What Every Healthcare Organization Should be Doing Now
Healthcare has always intrigued me, not just as a career choice but as a patient. The amount of technology to support the patient experience, improve clinical outcomes, and support value-based care is enormous. While COVID-19 has forced healthcare institutions to pause on many planned initiatives to focus on getting us through this immediate global healthcare crisis, unfortunately, the need to focus on cybersecurity has never been greater.
In healthcare, cybersecurity is far more critical, because an incident is not just about losing or exposing personal information or losing money due to an intermittent shutdown; it can be a matter of life or death. Unplanned downtime can delay critical treatment or leave clinicians uninformed about a patient’s history, which could ultimately determine the outcome of care. An example of this was in September 2020, when a woman in Germany died after having to be diverted from the nearest hospital because it had been shut down due to a ransomware attack.
This criticality of keeping healthcare operations running optimally is also what makes it a prime target for hackers. The more sophisticated the industry gets in its use of technology, the more opportunities arise for hackers to be destructive. In the U.S., for example, the Health and Human Services Office for Civil Rights publicly reports any disclosed breach affecting over 500 patient records. In 2020, reportable breaches exposed the records of more than 20 million patients. The majority of these breaches were the result of hacking of a network server or email. Moreover, data breaches due to attacks on healthcare are expected to triple in 2021.
Unfortunately, the industry is very challenged in keeping pace with the adaptability of today’s cyber criminals. While there is a heightened focus by healthcare executives on investing in cybersecurity, with the healthcare industry expected to spend $18 billion on cybersecurity in 2021, that is not nearly enough, and most security executives in healthcare even admit that much of it is spent to recover after an incident rather than to prevent one.
Healthcare is complicated, but the core best practices for maintaining a secure environment are the same whether you are a small physician practice, a rural community hospital, or a large integrated delivery network.
Make no mistake, even the largest and most well-funded healthcare organizations have gaps in their security program and opportunities for improvement. The key for any organization is to focus on a few high-level priorities no matter where you are in your security journey. Do not try to tackle too much. For some reading this, this concept may sound basic, yet I managed a team that conducted hundreds of assessments per year from across the U.S. health industry, and its most recent annual report of a full year’s worth of assessments representing 278 facilities indicated that “79% scored less than a ‘C’ in terms of conformance with NIST CSF”.
Note: The National Institute of Standards and Technology’s Cybersecurity Framework (NIST CSF) is a standardized security framework for critical infrastructure in the United States and is heavily adopted in the healthcare industry.
In that same report, the category of hospitals and health systems specifically showed a 3-year trend of 50% conformance to NIST CSF. Unfortunately, healthcare organizations are having a hard time keeping up as threats get more sophisticated. So, for this article, I will focus on a few key recommendations that healthcare organizations of any type, size, and complexity can do to evolve their cybersecurity program.
I know you have heard it many times, but when it comes to improving their cybersecurity posture, organizations must focus on the best practice triad of “People, Process, and Technology.”
In healthcare, we rely so heavily on the people who work in the healthcare environment to keep assets and data safe. There are the clinically trained doctors and nurses who deliver direct patient care and have access to patients’ Protected Health Information (PHI) through electronic health records, or the non-clinical staff managing scheduling, registration, and billing who have access to a patient’s financial information, or environmental services staff or porters who may be logging into or have their RFID name tags connected to systems that track room, bed, or equipment availability. We cannot forget the HR department staff who may have access to all of the employees’ personal data that can be very valuable to a hacker. Unfortunately, all of this access makes people the weakest link for any organization.
From a hacker’s perspective, people usually provide the easiest route into an organization. Taking advantage of the high rate of human error through phishing attacks or compromising emails can sometimes create the biggest challenges for a healthcare security team. While it seems basic, security awareness and training are highly impactful and often forgotten or accomplished through a one-time training upon hire or only annually. Security awareness training should be continuous and here are some tips to keep security top of mind:
- Educate your team on what they should be looking for in a phish and extend advice to outside of work. Training your staff on not only how to protect the organization’s assets but also their own security away from the office offers more opportunities to get their attention. Making it personal helps build a culture of security they will carry over to the workplace.
- Encourage your team to speak up and ask questions without fear of reprisal for a mistake. This will make employees feel more comfortable reporting their mistakes, like falling for a phish. The sooner the security team is made aware of the situation, the better.
- Focus on access management. Larger healthcare systems tend to do fairly well at identity management, even implementing advanced technologies such as retinal or other biometric scanning solutions; however, it can all be for naught if there is not a strong focus on access management. Based on the size of the organization, it can be a heavy task requiring lots of input from end users, but authorizing access only to the systems that are critical to a particular role will reduce the attack surface of a potential hacker or an employee’s human error or malfeasance.
- Continuously assess your security awareness effectiveness through periodic phishing and social engineering exercises. These can be done internally or outsourced, depending on the size and complexity of your organization and how advanced your team is getting at recognizing a phish. Long gone are the days when the phish was misspelled or the request was ridiculous, like asking to wire funds to a foreign country. Today, many hackers spend time getting to know who the leaders in an organization are and make their requests seem fairly realistic. So, performing periodic assessments combined with continuous training and empowering employees to question a request can significantly reduce potential penetration into your network.
In my experience as an Executive Vice President of a healthcare-focused cybersecurity, compliance, and privacy consulting company, I found it interesting that healthcare organizations of all sizes still lacked some of the basic policies and procedures to effectively safeguard their organization. Some organizations have invested in good technologies but have relied too heavily on the technology to solve their challenges. Often it is a failure in process, and not the technology, that causes the issues for an organization.
A good example of this is with medical device security. There are many valuable tools in the market that identify the vulnerabilities of network-connected devices through continuous scanning, but there is so much more needed to run an effective medical device security program. From procurement to destruction of devices, organizations should have effective policies and procedures to address best practices to reduce the risk posed by medical devices. This requires collaboration between many departments (IT, Security, and Clinical Engineering to start) to implement an effective program. While not an all-inclusive list, examining how you are doing in the following areas is a good place to start.
- Asset Management
  - Inventory management practices: Ensure that all devices are accounted for and that the security team stays aware of any additions and changes. This is an area where larger organizations have more challenges, as individual departments or divisions may procure and install devices without involving the security team.
  - Medical device procurement: Establish third-party security requirements that must be met before a new device can be purchased. Meeting the minimum criteria established by your Risk Management Committee should be integrated into any procurement decision.
  - Secure asset disposal: Develop a specific protocol that all departments must follow before disposing of or selling assets, to ensure that all data is removed from the device. If you outsource this task to a third party, ensure that you receive certification and/or third-party validation of the sanitization.
- Vulnerability Management
  - Develop a process to prioritize your vulnerability management based on risk levels. Most medical devices are serviced by the clinical engineering department on a set service schedule recommended by the manufacturer according to the install date or life stage of the device. However, the criticality of the device and any identified security vulnerabilities should also be taken into consideration. While it is understood that many devices are very old and may not be patchable (those should be segmented), devices that can be patched should be moved up in the service schedule when high- and medium-risk vulnerabilities are identified.
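The asset-management and vulnerability-management items above describe one prioritization rule: pull patchable devices with high- or medium-risk findings forward in the service schedule, flag unpatchable devices for network segmentation, and break ties by clinical criticality. The following is an added example that is not from the article or any named product; the device records, severity labels, criticality tiers and pull-forward windows (7 and 30 days) are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

SEVERITY_RANK = {"high": 3, "medium": 2, "low": 1}
CRITICALITY_RANK = {"life-sustaining": 3, "diagnostic": 2, "support": 1}
PULL_FORWARD_DAYS = {3: 7, 2: 30}   # assumed: high -> 7 days, medium -> 30 days


@dataclass
class Device:
    name: str
    criticality: str        # life-sustaining / diagnostic / support (assumed tiers)
    patchable: bool
    next_service: date      # manufacturer's scheduled service date
    vulns: list = field(default_factory=list)  # severities reported by the scanner


def worst_severity(device):
    """Highest severity rank among the device's open findings (0 if none)."""
    return max((SEVERITY_RANK[v] for v in device.vulns), default=0)


def plan_service(devices, today):
    """Return (schedule, segment): schedule is [(name, due_date)] ordered by
    due date then criticality; segment lists unpatchable devices that need
    network segmentation because their findings cannot be fixed by patching."""
    rows, segment = [], []
    for d in devices:
        sev = worst_severity(d)
        due = d.next_service
        if sev >= SEVERITY_RANK["medium"]:
            if d.patchable:
                # never later than the manufacturer's date, possibly much earlier
                due = min(due, today + timedelta(days=PULL_FORWARD_DAYS[sev]))
            else:
                segment.append(d.name)   # keep its service date; isolate it instead
        rows.append((due, -CRITICALITY_RANK[d.criticality], d.name))
    rows.sort()
    return [(name, due) for due, _, name in rows], segment


# Constructed sample inventory as of 2021-03-01 (not real devices or findings).
TODAY = date(2021, 3, 1)
SAMPLE = [
    Device("infusion-pump-12", "life-sustaining", True, date(2021, 9, 1), ["high", "low"]),
    Device("ct-scanner-2", "diagnostic", False, date(2021, 6, 15), ["high"]),
    Device("ventilator-7", "life-sustaining", True, date(2021, 3, 5), ["low"]),
    Device("patient-monitor-31", "diagnostic", True, date(2021, 12, 1), ["medium"]),
    Device("bed-tracker-gw", "support", True, date(2021, 4, 1), []),
]

if __name__ == "__main__":
    for name, due in plan_service(SAMPLE, TODAY)[0]:
        print(f"{due}  {name}")
```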
IT, compliance, and security executives are approached by thousands (yes, thousands) of security product companies out in the market. With the daily barrage of notices of ransomware attacks, breaches, etc., these security companies find it easy to use fear, uncertainty, and doubt (FUD) as a sales approach to persuade and pressure business leaders to purchase security tools, giving them a false perception that they will be safe. Do not get me wrong, there are very valuable tools in the market, but before you buy, make sure you take a breath and evaluate the people and processes you have established to maximize the purchase and truly reduce your risk. At my last company, we often found that our clients had purchased security technologies that either were not fully implemented, or they did not have the staff to remediate in a timely manner the vulnerabilities identified by those tools. Knowing your risks and not fixing them can create additional liability for your organization. But do not hide your head in the sand, because not trying to determine your risks can be considered negligent.
The majority of breaches occur on end-user systems (laptops and desktops), so at minimum your security tools should include endpoint security and email protection software, with 80% of effort focused on maximizing the effectiveness of these tools. Combined with this is effective and complete vulnerability management based on the important information that comes from these tools, such as prioritized vulnerabilities and misconfigurations on your most critical assets. The key word here is “complete”: many organizations struggle here because they either do not have the trained staff or lack the budget to hire a team to tackle these never-ending vulnerabilities. For those parents out there, it is like laundry. As soon as you have finished all of the laundry, your kids have already filled their hampers with more to clean. It is never ending. Unfortunately, these activities are where organizations will find the most value from their security program, so if you cannot do this on your own, investigate firms that can support you here.
As mentioned above, executives are inundated with news and FUD around breaches and attacks, which can be very overwhelming and make it difficult for organizations to know where to focus. Regardless of where you are in your security journey, revisit the basics by starting with your assets — all of them (hardware, software, and data) — and ensure you are maintaining an up-to-date asset inventory. It serves as a useful mechanism for developing a comprehensive, enterprise-wide risk analysis, helping organizations understand all of the places that ePHI may be stored within their environment. That will not only help comply with government standards (i.e., U.S. HIPAA Privacy and Security regulations), but also prioritize any necessary security tool improvements, or administrative (people and process) tasks such as policy and procedure development and training, that are necessary to strengthen your security environment. This is actually an area where a tool purchase can be very helpful to stay organized. Depending on the organization’s size and complexity, the cost of these tools can be fairly inexpensive. Prioritize your efforts with the most critical life-sustaining systems and data (PHI and employee data) in mind; those should get the most attention. Avoid taking a blanket approach to securing your assets equally, because no matter how much money organizations pour into their security program, it is impossible to secure all of your assets equally. Your assets are not equal. You will be better served by taking a tiered approach to cyber health governed by business priorities.
Bottom line: focus on the basics and do not get rattled by all of the FUD you are getting from the industry vendors. Once you have stepped back and taken a fresh look at your environment encompassing people, process, and technology, re-prioritize your efforts to truly make an impact in your environment. If you want a way to clear your mind, check out this new and quick comic series e-book from my teammates at Cyvatar, “8 Epic Cybersecurity Fails.”