
5 Strategies to Improve Healthcare Cyber Resiliency

Seasoned security expert and CynergisTek CEO Mac McMillan shares tips on improving healthcare cyber resiliency and safeguarding your organization against a cyberattack.

Cyber resiliency is the armor that healthcare organizations need to defend against cybercriminals. Equipped with the tools to prevent, prepare, and respond, organizations can significantly reduce the risk of becoming a cyberattack victim.

Mac McMillan, CEO of CynergisTek, has over 40 years of experience in security and risk management. McMillan suggests that organizations change the way they approach cybersecurity and focus on strengthening enterprise-wide security through actionable strategies.

“We have to focus on being more resilient,” McMillan emphasized. “Focus on the ability to detect, to respond, and to react in a way that allows us to either avoid to some degree or mitigate what happens when we get hit with a cyberattack.”

McMillan shared five strategies organizations should consider in order to improve healthcare cyber resiliency to prevent future cyberattacks.

It’s not if, but when

“We need to stop thinking that we are ever going to be completely successful at stopping all the attacks and all the threats,” McMillan asserted.

“You are always going to have weaknesses in systems, you are going to have people that make mistakes, and you are going to have very dedicated threat actors with tremendous resources that can come after you.”

In 2020 alone, 560 healthcare providers suffered ransomware attacks. The COVID-19 pandemic has only exacerbated these challenges.

Bad actors saw the chaos that COVID-19 was inflicting upon the healthcare industry and leveraged it as an opportunity to increase attacks while health systems were preoccupied. One report showed a 51 percent increase in healthcare data breaches and leaks in 2020 compared to 2019.

“You're probably going to get that first blow whether you like it or not, and the difference is whether it's a glancing blow or whether it's a sucker punch that puts you out on the floor,” McMillan remarked.

As emboldened cybercriminals and ransomware groups such as Hive, BlackMatter, and OnePercent continue to orchestrate sophisticated attacks, organizations must operate under the assumption that they may be the next target.

After that realization has been made, healthcare organizations can focus on implementing risk management strategies, creating an incident response plan, and ensuring that patient data is safely encrypted.

Invest in technical safeguards

“We need to understand that we're spending billions of dollars on information systems, and we are almost completely reliant on those systems and that data,” McMillan pointed out.

“So why would we ever think that we're not going to have to spend money to protect that investment? We need to start investing in the protection of that asset in a way that's commensurate with the investment that we're making in the asset itself.”

A recent study found that cybersecurity is not a high investment priority for more than 60 percent of hospitals, despite the fact that a data breach can force midsize hospitals to shut down for an average of 10 hours at a rate of $45,700 per hour.

The study also revealed that many hospitals are severely underprepared for a cyberattack, and 64 percent of survey respondents admitted that their hospitals were unprotected against some of the most common vulnerabilities, such as BlueKeep and WannaCry.

McMillan emphasized the importance of using multi-factor authentication within an organization’s network to significantly decrease the likelihood that a hacker can get past the initial login phase and deploy ransomware.

The Cybersecurity and Infrastructure Security Agency (CISA) recommends that organizations maintain offline backups of sensitive data, invest in antivirus software, and employ network segmentation to mitigate the effects of a cyberattack and protect customer and patient data.

There’s nothing convenient about cybersecurity

“We have to realize there's nothing convenient about security,” McMillan continued.

“People like convenience, they don't like their workflow disrupted, and they don't like having to take that extra step.”

As much as organizations and individuals would like to keep their networks and devices secure without too much thought, doing so would only give cybercriminals an easy way in.

Multi-factor authentication may require an individual to take an extra minute to log in, but that minute provides a layer of security that will save time and trouble later.

“Cybersecurity is a constant battle between good and bad. Good has to work harder than bad, because bad only has to find one way to take advantage of you, and good has to find every way to stop them,” McMillan noted.

“But at the end of the day, you end up a lot better off down the road if you make good decisions.”

Do not underestimate third-party risks

An organization’s cybersecurity is only as strong as its weakest link. Any time an organization signs a contract with a third-party entity, it presents potential risks.

“You can do all the diligence in the world in terms of making them fill out questionnaires and asking them for documentation and interviewing their people and getting them to sign documents that say they're following their procedures, and then, lo and behold, they don't follow them. And not only are you impacted, but your customers are impacted as well,” McMillan warned.

Under HIPAA, covered entities are required to enter into a business associate agreement (BAA) with any third-party vendor that performs functions on behalf of the covered entity and has access to protected health information (PHI).

HIPAA requires covered entities to obtain certain assurances from business associates to protect patient PHI and hold businesses accountable for any data breach repercussions.

However, research suggests that current third-party risk management strategies may leave organizations extremely vulnerable to security incidents. A survey of IT and security professionals across a variety of sectors revealed that while over 82 percent of respondents recognized that third-party threats exposed their organizations to risk, only half said that their organizations prioritize those risks.

What’s more, hackers are slowly changing their tactics to adapt to the current threat landscape. Now that large hospitals and health systems are more aware of the likelihood of a cyberattack, cybercriminals are increasingly targeting outpatient facilities and business associates.

In the first half of 2021, business associate breaches accounted for 43 percent of all healthcare data breaches, validating a three-year upward trend.

To truly be prepared for a cyberattack, healthcare organizations must be selective when choosing which third parties to do business with. If organizations fail to scrutinize their business associates’ security practices, it could prove catastrophic for providers and patients.

Until there are industry-wide cybersecurity standards, organizations will be vulnerable

It is extremely difficult to evaluate third-party risk without solidified industry security standards. PHI breaches are regulated by the HIPAA Security Rule, but there is no step-by-step guide to ensuring that healthcare organizations across the nation are adhering to the same security standards.

“This hospital could have this standard, this hospital could have that standard, and all the vendors that work with them could have standards anywhere in between,” McMillan explained.

HIPAA leaves room for improvement when it comes to establishing strict security rules that organizations must comply with.

The National Institute of Standards and Technology (NIST) Cybersecurity Framework, which is considered the gold standard in many industries, is constantly being researched to ensure that it lines up with the current threat landscape. Meanwhile, HIPAA provides loose guidelines that healthcare organizations can interpret freely.

Until there is an industry-wide standard, it will be difficult to ensure compliance and adequate cybersecurity for healthcare organizations and business associates, McMillan stressed.

Cyber resilience is easier said than done, but maintaining strong security strategies and preparing for cyberattacks is the only way to safeguard organizations against the innumerable cyber threats that the industry encounters every day.

“It takes diligence, it takes investment, it takes patience, and it takes putting up with a little bit of inconvenience,” McMillan concluded. “That’s just the nature of the beast.”