Breaking Update October 30, 2020

The FBI, CISA and HHS recently released an advisory regarding an “imminent cybercrime threat to U.S. hospitals and healthcare providers.” Watch the webinar, “Protecting Healthcare Organizations from Recent Malware Attacks,” on demand to learn more about how to respond.


The theme for National Cybersecurity Initiative’s annual Cybersecurity Awareness Month for 2020 is Do Your Part #BeCyberSmart. For the healthcare sector, this means shedding light on the importance of securing data since the emergence of telemedicine, web-connected medical devices and third-party companies in the supply chain. These new business developments are complicating healthcare organizations’ task of securing their patients’ protected health information (PHI).

Knowing the risks and the digital defenses against them is more important than ever in the medical industry, particularly in the case of cybersecurity supply chain risks.

Supply Chain Risks: What’s at Stake?

Medical groups have many reasons to make responding to supply chain risks a key part of their work. If a malicious actor’s supply chain attack succeeded in accessing stored PHI or putting it at risk, an affected group could find itself in breach of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Penalties for breaking HIPAA aren’t cheap.

According to Compliancy Group, organizations could face a monetary penalty ranging between $100 and $50,000 per violation or breached record, with the maximum amount of damages not to exceed $1.5 million per year, per violation. These penalties are so high because of the inherent risks involved with compromised PHI: personal health information often sells for up to three times the price of standard personally identifiable information (PII) on the dark web.

This price partly reflects that people can’t change their health issues like they would a password. Their medical records tend to stay with them, thereby providing digital criminals with a well of knowledge for conducting extortion attacks or other malicious actions.

Supply Chain Cybersecurity Attacks

According to Benzinga, the supply chain market will reach more than $2 billion by 2025 — up from $1.8 billion in 2019.

However, the healthcare supply chain still comes with challenges. Malicious actors could tamper with products at a shipping center before they ever reach healthcare customers, for instance. From the other direction, digital attackers could prey upon openings within a supplier’s network, a mobile healthcare app or a product’s outdated firmware to make their way through the supply chain. From there, they can get access to a healthcare entity and steal its stored PHI.

Are Your Vendors on the Same Page?

Healthcare groups need to work more directly with their vendors to cut down on supply chain risks. They should consider requiring that every vendor, partner and supplier implement security controls to help minimize risks confronting their networks and products. Toward that end, organizations can begin by following the advice of the Healthcare & Public Health Sector Coordinating Councils. First, build an inventory of suppliers. Then, rank these entities based upon their importance to the business and the extent to which a supply chain attack on them could disrupt normal work.

Next, healthcare groups need assurance that third parties are taking adequate measures to defend themselves against supply chain risks. One of the ways they can do this is by mandating that third parties sign a digital conduct contract. This document would require the parties to maintain a minimum baseline along with the healthcare groups.

A Sample Baseline for Suppliers

This baseline could consist of the following provisions:

  • Participating third parties must maintain written security policies. They must refresh these on an annual basis. Fold them into the HR department’s official training packages for all new employees regardless of their intended department.
  • All vendors, suppliers and partners must maintain an evolving asset inventory. This enables them to track new hardware and software along with their owners, locations and configurations. As part of this process, those organizations should be able to provide evidence of a documented change management program. This enables them to respond to instances that might be signs of supply chain risks. For example, they can watch for when approved devices’ configurations move away from a secure baseline.
  • Entities that need to sign a contract must deploy the correct solutions to harden their assets against supply chain risks. Those systems should include trustworthy anti-malware solutions along with a vulnerability scanning tool for detecting known risks. Those entities should also invest in improving the security awareness of their employees using an ongoing education program.
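The second provision above ties an asset inventory to a change management program and to watching for devices drifting away from a secure baseline. The following added example (not code from the original post) shows one way a supplier could implement that check: it compares each inventoried device against a per-class secure baseline, ignores deviations that an approved change ticket covers, and flags devices whose class has no baseline at all. Device classes, settings and inventory records are constructed sample data.

```python
"""Configuration-drift check against a secure baseline, cross-referenced with an
asset inventory and an approved-change log. All data below is constructed."""
from dataclasses import dataclass

# Secure baseline per device class: settings every approved device must keep.
BASELINE = {
    "infusion-pump": {"telnet": "off", "default_creds": "no", "fw_signed": "yes"},
    "workstation": {"disk_encryption": "on", "mfa": "on", "av": "on"},
}


@dataclass
class Asset:
    """One asset inventory record: hardware plus owner, location and configuration."""
    asset_id: str
    device_class: str
    owner: str
    location: str
    config: dict


# Change management output: (asset_id, setting, value) triples that may legitimately
# differ from the baseline because a change ticket was approved for them.
APPROVED_CHANGES = {("WS-002", "av", "off")}  # hypothetical vendor upgrade window

INVENTORY = [
    Asset("PUMP-001", "infusion-pump", "biomed", "ICU-3",
          {"telnet": "off", "default_creds": "no", "fw_signed": "yes"}),
    Asset("PUMP-002", "infusion-pump", "biomed", "ICU-4",
          {"telnet": "on", "default_creds": "no", "fw_signed": "yes"}),
    Asset("WS-001", "workstation", "it", "ER-desk",
          {"disk_encryption": "on", "mfa": "off", "av": "on"}),
    Asset("WS-002", "workstation", "it", "Radiology",
          {"disk_encryption": "on", "mfa": "on", "av": "off"}),
    Asset("CAM-001", "ip-camera", "facilities", "Lobby", {"telnet": "on"}),
]


def find_drift(inventory, baseline, approved):
    """Return (asset_id, setting, observed_value) for every unapproved deviation.
    A device class with no baseline is reported as ("unknown_class", class)."""
    findings = []
    for asset in inventory:
        expected = baseline.get(asset.device_class)
        if expected is None:
            findings.append((asset.asset_id, "unknown_class", asset.device_class))
            continue
        for setting, want in expected.items():
            have = asset.config.get(setting, "<missing>")  # absent setting is drift too
            if have != want and (asset.asset_id, setting, have) not in approved:
                findings.append((asset.asset_id, setting, have))
    return findings


if __name__ == "__main__":
    for finding in find_drift(INVENTORY, BASELINE, APPROVED_CHANGES):
        print(finding)
```

Each finding is something the change management program either has a ticket for or needs to investigate; the unknown-class case is what an incomplete inventory looks like in practice.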

Based upon the strength of those contracts, it’s then up to healthcare teams to score each vendor, supplier and partner. After this, they can decide whether to move forward with each entity. They can then use issue tracking and reporting to make sure that all third parties are addressing the potential supply chain risks identified. The same tracking also confirms that those third parties are practicing due diligence in complying with the minimum baseline outlined in the contract they’ve signed.

Cut Down on Your Supply Chain’s Digital Risks

Healthcare groups can use Cybersecurity Awareness Month 2020 to address some of the digital risks discussed above. For instance, they can tackle the threats posed by telemedicine by first using multi-factor authentication (MFA) to prevent automated digital attacks and account compromises. Build upon this foundation by investing in a dedicated telemedicine platform that comes with its own secure calling software. This foundation should use encryption to securely store patients’ data, educate patients about the security threats associated with telemedicine and use a vulnerability management program to keep any involved VPNs and other software up to date.

At the same time, healthcare groups should look to secure their medical Internet of Things (IoT) devices. A crucial part of this is investing in ongoing security awareness education for IoT across the healthcare organization’s entire workforce. As part of this process, the biomedical engineering team should work together with the IoT security team. Only by breaking down these silos can an organization hope to prioritize IoT vulnerabilities based upon an affected device’s clinical impact, organizational impact, financial impact and regulatory impact. They should also use this teamwork to segment IoT devices onto their own network.

Lastly, healthcare entities can put controls in place for every device and product that they use. For instance, if they use a video conferencing solution for telemedicine or other business purposes, healthcare organizations should use security best practices to address some of the attack vectors introduced by those technologies. Those practices can consist of using internal controls such as waiting rooms and meeting passwords. In addition, they should also encompass more general best practices such as encryption and network segmentation.
