Healthcare organizations face a unique set of compliance circumstances from information security to patient privacy and more. Cybercriminals show no signs of shifting their sights off of the healthcare industry, and that's no surprise as the field has proven to be extremely profitable. As the connected device landscape continually evolves, so too does the cybersecurity threat landscape. Implementing some healthcare cybersecurity best practices can shift your entire IT security mindset from one of compliance to one of prevention and effective response.
Major Healthcare System Incidents
It's not uncommon for executives to have a compliance mindset especially in a field that is as highly regulated as healthcare. Unfortunately, looking at regulatory compliance alone leaves many areas for attackers to exploit with devastating results. Research conducted by the Ponemon Institute showed that 89% of covered entities had a reportable data breach in which sensitive data was lost or compromised.
The healthcare industry is fact-based, and for that reason there's no better way to illustrate the importance of cybersecurity programs and enterprise security posture to stakeholders than by profiling some instances where things went terribly wrong. While the Ponemon research cited above found that the average data breach in 2014-2015 cost around $2.2 million for a healthcare provider and $1 million for a vendor, the following incidents were significantly more expensive.
WannaCry and NotPetya
WannaCry and NotPetya were both cryptoworm cyber attacks that occurred within one month of each other in 2017. They exploited unpatched vulnerabilities in operating systems, and while NotPetya has been attributed to North Korean state actors, there is still an outstanding reward for information on the perpetrators of WannaCry. Even though WannaCry spread for just under 8 hours before a kill switch was activated, it still infected nearly a quarter of a million computers across 150 countries.
These ransomware attacks locked users out of their systems entirely pending payment of a substantial ransom. WannaCry in particular affected numerous healthcare facilities, resulting in delayed patient care, diverted ambulance service, and significant impacts on daily operations.
University of Vermont Health Network Attack
In 2020, the University of Vermont Health Network also suffered a ransomware attack that affected patient care with delayed lab results and canceled procedures and appointments. This attack took down their entire network across the hospital system and resulted in damages in excess of $63 million for response and recovery, and that doesn't even begin to account for the reputational damage they suffered as a result of the incident. Nearly 8 months after the incident, the University of Vermont was still suffering from setbacks and incurring financial losses.
Changing Regulatory Climate
Even regulators have seen that compliance standards are not keeping up with the real-world threats faced by healthcare organizations in the current era. The two major components of the Health Insurance Portability and Accountability Act (HIPAA) are the Security Rule and the Privacy Rule. The Privacy Rule sets limits on what sensitive information can be disclosed and to whom. The Security Rule sets standards of protection for electronic health records.
The United States Department of Health and Human Services has conducted hundreds of thousands of investigations into violations of HIPAA over the last two decades, resulting in fines of over $100 million. It has recently rolled out the Health Industry Cybersecurity Practices, which is a new regulatory standard to strengthen healthcare cybersecurity by focusing on the most common threats facing the industry and some healthcare cybersecurity best practices to combat them.
Taking Healthcare Cybersecurity to the Next Level
With the increasing number of threats facing the industry, making a concerted effort to improve your enterprise's security posture can't wait. From third-party software security risks to vulnerable connected medical devices, the spectrum of potential attack vectors is only getting broader. These healthcare cybersecurity best practices will help harden your posture and give you the best chance to thwart these attacks.
Conduct Meaningful Risk Assessments
We're not talking about compliance audits or running through a checklist annually. You need to objectively assess the risks that you're facing from every aspect of your business. This includes vendors' security procedures, untrained employees, or even weak physical security measures. Risk assessments conducted at regular intervals can end up highlighting the forgotten vulnerability that may have otherwise gone overlooked and resulted in a data breach.
Identify All Sensitive Data
Ideally, this should be a part of the risk assessment we just mentioned, but it's worthy of its own spot on this list. Discovering all forms of sensitive data that your entity possesses, transmits, stores, or creates is the critical first step in securing that data.
Encrypt All Data
Once you have identified that data, your next step is to ensure that it is encrypted at all times: at rest, in transit, offline, and in the cloud. This means that every removable storage device, such as a portable hard drive or flash drive, is encrypted as well, and that all computers use encryption in addition to requiring individual login credentials.
Implement Zero Trust Policies
Zero trust is challenging to fully implement, but making zero trust policies the framework on which you build out your access management procedures will start you ahead of the game. Making sure that no device or user is trusted until it has been verified can make the difference in an attempted data breach.
Deploy Network Segmentation
Network segmentation is an often-overlooked piece of the cybersecurity puzzle, and its absence frequently makes a cyber attack far more damaging to an enterprise than it needed to be. By building out your systems into independently secured networks and challenging users moving between them, you limit the spread of attackers and can prevent them from disrupting the entirety of your operations.
Focus on Connected Devices
Statistically, the average hospital bed in the United States is connected to 15 different medical devices. How many of them have internet connectivity? Are these devices connected to a poorly secured legacy system? Can you even find all of your devices or track when their operating systems need updating? Each of these devices can be a wide-open door for an attacker, and securing them must be a high priority.
Integrate and Modernize Your Cybersecurity Tools
Instead of relying on a single cybersecurity solution, or cobbling together a piecemeal approach from multiple incompatible services and tools, spend the time to research solutions that can be layered and interconnected; the result is far better. Leveraging artificial intelligence and machine learning to rapidly identify security threats, investigate them, and respond is proving to be critical in maintaining business continuity, especially in the healthcare setting.
Set and Enforce Data Retention Policies
Knowing when you can purge sensitive data is just as important as securing it. Patient information is the lifeblood of healthcare organizations, but retaining patient data longer than necessary only increases risk with no verifiable benefit.
At Venture Lynk Risk Management, we are enterprise risk management specialists. From vendor management to intellectual property risk management and even system implementation, we pride ourselves on providing risk management options that are geared to drive business value as well. We specialize in high-risk industries and our team is laser-focused on providing a custom approach to the unique risks facing your enterprise. Schedule your consultation online to see what we can offer for your organization.