November 03, 2023
There was a time when hospitals did not have to worry about securing electronic medical records and connected devices, and when protecting patient privacy was far more likely to involve locking filing cabinets than locking down computers. That time has long since passed.
Today, the realities of cybersecurity and regulatory compliance requirements call for a security leader who can provide a focused, comprehensive approach to protecting sensitive information and systems. Healthcare CISOs also face a world where disruptive cyberattacks do more than threaten the bottom line—they can impair the organization's ability to deliver services and treatment to the public. This pressure has translated into a growing awareness that today's healthcare CISOs need to shift their focus from cybersecurity alone to cyber resilience.
According to IBM’s Cost of a Data Breach 2023 report, the average price tag for a data breach in the healthcare industry is $10.93 million, more than double the average global cost of $4.45 million for data breaches overall. It is also significantly more than the price tag of healthcare data breaches noted in last year’s report, which put the average cost at $10.1 million. Inside these numbers is money associated with detection and escalation activities, notification, post-breach response, and lost business.
As those costs rise, many healthcare organizations face the challenge of recruiting and retaining cybersecurity experts. In the 2022 HIMSS Healthcare Cybersecurity Survey, about 61 percent of security professionals cited a lack of cybersecurity staff as an impediment to achieving more robust cybersecurity. Unsurprisingly, attackers do not seem to be taking days off. Ransomware and phishing attacks remain common threats, testing email and malware defenses daily at organizations around the world.
Complicating matters further is the extensive environment organizations need to protect. In the average hospital, there can be more than a dozen connected devices per patient bed. These machines can include everything from patient monitors to infusion pumps and perform vital functions, yet many are running on outdated operating system versions vulnerable to attacks.
According to a survey of healthcare experts in The Insecurity of Connected Devices in Healthcare 2022 report from Ponemon Institute and security vendor Cynerio, a lack of visibility into Internet of Things (IoT) networks, zero-day vulnerabilities, and phishing were selected by respondents as the top three threats to medical IoT and other connected devices. The survey also asked respondents to rate the security risk created by IoT and Internet of Medical Things (IoMT) devices on a 1-10 scale, and 71% categorized it as high or very high (7 or higher). However, only 21% described their IoT/IoMT security activities as “mature.”
Traditional endpoints such as tablets and laptops still need to be protected as well, and data stolen from them can end up for sale on the dark web. Each of these devices is likely to hold protected health information, which makes tracking them and keeping an accurate inventory a critical security and compliance function. Without continuous endpoint visibility and control, organizations cannot validate data protection or prove adherence to compliance standards such as HIPAA.
But not all cyber threats come directly to your doorstep. Cybersecurity strategy has to account for an ecosystem of contractors and service providers that may also have access to protected health information. For example, Performance Health Technology (PH TECH), which provides services to many Oregon Health Plan coordinated care organizations (CCOs), was among the organizations impacted this year by attacks targeting a critical vulnerability in the MOVEit file transfer software. An investigation determined that the threat actor had exploited MOVEit to download PH TECH data files; more than 1.7 million Oregon Health Plan members were reported to be affected. In another incident tied to the MOVEit attacks, Nuance Communications reported a breach involving patient information from several healthcare organizations.
Unlike in most other industries, cyberattacks against the healthcare space can directly impact the safety and welfare of others. Consider a survey of IT and security professionals at healthcare organizations conducted by Ponemon Institute and Proofpoint: on average, two-thirds of the organizations hit by ransomware, supply chain attacks, cloud compromise, or business email compromise (BEC) reported disruptions to patient care, ranging from an increase in complications from medical procedures to delays in testing.
A real-world example can be found in the cyberattack earlier this year against Prospect Medical Holdings (PMH), which operates hospitals, clinics, and outpatient facilities in multiple states. The fallout reportedly led to some elective surgeries, blood drives, outpatient appointments, and other services being put on hold.
Incidents like this have led to a growing awareness of the importance of cyber resilience. Business continuity is not a separate consideration: for CISOs, it should be part and parcel of security discussions with the board, CIO, and CEO.
A critical aspect of a CISO's job is balancing the organization's business and security needs. An effective CISO is not just an advisor to the CIO but someone who communicates with key stakeholders to ensure they understand which systems and processes are the most critical to delivering services and the most at risk from attackers. The focus should be on business continuity: which security and incident response practices will minimize downtime in the event of an attack and raise the bar attackers must clear to compromise critical systems. These practices include backup and disaster recovery plans as well as controls such as multi-factor authentication for VPN and email access.
Implementing a security framework such as NIST SP 800-53 can help your organization prioritize security initiatives. An effective security strategy should encompass both physical and digital security. With so much protected information at stake, unauthorized physical access to sensitive systems has to be guarded against with the same vigor as access over the network. This aspect of your strategy should also extend to physical control of devices, making sure that lost assets can be recovered and that compliance can be maintained even when a device is not connected to the network. Endpoint security and management technology is key here, as it improves visibility into device inventory and enables devices to be wiped remotely if lost or stolen. If a device's security controls have degraded through software rot or been disabled by malicious activity, solutions that can repair those third-party controls minimize risk and bring devices back into compliance so they can be used safely.
By focusing on cyber resilience, CISOs shift away from focusing just on threat detection and prevention in favor of a broader strategy that includes incident response and recovery and continuous risk assessment. As the new year approaches, thinking holistically about the threat landscape, risk management, and business continuity will allow healthcare CISOs to successfully adapt to any new challenges 2024 will bring.
For more information on how Absolute can help your healthcare organization, click here.