By Kate Pierce, CIO & CISO, North Country Hospital
In 2020, every healthcare organization was stretched to its limits by the worldwide pandemic. Throughout this historic year, IT was heavily relied upon as an essential component to solving a complex puzzle that changed daily. Instantly enabling and supporting telehealth platforms, moving employees off-site as part of the new remote workforce, and standing up COVID-19 dashboards were common themes of how IT departments responded to the evolving needs. However, interwoven into this complexity was another theme – the significant uptick in security events that threaten to bring healthcare facilities to their knees. During the early days of the pandemic, hackers vowed to give healthcare a free pass on ransomware attacks. However, this proved to be an empty promise, with attacks skyrocketing for the remainder of the year. In fact, the FBI’s Cyber Division reported that cybersecurity complaints quadrupled to over 4,000 incidents a day, and a recent Bitglass study reported a 55% jump in healthcare data breaches from 2019 to 2020. Why are hackers attacking healthcare? It’s simple – follow the money. Trustwave reported recently that healthcare records could bring more than $250 per record on the dark web, in comparison to $5.40 for the next highest valued record.
With the frequency of attacks on the rise, the healthcare environment is now universally dependent on electronic records. This dependence has grown exponentially since 2011 (the Meaningful Use era), when healthcare lagged other industries in moving to electronic systems. By 2017, Healthcare Innovation reported that 99% of hospitals had adopted Electronic Health Records (EHRs). That environment is difficult to secure given the complexity within hospital systems: a large variety of medical devices, information systems, and computing requirements leads to a tangled web of networked devices that is ripe with opportunity for dark web trollers.
Sadly, healthcare is now facing the fact that many organizations have also lagged in implementing information security programs. But today, a robust information security program is not optional, even for the smallest healthcare facility. In fact, according to a 2018 hospital cybersecurity article, the entire national health system is only as strong as its weakest link – no matter the size.
Most larger organizations contribute more resources to cybersecurity as the full impact of these attacks has become apparent. But there are still several barriers for small, community-based organizations that prevent them from improving cybersecurity within their environments. The biggest barrier is simply the lack of financial resources, with many facing extremely thin operating margins and no room in the budget for security. Next, information security’s complex nature makes it difficult to find and retain security talent, especially in rural communities. Additionally, the attacks are a relentless, moving target. Guarding against these attacks requires a culture shift that prioritizes security across the organization, not just within the IT department. Every staff member must understand and accept their part in reducing the risk, from the laundry worker who is checking email, to the physician who now needs to enter MFA codes, to the senior administrators who must support security spending, and everyone in between.
How do these smaller organizations begin their journey to a strong cybersecurity program given all the challenges that exist? If an organization is unsure where to start, following these steps will help get the ball rolling.
- Select a Security Officer to lead the organization along the journey. Be sure this is someone who can build the relationships needed and understands how to build a security-centric culture.
- Decide on a security framework for the organization. Most smaller organizations select NIST because it is less complex, but you could also use HITRUST. NIST has a healthcare-specific program.
- Perform a Security Risk Assessment. If hiring an outside firm is too costly, use the free self-assessment tool that can be found at HealthIT.gov.
- Penetration testing is essential in locating the “holes” in your network that hackers can use to gain access. Make sure not to skip this step.
- Once the assessment and penetration testing are complete, don’t just put the reports on the shelf until next year and continue with the normal day-to-day business! Use these valuable tools to build organizational awareness and buy-in for addressing the identified critical and high-risk areas within your organization.
- Then develop and adopt a plan to address the identified issues, prioritized by the risk level.
If these steps are still too complex, many organizations have chosen to engage a managed security services firm to address their security needs. A growing number of firms offer these services, which can help eliminate the barriers and get the security program off the ground.
Also note that the government has committed to helping healthcare organizations in recent years, and there are several free resources available. These are a great place to start:
- The Cybersecurity Act of 2015, Section 405(d) provides resources and guidance for the Healthcare and Public Health (HPH) sector.
- Health Information Sharing and Analysis Center (H-ISAC) has working groups and resources.
- HealthIT.gov has several resources beyond the self-assessment tool.
- The Cybersecurity & Infrastructure Security Agency (CISA) provides tools, training resources, alerts, and more.
- The FBI Cyber Crime Division provides alerting, training, and support. Connect with your local FBI office to coordinate training for your staff.
- The newly announced MITRE Resource Center for Hospitals and Health Systems has an amazing collection of links and references.
As Ben Franklin said, “Failing to plan is planning to fail,” so start now and take the first step. Having a strong program will not necessarily mean always avoiding an attack since it is just a matter of “when” not “if” an attack will occur. However, the ability to have a plan and react quickly will make a huge difference in the outcome for your organization and your patients.