Tag: healthcare cybersecurity

How to Reduce Cyber Risk in Healthcare Organizations

David Sampson

By David Sampson, VP of Cyber Risk & Strategy, Thrive.

In February, hackers took Change Healthcare offline in one of the most high-profile and wide-reaching cyberattacks to date. Change Healthcare serves hundreds of thousands of providers in the U.S. and processes billions of transactions every year. With Change Healthcare’s systems compromised, cash stopped flowing for hospitals and physician offices everywhere. Providers couldn’t submit new claims, pharmacies couldn’t charge appropriately for prescriptions, and prior authorizations couldn’t go through for critical procedures.

Even after Change Healthcare’s parent entity, UnitedHealth Group, paid a $22 million ransom to the group behind the attack, there’s still risk that sensitive patient data could be leaked online. More importantly, the healthcare industry saw how a cyberattack on a third-party vendor could directly interfere with patient care.

Unfortunately, cyberattacks on the healthcare industry are growing – and, like the Change Healthcare attack, can wreak havoc on everyday operations and impact patient safety. However, if hospitals take the right precautions, they can mitigate these risks and better protect themselves from hackers, ransoms, and disruptions to business.

The Importance of Evaluating Third-party Vendor Risk

Healthcare organizations often rely on third-party vendors for various services. Delivering high-quality patient care is complicated in and of itself. Building an ecosystem that includes services and solutions like telemedicine, wearables, digital electronic medical records (EMRs), patient-centered mobile apps, and other cutting-edge innovations is impossible for smaller healthcare providers.

Many times, the best way to extend the range of services offered is to work with third-party vendors. The problem is this outsourcing expands the surface area of attack for cyber criminals. Every third-party vendor relationship comes with a new IT integration and potential entry point for hackers. In other words, more third-party vendors means increased organizational risk.

Healthcare leaders must recognize this tradeoff and think intentionally about how best to strike the balance between healthcare excellence and IT integrity. Before onboarding a new vendor, providers must conduct thorough audits, identify all vulnerabilities, and work constantly to ensure systems are integrated in a safe, secure, and resilient fashion. This is not a point-in-time exercise, but one that both healthcare providers and vendors have to engage in regularly to keep intruders away from sensitive patient data.

Continue Reading

Are Hochul’s Cybersecurity Regulations Enough For the Future of New York Healthcare?

Todd Moore

By Todd Moore, vice president of data security products, Thales.

On Nov, 13, 2023, New York Governor Kathy Hochul proposed a new set of cybersecurity rules for state hospitals. This includes a mandate that hospitals must develop their own programs and response plans and appoint chief information security officers (CISOs). The regulations are part of a statewide cyber strategy that Hochul launched in August to improve cyber resilience as attacks continue to rise.

The strategy is built on three central principles: Preparedness, Resilience, and Unification. It is also New York’s first roadmap to mitigate cyberthreats and attacks and has a long road ahead to combat the growing phishing and ransomware attacks across the state.

Are the regulations up to the task? Let’s take a look.

Preparedness

Tackling multiple cybersecurity threats in recent years may have weathered healthcare’s capacity for self-defense. But the industry is still more vulnerable than most. According to the Thales 2023 Healthcare and Life Sciences (HLS) Report, 71% of healthcare organizations have cited an increase in ransomware attacks this year, far higher compared to other industries at 49%. The higher frequency is mainly due to the vast personal data they store (medical records, PII, etc.) that present a goldmine for identity theft.

Under Hochul’s proposal, preparedness will involve providing advice and guidance to ensure New Yorkers are empowered to take charge of their own cybersecurity. Healthcare facilities will have to develop their own cyber programs and incident response plans, with written policies, procedures, and regular risk and response assessment tests in place.

From a glance, these give facilities a good foundation on which to establish their cybersecurity strategies, particularly for the less tech-savvy ones. But while the regulations are a good starting point and may develop expansively, right now we’ve only gotten high-level objectives. There isn’t a clear direction for managing crucial resources in use, such as the cloud, which could undermine Hochul’s efforts to foster resilience and unification.

Resilience

We live in a multi-cloud reality. Nearly 90% of healthcare respondents deploy two or more cloud providers to better manage data. Over the past year, data security in the cloud has become increasingly complex (from 44% to 55%). Unfortunately, this makes cloud resources a leading target for attackers, particularly for healthcare (78%) over other industries (67%).

Continue Reading

Q&A with Mikael Öhman, CEO, Meditology | CORL Technologies

Mikael Öhman

In September, Mikael Öhman took the helm of CORL Technologies, tech-enabled managed services for vendor risk management and compliance, and its sister organization Meditology Services, which provides information risk management, cybersecurity, privacy, and regulatory compliance services for the healthcare industry.

Öhman comes to CORL and Meditology from KMS Healthcare, where he was CEO of the global technology services company. Previously, he was a consultant at McKinsey and Company in Stockholm and Atlanta, managed international operations for Cerner, and led mergers and acquisitions for McKesson’s IT business. In addition to his executive health IT experience, which also includes serving as COO for software, services, and device companies, Öhman co-founded an urgent care business that was sold to Piedmont Urgent Care by Wellstreet.

We recently sat down with Öhman to discuss the current healthcare cybersecurity landscape, what’s on the horizon, and his plans for CORL and Meditology.

EHR:  How would you describe the current state of cybersecurity in healthcare?

Öhman: Big, big, big worry. For everybody. Anytime you look at the news, you hear about another health system getting hit with a ransomware attack or a vendor being hacked. That’s why cybersecurity is absolutely a key priority. The bad guys know that healthcare data has tremendous value; you can get rich by holding somebody’s data hostage or selling it.

Healthcare is complex. It requires a highly networked system with many vendors involved at many different points. Data doesn’t just live in one place anymore. While all the data sharing and integration points to move information between on-premises systems and cloud environments are fabulous, they also raise the security threat level by magnitudes. The criminals are going to find the weakest link. When they do, the damage that can be done because of data aggregation is much, much higher. It’s why security is an obvious priority.

Managing and securing healthcare is a much bigger job now than it was 10 years ago when most of your systems were sitting in a data center behind your own four walls. You could see and touch it and feel that you had control. Now, there is a proliferation of cloud-based and SaaS vendors that, if not properly vetted and controlled, can create new exposure points that you may not know even exist. Every provider and payer – anybody using multiple vendors – must be prepared because it’s going to continue to get riskier every single day as new technologies come out.

Continue Reading

Healthcare Providers, Beware! Why Bad Bots Are A Cybersecurity Threat 

Rob Falbo

By Rob Falbo, vice president of healthcare solutions, Imperva. 

In most industries, an IT service outage can lead to lost revenue. In the healthcare industry, disruption of network or application services impacts critical patient care. In the past year, non-human web traffic spiked dramatically, a trend that should be concerning for any healthcare organization.   

Research conducted by cybersecurity company Imperva found that, in 2022, 35.8% of all US healthcare website traffic came from bad bots. These are malicious, automated software applications capable of high-speed abuse, misuse, and attacks. What’s more concerning is that 27.1% of bad bots were classified as “advanced.” This breed of bot is capable of using the latest evasion techniques, closely mimicking human behavior to avoid detection.  

 With bad bot traffic continuing to rise across the globe, it’s critical for healthcare organizations to understand the potential threat bad bots pose and the steps they can take to mitigate it. 

 How Attackers Are Hitting the Healthcare Industry 

 In February 2023, the US healthcare industry was put on edge as a spade of denial-of-service (DDoS) attacks were carried out against various healthcare organizations by the Pro-Russian hacktivist group Killnet 

 DDoS attacks are designed to overload a network with traffic, making it difficult, even impossible, for patients to access essential services. The attacks are carried out by a collection of bots or hijacked machines, known as a botnet. This enables the attackers to harness the power of many machines and obscure the traffic source. Since traffic is distributed, it is difficult for security tools and teams to detect that a DDoS attack is occurring until it is too late. 

Continue Reading

How To Prepare For Data Disruption In The Healthcare Industry

Anthony Cusimano

By Anthony Cusimano, technical director, Object First.

There’s no sugarcoating it: cybercriminals are attacking the US healthcare industry. The FBI announced recently that healthcare suffered more ransomware attacks than any other industry in 2022.

As healthcare professionals, the ultimate goal is to provide safe and efficient patient care. Consistent and accurate access to electronic health records is a massive part of this objective, which any data disruption can harm. Once a threat actor is inside a system, they can disrupt operations by exfiltrating data, locking or deleting files, and encrypting data until a ransom is paid. Healthcare organizations should be aware of ransomware’s threat, no matter the institution’s size, and plan to protect its data.

A rampant threat

The focus on healthcare as a target for ransomware attacks has been building for some time. From 2016 to 2021, ransomware attacks against US healthcare organizations more than doubled. But now, cybercriminals gangs are becoming more innovative, using new techniques to get into networks, evade detection, and encrypt files.

In February, the Health Sector Cybersecurity Coordination Center warned healthcare systems of a new ransomware variant targeting the industry: MedusaLocker. The group took advantage of the COVID-19 pandemic to infiltrate and encrypt healthcare systems. Ransomware variants like MedusaLocker, including Royal and Clop, make healthcare their primary target because of the wealth of personal information available in these systems. Additionally, healthcare organizations often have less robust IT/cybersecurity departments than other industries, such as the technology or financial sectors, due to staffing shortages, lack of funds, and outdated tech.

But ransomware isn’t the only thing that can take down a healthcare practice. Natural disasters, such as flooding or inclement weather, or human error, such as an employee accidentally deleting an important file, can happen just as unexpectedly. All hospital IT departments and independent practices should have a data backup and recovery plan to protect sensitive electronic medical records and keep patient care running smoothly and safely. However, often these departments only have the resources to implement solutions that run unmonitored in the background. Without a proper plan, this leaves them vulnerable when data disruptions occur.

While all of this may seem disheartening, actions are within our control. Consider these steps to be prepared for when data disruption strikes.

Continue Reading

Cyber Vulnerability In Rural Health

Baha Zeidan

By Baha Zeidan, co-founder and CEO, Azalea Health.

Rural hospitals are facing an exorbitant amount of pressure, and the pressure doesn’t seem likely to subside any time soon.

Whether it’s the ongoing labor shortage, the constantly changing regulatory environment or other market forces, the headwinds, at times, seem insurmountable. Couple those concerns with the constant worries about cyberattacks and security vulnerabilities, and the moment seems even more challenging.

It’s not that rural health organizations can’t tackle any of the issues head-on. It’s more a matter of rural health organizations often don’t have the staff or resources to address this topic.

As a result, security is often an afterthought. How rural hospitals and communities focus on security presents an interesting dilemma because they’re vulnerable from a cybersecurity side and particularly vulnerable if their security posture is left unaddressed.

According to the Center for Healthcare Quality and Payment Reform, 150 rural hospitals nationwide closed between 2005 and 2019, and even more closed in 2020. While funding has helped slow the trend of closures amid the pandemic, rural providers still face challenges, partly because they have higher proportions of vulnerable patients, the elderly or the chronically ill.

However, rural health providers still have an arrow left in their quiver: technology. Increasingly, they’re turning to technology to ensure their staff can focus on delivering quality healthcare to patients without forgoing the most pressing needs and cybersecurity in particular.

Cybersecurity is the centerpiece of the path forward

Last year was among the worst years for ransomware attacks on healthcare. Healthcare is an ideal target; private health data is lucrative to sell on the dark web, and providers are more likely to pay ransoms with lives on the line.

Ransomware-as-a-service has also made it easier than ever to launch an attack, making it critical to invest in health IT platforms with built-in security solutions.

However, many rural providers cannot afford to invest in the same technology as their larger counterparts. They often face lean IT teams and limited budgets, constraining their investments and limiting what percentage of their budget they can spend on security.

Rural providers often find themselves on the unfortunate side of the digital divide, whether it’s clinician shortages or a suboptimal revenue cycle that results in a lack of capital. The result is that they may be unaware of the latest security updates, and even if they are, they often can’t implement them.

It’s not all doom and gloom, however. Rural providers can take steps to stay secure.

Continue Reading

Cyberattacks Threaten Patients’ Lives In Healthcare

In recent years, the global healthcare industry has been under heavy attack by cybercriminals. The sector stands in fourth place among the most targeted industries, and one-fifth of its spending is dedicated to cybersecurity. The global healthcare cybersecurity market was valued at $12.6 billion in 2021 and is expected to expand at an annual growth rate of 18.3% from 2022 to 2030.

93% of healthcare organizations faced a data breach

The healthcare industry has suffered from significant growth in the number of cyberattacks. Forty-five million records of patients were exposed to healthcare attacks in 2021, a number that has tripled in the last three years. One-third of all significant data breaches targeted hospital accounts.

Thirty-four percent of data breaches are related to unauthorized access to healthcare networks. Furthermore, 1.5 billion users’ personally identifiable information (PII) was leaked due to third-party violations in 2021. Ninety-three percent of healthcare organizations experienced a data breach in 2016-2019 and a quarter of physicians couldn’t identify the common signs of malware.

Continue Reading

Clinical Zero Trust: The Time Is Right In Healthcare

By Jamison Utter, director of product evangelism, Medigate.

Jamison Utter

Last year (2020) was a year of chaos, and one that demonstrated why robust cybersecurity is an essential priority for all healthcare organizations. From COVID-19 disruptions to rapidly increasing networks of managed and unmanaged devices, it’s never been more important to secure the critical infrastructure that forms the basis of clinical care.

This is easier said than done- after all, the growing reliance on digital platforms has opened opportunities for increased attacks and raised questions about data collection and privacy. Threats like Ryuk and other high-profile breaches made a notable impact on the industry’s understanding of cybersecurity, not only for their monetary implications, but the significant operational disruptions that these incidents caused. On a national level, we’re seeing care networks expanding alongside access to telehealth services and the implementation of remote patient monitoring tools– with significant amounts of PHI being broadcast and analyzed each day.

When looking at these trends, there are two immediate realizations that all healthcare leaders should understand: 1) the rate of attacks is only going to increase as healthcare operations become smarter and more connected and 2) we need a better solution that works alongside clinical practitioners, biomed departments and organizational leaders even as it protects them from malicious attackers. For many of these concerns, the answer is Zero Trust, or more specifically, Clinical Zero Trust (CZT), that is uniquely attuned to the needs of the healthcare industry.

What Is Clinical Zero Trust?

Zero Trust represents the concept of “trust nothing, verify everything” in terms of cybersecurity. It has since grown to represent a networking approach that centers the design and application of IT networks around the identity and access rights of users and their data. Clinical Zero Trust applies this same idea but to the cyber and physical environment of healthcare organizations.

Think of CZT as a strategy and not a technology; it is an end goal rather than a feature or ability. Cyber protections like firewalls and end-point security solutions make up some of the offerings that help create a CZT environment. A typical healthcare organization has a security system that prioritizes protecting devices and data– CZT shifts the focus to protect physical workflows, which are made up of the people and processes involved in delivering care.

This means the protected surface extends to the physical world, including everything associated with administering a procedure or delivering care. At first glance, it seems like an impossible task to protect physical things with cyber technologies, but in reality, when you look at the clinical setting holistically it makes it easier to identify interdependencies and develop strategies that will effectively protect the physical, business and digital processes to drive optimal patient outcomes.

Continue Reading