With malicious attacks and ransomware on the rise, cybersecurity has become one of healthcare’s leading concerns. Health systems, hospitals and physician practices are devoting increasing attention to this issue. Banks and financial institutions are on the cybersecurity front lines and dedicate substantial resources to client data protection.
To help leaders, this article examines the current cybersecurity situation, outlines key complexities and offers a brief compendium of some best practices being recommended today.
Problem Scope: Healthcare a Prime Target
Cybersecurity threats span many activities. Most prominent for healthcare are incidents in which a provider’s network has been compromised by intruders, often leading to breaching the data firewall. These data breaches are increasingly accompanied by ransomware — malware that encrypts files and restricts users’ access until a ransom is paid. This form of extortion offers a decryption key in exchange for payment that is frequently demanded in difficult-to-trace cryptocurrencies.
Ransomware is flourishing because it can be opportunistic and indiscriminate. One Chief Information Security Officer (CISO) described the industry as being under duress. The CISO said healthcare has a trove of data assets and is very easy to breach.1 Protected health information (PHI) and regulated clinical trials information are just two examples of sensitive health data that represent attractive targets.
Magnitude of the Problem
The depth and breadth of the threat can be captured in a few sobering statistics.
- Federal government statistics reveal a steady upward march over the years to a 2020 number of 642 data breaches involving 500 records or more. (Figure 1) Two-thirds originate from hacking/IT attacks rather than insider data theft or other sources. Approximately 30 million individuals were affected.2
- The same source logged 370 breaches in 2021 through mid-July.3
- Healthcare’s average cost of a breach is over $7 million. The life cycle from identification to containment averages 329 days.4
- 92 individual ransomware attacks in 2020 affecting 600 hospitals, clinics and other providers.5
- 18 million patient records impacted — up 470% from 2019.6
- Total cost of $20.8 billion in downtime — double the 2019 level.7
While this article focuses on data breaches/ransomware, it is an appropriate reminder that security threats extend to payment fraud and theft. An annual cross-industry tracking survey (including healthcare) found that email scams are the prevalent attack vector, with Figure 2 highlighting the business functions most frequently targeted.8
Several forces are fueling these upward trends. The pandemic-induced rapid shift of staff to remote work and extensive use of telehealth added endpoints and disrupted workflows, exacerbating the security challenge. Telehealth is only one manifestation of the ongoing connected health trend that relies on a range of devices, remote sensors and mobile tools which multiply vulnerabilities. Finally, continued industry consolidation often leads to organizations with multiple IT systems and security capabilities.
A further complication is that today’s threat actors are more sophisticated and dangerous. They are:
- Able to pursue “expanded attack surfaces and relentless attacks.”9
- Better organized. Individuals have largely been supplanted by organized criminal groups and governments. Many maintain business functions such as customer service links to make needed code changes to ensure successful decryption.
- Highly efficient, leveraging tools such as ransomware as a service and other technologies to harvest significant amounts of data.
- Using “naming and shaming” sites to add public pressure and reputation threat.
Keeping up is a major undertaking with little room for complacency.
Other negative consequences of data breaches can accompany any actual monetary ransom paid, including:
- Exposure to lawsuits.
- Erosion of trust by patients and partners.
- Cost of defense. Providers incur operational expense and opportunity cost of IT projects that cannot be funded as a result.
- Patient safety. “A ransomware attack on a hospital crosses the line from an economic crime to a threat-to-life crime.”10
Combating the problem requires multiple strategies:
ONGOING DEFENSE AND PREPARATION
Experts counsel a proactive and consistent defense posture. A centerpiece of this effort is an incident response plan that is robust and updated to account for changing threats. Practicing response plans is advised at least quarterly and whenever a new threat vector is uncovered. Preparation builds resilience and ability to respond rapidly.
Security Operation Centers (SOC) are another core pillar of defense, providing “real-time monitoring, detection and response in order to mitigate or prevent cyber-attacks when they occur.”11 The emergence of cloud-based SOC-as-a-service, a market projected to reach $1.6 billion by 2025, brings this option to smaller organizations.12
Several specific best practices have emerged. In a recent webinar, Commerce Bank’s own CISO summarized leading recommendations for security preparedness based on known threat vectors:13
- Place on retainer a forensic investigation and compliance firm with an SLA for incident response time.
- Create an enterprise-wide data map with types and locations.
- Adopt and update strong Remote Desktop Protocols as well as Endpoint Detection and Response tools.
- Prepare for need to use out-of-band communication. In a compromised system, attackers may be eavesdropping on email and collaboration tools.
- Attend to the human factor, often the weakest link. Strengthen employee awareness of how to recognize and respond to email phishing and other attack modes.
What do experts recommend when facing a ransomware demand? First, activate the complete response team, including legal, IT, forensics and communications. Concerning the latter, many advise not rushing out an immediate public statement. Determine what happened and try to close the breach first, since copycat attacks often occur once the incident is broadcast. In most situations, it is a good idea to contact your financial institution when a breach is suspected or identified. The bank can monitor activity, lock down accounts and perform other protective maneuvers.14
Of course, deciding whether to pay the ransom is directly dependent on the level of business impact. Healthcare’s significant risks to patient safety and privacy frequently lead to payment.
Several enterprise-level considerations surround the array of tactics just described. A major health system CISO urges leaders to regard cybersecurity as “a risk-reduction function, not just as a technical problem that I’m going to solve with technology.”15 A team of corporate security experts stresses the need to build a cybersecurity culture by “influencing how employees prioritize, interpret, learn about and practice cybersecurity.”16 Collaborating with providers and even competitors further buttresses defense.
Collaborating with a Bank
A provider’s bank relationship offers another potential cybersecurity force multiplier. For example, Commerce Bank has a dedicated CISO and maintains substantial IT security discipline that includes:
- 24/7/365 system monitoring
- Constant system testing and improvement to mitigate risk
- Extensive security training for internal and client teams
The financial industry is subject to numerous federal, state, and local laws and regulations focused on mitigating cybersecurity threats. The requirements are monitored and enforced by an array of organizations ranging from the Federal Reserve to the Cybersecurity and Infrastructure Security Agency, to the SEC. Moreover, a well-capitalized financial institution can devote the resources needed to scale and sustain these various efforts.
Understanding today’s cybersecurity threats and remaining vigilant and proactive are not guarantees of success, but they are prerequisites to a strong defense. The considerations and strategies offered in this article form the backbone of a vibrant program. CommerceHealthcare® is resolved to help clients stay prepared.
1. R. Leventhal, “One CISO Peels Back the Curtain on the Evolving Cyber Landscape,” Healthcare Innovation, May-June 2021.
2. HIPAA Journal, Healthcare Data Breach Statistics, 2021.
3. HIPAA Journal, Healthcare Data Breach Statistics, 2021.
4. H. Landi, “Average Cost of Healthcare Data Breach Rises to $7.1M, According to IBM Report,” Fierce Healthcare, July 29, 2020.
5. B. Horowitz, “2020 Offered a ‘Perfect Storm’ for Cybercriminals with Ransomware Attacks Costing the Industry $21B,” Fierce Healthcare, March 26, 2021.
8. Association for Financial Professionals, 2021 Payments Fraud and Control Survey Report: Key Highlights, April 2020.
9. M. Miliard, “Providence CISO Offers Tips for a ‘Pandemic-Ready’ Cyber Strategy,” Healthcare IT News, June 11, 2021.
10. AHA Center for Health Innovation, Ransomware Attacks on Hospitals Have Changed, 2020.
11. J. Furch, “10 Cyber Security Trends You Can’t Ignore In 2021,” Purplesec, blog post, April 2021.
12. MarketsandMarkets, SOC as a Service Market, July 2020.
13. “Cybersecurity and Ransomware: Protecting Your Business from Emerging Threats,” Commerce Bank, webinar, July 2021.
14. “Cybersecurity and Ransomware: Protecting Your Business from Emerging Threats,” Commerce Bank, webinar, July 2021.
15. M. Miliard, “Providence CISO Offers Tips for a ‘Pandemic-Ready’ Cyber Strategy,” Healthcare IT News, June 11, 2021.
16. Verizon, 2021 Data Breach Investigations Report, May 2021.