The challenges healthcare CISOs face in an evolving threat landscape
Organizations in the healthcare sector – and especially those engaged in delivering healthcare services – have always been juicy targets for cyber attackers.
But while in the past attackers were mostly after the patients’ personal, health and financial data that these organizations store in order to provide services, the advent of ransomware has dramatically changed the threat landscape they must face.
The current state of affairs
Since the beginning of the COVID-19 pandemic, hospitals and healthcare providers have been overworked and their capabilities stretched to the maximum. This, unfortunately, didn’t deter unscrupulous cyber criminals from attacking them – quite the opposite, in fact.
In 2020, healthcare breaches increased over 50%. Of the 599 healthcare breaches recorded, 403 (67.3%) were caused by hacking and IT incidents.
Attacks that lead to the deployment of ransomware throughout healthcare organizations’ systems and the encryption of critical data are extremely common.
“For many businesses suffering a ransomware attack, the organization weighs the lost revenue versus the cost of the ransom and the likelihood of subsequent attacks. No business leader wants to be in that situation, but it’s a fairly straightforward business decision to make,” Sean Joyce, CTO of Atlanta-based patient payment technology company Patientco, told Help Net Security.
“For healthcare organizations, on the other hand, the calculation on paying the ransom includes patient safety. Even the smallest amount of downtime can lead to patient harm, so healthcare organizations are under extreme pressure to pay the ransom and restore critical systems. Attackers are targeting hospitals because even short disruptions in their IT systems can be catastrophic to the communities they serve.”
This state of affairs is unlikely to change in the immediate future.
Healthcare CISOs and the challenges they face
Joyce also pointed out that a healthcare organization’s IT and security teams are responsible for managing and securing a vast number of disparate third-party systems: the hospital’s core EMR system, but also patient-facing portals, mobile devices, and now connected MRI machines, patient-wearables and surgical robots.
Some of these systems and devices are more susceptible to cyber threats than traditional systems.
Wes Wright, CTO at Imprivata, says that the adoption of mobile devices, shared workstations, and applications that are delivered from on-premise, the cloud, or both has made identity the new perimeter and the new control plane that needs to be managed.
“Instead of solely controlling a network, CISOs need to manage every digital identity across their healthcare organization’s complex ecosystem,” he noted.
All this must be achieved while dealing with shortages of talent and budget, and while attempting to clear a high bar for compliance with often fewer resources than more commercial organizations, says Luke Tenery, a partner with global advisory firm StoneTurn.
Advice for healthcare CISOs and defenders
Healthcare professionals using digital systems and devices should not have to compromise between security and efficiency, says Wright.
“In the past, health IT professionals have been guilty of making people jump through hoops in the name of cybersecurity. However, that mindset has changed, and thanks to new advances in technology, CISOs are able to implement well-designed systems that are easy and fast to access, while having a secure workflow.”
He advises CISOs to adopt a zero-trust architecture to ensure shared mobile devices are verified as secure before they are granted access to resources.
“Checkpoints need to be cleared that authorize and authenticate healthcare professionals at every digital identity event. Multifactor authentication can also be deployed on mobile devices to make them more secure and private, while also allowing for a better workflow. Lastly, password autofill on shared mobile devices is a helpful solution to save time and remove the repetitive task of manually filling out complex passwords.”
Joyce recommends implementing the practice of least privilege access, which limits user access to the minimum data necessary for team members to complete their job function, as well as:
- Conducting regular employee security/phishing training programs
- Establishing a team of security experts alongside a SIEM that monitors real-time system traffic to identify cyber threats early in an attempted attack
- Creating a sound strategy for continuous backups of important data systems
- Replacing legacy self-hosted systems with those built natively in the cloud
Tenery says the following strategies and approaches have been proven effective:
- Modeling threats like ransomware and email compromise in security assessments to ensure weaknesses and controls are hardened
- Proactively monitoring cyber threat and intelligence sources for indicators of possible data exposures or weaknesses
- Building security metrics around the protections and controls that are protecting critical information like PHI
He also echoes previous advice regarding implementing multi-factor authentication across all remotely accessible systems, and recommends actively monitoring computing activity and access control records for anomalies and segregating systems that are vulnerable due to third-party software/hardware requirements.
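To make two of these recommendations concrete, least-privilege access to PHI from Joyce’s list and monitoring of access-control records for anomalies from Tenery’s, here is an added Python example. It is not code from the article or from any of the companies quoted; the role-to-field permission map, the expected working hours, the detection thresholds and the log lines are all constructed for illustration.

```python
"""Added example: least-privilege PHI reads plus anomaly detection over
access-control records. Roles, fields, thresholds and log lines below are
assumptions constructed for illustration, not from the article."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed role-to-permission map: each role may only read the record
# fields it needs for its job function (least privilege).
ROLE_PERMISSIONS = {
    "nurse": {"demographics", "vitals", "medications"},
    "billing": {"demographics", "insurance"},
    "radiologist": {"demographics", "imaging"},
}


def allowed_fields(role, requested):
    """Subset of the requested fields that this role may read."""
    return set(requested) & ROLE_PERMISSIONS.get(role, set())


def read_record(record, role, requested):
    """Return only the permitted fields plus the set that was withheld,
    so the workflow continues and the denial can be logged for audit."""
    granted = allowed_fields(role, requested)
    denied = set(requested) - granted
    return {f: record[f] for f in granted if f in record}, denied


# Constructed access-log lines: timestamp, user, role, patient id, action.
SAMPLE_LOG = """\
2021-08-02T08:01:10 ndoe nurse P1001 read
2021-08-02T08:03:42 ndoe nurse P1002 read
2021-08-02T08:05:00 ndoe nurse P1003 read
2021-08-02T09:30:00 rlee radiologist P1001 read
2021-08-02T02:14:09 bsmith billing P2001 read
2021-08-02T02:14:11 bsmith billing P2002 read
2021-08-02T02:14:13 bsmith billing P2003 read
2021-08-02T02:14:15 bsmith billing P2004 read
2021-08-02T02:14:17 bsmith billing P2005 read
"""


def parse_log(text):
    """Parse the whitespace-separated log format above into dicts."""
    entries = []
    for line in text.strip().splitlines():
        ts, user, role, patient, action = line.split()
        entries.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "role": role, "patient": patient, "action": action})
    return entries


# Assumed detection thresholds: how many distinct patient records one user
# may touch inside a sliding window, and which roles have expected hours.
WINDOW = timedelta(minutes=10)
MAX_DISTINCT_PATIENTS = 4
ROLE_HOURS = {"billing": (7, 19)}   # (start_hour, end_hour), assumed


def detect_anomalies(entries):
    """Return (kind, user, detail) alerts, at most one per kind per user."""
    alerts, flagged = [], set()
    recent = defaultdict(deque)      # user -> (ts, patient) inside WINDOW

    def alert(kind, user, detail):
        if (kind, user) not in flagged:
            flagged.add((kind, user))
            alerts.append((kind, user, detail))

    for e in sorted(entries, key=lambda x: x["ts"]):
        q = recent[e["user"]]
        q.append((e["ts"], e["patient"]))
        while q and e["ts"] - q[0][0] > WINDOW:
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) > MAX_DISTINCT_PATIENTS:
            alert("burst", e["user"], len(distinct))   # record-scraping pattern
        hours = ROLE_HOURS.get(e["role"])
        if hours and not (hours[0] <= e["ts"].hour < hours[1]):
            alert("off_hours", e["user"], e["ts"].isoformat())
    return alerts


if __name__ == "__main__":
    for a in detect_anomalies(parse_log(SAMPLE_LOG)):
        print(a)
    rec = {"demographics": "Jane Doe", "vitals": "BP 120/80", "insurance": "plan X"}
    print(read_record(rec, "nurse", ["vitals", "insurance"]))
```

The burst rule catches the pattern a compromised billing account would show when scraping records, and the off-hours rule gives the SIEM team a second, independent signal on the same account; tuning the window, the threshold and the hours table to real shift patterns is what keeps the alert volume manageable.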
“Healthcare CISOs need to understand that cybersecurity is a patient safety issue. Separating the two does a disservice to both,” Wright adds. “While some of the fallout of a ransomware attack can be ‘solved’ by paying a ransom or spending time recovering stolen files, there are some aspects of a ransomware attack, such as reputational damage and patient security, that cannot be fixed. There’s no possible way to compensate someone for personal and sensitive medical records that are stolen.”
CISOs can translate cybersecurity needs into business outcomes and increased patient safety by using statistics, he adds.
“For example, according to IBM’s recent ‘2021 Cost of a Data Breach Report,’ healthcare data breaches are the most expensive out of any industry at $9.23 million on average, which increased by $2 million from last year. IBM’s report also paints a picture for the correlation between cybersecurity and patient safety, finding that compromised credentials were the top cause of most data breaches. Implementing strategies like zero-trust architecture, multi-factor authentication, and password autofill are all ways to ensure you’re not only letting the correct people in, but you’re keeping the bad guys out. Ultimately, it’s up to the CISO to show value between the cybersecurity tools they use to relate to privacy, financial risk, and patient security.”
Hospitals collect patient liability in many forms – and the best defense against any liabilities that could occur is having a good defense in place before an attack happens, notes Joyce.
“In the event of a security incident due to a data breach or ransomware, a hospital could face regulatory fines or penalties, as well as other financial ramifications, such as the cost of hiring digital forensics and incident response experts to identify and address the breach, staffing a call center to handle inquiries from patients, regulatory defense expenses associated with breaches that result in HIPAA violations, patient support and notification services, and so on. In addition to the cost, there can be reputational damage that deteriorates patient trust in their healthcare provider,” he pointed out.
“A routine evaluation of the system’s security message will go a long way in protecting from any attacks and the consequences that come with them. It’s also important to have a set of protocols in place in case there is a breach so that patients and other parties impacted are notified to take proper precautions.”