Getting Ready for Q4: Tips to Boost Your Healthcare Data Security Efforts
Although numerous industry sectors have experienced the brunt of cyberattacks, comprising finance, education, and retail, the healthcare sphere remains a prime focus for malevolent hackers, a pattern that is more than a decade strong. Chief among contributing factors, numerous healthcare entities continue to grapple with insufficient investments and adeptness in cybersecurity, with funding predominantly being allocated to medical equipment and operational requisites. Criminal hackers, in their pursuit of facile targets, are drawn to these vulnerabilities. In the context of healthcare data security, where liability risks loom large, the stakes have never been higher.
Why is Healthcare Data Security Important?
The potential breach of Protected Health Information (PHI) encapsulates this risk. It occupies a high echelon of concern, safeguarded by law, and if mishandled, can unravel an organization’s financial stability, ongoing operations, and reputation.
The aspiration to enhance one’s security posture stands paramount. Central to this endeavor is compliance—aligning with both external regulations like HIPAA and internal benchmarks that mirror and specify these regulations. Regulatory adherence is pivotal in sidestepping not only fines but also breaches that could otherwise compromise sensitive information. All breaches of 500+ records appear for 24 months on the OCR Breach Portal, aka “The Wall of Shame,”1 thereby holding negligent parties accountable.
Yet it is counterproductive to bemoan the highly regulated nature of the healthcare industry. Government and administrative bodies manage the handling of PHI so strictly for good reason. First, protecting health-related data is a civil rights issue. Second, HIPAA-covered entities and business associates are cybersecurity powder kegs. Third, the often crisis-ridden environment of hospitals combined with the usual human element exploited by threat actors make for a precarious equation.
Besides, higher regulatory standards for reporting translate to enhanced visibility and more data, which allows us to gain greater insight and to engineer better solutions.
Effective cybersecurity is the antidote to the threat actor virus. As the title of Sen. Mark Warner’s perspicuous Nov ’22 paper maintains, “Cybersecurity is Patient Safety,” which denotes a paradigm shift wherein proactive security measures are considered the “cost of doing business” rather than an add-on afforded only to larger organizations.2
What Are the Latest Trends in Healthcare Cyberattacks?
The surge in cyberattacks over recent years paints a concerning picture of the threat landscape.
In 2020, there were over 600 reported data breaches (of 500+ records) in the US healthcare sector alone, and the pattern continues to remain at elevated levels since the COVID-19 pandemic.3 2021 witnessed 715 such breaches, while 2022 bore testimony to a similarly high number at 707 with 2023 mid-year figures trending upward.4 The year 2022 alone saw the breach of at least 28.5 million medical records, an increase of 35% from the annual total just three years prior (21.1 mil).
Just this year, HCA Healthcare reported a data breach that compromised names, birth dates, contact information, and more of 11 million patients.5 Since data breach tracking began in 2010, this is one of the largest incidents to plague the healthcare industry.
In this context, ransomware attacks have been an increasingly significant concern and one of the most common tactics to gain unwarranted access to patient data.7 According to Sophos’ 2022 report, 66% of healthcare organizations experienced a ransom attack in 2021, a substantial increase from the previous year (34% in 2020).6 As the HIPAA Journal observes, “There were 11 reported healthcare data breaches of more than 1 million records in 2022 and a further 14 data breaches of over 500,000 records. The majority of those breaches were hacking incidents, many of which involved ransomware or attempted extortion.”7
Three main tendencies channel the efforts of today’s threat actors: Phishing, malware, and social engineering. With medical facilities being such desirable targets for cyberattacks, the following trends are applicable to an even further degree.
Phishing: Phishing remains a favored method of initiating breaches. Cyber adversaries employ various nuanced tactics to manipulate unsuspecting targets.
- Business Email Compromise (BEC): Exploiting the guise of a known source, threat actors orchestrate seemingly genuine requests for information, aiming to exploit for financial gain.
- Spear Phishing: This crafty maneuver targets a specific individual or group. An email is ingeniously designed to appear as if it originates from a trusted entity. Whaling, a subset of spear phishing, centers on high-value prey—company executives.
- Vishing: Harnessing electronic voice communication, vishing unscrupulously extracts sensitive data by masquerading as a trusted entity.
- Smishing: Through text messages, smishing deceives victims into divulging sensitive information or believing a fabricated source.
Malware: The arsenal of malicious software harbors various tools of destruction.
- Viruses: Inflict damage by infiltrating computer systems and corrupting data. Viruses propagate by embedding themselves within other files.
- Worms: In contrast to viruses, worms independently spread across systems. These self-replicating entities proliferate within networks without user intervention.
- Ransomware: A malevolent strategy where cybercriminals encrypt an organization’s data, demanding payment for restoration. The stakes are high, and the outcome precarious.
- Spyware: Operating stealthily, spyware harvests and peddles information without consent. Intruding into devices, it enables the unauthorized collection of private data.
Social Engineering: Manipulation remains a potent weapon in cyber criminals’ arsenal.
- Social Media Phishing: Threat actors meticulously mine social media platforms for personal data, then wield this trove to engineer their attacks.
- Watering Hole Attack: Strategic exploitation of websites frequented by specific user groups, such as an intranet, provides fertile ground for threat actors to launch their onslaughts.
- USB Baiting: Ingeniously deploying malware-infested USB sticks, cyber adversaries lay their traps to deceive unwitting employees into introducing the malware into their networks.
- Physical Social Engineering: By adopting the guises of employees, customers, or vendors, threat actors exploit human trust to gain unauthorized access to physical locations.
Importantly, the key trends in terms of statistical significance and potential payout exhibit three distinguishing features: First, they are related to variations on the phishing theme; second, they seek to extract ransom payment from targeted facilities; and third, they can strike organizations both large and small. Nevertheless, it is useful to consider the broad spectrum of possible breach methods.
Another emerging kind of cyberattack and an outlier to the three categories is represented in DDoS or Distributed Denial of Services attacks. By flooding IT systems with a surge of artificial requests, a DDoS assault incapacitates a host, depleting its resources and rendering it inoperable. The resulting paralysis halts service delivery and weakens the attacked party’s negotiating power in ransom bids. The overall effectiveness of this method has yet to be determined, as it has not seen wide use, with it being deployed mostly in the EU for geopolitical hacktivist purposes.8
The complex interplay of these patterns highlights the ever-evolving nature of cybersecurity challenges, necessitating steadfast vigilance and proactive measures.
How Can Healthcare Organizations Educate Their Staff?
Educating staff members in healthcare organizations about cybersecurity is crucial to creating a strong defense against cyber threats. Here are effective strategies to educate and train healthcare staff in cybersecurity:
- Security Policies and Guidelines: Once an organization’s security objectives are crystallized, the next step is to craft comprehensive security policies and guidelines. These vital tenets should be meticulously compiled within an Operations Manual, easily accessible to every team member.
- Emphasis on Secure Passwords: A bedrock of cybersecurity training, safe password practices can hardly be overstated. It is imperative for organizations to draw up clear guidelines on the characteristics of secure passwords, expected frequency of change, and sound storage habits.
- Real-World Scenarios: Unveiling the nuances of social engineering through engaging methodologies like Awareness Training, Collaborative Workshops, Interactive e-Learning, and Role-Based Training aids in grounding the lessons in real-world applicability. Simulated Phishing Exercises provide hands-on exposure to these scenarios.
- Timely Insights: Empowerment is fortified by regular circulation of Topical Newsletters or Alerts—a ripple of information that reinforces policies and procedures. Consistent reminders play a pivotal role in maintaining vigilance and ensuring alignment with emerging trends.
- Champions of Cybersecurity: Designating motivated and integrous individuals as Cybersecurity Champions yields a proactive approach. These advocates uphold the mantle of cybersecurity awareness, endorsing adherence to internal protocols and external regulatory frameworks.
- Metrics and Assessment: For an interactive twist, consider gamifying the training journey by involving all stakeholders in the data-tracking process. This transforms education into a collective endeavor, promoting engagement and accountability.
Fostering a culture of cybersecurity consciousness and collective responsibility is key to strengthening one’s security posture. This approach empowers team members, equipping them to make astute, well-informed decisions.
What Steps Can Healthcare Organizations Take in Q4 for Immediate Improvement?
In the closing quarter of 2023, healthcare establishments can bolster their cybersecurity defenses, making significant strides against potential cyber threats with minimal time and resources invested. Presented below are tangible and effective measures that healthcare organizations may consider and promptly execute:
- Build a Competent Team: If your organization lacks a dedicated security team, establish one comprising individuals with high competence, skills, and integrity. Collaborative efforts are essential to devise solutions, meet specific objectives, and execute tasks necessary to enhance your security posture.
- Set Clear and Concise Objectives: Define both immediate and long-term goals for your security team. Harness agile methodologies such as OKRs (Objectives and Key Results) to establish and monitor goals more frequently. Examples goals may include reducing attack surface, minimizing risks, reinforcing IT infrastructure, prioritizing root causes, and amplifying security posture. These objectives form the bedrock for shaping short-term projects and enduring initiatives.
- Leverage Available Resources: Explore the wealth of cybersecurity resources available. Familiarize yourself and your team with the 8 CISSP security domains, providing the foundation of modern cybersecurity. Allocate team members to each or several domains to ensure comprehensive coverage. These domains facilitate a well-rounded approach to strategy and tool utilization. In addition, acquaint yourself with risk management frameworks like those developed by NIST to systematically plan threat responses based on industry standards.
- Conduct Thorough Risk Assessments: Leverage the domains and frameworks elucidated earlier to orchestrate an impartial assessment of your IT environment. Methodically unearth threats, risks, and vulnerabilities impacting both digital and physical assets. Precision is paramount—narrow your assessment’s scope, objectives, solutions, and frequency to yield actionable results. Utilize these insights to craft tangible plans addressing these vulnerabilities, encapsulating risk identification, evaluation, and mitigation.
- Create and Maintain an Operations Manual: Develop a comprehensive Operations Manual as a formal guide for team members. This playbook should outline policies and procedures for various security scenarios, such as incidents, potential threats, and breaches. Consider creating two versions—one for your security team and another for non-security staff to empower them with the right actions during suspected security incidents. Incident response plans together with the next two points serve as direct proactive measures to counteract ransom attacks and are top strategies reported by healthcare facilities affected by data breaches.9
- Enlist the Aid of Cybersecurity Insurance: Cybersecurity insurance stands as a vital shield for healthcare entities. In Sophos’ 2023 report, medical facilities with broad insurance coverage including cyber were less likely to pay ransom compared to others (34% vs. 53%).10 In a digital landscape fraught with risks, this coverage provides a financial buffer against data breaches and cyber incidents. Cyber insurance offers reassurance and financial resilience, reinforcing the imperative for healthcare organizations to fortify their defenses in case of unforeseen cyber threats.
- Employ Backups and Patch Management: Robust backups and diligent patch management are paramount. Backups represent a vital data loss prevention measure, offering a restorative lifeline in the wake of breaches. Patch management plugs vulnerabilities, shielding systems from exploitation. Both practices exemplify proactive defense, bolstering resilience and ensuring operational continuity within the healthcare sector’s intricate digital landscape. Increased measures beget improved outcomes. According to Sophos, the presence of both data backups and cyber insurance appear to correlate negatively to the propensity to pay ransom,11 offering at once a note of encouragement and a concrete path of action to those wishing to strengthen their security posture against would-be ransom attackers.
- Audit User Permissions and Access Controls: Regularly subject user permissions to meticulous scrutiny, ensuring alignment with appropriate access levels within systems. Advocate the principle of least privilege, bestowing users with the bare minimum access essential for task execution. This prudent approach curbs misconfigurations and prevents unnecessary access—a formidable wellspring of security vulnerabilities, which ranks as #5 on OWASP’s Top 10 Web Application Security Risks. Strengthen defenses by incorporating Two-Factor Authentication (2FA) for an additional stratum of security. This straightforward measure introduces an extra layer of protection at a minimal investment. Capitalize on firewalls, intrusion detection systems, and other mechanisms, reinforcing defenses against unauthorized incursions. “Broken Access Controls” claim the top spot on OWASP’s Top 10 list of security concerns.
- Initiate Employee Training: Recognize that team members are both assets and potential liabilities. As mentioned in the points above, empower your employees through regular training sessions on secure passwords, phishing attack identification, best practices for online behavior, and shared responsibility in safeguarding against security breaches.
- Review Third-Party Practices: Apart from internal audits, assess the practices of third-party vendors against regulatory standards like HIPAA compliance, federal directives, and local statutes. The HIPAA Journal presents a striking statistic to the effect that “In 2022, … there were 394 reported data breaches where business associates were involved – That’s a 337% increase since 2018.”12 As such, navigating third-party risk is a foremost challenge for healthcare organizations in 2023. Ensure alignment between your organization’s and vendors’ standards through meticulous research and transparent communication.
Your Data is Safe with YES
Are you considering partnering with an external consulting firm for your HIM needs?
Our team prioritizes HIPAA compliance and implements robust security measures throughout our operations. With our thorough security protocols and continuous education, you can trust that your healthcare organization’s sensitive information is in the hands of skilled professionals dedicated to confidentiality.