The healthcare industry is one of the biggest targets of cybersecurity attacks, both domestically and internationally. With the amount of private data that these organizations have, including protected health information (PHI), healthcare organizations should learn from previous attacks and/or mistakes and remain diligent to combat threats or quickly respond to identified incidents.
As 2020 gets underway, there are a few key items to keep in mind, including what type of threats we can expect to see and some of the controls that should be considered to help keep your organization off the front page of the newspaper, or off the ‘wall of shame,’ the nickname given to the Department of Health and Human Services (HHS) Breach Portal. There are currently 585 reported breaches listed on the Breach Portal which are under investigation by the Office for Civil Rights for unauthorized access/disclosures, hacking and IT incidents, and loss or theft of equipment or paper documents.
Ransomware continues to be a major threat, and many ransomware attacks begin with social engineering scams (i.e., phishing). These attacks will continue to become more sophisticated and could target specific systems or medical devices. A study by Health Services Research found that cyberattacks in healthcare no longer affect only an individual’s privacy; they have also been shown to negatively impact patient health after a breach, with breach remediation efforts associated with deterioration in the timeliness of care and in patient outcomes.
In a recent article from industry expert Brian Krebs on his KrebsOnSecurity website, we learn that a study he references found that “Hospitals that have been hit by a data breach or ransomware attack can expect to see an increase in the death rate among heart patients in the following months or years because of cybersecurity remediation efforts. Health industry experts say the findings should prompt a larger review of how security – or lack thereof – may be impacting patient outcomes.” The post goes on to say that “Researchers at Vanderbilt University’s Owen Graduate School of Management took the HHS list of healthcare data breaches and used it to drill down on data about patient mortality rates at more than 3,000 Medicare-certified hospitals, about 10 percent of which had experienced a data breach. As PBS noted in its coverage of the Vanderbilt study, after data breaches as many as 36 additional deaths per 10,000 heart attacks occurred annually at the hundreds of hospitals examined. The researchers found that for care centers that experienced a breach, it took an additional 2.7 minutes for suspected heart attack patients to receive an electrocardiogram.”
Similarly, while medical devices used in patient care are extremely helpful, they are another point of vulnerability and a possible target for threats. For example, FoxPointe Solutions’ consultants recently learned that vulnerabilities were found in certain GE Healthcare devices. An article from healthcareinfosecurity.com noted that, “The affected products collect and display data, including patients' physiological status - such as temperature, heartbeat, blood pressure - as well as patient demographic or other nonmedical information, the Food and Drug Administration (FDA) notes. The FDA notes that GE Healthcare will be issuing patches to address the vulnerabilities. The company says the vulnerabilities, if exploited, ‘could possibly result in a loss of monitoring and/or loss of alarms during active patient monitoring. The vulnerability and related risk of exploitation is higher if the [affected] networks are improperly configured.’” It should be noted that no incidents resulting from these vulnerabilities have been reported during patient care.
The Internet of Things (IoT) and the Internet of Medical Things (IoMT) must also be better protected, and to do so an organization must first identify all of these endpoints on its network; a device that is not in the inventory cannot be patched, segmented or monitored. Many IoT/IoMT devices are not secure out of the box and end up creating additional attack vectors. Adding to the complexity, these devices frequently run on obsolete platforms that no longer receive updates.
The above are a few examples of why policies and procedures, patching, network segmentation, and training and awareness are key. Other areas requiring focus in 2020 and beyond are third-party relationships, multi-factor authentication, encryption, and risk assessments that identify which controls (physical, administrative, technical, etc.) are present or absent and the likelihood and impact of given events and threats. Healthcare organizations often have overwhelmed staff due to small teams and difficulty finding and retaining experts, which will only make these improvements more of a challenge; even so, they should top the list of projects for 2020 if not yet completed.
That’s why everyone at an organization, especially a healthcare organization, essentially works in the cybersecurity department. The human factor is a major threat in and of itself, and all employees, including the practitioners working with many of these systems and devices, need to be just as alert and prepared as the security and IT teams that support them. Building a layered defense helps provide the tools and data you need to respond more quickly. Even the most mature organizations are not perfect or 100 percent secure, because it is often too expensive to implement and maintain enough people, controls, and tools. Your organization needs to be fully prepared with, and knowledgeable of, an incident response plan, because it is likely that you will eventually be breached, and in healthcare the cost of a breach can be much more than monetary - it can put an individual’s health in jeopardy.
To learn more about how to best prepare your healthcare organization against cybersecurity threats in 2020 and beyond, contact our experts at FoxPointe Solutions today.
FoxPointe Solutions is solely responsible for the content of FoxPointe Solutions-authored information, which is subject to change at any time. Any forward-looking statements are not predictions. FoxPointe Solutions is not responsible for any errors or omissions, or for the results obtained from the use of this information. Questions regarding your legal or compliance position should be addressed through your legal counsel, security advisor and/or your relevant standards authority. Nothing contained herein should be used or relied upon as advice, nor does it constitute a consultant-client relationship.