Poor healthcare cybersecurity is a threat to public health

When it comes to cybersecurity, U.S. healthcare facilities are in critical condition. 

Patient and enterprise data is a precious commodity — and cybercriminals are increasingly exploiting inadequately prepared facilities to get to it. What’s more, the proliferation of internet of things (IoT) devices is expanding the attack surface and creating new avenues for patient data breaches.

“The most significant threats to patient and enterprise data, like all cybersecurity threats, are constantly shifting,” said Nate Lesser, CISO at Children’s National Hospital, which has partnered with cybersecurity company Trustwave to improve the hospital’s security posture in the growing threat environment. 

And, Lesser pointed out, breaches, hacks and ransomware attacks are not only incredibly costly — they are ultimately a public health threat because they can compromise hospitals and healthcare workers’ abilities to provide care.

“In healthcare, and especially for hospitals, any attack that threatens our ability to provide for our patients and families is of paramount importance,” said Lesser.  

Healthcare cybersecurity attacks on the rise

Healthcare systems are increasingly under attack, and monetary impacts are significant: According to IBM Security’s annual Cost of a Data Breach report, the cost of a healthcare data breach is at an all-time high: $10.1 million on average. That represents an increase of 9.4%  between March 2021 and March 2022. 

Similarly, a report from cybersecurity company Sophos revealed a 94% increase in ransomware attacks on healthcare organizations in 2021. Last year, 66% of healthcare organizations were hit, compared to 34% in 2020. 

Just this year, attackers have hit dozens of healthcare organizations, exposing millions of patients’ sensitive information. This included New York-based medical billing and practice management company Practice Resources, LLC; Zenith American Solutions in Michigan; and Indiana-based neurology practice Goodman Campbell Brain and Spine.

Meanwhile, hospitals are suffering geopolitical consequences: In 2021, the FBI thwarted what it called a “despicable” attack on Boston Children’s Hospital by Iranian-government sponsored hackers.

“The speed of evolution in cyber today is challenging security programs’ ability to keep pace with today’s threats,” said Kory Daniels, CISO at Trustwave. 

Increasingly sophisticated attackers

Notably, ransomware and business email compromise are the greatest concerns. Credential leakage is also growing and can prove a more successful attack, said Daniels, because bad actors can commit fraud against an enterprise or steal consumers’ identities.

Lesser, CISO of Children’s National Hospital — a top-rated healthcare facility in Washington, D.C. — highlighted the broad category of third-party attacks. 

This encompasses all aspects of a facility’s relationships with vendors, partners, cloud platforms, research collaborators and service providers (among others), he said. Outside entities often have access to — or even house — protected health information (PHI), personally identifiable information (PII) and other protected information.

Sophisticated attackers are also attempting to extort hospitals by ransoming patient and employee records — not just their systems, said Daniels. This means that they steal critical records before encrypting the systems that they reside on. So, even if a hospital has good backups to recover an infected system, the attackers can still threaten to release sensitive data. 

In-house challenges

While battling attacks that are ever more sophisticated, healthcare facilities are concurrently struggling to arm themselves with their greatest asset: Their staff. 

An estimated 1.5 million healthcare jobs were lost in the first two months of COVID-19 as many clinics were closed and services restricted to non-emergency services. Many of these jobs have been refilled, yet healthcare employment remains below pre-pandemic levels — with 1.1% fewer healthcare workers, or 176,000 fewer, versus February 2020 staffing levels. 

The Centers for Disease Control and Prevention warns that these staffing shortages will only continue as the COVID-19 pandemic progresses, particularly with the spread of the Omicron variant. 

Indeed, talent shortages can lead to fatigue and burnout, in turn causing frustration and lack of vigilance on the part of employees — ultimately making facilities more susceptible to attack, said Lesser. Even more troubling, frustrated, angry and disgruntled staff can become malicious insiders.

“Our staff are our first line of defense and best ‘sensors’ to know what’s happening in the environment,” said Lesser. “If they are overextended, we lose this valuable reporting.”

Daniels underscored the fact that organizations need to be able to respond to alerts any time of day, proactively ensuring that technology is continuously adjusted and “tuned to today.” They must work to maintain a 24-month strategy, deploy and enhance technologies, utilize vulnerability discovery and product development testing, plus enable continuous monitoring, triage and response.

With a short-staffed team, security leaders might only be able to plug some of the most critical security holes. 

“No one can be an expert in everything — including the CISO — and staff burnout can impact the ability to effectively catch alerts,” said Daniels. 

Road to recovery

While ensuring that they have the “right staffing mix” — and, just as importantly, continually training their staff — hospitals should be integrating, consolidating and tuning security tools, said Lesser. 

Children’s National Hospital performs constant cost-benefit analysis, he said. In doing so, they consider: 

• Outsourcing versus insourcing.
• Building versus buying.
• Implementing tools versus adding staff.
• Comparing and contrasting team structure and functions with those of other healthcare facilities. 

Organizations are also increasingly establishing what Daniels called “shared risk resilience models.” This means CISOs are spending more time meeting with business leaders and peers to communicate the evolution of cyber-risk and build “understanding and alignment” across the organization, he explained. 

Ultimately, technologies, managed security services and internal talent are not sufficient alone, said Daniels. CISOs must prioritize a risk-driven approach that aligns risk tolerance with appropriate financial budgets. This helps ensure that organizations “mitigate those risks as a business — not just as a security organization,” said Daniels. 

Knowing your partners

Speed and scale are the biggest considerations for any cybersecurity program as organizations work to keep up with technological innovation and adapt governance and security controls in response to advanced attacks, said Daniels. 

While IoT and 5G are valuable, they create big data challenges. The industry has “no choice” but to leverage machine learning (ML) and artificial intelligence (AI) to manage that data, said Daniels. Organizations are also working to effectively lean on trusted partners so they can quickly scale up and down as needed.

More organizations are leveraging as-a-service models from the cloud, as well, and are outsourcing some services to vendors to perform jobs that were previously handled in-house. 

However, Daniels pointed out, as the cybersecurity market becomes increasingly crowded, it is critical that technical decision-makers assess partners to determine that they can trust them to “be part of their cyberdefense mission,” said Daniels. 

For instance, IT and business leaders should ask to speak to potential vendors’ security leaders to understand their perspective and role. This helps organizations ensure that their decision is not just tactical, and that they will be able to scale at the speed of their operations. 

Preparing for tomorrow’s threats, today

Lesser also predicted that the future of healthcare cybersecurity will involve: 

• More hybrid security operations centers (SOCs). 
• Increased combination of SOCs and network operations centers (NOCs) activities.
• Increased focus on real-time situational awareness that covers the entire enterprise. 
• Enhanced collaboration with other health delivery organizations (HDOs). 

Ultimately, “attackers will continue to increase their automation and collaboration,” said Lesser. “Defenders need to do the same.”

Daniels agreed, emphasizing: “Remember, the threats of tomorrow could put an organization’s cyber resilience at risk.”