Cybersecurity risks and threats to the healthcare industry, and the breaches affecting this sector, have been making mainstream news. Ransomware, internet of things (IoT) exploits and the latest patient data breaches appear in headlines that underline the growing risk to the healthcare sector.
Healthcare organizations collect and store large amounts of patient data and, according to X-Force research, medical records are worth significantly more on the black market than financial records or other personally identifiable information (PII) because of the wealth of information they contain. Other threats to healthcare data are ransomware, cyber extortion and even nation-state attacks. During the 2017 WannaCry attacks, a major U.K. healthcare provider suffered extended downtime, forcing it to reroute patients to other facilities and inevitably delaying the care they required; doctors and nurses were forced to cancel around 19,000 appointments.
Moreover, the proliferation of connected medical devices such as pacemakers, insulin pumps and implanted sensors is opening up the healthcare sector to even more threats and an expanded attack surface to reckon with.
These factors raise the question of whether providing effective cybersecurity for the healthcare sector is an information technology (IT) problem to solve or a wider-scope issue that touches on secure operations, timely care and overall business continuity.
Short answer: It’s both.
The risks to healthcare systems and the data they manage, and the risks to patients whose care depends on those systems running smoothly, should be viewed from both perspectives to encompass the security needs of today’s complex healthcare infrastructure. A myopic view of the matter will not address the full scope of the challenge and can limit the positive changes that could help the healthcare sector bolster security in the face of growing threats.
A Lucrative Target
According to the Ponemon Institute’s “2018 Cost of a Data Breach Study,” sponsored by IBM, heavily regulated industries such as healthcare and financial services have per capita data breach costs substantially higher than the overall mean. This is largely because of the many ways cybercriminals can attempt to monetize these types of records.
For protected health information (PHI), the comprehensive file kept on each patient can be used by criminals for identity theft, financial fraud and even medical insurance fraud, in which someone else undergoes treatment under a fake identity and has it billed to the compromised record’s owner.
The study also found that healthcare organizations had the second-longest time to identify a data breach, with a mean time to identify (MTTI) of 255 days, and the longest mean time to contain (MTTC), at 103 days.
Given the likely severity of a data breach affecting a healthcare provider, it is of utmost importance that the teams tasked with securing the organization, including chief information security officers (CISOs), IT staff, administrative personnel and medical providers, work in lockstep to secure critical assets and sensitive data. That way, if an incident does affect the organization, working together can speed up identification and containment and possibly shorten the recovery that follows.
Not Only Data
The 2018 Ponemon Cost of a Data Breach Study also found that data breaches can cost healthcare organizations upward of $408 per record lost. But lost data is not the only issue healthcare providers face. Consider WannaCry. That attack did not steal any data, yet it extensively disrupted operations and cost a U.K. provider more than 92 million pounds ($119.8 million), drawing criticism from government officials.
Ransomware has become a way for cybercriminals to prey on organizations that provide critical services to society, such as healthcare. Are we ready for the possibility of a debilitating attack? The “2019 Ponemon Institute Study on the Cyber Resilient Organization,” sponsored by IBM, found that over 50 percent of organizations surveyed either have no set period for reviewing and updating their incident response plan (IRP) or have not reviewed the plan since it was created. It is within this context that IT staff must create, and regularly drill, incident response and disaster recovery plans ahead of a potential attack to minimize the impact on data and ongoing operations.
To protect data, system backups must be validated and checked periodically, kept offline so they are unreachable from the production network, and still be quickly retrievable in the event of a ransomware attack that locks staff out of care terminals and patient medical records. A backup that has never been test-restored and compared against a known-good reference cannot be relied on.
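The following is an added example, not code from the original article or from IBM, of what "periodically validated" means in practice: a test restore of a backup archive compared file by file against a hash manifest written at backup time and kept with the offline copy. The archive format (tar.gz), the JSON manifest layout and the sample "patient record" files are all assumptions constructed for the demonstration; the second half simulates a backup whose contents were overwritten after the manifest was taken, which is the case a ransomware-era restore test has to catch.

```python
"""Added example (not from the original article): offline validation of a
system backup by test-restoring it and checking every file against a
SHA-256 manifest written when the backup was taken.

Assumptions (hypothetical, for illustration): backups are tar.gz archives
plus a JSON manifest stored on the same offline media. A backup validates
only if the restore completes, every manifest entry restores with the
expected hash, and nothing unexpected appears. The sample record files
below are constructed dummies, not real patient data.
"""
import hashlib
import json
import os
import tarfile
import tempfile
from pathlib import Path

CHUNK = 1 << 16


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large archives need not fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(src: Path, archive: Path, manifest: Path) -> dict:
    """Write src as a tar.gz archive plus a JSON manifest of per-file hashes."""
    man = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in man:
            tar.add(src / rel, arcname=rel)
    manifest.write_text(json.dumps(man, indent=2, sort_keys=True))
    return man


def verify_backup(archive: Path, manifest: Path, restore_dir: Path) -> list:
    """Test-restore the archive and compare it against the trusted manifest.

    Returns a list of problem strings; an empty list means the backup validated.
    """
    try:
        expected = json.loads(manifest.read_text())
    except (OSError, ValueError) as exc:
        return [f"manifest unreadable: {exc}"]
    try:
        with tarfile.open(archive, "r:gz") as tar:
            # Refuse path-traversal members before extracting anything.
            for m in tar.getmembers():
                if m.name.startswith("/") or ".." in Path(m.name).parts:
                    return [f"unsafe member path: {m.name}"]
            # Use the hardened 'data' extraction filter where Python provides it.
            opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(restore_dir, **opts)
    except (OSError, tarfile.TarError) as exc:
        return [f"restore failed: {exc}"]
    actual = build_manifest(restore_dir)
    problems = []
    for rel, digest in expected.items():
        if rel not in actual:
            problems.append(f"missing after restore: {rel}")
        elif actual[rel] != digest:
            problems.append(f"hash mismatch: {rel}")
    for rel in actual.keys() - expected.keys():
        problems.append(f"unexpected file in backup: {rel}")
    return problems


def demo() -> dict:
    """Validate a constructed backup, then a copy whose archive was tampered with."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "ehr_export"
        (src / "records").mkdir(parents=True)
        (src / "records" / "patient_0001.json").write_text('{"id": 1, "name": "TEST"}')
        (src / "records" / "patient_0002.json").write_text('{"id": 2, "name": "TEST"}')
        (src / "schema.sql").write_text("CREATE TABLE patients (id INT);")
        archive, manifest = tmp / "ehr.tar.gz", tmp / "ehr.manifest.json"
        create_backup(src, archive, manifest)
        intact = verify_backup(archive, manifest, tmp / "restore_good")

        # Simulate a compromised backup: one record overwritten with junk and a
        # ransom note added, archive rebuilt, original offline manifest unchanged.
        (src / "records" / "patient_0002.json").write_bytes(os.urandom(64))
        (src / "records" / "patient_0002.json.locked").write_bytes(b"PAY US")
        with tarfile.open(archive, "w:gz") as tar:
            for p in sorted(src.rglob("*")):
                if p.is_file():
                    tar.add(p, arcname=p.relative_to(src).as_posix())
        tampered = verify_backup(archive, manifest, tmp / "restore_bad")
        return {"intact": intact, "tampered": sorted(tampered)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest is the trusted reference, so it must be stored where the backup job cannot overwrite it later (with the offline media, or on a separate system); a manifest regenerated from the archive at verification time would only prove the archive agrees with itself.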
Being unable to access an electronic health record (EHR) or electronic medical record (EMR) system for an extended period may have catastrophic consequences for patient treatment. Care for existing patients could be greatly hindered, and new patients may have to be diverted to other hospitals for emergency treatment. Redirecting a high volume of new patients can cause capacity problems at those hospitals, so an attack on one hospital indirectly affects others.
To protect critical systems and medical devices, healthcare providers should demand security from their equipment vendors. For devices already deployed, organizations can build a penetration testing program to find and address security gaps in hardware and software that attackers could exploit.
Those getting on a path to better secure their organization’s infrastructure can look to the guidance the FDA provides for mitigating cybersecurity risks in medical devices.
A Collaborative Approach
Cybersecurity is in the news often enough that its importance is recognized, but not everyone in the organization understands how it relates to them specifically, to their day-to-day responsibilities or to their top business priorities.
Many departments in a hospital, for example, may prioritize treating patients, billing for care or fixing general IT issues without focusing on IT security. But as the number of attacks on healthcare organizations rises, it is imperative to draw a clear link between cybersecurity, data protection and secure operations so that all parties are synchronized and aligned on the overall business objectives: serving patients, protecting their data and maintaining optimal operations.
A collaborative culture of cybersecurity awareness and diligence is essential to protecting the organization from cyberattacks and must cascade from the top down. Working together is also more conducive to funding security projects, building security awareness and addressing compliance with the Health Insurance Portability and Accountability Act (HIPAA).
Looking Ahead to Better Security
Cybersecurity was not historically a core component of hospital IT, a department that was always tasked with enabling operations rather than foreseeing a data breach on the horizon. But the attack surface expands year over year, and hospitals and healthcare providers are prime targets for attackers as medical care expands treatment capabilities made possible by connected devices.
In today’s threat landscape, and considering the top risks that affect the healthcare sector, data security and business continuity are interconnected challenges and must be viewed as such by all stakeholders to move in the direction of enhanced resilience.
The following tips from our team can help craft a path forward:
- Healthcare organizations should make it a priority to have cybersecurity professionals on staff, establish security governance, and ensure both C-suite support and board involvement in understanding risks and security posture.
- Build a security program that relies on official frameworks, such as the NIST framework for health information technology.
- Enable collaboration between security and IT management to implement effective controls and incident response plans that can reduce the impact of attacks aimed at the organization’s data or its business continuity. Organizations with smaller budgets could benefit from a managed incident response service.
- Procurement processes should be modified with requirements for new equipment purchases to include specifications for a secured platform to help protect data and reduce risk.
- Examine existing systems and medical devices and plan for vulnerability assessment, penetration testing and other tests such as red team projects according to the organization’s security maturity state.
- Consult the Food and Drug Administration’s (FDA) 2016 guidance on postmarket management of cybersecurity in medical devices for security recommendations.
- Review the organization’s insurance policies to adapt coverage to the possibility of a cyberattack.
- Consider engaging with regional or national information-sharing organizations, threat intelligence sharing platforms and relevant content to keep up to date about threats.
Associate Partner, IBM Cybersecurity and Biometrics Global Business Services
Principal Consultant, X-Force Cyber Crisis Management, IBM