culture at all levels. Across all sectors, only 44% of respondents say boards are actively shaping their organizations’ security strategies.
It’s important to establish a top-down strategy to manage cyber and privacy risks across all health care organizations. There are many stakeholders involved: boards need to set the mandate, management needs to enable its teams and teams need to do an effective job. The most secure organizations are in a position to succeed due to strong leadership and a board-level mandate around cybersecurity.
In the face of unprecedented security threats, it’s time to take a broader view of managing cybersecurity to help protect patients, research and privacy. Acting on these recommendations can help our health care organizations mitigate cybersecurity risks.