Healthcare weathered a massive increase in data breaches during 2023, with more records disclosed than in both 2021 and 2022 combined. HIPAA Journal reported that over 11 million medical records were disclosed in 2023, with most being data breaches from supply-chain vendor vulnerabilities and ransomware. Security professionals understand this risk landscape but many others don’t, leaving healthcare organizations vulnerable to attack.
Identifying vulnerabilities and managing security are specialized tasks typically not well managed by a generalist. It takes an experienced security team to properly perform risk assessments, apply the right security measures, and continually monitor an environment. CISOs excel at communicating what’s happening to boards of directors so that they can understand and appreciate the purpose behind security budgets. Experienced healthcare staff understand HIPAA regulations, doing their part to keep organizations in compliance and ensure that they stay clear of violations that could cost millions.
Whether you’re researching the right security measures for your healthcare organization or have recently been the victim of a data breach, now is the time to put smart cybersecurity practices in place. Smart security is proactive: Even if you haven’t been the target of an attack, be mindful that you could become one at any time. It’s best to be prepared. Up-front practices will limit damage and enable you to recover more quickly. In the aftermath of a breach, most businesses will need guidance from experienced security providers.
We’ve put together a checklist specifically for healthcare organizations to guide them toward effective risk management and cybersecurity. The checklist is broken down into two sections: one on cybersecurity strategies to stop threats, and another of guidelines for the people who carry out those strategies.
Cybersecurity Strategies and Healthcare-Specific Considerations
General cybersecurity has a place in all strategies. For example, firewalls are necessary to segment a large network and block unwanted traffic. Healthcare-specific considerations, however, take a targeted approach towards cybersecurity, protecting patient records and the devices that store them. The Internet of Things (IoT) is common in healthcare environments, so these assets must be accounted for, including any Wi-Fi data transfers. The following list focuses on the technology and infrastructure to consider when building a secure environment for healthcare workers and patients.
1. Ransomware Preparedness in Healthcare
Look at any cybersecurity risk assessment report, and you’ll see that ransomware is always one of the top methods used to extort money from hospitals. Ransomware is designed to block access to a computer system or files until a sum of money is paid. Payments made to organized cyber-criminals can be in the millions, and healthcare providers have no assurance of retrieving their files even after they pay the ransom. Cyber-criminals sometimes return to their victims again, threatening to expose them if they don’t shell out more.
Most ransomware starts with a phishing email that leverages human error. Even the best cyber protection can be undone by a person making a mistake. All healthcare organizations should conduct a healthcare-specific assessment of their ransomware defense measures. Healthcare staff should receive ransomware awareness training, focusing on common healthcare phishing messages. Phishing simulations are especially useful in training staff to identify threats.
2. Data Backup and EMR Protection
Backups are one of your best incident response measures. Should ransomware encrypt your data, you can recover it from backups. Ensure Electronic Medical Records (EMRs) are always backed up, as these are common targets that can cripple your organization if they aren’t attainable. Not only does ransomware stop productivity, but it can threaten lives. Backups give your staff access to critical patient information.
Although real-time backups look beneficial, you should avoid them. If your environment is compromised, real-time backups store the malware along with your data. Restoring data from these backups also transfers the malware back to your network, allowing attackers to regain access and deliver malware payloads again.
3. Patch Management for Healthcare Systems
Finding vulnerabilities in common security software is a popular method of bypassing protections. Vulnerabilities are published in the Common Vulnerabilities and Exposures (CVE) database, and sometimes notices come with a proof of concept (PoC). The PoC makes it easier for attackers to exploit software vulnerabilities without requiring their own code. Some of the biggest data breaches (e.g., Equifax) were caused by unpatched software.
Your patch management system should update software across your environment, prioritizing healthcare-specific applications and outdated systems. Legacy systems are the most challenging because they are often no longer supported by their developers. It’s important to segregate legacy systems from critical sections of your network so that the risk of them compromising the entire environment are mitigated.
4. Microsegmentation in Healthcare Networks
A common strategy used by attackers is to have their malware traverse the network and allocate backdoors in case of remediation. A backdoor is a hidden entry point into a computer system or network that allows unauthorized access. By creating backdoors, attackers can maintain control over the compromised system or network, even if certain security measures are taken to remove the initial malware. This allows them to persistently carry out malicious activities, such as stealing data, launching further attacks, or maintaining unauthorized access for an extended period. The more limited access, the fewer opportunities for malware to install on company-wide systems. Microsegmentation that isolates critical healthcare systems and patient data limits damage after a compromise. Segmenting data and systems requires additional infrastructure, so it must be included in the IT budget. Don’t forget monitoring and resources to maintain it. No strategy is 100% risk-free, so you must take measures to limit the amount of damage in case of a compromise.
5. HIPAA Compliance and Data Encryption
HIPAA requires the use of encryption for electronic Protected Health Information (ePHI). This encryption pertains to both data-at-rest (stored) and data-in-transit (transferred). Entities can choose any commercially reasonable encryption method that renders the data secure such as AES, RSA, Blowfish, or RC4, but it’s important to match the encryption type to the level of risk identified to ensure appropriate protection. Be sure to include endpoints, laptops and other devices storing patient data when you audit for encryption.
Any deprecated protocols leave your data open to brute-force attacks. A brute-force attack is a cybersecurity term referring to a method of trying every possible combination of passwords or encryption keys until the correct one is found. It's essentially a trial-and-error approach where the attacker systematically checks all possible combinations, often using automated tools, to gain unauthorized access to a system or data.
Organizational Structure, Leadership, and Incident Response in Healthcare
No strategy is complete without the people to manage and enforce it. The people in charge of your cybersecurity must be experienced in risk management, identifying threats, incident response, investigations, and remediation. Some of this can be accomplished with software, but only staff can convert analytics output into an appropriate incident response plan and then put that plan into action.
1. Separation of IT and Security in Healthcare
Every industry has its own methodologies and compliance requirements, and the healthcare business is no exception. A common mistake is to use engineers to perform security, but this often leads to oversights and undetected vulnerabilities. Instead, healthcare businesses should have a distinct security team to handle best practices.
Engineering often calls for a fast and cost effective approach, but security best practices might disagree. Security people should work closely with engineering, but the two departments should be separated. Having a dedicated security team means that they can focus on strategies and implementations that follow security best practices rather than make convenience for engineering a priority.
2. Role of CISO in Healthcare
A CISO is your security advocate, a leader, and the liaison between technical people and your board. Your board wants to know that money is being spent wisely, but they aren’t security people. What might seem insignificant to the board could be a vital part of your security strategy. A CISO can communicate this information.
You need a CISO with healthcare experience to build strategies specific to the industry. Healthcare uses its own software and data. No other business has various IoT life-support medical devices that help patients but threaten disclosure of patient data if they aren’t secured. A healthcare specialized CISO can be your security authority and resource.
3. Aligning Cybersecurity with Healthcare Business Goals
Every process––including manual procedures performed by employees––should be tied to healthcare-specific security. A cybersecurity strategy should align with your healthcare business goals so that it secures patient data without excessively hindering productivity. Although security can be an inconvenience, it protects patients, who must be the priority.
A good cybersecurity strategy supports business continuity. A single ransomware threat can cause weeks of downtime and cost millions in revenue. Any compliance violations add to costs, and legal ramifications are often a years-long consequence. Having a proactive cybersecurity program supports business continuity and can reduce the overall damage from an incident.
4. Budgeting and Staffing for Healthcare Cybersecurity
The request for an increase in the IT budget is never something the board wants to hear, but this is where a CISO can be beneficial. A CISO can explain the need for security budgets and increases. Healthcare needs security infrastructure that targets its unique specifications.
Hire trained staff experienced in healthcare-specific security. Experienced staff have seen common threats, know how attackers think and act, and have been through incident response in real-world scenarios. Not only can they stop threats, but experienced staff can also effectuate a fast incident response.
5. Incident Response Planning in Healthcare
After a compromise, everyone from engineers to executives are under pressure to find a solution. Having an incident response plan reduces stress and provides guidance when dealing with an unknown threat. An incident response plan defines the steps to detect, remediate, and recover after a security event. Regular exercises help all involved staff know what to do at the time of action, and reduces mistakes and delays.
Designers of an incident response plan have their own templates, but every business has its own unique procedures. For healthcare, an incident response plan focuses on Electronic Medical Record (EMR) availability, remediation of patient data breaches, the tools and technology to deal with events, the recovery process, and communications with internal staff and public relations.
6. Engagement with MSSPs for Healthcare
Having a large team of security professionals is expensive, so many businesses opt to instead engage a Managed Security Services Provider (MSSP). An MSSP has the resources and experience to work with engineers and onsite security people to harden your environment, identify risks, and improve processes for better healthcare security.
You’ll want to choose an MSSP with healthcare experience. Experienced MSSPs strengthen your infrastructure specifically for patient data and EMR systems. They also know HIPAA compliance regulations so that security procedures and infrastructure meet requirements.
7. Executive Involvement in Healthcare Cybersecurity
Executives are responsible for budgeting and reports after an incident. Your CISO must have the communication skills necessary to translate the technical side of cybersecurity to executives and the board. When stakeholders understand the necessity of cybersecurity, they are more willing to approve budgeting and technology enhancements to ensure that steps are taken to reduce the risk to the organization.
Reports can help executives see where their budget dollars are going. For example, a report on vulnerabilities in the environment showing the number of resolved and unresolved vulnerabilities trending downward, visually represents the benefits of cybersecurity and can help executives see the tangible results of their funding decisions. It’s not uncommon for businesses to be targeted dozens of times a day. Reports can also be used to help stakeholders visualize the frequency and intensity of attacks.
How Access Point Consulting Can Help
While this checklist is a starting point, you’ll need a professional to translate these recommendations into a cybersecurity program that can be implemented and improved over time. If you don’t have a CISO, you need someone who can communicate technical ideas and strategies with stakeholders. Given that hospitals struggling with IT budgets and constant attacks are the primary target for threats, healthcare security professionals can help.
An MSSP backed by advisory expertise is the first step to building a security team, the infrastructure to stop ransomware and other attacks, and communicating security infrastructure necessary to protect patient data. To find out more about protecting your business and patients, meet with a subject matter expert today.