Reflecting on the past two years, it’s impossible to ignore the impact the healthcare industry has had on nearly every community worldwide. The surge of COVID-19 forced a monumental shift within the industry as providers scrambled to deliver care under COVID protocols. The healthcare sector now relies far more heavily on cloud computing services, telemedicine, and connected treatment devices than it did before the pandemic.
These changes have lowered barriers to access and improved the quality of treatment, but rapid and often unmanaged reliance on digital services has widened this critical sector’s attack surface. The sector is particularly exposed to ransomware, data breaches, distributed denial of service (DDoS) attacks, and business email compromise. Business email scams alone have increased by 1,300% since 2015. By impersonating executives, clinicians, or vendors in email, attackers obtain protected health information (PHI), divert payments, and even procure prescription drugs.
In 2019, Quest Diagnostics, a medical testing giant, learned that a breach had occurred at a billing collections vendor used by Optum360, the healthcare revenue-cycle manager to which Quest had outsourced its billing. The incident demonstrated the multi-fold, supply-chain consequences of a healthcare breach: the intrusion sat two vendors removed from Quest, yet for eight months the personal information, medical data, and financial information, including Social Security numbers, of roughly 11.9 million Quest patients were exposed.
While federal regulations like HIPAA and HITECH, and state privacy laws, have been instituted to protect PHI and other data, they simply aren’t enough when companies lack current cybersecurity policies, integrated risk management solutions, and an enterprise-wide understanding of their own cybersecurity posture.
According to the Verizon Data Breach Investigations Report (DBIR), about 49% of healthcare breaches involved internal actors. Most of these were errors rather than malice: errant clicks on phishing emails, misdelivered messages, or employees emailing content containing PHI to their personal accounts. This all ties back to the absence of a risk-aware culture within the industry. It’s a glaring enterprise risk that attackers have repeatedly taken advantage of.
The COVID-19 pandemic did not stop cybercriminals from doing what they do best. The pandemic generated a flood of new data flows and remote access paths for attackers to hide in, just as the sector’s attention shifted away from IT and security priorities.
In 2020, Magellan Health Inc. (a phishing email that led to ransomware) and Inova Health System (a ransomware attack on a third-party fundraising vendor) each disclosed breaches affecting more than a million individuals, and each could have reached further through the healthcare system’s supply chain. As a critical infrastructure sector, this industry is highly dependent on most of the other critical sectors, like emergency services, communications, energy, IT, and food and agriculture. The stakes for a healthcare breach only seem to grow.
Connected devices are reaching the bedside faster than their risks are understood. IoT devices allow medical professionals to monitor vitals and administer medication and other prescribed fluids remotely. What happens when the device is compromised? What happens when a remotely controlled insulin pump is hacked and stops delivering the life-saving insulin a patient needs, or delivers the wrong dose? The risks are innumerable, and healthcare providers cannot wait around to learn from experience. IoT devices also sit on the same networks as patient charts and financial information that can be stolen or altered to the detriment of the patient. A cybercriminal needs just one foothold to compromise a myriad of valuable information.
Infusion pumps, including insulin pumps, reportedly account for over half of the connected medical devices in use. Remote infusion pumps have decreased treatment costs and improved patient care, but the wireless interface that makes remote control possible also exposes them to attack. Smart pens, wireless vital monitors, thermometer sensors, security cameras, and implantable cardiac devices are all IoT devices that can be compromised. An attacker who can reach an implanted cardiac device such as a pacemaker over its wireless link could drain its battery or alter its therapy, with potentially fatal results.
While no patient harm from an attack on these devices has been publicly confirmed, researchers have repeatedly demonstrated such attacks in the lab, and the National Cybersecurity Center of Excellence (NCCoE) is taking steps to pre-emptively protect patient information and remote patient devices. Because the healthcare sector is largely run by privately owned enterprises, it’s important to establish coordinated governance, risk, and compliance expectations between public and private bodies.
The NCCoE has released a draft of the NIST Cybersecurity Practice Guide SP 1800-30, Securing Telehealth Remote Patient Monitoring Ecosystem. This guide will serve to strengthen the infrastructure that handles patient data and protects patient safety when remote devices, telehealth services, and cloud technologies are used. When the draft is finalized, IT/security teams will have an applicable, healthcare-focused guide mapped to the NIST Cybersecurity Framework that addresses risk analysis for remote patient monitoring (RPM) systems, improves medical device protection, and provides practical guidance for implementing a stronger cybersecurity program.
When a hospital is brought down by a ransomware or malware attack, the consequences are unlike those in any other critical sector. In 2020, there were 239.4 million attempted attacks on healthcare companies, and 560 providers fell victim to them.
During a ransomware attack, medical systems and patient files become inaccessible until the ransom is paid or systems are rebuilt from backups. In the meantime, hospital operations slow to a crawl as clinicians fall back to pen and paper, procedures are delayed, and ambulances may be diverted. Financial information, test results, and patient charts are in the attacker’s hands, and because ransomware crews now routinely exfiltrate data before encrypting it, that data may be leaked even if the ransom is paid. Worse, dosages, allergies, and patient notes risk being altered or wiped.
HIPAA and its stronger cousin, the HITECH Act, both protect sensitive patient information and hold healthcare organizations accountable for misuse of data and for security breaches. HITECH pushes organizations to adopt health information technology, adds breach-notification requirements and stiffer penalties, and grants consumers access to their information and insight into how it is used. But the HIPAA Security Rule is deliberately technology-neutral: it requires administrative, physical, and technical safeguards without prescribing specific controls or a standardized compliance baseline. Even with the 21st Century Cures Act Final Rule, which gives patients transparency into how their electronic health information is shared and bars information blocking, these regulations do not protect against malware or promote sector-wide incident management practices.
Along with stronger industry standards, healthcare providers and staff need grounding in basic risk management and healthy cybersecurity practices. Phishing emails, malicious links, and malvertising are among the most common ways ransomware gains access to a healthcare system, alongside exposed remote access services. Investing in integrated risk management software like CyberStrong gives companies real-time risk assessments that reduce human error and help security teams maintain continuous compliance within a risk-aware enterprise.
The healthcare sector has a reputation for running outdated technology, and for running it for a very long time. Granted, healthcare providers deal with many high-stakes situations and rarely have time to reassess their security posture. New technology disrupts the clinical workflow, and learning new software is next to impossible to fit into a clinician’s schedule. Despite this reticence to change, the industry has undergone a huge shift to cloud technology.
COVID-19 allowed no time or space to absorb the change as health systems scrambled to find solutions to the ever-changing circumstances of the pandemic. According to Verizon, 88% of healthcare companies have increased their reliance on cloud software for data storage, and 85% of companies said that within the next five years mobile will be the primary way of accessing cloud-based services.
With greater demand for telehealth services, migrating to cloud software makes healthcare a more readily accessible and shareable service. On-demand availability has kept patients connected to their healthcare providers. It also means that companies must implement ways of managing and protecting the massive flow of data. If an attacker gains access to a healthcare company’s cloud environment, the interconnectivity that makes it valuable becomes the attacker’s advantage.
Cloud technology has been a key asset for data storage and service provision, but it is still relatively new to the sector. The services evolve quickly, which makes it challenging for security teams to keep up. It is already difficult to monitor for compliance, and companies may have to repeatedly restructure their cybersecurity programs to maintain it. Healthcare providers need to invest in their security teams to adequately manage cybersecurity risks and oversee the cloud transition. Leveraging third-party automation software improves the ability to meet compliance requirements.
Patients are tired of being blindsided by the healthcare industry. They demand more accessibility and transparency. The 2021 Consolidated Appropriations Act (CAA), which includes the No Surprises Act (NSA), does even more to protect patients from surprise bills and the mishandling of information.
The NSA establishes new rules for billing patients when the provider is outside their payer’s network. Out-of-network providers cannot bill enrollees above in-network cost-sharing amounts for emergency services and for many non-emergency services at in-network facilities. With two-thirds of filed bankruptcies tied to medical expenses, the CAA delivers what consumers have been demanding from the healthcare sector.
Not only will consumers gain visibility into a provider’s previous rates; so will competitors, partners, and industry newcomers. Transparency also brings new data feeds, price-estimation tools, and integrations, each of which widens the attack surface, and with the deadline approaching the industry is still confronting those risks. These new controls should be built on top of existing NIST Cybersecurity Framework and HIPAA compliance programs rather than bolted on beside them. The NSA sets a federal floor: state surprise-billing laws that provide at least equivalent protections continue to apply, while weaker organizational billing policies must be brought up to the federal standard. The deadline to meet the compliance requirements is soon.
Providers only have until January 1, 2022, to bring their billing practices and price-estimation tools into compliance, and to make sure the systems that support them are secured.
If you assume that your tools and security solutions already satisfy the new measures, you risk losing the time you need to build or buy the IT services and compliance infrastructure. Current price-estimation tools are most likely non-compliant, and the organization will need to re-evaluate all of its transparency policies. This will not be a one-time change: price-estimation tools and transparency policies will need to keep pace with regulation changes.
Cybersecurity is not a priority for most healthcare providers. Given their time and resource constraints, understanding the complexities of cybersecurity governance is not their forte. The healthcare industry will not be returning to what it was prior to the pandemic. Sector priorities need to shift toward strengthening virtual care services, like RPM and smart devices, and coordinating clinical communication and information.
There are many steps IT/security teams, executive leaders, and healthcare staff can take together to improve overall cybersecurity management. Working together, including collaboration between CISOs and board executives, provides the best outcome for improving a company’s risk and compliance management program.
To keep threats from becoming incidents, companies need to reach a higher level of maturity. A mature organization is better equipped to manage cyber threats and is proactive in mitigating weaknesses. Furthering security maturity starts with a new mindset: financial risk, operational risk, and digital risk need to be addressed together within a holistic security strategy. Continual re-assessment and an improved view of risk help companies stay ahead of cyber incidents, and automation significantly decreases the time and resources spent on reporting.
Since technology and the malware that targets it are constantly shifting, a flexible IT strategy allows for experimentation as the playing field continues to transform. Legacy GRC solutions don’t facilitate growth or promote forward thinking across the company. As leadership begins to factor risk into its long-term business strategy, a risk-aware and risk-engaged culture in the enterprise supports the overall health of the cybersecurity program.
An entire culture shift will take time, and it might take even longer in the healthcare industry, but the effort will eventually protect organizations from the everyday mistakes that let malware in. Hospital systems store enormous amounts of information that must be accessed by many people in many places. Good cyber hygiene practices like multi-factor authentication, device and data encryption, segmenting medical devices from the general network, and educating staff on phishing and malware tactics will help IT teams better manage the security infrastructure and protect the data flow.
The pandemic was an unfortunate but necessary catalyst for digital transformation in a sector that was lagging. The healthcare sector was forced to reckon with many vulnerabilities. Ransomware and malware operators will keep targeting the industry because hospital systems have money and valuable information on hand. But that does not mean companies must fall victim to them.
With the shift to cloud technology and IoT devices and the introduction of the NSA, there are many risks to confront. The healthcare sector is one of the most important parts of our critical infrastructure, and such an impactful industry needs the means and guidelines to ensure its cyber protection. A holistic security strategy that emphasizes integrated risk management (IRM) solutions, CISO and CEO collaboration, and automation will help companies stay proactive instead of reactive to risk.
To learn more about the effects Cyber/IT risk committees have on the functioning of an enterprise, check out our webinar. To learn how CyberStrong can help mature your security strategy and automate risk assessments, contact us.