In healthcare, data breaches and cyber threats can disrupt patient care, compromise sensitive information, and even lead to financial losses.
A strong cyber resilience plan isn’t just about preventing attacks; it’s about preparing, responding, and recovering quickly if one occurs.
Here’s a step-by-step guide to building a cyber resilience plan tailored to the healthcare industry, ensuring your organization is well-prepared for cyber threats while maintaining patient trust.
1. Assess Your Current Cybersecurity Position
Begin by evaluating your cybersecurity strengths and weaknesses. Identify all digital assets linked to your network to uncover potential vulnerabilities. These include patient data systems and any third-party software, such as electronic health record (EHR) platforms. It’s also crucial to assess any digital health tools, like mobile apps or wearable tech integrations, that interact with patient data.
Once you’ve mapped out your assets, review defenses like firewalls, encryption, and system access policies to establish a baseline. This helps pinpoint gaps, providing a clearer picture of where to prioritize security improvements.
2. Set Clear Goals for Cyber Resilience
Define what “cyber resilience” means for your healthcare organization, focusing on maintaining essential services, protecting sensitive data, and reducing recovery time during an attack. These goals are critical in healthcare, where patient care depends on system availability.
Setting benchmarks, such as maximum allowable downtime or acceptable data loss, gives your team clear, measurable outcomes. This alignment ensures everyone understands the plan’s priorities and what success looks like.
3. Implement Cloud Security
Cloud technology is essential in healthcare for storing and sharing patient data, but it brings unique risks. Strengthening cloud security involves using multi-factor authentication (MFA) for system access and encrypting all data stored or transferred in the cloud.
Choose cloud providers who comply with healthcare regulations and conduct regular audits to ensure ongoing security. With robust healthcare cloud security measures, you protect patient data and enhance recovery options if a cyber incident occurs.
4. Develop Incident Response and Recovery Protocols
An effective resilience plan includes detailed incident response and recovery protocols. Your response plan should outline immediate steps for a breach, such as identifying the threat, containing it, and notifying affected parties under the Health Insurance Portability and Accountability Act (HIPAA) guidelines.
Disaster recovery protocols focus on restoring systems and retrieving data quickly, minimizing operational disruption. Automated backup tools help reduce downtime, and regular testing ensures readiness for real-world incidents.
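Steps 2 and 4 together ask for measurable recovery benchmarks (acceptable data loss, maximum allowable downtime) and for regular testing of backups. The script below is an added example, not part of the original guide, showing how a team might check a backup manifest against per-system RPO/RTO targets and verify backup integrity before a restore drill. The system names, benchmark values and backup records are all constructed for the example.

```python
"""Added example (not from the original guide): check a backup manifest against
recovery benchmarks (RPO = acceptable data loss, RTO = maximum allowable downtime)
and verify backup integrity before a restore drill."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib


@dataclass
class BackupRecord:
    system: str
    taken_at: datetime
    sha256: str     # digest recorded when the backup was written
    payload: bytes  # in practice a file on disk; embedded bytes keep the example self-contained


# Hypothetical per-system targets; real values come from the organization's own benchmarks.
BENCHMARKS = {
    "ehr":      {"rpo": timedelta(hours=1), "rto": timedelta(hours=4)},
    "pharmacy": {"rpo": timedelta(hours=4), "rto": timedelta(hours=8)},
}


def verify_integrity(rec):
    """True when the stored payload still matches the digest taken at backup time."""
    return hashlib.sha256(rec.payload).hexdigest() == rec.sha256


def evaluate(records, now):
    """Map each benchmarked system to a list of findings (an empty list means compliant)."""
    latest = {}
    for rec in records:
        if rec.system not in latest or rec.taken_at > latest[rec.system].taken_at:
            latest[rec.system] = rec
    findings = {}
    for system, target in BENCHMARKS.items():
        issues = []
        rec = latest.get(system)
        if rec is None:
            issues.append("no backup on record")
        else:
            age = now - rec.taken_at
            if age > target["rpo"]:
                issues.append(f"RPO violated: newest backup is {age} old, limit {target['rpo']}")
            if not verify_integrity(rec):
                issues.append("integrity check failed: checksum mismatch")
        findings[system] = issues
    return findings


def drill_within_rto(system, measured_restore_time):
    """True when a timed restore drill finished inside the system's RTO."""
    return measured_restore_time <= BENCHMARKS[system]["rto"]


# Constructed sample manifest (not real data)
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
_ehr_blob = b"ehr-snapshot-2024-01-01T1130"
_pharm_blob = b"pharmacy-snapshot-2024-01-01T0600"
SAMPLE_RECORDS = [
    BackupRecord("ehr", NOW - timedelta(minutes=30),
                 hashlib.sha256(_ehr_blob).hexdigest(), _ehr_blob),
    # Six hours old (RPO is four) and the payload no longer matches its recorded digest.
    BackupRecord("pharmacy", NOW - timedelta(hours=6),
                 hashlib.sha256(_pharm_blob).hexdigest(), _pharm_blob + b"-corrupted"),
    BackupRecord("lab", NOW - timedelta(days=2), "", b""),  # no benchmark defined; ignored
]

if __name__ == "__main__":
    for system, issues in evaluate(SAMPLE_RECORDS, NOW).items():
        print(system, "OK" if not issues else "; ".join(issues))
    print("ehr drill within RTO:", drill_within_rto("ehr", timedelta(hours=3)))
```

Run as-is, the script reports the EHR backup as compliant and flags the pharmacy backup twice (stale against its RPO and failing its checksum). The integrity check matters because a backup that restores quickly but is corrupt does not meet the recovery goal; the digest comparison is the cheap test a team can run on every backup before trusting it in a drill.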
5. Train Your Staff in Cybersecurity Awareness
Employee mistakes are a frequent cause of security incidents, often due to actions like clicking unsecured links, sharing passwords, or ignoring security alerts. Regular training equips your team to identify phishing emails, avoid unauthorized software downloads, and report unfamiliar devices connected to hospital equipment.
Additionally, encourage proactive security habits, such as locking screens when away, securing personal devices used for work, and updating passwords regularly. Hands-on exercises, such as simulated unauthorized-access scenarios or mock login prompts, let employees practice their responses. A culture of cybersecurity awareness empowers staff to safeguard data, fortifying your defense against potential breaches.
By David Sampson, VP of Cyber Risk & Strategy, Thrive.
In February, hackers took Change Healthcare offline in one of the most high-profile and wide-reaching cyberattacks to date. Change Healthcare serves hundreds of thousands of providers in the U.S. and processes billions of transactions every year. With Change Healthcare’s systems compromised, cash stopped flowing for hospitals and physician offices everywhere. Providers couldn’t submit new claims, pharmacies couldn’t charge appropriately for prescriptions, and prior authorizations couldn’t go through for critical procedures.
Even after Change Healthcare’s parent entity, UnitedHealth Group, paid a $22 million ransom to the group behind the attack, there’s still risk that sensitive patient data could be leaked online. More importantly, the healthcare industry saw how a cyberattack on a third-party vendor could directly interfere with patient care.
Unfortunately, cyberattacks on the healthcare industry are growing – and, like the Change Healthcare attack, can wreak havoc on everyday operations and impact patient safety. However, if hospitals take the right precautions, they can mitigate these risks and better protect themselves from hackers, ransoms, and disruptions to business.
The Importance of Evaluating Third-party Vendor Risk
Healthcare organizations often rely on third-party vendors for various services. Delivering high-quality patient care is complicated in and of itself. Building an ecosystem that includes services and solutions like telemedicine, wearables, digital electronic medical records (EMRs), patient-centered mobile apps, and other cutting-edge innovations is impossible for smaller healthcare providers.
Many times, the best way to extend the range of services offered is to work with third-party vendors. The problem is that this outsourcing expands the attack surface available to cyber criminals. Every third-party vendor relationship comes with a new IT integration and a potential entry point for hackers. In other words, more third-party vendors mean increased organizational risk.
Healthcare leaders must recognize this tradeoff and think intentionally about how best to strike the balance between healthcare excellence and IT integrity. Before onboarding a new vendor, providers must conduct thorough audits, identify all vulnerabilities, and work constantly to ensure systems are integrated in a safe, secure, and resilient fashion. This is not a point-in-time exercise, but one that both healthcare providers and vendors have to engage in regularly to keep intruders away from sensitive patient data.
By Todd Moore, vice president of data security products, Thales.
On Nov. 13, 2023, New York Governor Kathy Hochul proposed a new set of cybersecurity rules for state hospitals. This includes a mandate that hospitals must develop their own programs and response plans and appoint chief information security officers (CISOs). The regulations are part of a statewide cyber strategy that Hochul launched in August to improve cyber resilience as attacks continue to rise.
The strategy is built on three central principles: Preparedness, Resilience, and Unification. It is also New York’s first roadmap to mitigate cyberthreats and attacks and has a long road ahead to combat the growing phishing and ransomware attacks across the state.
Are the regulations up to the task? Let’s take a look.
Preparedness
Tackling multiple cybersecurity threats in recent years may have toughened healthcare’s capacity for self-defense. But the industry is still more vulnerable than most. According to the Thales 2023 Healthcare and Life Sciences (HLS) Report, 71% of healthcare organizations cited an increase in ransomware attacks this year, far higher than the 49% reported across other industries. The higher frequency is mainly due to the vast amount of personal data they store (medical records, PII, etc.), which presents a goldmine for identity theft.
Under Hochul’s proposal, preparedness will involve providing advice and guidance to ensure New Yorkers are empowered to take charge of their own cybersecurity. Healthcare facilities will have to develop their own cyber programs and incident response plans, with written policies, procedures, and regular risk and response assessment tests in place.
At a glance, these give facilities a good foundation on which to establish their cybersecurity strategies, particularly for the less tech-savvy ones. But while the regulations are a good starting point and may be expanded over time, right now we have only high-level objectives. There isn’t a clear direction for managing crucial resources in use, such as the cloud, which could undermine Hochul’s efforts to foster resilience and unification.
Resilience
We live in a multi-cloud reality. Nearly 90% of healthcare respondents deploy two or more cloud providers to better manage data. Over the past year, the share of respondents who say securing data in the cloud has become more complex rose from 44% to 55%. Unfortunately, this makes cloud resources a leading target for attackers, particularly for healthcare (78%) compared with other industries (67%).
In September, Mikael Öhman took the helm of CORL Technologies, tech-enabled managed services for vendor risk management and compliance, and its sister organization Meditology Services, which provides information risk management, cybersecurity, privacy, and regulatory compliance services for the healthcare industry.
Öhman comes to CORL and Meditology from KMS Healthcare, where he was CEO of the global technology services company. Previously, he was a consultant at McKinsey and Company in Stockholm and Atlanta, managed international operations for Cerner, and led mergers and acquisitions for McKesson’s IT business. In addition to his executive health IT experience, which also includes serving as COO for software, services, and device companies, Öhman co-founded an urgent care business that was sold to Piedmont Urgent Care by Wellstreet.
We recently sat down with Öhman to discuss the current healthcare cybersecurity landscape, what’s on the horizon, and his plans for CORL and Meditology.
EHR: How would you describe the current state of cybersecurity in healthcare?
Öhman: Big, big, big worry. For everybody. Anytime you look at the news, you hear about another health system getting hit with a ransomware attack or a vendor being hacked. That’s why cybersecurity is absolutely a key priority. The bad guys know that healthcare data has tremendous value; you can get rich by holding somebody’s data hostage or selling it.
Healthcare is complex. It requires a highly networked system with many vendors involved at many different points. Data doesn’t just live in one place anymore. While all the data sharing and integration points to move information between on-premises systems and cloud environments are fabulous, they also raise the security threat level by magnitudes. The criminals are going to find the weakest link. When they do, the damage that can be done because of data aggregation is much, much higher. It’s why security is an obvious priority.
Managing and securing healthcare is a much bigger job now than it was 10 years ago when most of your systems were sitting in a data center behind your own four walls. You could see and touch it and feel that you had control. Now, there is a proliferation of cloud-based and SaaS vendors that, if not properly vetted and controlled, can create new exposure points that you may not know even exist. Every provider and payer – anybody using multiple vendors – must be prepared because it’s going to continue to get riskier every single day as new technologies come out.
By Rob Falbo, vice president of healthcare solutions, Imperva.
In most industries, an IT service outage can lead to lost revenue. In the healthcare industry, disruption of network or application services impacts critical patient care. In the past year, non-human web traffic spiked dramatically, a trend that should be concerning for any healthcare organization.
Research conducted by cybersecurity company Imperva found that, in 2022, 35.8% of all US healthcare website traffic came from bad bots. These are malicious, automated software applications capable of high-speed abuse, misuse, and attacks. What’s more concerning is that 27.1% of bad bots were classified as “advanced.” This breed of bot is capable of using the latest evasion techniques, closely mimicking human behavior to avoid detection.
With bad bot traffic continuing to rise across the globe, it’s critical for healthcare organizations to understand the potential threat bad bots pose and the steps they can take to mitigate it.
How Attackers Are Hitting the Healthcare Industry
In February 2023, the US healthcare industry was put on edge as a spate of distributed denial-of-service (DDoS) attacks were carried out against various healthcare organizations by the pro-Russian hacktivist group Killnet.
DDoS attacks are designed to overload a network with traffic, making it difficult, even impossible, for patients to access essential services. The attacks are carried out by a collection of bots or hijacked machines, known as a botnet. This enables the attackers to harness the power of many machines and obscure the traffic source. Since traffic is distributed, it is difficult for security tools and teams to detect that a DDoS attack is occurring until it is too late.
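The article notes that bad bots operate at high speed and that advanced ones mimic human behavior, which is why a defender cannot rely on user-agent strings alone. The script below is an added example, not Imperva’s tooling or the article’s own code, showing two complementary screens a healthcare web team could run over its access logs: a per-client request-rate check inside a sliding window, and a simple fingerprint check for openly scripted clients. The log lines, IP addresses (from the documentation ranges), thresholds and user-agent marker list are all constructed for the example.

```python
"""Added example (not from the Imperva article): rate- and fingerprint-based
screening of web access logs for automated ("bad bot") traffic."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Hypothetical short list of user-agent substrings typical of scripted clients.
# Advanced bots present browser-like agents, so this check only catches the careless ones.
SCRIPTED_UA_MARKERS = ("python-requests", "curl/", "go-http-client")


def parse_line(line):
    """Return a dict for a well-formed combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "path": m.group("path"),
            "status": int(m.group("status")), "ua": m.group("ua")}


def peak_requests(timestamps, window):
    """Largest number of requests from one client that fall inside any span of length `window`."""
    ts = sorted(timestamps)
    best, start = 0, 0
    for end in range(len(ts)):
        while ts[end] - ts[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def classify(lines, window=timedelta(seconds=60), max_per_window=30):
    """Map each client IP to a list of reasons it looks automated (empty list = no finding)."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)
    findings = {}
    for ip, recs in per_ip.items():
        reasons = []
        peak = peak_requests([r["ts"] for r in recs], window)
        if peak > max_per_window:
            reasons.append(f"rate: {peak} requests in {window.seconds}s")
        if any(ua == "" or any(mk in ua for mk in SCRIPTED_UA_MARKERS)
               for ua in {r["ua"] for r in recs}):
            reasons.append("user-agent: scripted client")
        findings[ip] = reasons
    return findings


# Constructed sample log (not real traffic)
def _make_lines(ip, ua, count, spacing_seconds, path="/api/appointments"):
    base = datetime(2023, 2, 1, 9, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(count):
        ts = (base + timedelta(seconds=i * spacing_seconds)).strftime("%d/%b/%Y:%H:%M:%S %z")
        lines.append(f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"')
    return lines


BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
SAMPLE_LOG = (
    _make_lines("203.0.113.5", "python-requests/2.31", 40, 1)  # scripted client, 40 requests in 40 s
    + _make_lines("192.0.2.9", BROWSER_UA, 35, 1)             # browser-like agent but bursty
    + _make_lines("198.51.100.7", BROWSER_UA, 3, 20)          # ordinary patient browsing
)

if __name__ == "__main__":
    for ip, reasons in classify(SAMPLE_LOG).items():
        print(ip, "clean" if not reasons else "; ".join(reasons))
```

The second client in the sample is the instructive one: its user agent looks like a browser, so only the rate screen catches it. In production the thresholds would be tuned per endpoint (a patient portal login page tolerates far fewer requests per minute than a static asset path), and rate findings would feed a rate limiter or WAF rule rather than an outright block, since shared NAT addresses at clinics can legitimately produce bursts.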
By Anthony Cusimano, technical director, Object First.
There’s no sugarcoating it: cybercriminals are attacking the US healthcare industry. The FBI announced recently that healthcare suffered more ransomware attacks than any other industry in 2022.
For healthcare professionals, the ultimate goal is to provide safe and efficient patient care. Consistent and accurate access to electronic health records is a massive part of this objective, and any data disruption can harm it. Once a threat actor is inside a system, they can disrupt operations by exfiltrating data, locking or deleting files, and encrypting data until a ransom is paid. Healthcare organizations should be aware of ransomware’s threat, no matter the institution’s size, and plan to protect their data.
A rampant threat
The focus on healthcare as a target for ransomware attacks has been building for some time. From 2016 to 2021, ransomware attacks against US healthcare organizations more than doubled. But now, cybercriminal gangs are becoming more innovative, using new techniques to get into networks, evade detection, and encrypt files.
In February, the Health Sector Cybersecurity Coordination Center warned healthcare systems of a new ransomware variant targeting the industry: MedusaLocker. The group took advantage of the COVID-19 pandemic to infiltrate and encrypt healthcare systems. Ransomware variants like MedusaLocker, Royal, and Clop make healthcare their primary target because of the wealth of personal information available in these systems. Additionally, healthcare organizations often have less robust IT/cybersecurity departments than other industries, such as the technology or financial sectors, due to staffing shortages, lack of funds, and outdated tech.
But ransomware isn’t the only thing that can take down a healthcare practice. Natural disasters, such as flooding or inclement weather, or human error, such as an employee accidentally deleting an important file, can happen just as unexpectedly. All hospital IT departments and independent practices should have a data backup and recovery plan to protect sensitive electronic medical records and keep patient care running smoothly and safely. However, often these departments only have the resources to implement solutions that run unmonitored in the background. Without a proper plan, this leaves them vulnerable when data disruptions occur.
While all of this may seem disheartening, actions are within our control. Consider these steps to be prepared for when data disruption strikes.
Rural hospitals are facing an exorbitant amount of pressure, and the pressure doesn’t seem likely to subside any time soon.
Whether it’s the ongoing labor shortage, the constantly changing regulatory environment or other market forces, the headwinds, at times, seem insurmountable. Couple those concerns with the constant worries about cyberattacks and security vulnerabilities, and the moment seems even more challenging.
It’s not that rural health organizations can’t tackle any of the issues head-on. It’s more that rural health organizations often don’t have the staff or resources to address this topic.
As a result, security is often an afterthought. How rural hospitals and communities focus on security presents an interesting dilemma because they’re vulnerable from a cybersecurity side and particularly vulnerable if their security posture is left unaddressed.
According to the Center for Healthcare Quality and Payment Reform, 150 rural hospitals nationwide closed between 2005 and 2019, and even more closed in 2020. While funding has helped slow the trend of closures amid the pandemic, rural providers still face challenges, partly because they have higher proportions of vulnerable patients, the elderly or the chronically ill.
However, rural health providers still have an arrow left in their quiver: technology. Increasingly, they’re turning to technology to ensure their staff can focus on delivering quality healthcare to patients without neglecting the most pressing needs, cybersecurity in particular.
Cybersecurity is the centerpiece of the path forward
Last year was among the worst years for ransomware attacks on healthcare. Healthcare is an ideal target; private health data is lucrative to sell on the dark web, and providers are more likely to pay ransoms with lives on the line.
Ransomware-as-a-service has also made it easier than ever to launch an attack, making it critical to invest in health IT platforms with built-in security solutions.
However, many rural providers cannot afford to invest in the same technology as their larger counterparts. They often face lean IT teams and limited budgets, constraining their investments and limiting what percentage of their budget they can spend on security.
Rural providers often find themselves on the unfortunate side of the digital divide, whether it’s clinician shortages or a suboptimal revenue cycle that results in a lack of capital. The result is that they may be unaware of the latest security updates, and even if they are, they often can’t implement them.
It’s not all doom and gloom, however. Rural providers can take steps to stay secure.
In recent years, the global healthcare industry has been under heavy attack by cybercriminals. The sector stands in fourth place among the most targeted industries, and one-fifth of its spending is dedicated to cybersecurity. The global healthcare cybersecurity market was valued at $12.6 billion in 2021 and is expected to expand at an annual growth rate of 18.3% from 2022 to 2030.
93% of healthcare organizations faced a data breach
The healthcare industry has suffered significant growth in the number of cyberattacks. Forty-five million patient records were exposed in healthcare attacks in 2021, a number that has tripled in the last three years. One-third of all significant data breaches targeted hospital accounts.
Thirty-four percent of data breaches are related to unauthorized access to healthcare networks. Furthermore, 1.5 billion users’ personally identifiable information (PII) was leaked due to third-party violations in 2021. Ninety-three percent of healthcare organizations experienced a data breach in 2016-2019 and a quarter of physicians couldn’t identify the common signs of malware.