By Navin Balakrishnaraja, practice director for healthcare IT Services, All Covered (IT services division of Konica Minolta).
Technology continues to advance the healthcare industry, providing more precision and improved delivery of care. However, it’s more important and even more challenging than ever for organizations to secure patient information and keep health data safe.
Advances in cybersecurity measures need to go hand in hand with privacy, and both remain a necessity. The frequency of data breaches in the healthcare industry has been rising, and healthcare is now the sector most targeted by cybercriminals.
According to the Ponemon Institute, the average cost of a healthcare breach was $7.13 million, a 10% increase from 2019. Healthcare has been a primary target in recent ransomware attacks, as the headlines and continuing media coverage show.
The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the U.S. Department of Health and Human Services (HHS) have received “credible information of increased and imminent cybercrime threats” aimed at hospitals and healthcare providers in the United States. They released an advisory about this targeted activity to all healthcare networks, and it appears that targeted attacks are only going to escalate.
Because of the immutable, high-value nature of electronic patient health information (ePHI), health data is a gold mine to cybercriminals. On the dark web, a single record sells for more than $400 on average. A large shift in ransomware deployment operations has taken place. Cybercriminals are like psychologists, staying one step ahead of tools and user sophistication. Many of them depend on malware, but the focus has been on gaining privileged access and exploring target networks to disable security processes.
The malware also performs vulnerability scans of its own to find where it can inflict maximum damage on an organization. For example, the cybercriminal enterprise behind TrickBot, which is likely also the creator of the BazarLoader malware, has continued to develop new functionality and tools, increasing the ease, speed, and profitability of victimization. Cybercriminals disseminate TrickBot and BazarLoader via phishing campaigns that contain either links to malicious websites hosting the malware or attachments carrying the malware.
Loaders start the infection chain by delivering the payload: they retrieve the backdoor from the command and control (C2) server, execute it, and install it on the victim’s machine. This example shows what organizations are up against as cyberattacks grow more intricate.
The pandemic, with more non-clinical staff working remotely, has opened up greater opportunities for hackers to manipulate users through phishing attacks that exploit sensitive subjects such as PPE requirements and incentive bait programs.
The healthcare landscape is being bombarded with all these complexities, adding a considerable financial burden to organizations. A healthy security posture and an established security culture are critical for any organization, but it’s not a matter of checking a list of boxes. There is no single silver bullet that protects your organization.
New vulnerabilities in systems and gaps in workflows are another heightened means of exploitation for cybercriminals. Infrastructure and electronic health records (EHR) systems are being put to a major test right now. You have to stay one step ahead of forward-thinking cybercriminals and be aware of the ever-changing threats. Most U.S. healthcare organizations have one or more systems in their network running outdated software and/or unsupported operating systems such as Windows 7 or Windows Server 2008, leaving systems and devices vulnerable to hackers.
Organizations should stay on top of updates to remain vigilant against new attacks. Continuous vulnerability scanning and penetration testing (yearly at a minimum) should cover your entire environment, not just the systems holding electronic protected health information (ePHI). Combine and validate that with a gap assessment that looks at the non-technical aspects, to determine what is working well versus the gaps in strategy and tactics that need to be prioritized. For example, you may be operating in a certain way while your written policies say otherwise.
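The point above, that scanning has to cover the whole environment and that findings on unsupported operating systems and stale patch levels need prioritizing, can be shown with a small inventory audit. The code below is an added example, not part of the original article or of any All Covered tooling; the inventory lines, the 90-day patching window and the OS name strings are constructed assumptions for the example.

```python
"""Added example: audit a host inventory for unsupported operating systems and
stale patch levels across the whole environment, not only the ePHI systems.
Illustrative only; the inventory below is constructed sample data."""
import csv
import io
from datetime import date

# Operating systems the article names as unsupported. Assumption: inventory
# OS strings match these names exactly.
UNSUPPORTED_OS = {
    "Windows 7",
    "Windows Server 2008",
    "Windows Server 2008 R2",
}

# Constructed sample inventory, not real hosts.
SAMPLE_INVENTORY = """\
hostname,os,last_patch,holds_ephi
ehr-db-01,Windows Server 2016,2020-11-02,yes
imaging-ws-07,Windows 7,2019-06-14,yes
fax-gw-02,Windows Server 2008 R2,2018-01-20,no
hr-laptop-12,Windows 10,2020-10-30,no
lab-analyzer-03,Windows 7,2020-02-11,no
"""

MAX_PATCH_AGE_DAYS = 90  # assumption: patching SLA used by this example


def audit_inventory(csv_text, today, max_patch_age_days=MAX_PATCH_AGE_DAYS):
    """Return a list of findings, highest priority first.

    Priority is derived from two factors: an unsupported OS is worse than a
    stale patch level, and a host holding ePHI outranks one that does not.
    Every host is examined, so non-ePHI hosts still surface in the report.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = []
        unsupported = row["os"] in UNSUPPORTED_OS
        if unsupported:
            reasons.append("unsupported OS: " + row["os"])
        age = (today - date.fromisoformat(row["last_patch"])).days
        if age > max_patch_age_days:
            reasons.append(f"last patched {age} days ago")
        if not reasons:
            continue
        holds_ephi = row["holds_ephi"].strip().lower() == "yes"
        # Sort key: unsupported OS first, then ePHI hosts, then oldest patch.
        score = (0 if unsupported else 1, 0 if holds_ephi else 1, -age)
        findings.append({
            "hostname": row["hostname"],
            "holds_ephi": holds_ephi,
            "reasons": reasons,
            "_score": score,
        })
    findings.sort(key=lambda f: f["_score"])
    for f in findings:
        del f["_score"]
    return findings


if __name__ == "__main__":
    for f in audit_inventory(SAMPLE_INVENTORY, date(2020, 11, 15)):
        flag = "ePHI" if f["holds_ephi"] else "    "
        print(f"[{flag}] {f['hostname']}: {'; '.join(f['reasons'])}")
```

Run against the sample inventory, the ePHI workstation on Windows 7 is reported first, followed by the two non-ePHI unsupported hosts ordered by how long they have gone unpatched; tightening the patch window pulls the supported hosts into the report as well, which is the "entire environment" view the text calls for.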
When organizations think about cybersecurity in general, the focus may fall on the security aspect only. Budgets have been spent on securing physical perimeters and systems, but there is a lag on privacy. The security of healthcare information is the focus of HIPAA (the Health Insurance Portability and Accountability Act of 1996).
Privacy is a core element of any security strategy and should work hand in hand with security, especially as healthcare systems run in a HIPAA-compliant environment. It should be treated with the same reverence as security. Privacy is more about patients’ rights, control over patient information, and the policies around privacy.
HIPAA breaches happen in mainly two ways: employee errors or mistakes in which PHI is knowingly accessed, and improper handling of devices with unsecured, unencrypted communications. Therefore, operations within any healthcare organization need to consider the users’ roles with respect to the systems’ information and the controls around it, well-documented procedures, and the handling of any risks, because a lapse in any of these areas can lead to HIPAA violations with penalties running into millions of dollars.
For example, because the most common form of referral or exchange of information is fax, whether digital or paper, this can be an avenue for HIPAA breaches and violations. Organizations need to remediate this area and have a plan to report any incidents within 60 days to the Office for Civil Rights (OCR), which handles HIPAA breach reports.
The workforce should be another key consideration in any security strategy. Users’ interaction with sensitive patient information, and the collaboration systems used to access that data, are integral to operations and are common security weak points.
Security awareness training is an essential element that is often overlooked. According to a recent HIMSS Media survey, ninety percent of health organizations experienced an email-related security threat in the past year, with one in four stating these attacks were very or extremely disruptive.
Ongoing, comprehensive cybersecurity training and best practices should be emphasized so that every user in the organization takes responsibility for protecting patient data. Encryption and preventive measures around device usage are critical to keeping information secure, especially since breaches can happen when physical devices are stolen. Secure data backups should always be in place.
Access to protected information should be granted to only those who need to view or use the data.
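The need-to-know rule stated above can be enforced in code as a minimum-necessary access check with an audit trail of every attempt. The code below is an added example, not part of the original article or of any product; the roles, the field groups each role may see, and the rule that clinical roles also need an assigned care relationship with the patient are assumptions made for the example, and the patient record is constructed.

```python
"""Added example: minimum-necessary access to patient records with an audit
trail. Illustrative only; roles, field groups and the care-relationship rule
are assumptions for the example, and the sample record is constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Which parts of a record each role may see (assumption for the example).
ROLE_FIELDS = {
    "physician": {"demographics", "diagnoses", "medications", "notes"},
    "nurse": {"demographics", "medications"},
    "billing": {"demographics", "billing"},
    "front_desk": {"demographics"},
}

# Roles that additionally need an assigned care relationship with the patient.
CLINICAL_ROLES = {"physician", "nurse"}


@dataclass
class User:
    user_id: str
    role: str
    patients: set = field(default_factory=set)  # assigned care relationships


class RecordAccess:
    def __init__(self, records):
        self._records = records  # patient_id -> {field: value}
        self.audit_log = []      # every attempt, allowed or denied

    def read(self, user, patient_id, fields):
        """Return only the requested fields the user may see, or raise.

        A request is denied outright if the role may not see any of the
        requested fields, or if a clinical user has no care relationship
        with the patient. Partial requests are trimmed, never widened.
        """
        requested = set(fields)
        allowed = ROLE_FIELDS.get(user.role, set()) & requested
        reason = None
        if user.role not in ROLE_FIELDS:
            reason = "unknown role"
        elif not allowed:
            reason = "no permitted fields"
        elif user.role in CLINICAL_ROLES and patient_id not in user.patients:
            reason = "no care relationship"
        elif patient_id not in self._records:
            reason = "no such patient"
        self._log(user, patient_id, requested, allowed, reason)
        if reason:
            raise PermissionError(f"{user.user_id}: {reason}")
        record = self._records[patient_id]
        return {f: record[f] for f in allowed if f in record}

    def _log(self, user, patient_id, requested, allowed, reason):
        # Denied attempts are logged too; they are what a reviewer looks for.
        self.audit_log.append({
            "at": datetime.now(timezone.utc).isoformat(),
            "user": user.user_id,
            "role": user.role,
            "patient": patient_id,
            "requested": sorted(requested),
            "granted": sorted(allowed) if reason is None else [],
            "denied_reason": reason,
        })


# Constructed sample data, not a real patient.
SAMPLE_RECORDS = {
    "P-1001": {
        "demographics": {"name": "Sample Patient", "dob": "1970-01-01"},
        "diagnoses": ["constructed diagnosis"],
        "medications": ["constructed medication"],
        "notes": "constructed clinical note",
        "billing": {"balance": 0},
    }
}


def demo():
    """Three attempts: a treating physician, a desk clerk over-asking, and a
    nurse who is not on the patient's care team."""
    store = RecordAccess(SAMPLE_RECORDS)
    dr = User("dr.smith", "physician", {"P-1001"})
    clerk = User("clerk.lee", "front_desk")
    rn = User("rn.jones", "nurse", set())  # no relationship with P-1001
    results = {}
    results["physician"] = store.read(dr, "P-1001", ["diagnoses", "notes"])
    results["front_desk"] = store.read(clerk, "P-1001", ["demographics", "notes"])
    try:
        store.read(rn, "P-1001", ["medications"])
    except PermissionError as e:
        results["nurse_denied"] = str(e)
    return results, store.audit_log


if __name__ == "__main__":
    res, log = demo()
    print(res)
    for entry in log:
        print(entry)
```

The clerk's request for clinical notes is silently trimmed to demographics rather than failing, while the nurse's request is refused entirely because access is tied to an assigned patient, not just to the role; both outcomes land in the audit log alongside the physician's permitted read, which is the record an investigator needs when a HIPAA incident is reviewed.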
Cybersecurity measures are not about resolving a single incident, nor are they a set-it-and-forget-it program; they need to encompass much more. We are currently seeing 30 million patient health records compromised in a year. And just in the last few days, OCR announced its 14th fine of this year, the most fines levied in HIPAA enforcement history.
Additionally, cyberattacks and breaches are not only a threat to patient information but can significantly hinder critical operations and procedures and put patients’ health and well-being at risk. A strong cybersecurity posture is a never-ending cycle that ensures organizations proactively reduce their risks and exposure, supporting the uninterrupted delivery of care. It is necessary to have a proactive strategy with a layered security approach that includes Security Information and Event Management (SIEM), Unified Threat Management (UTM), Vulnerability Management, and HIPAA and Security Awareness Training.