Learning from past healthcare breaches to fortify future cybersecurity strategies
In the face of rising cyber threats, the healthcare sector has become a hotbed for cyberattacks. Given the gravity of this situation, we sat down with Shenny Sheth, Deputy CISO at Centura Health, who sheds light on the contributing factors making healthcare organizations vulnerable, the role of legacy IT systems, common network monitoring mistakes, patterns in data breaches, and the financial implications of these attacks.
This conversation also delves into the complexities of partnerships and third-party relationships in influencing a healthcare system’s cyber risk profile.
Given the increase in cyber attacks on healthcare organizations, could you explain some of the most prominent reasons why this sector seems to be such a prime target for cybercriminals?
After nearly two decades of my career leading a cybersecurity office, people, vendors, stakeholders and budgets in public health administration as well as in the private healthcare sector, I find that the industry is particularly vulnerable to cyberattacks. Healthcare organizations have experienced a spike in attacks, often due to inadequate security, the high likelihood of quickly consenting to attackers’ payout demands, and the sheer value of the patient records that they possess.
My observation suggests several contributing elements:
- Decades-old technology combined with less than adequate readiness and planning around cyber emergencies
- The crumbling ecosystem and large volume of network ports and devices used in hospitals make it an art form to stay on top of segmentation, zoning and security
- The workforce isn’t as aware or referent to cyber issues and incidents due to their limited understanding of online and personal cyber risks
- Appetites do not exist to disrupt convenient working solutions with the introduction of new technology that might require staff realignment, or in other words business transformation
- The remote/hybrid work arrangement has stretched the baseline attack surfaces of the organization even wider
- Private identity and patient information is worth a large reward to attackers who are financially motivated.
In your view, how have legacy IT systems contributed to the healthcare sector’s vulnerability to cyber attacks, and why is the modernization of these systems a critical need?
As a flagship healthcare organization, Centura Health thrives on re-imagination, innovation and adoption of cutting-edge medical technology. However, I understand that not every tier and size of organization in the industry has kept pace. Certain integrated health systems, for example, must deal with revenue shortfalls and delay/defer lifecycle upgrades of systems, let alone fully modernize them.
This hints at the rapid rate at which medical technology is becoming outdated; related weaknesses deepen and the sector overall remains highly vulnerable to cyber attacks. It is critically important to proactively rationalize new investments by phasing out end-of-life (EOL) and end-of-service (EOS) platforms. With architecture patterns that promote extensibility via secure Application Programming Interfaces (API) and robust data connectors with careful configuration management, healthcare organizations can modernize mission-critical systems with a high vulnerability/exposure index using the available dollars and people.
Can you elaborate on the common mistakes that healthcare organizations make when monitoring their networks for threats?
I shared earlier that certain members of the workforce may not practice the necessary cyber hygiene rules while others lack knowledge to recognize and mitigate online threats impacting their work environment. Note, people aren’t at fault!
In 2022, I spoke and shared at HITRUST Collaborate that healthcare organizations must fend off “dark forces” with “wizards” from your cyber talent pipeline. Execute training/awareness budgets and find the path to reduce, then remove, the high work-factor, undue stress and unneeded human focus on low-value tasks related to security operations; instead, put teams together to hunt for Indicators of Compromise and Exposure (IoC/IoE) internally. This is a must.
Looking at the most significant healthcare data breaches, what patterns or commonalities emerge that could help organizations prevent future attacks?
As an active member of the FBI/InfraGard, I stay tuned to our Cross-Sector Council communications and the important messaging that is provided by the federal Cybersecurity and Infrastructure Security Agency (CISA). The agency recently highlighted the patterns of bad practices, noting that such practices are “dangerous and significantly elevate risk to national security, national economic security and national public health and safety.”
CISA also noted that each of these practices “is especially egregious in technologies accessible from the Internet”. In light of that learning, healthcare organizations must: (1) embrace plans to shift away from unsupported (or end-of-life) software in service of critical infrastructure and national critical functions (NCF), and (2) move to password-less, multi-factor, multi-device vouching services to deter malicious Initial Access or Remote Code Execution (RCE) and prevent entry into the critical infrastructure and NCF space.
Can you discuss the financial repercussions healthcare organizations face due to data breaches, especially considering the potential fines under GDPR and the costs associated with ransomware attacks?
The GDPR states explicitly that some violations are more severe than others. Fines range from 2% (or up to €10M) to 4% (or up to €20M) of an organization’s worldwide revenue from the preceding financial year, whichever amount is higher. These are just the fines pertinent to the breach of protected data of EU subjects; the costs can mount to several tens of millions where a large healthcare entity has to recover from a breach or theft of large swaths of data following a successful ransomware attack.
How does the partnership with other businesses and vendors affect a healthcare system’s risk profile, and how can healthcare organizations ensure their partners can mitigate cyber threats?
With the growing dependence on third-party supply chain relationships, the occurrence of incidents is forever great; and the estimated direct financial exposure to an incident has grown exponentially. To lawmakers, corporations, and customers, the functions performed by key vendors, business associates, partners, affiliates or technology hosting services are often indistinguishable from those performed by the core business.
Consequently, when cyber gaps are exploited at third parties, healthcare systems face the associated financial, reputational, and regulatory risks. This tremendously alters the organization’s risk profile. Let’s offer an example: exposures created from a business associate’s use, storage, and/or communication of information in a manner that is not adequately protected from accidental or malicious alteration, destruction, and unauthorized access lead to direct cyber impact on the covered entity. A medical device supplier or a pharma manufacturer crippled by a successful cyber attack can fail to supply critical devices, parts, medicine or services due to the inability to adequately manage a disruptive event, resulting in adverse impact.
As Centura Health does, US-based organizations could stave off non-compliance with laws, regulations or ethical standards, including conflict of interest, resulting in censure from regulators, litigation, and/or adverse impacts by adopting a proper compliance framework, such as the HITRUST Common Security Framework (HITRUST CSF), which provides structure for practices, accountabilities and a sufficiently resourced cybersecurity program that serves data confidentiality and privacy obligations.
I, HITRUST, the Health3PT Council and our online resources offer excellent recommendations on how healthcare entities and their third parties can carry out proactive risk assessment, remediate and continuously act to eliminate cyber disasters that can lead to severe financial and reputational harm.