The healthcare industry confronts a complex, double-barreled challenge as it tries to combat the recent deluge of dangerous and damaging cyberattacks.
First, with healthcare organizations’ access to vast amounts of sensitive patient data—including medical records, personally identifiable information and payment information—the implications of a breach include operational disruptions and risks to patient privacy and financial well-being. The scope is massive, with recent data showing a typical healthcare organization holds more than 42 million sensitive data records—50% more than the global average. This treasure trove of digital data is what makes healthcare institutions such attractive targets to hackers.
Second, modern healthcare relies on interconnected systems, networks and business associates, which means a breach in one part of that web can compromise an entire healthcare organization’s infrastructure.
That’s what played out in the attack on London hospitals earlier this year, which began with a breach at a pathology services provider. “Third-party cyberattacks pose one of the biggest challenges on the healthcare cyber-risk landscape,” the American Hospital Association says. “Hospitals and health systems are at increasing risk of cyberattacks on third parties, such as business associates, medical device providers and supply chain vendors.”
Many healthcare leaders face these circumstances asking the same questions: How secure is secure enough? What is the best way to protect ourselves, and how do we get there?
As a 20+ year IT veteran with deep experience in healthcare, I believe that organizations should be guided by a single mantra: cyber resilience.
Cyber resilience is the ability to recognize threats, respond to them, and recover quickly and at scale. The goal is clear: fend off attacks more efficiently, limit the damage and restore normal operations with minimal impact on patients.
This requires a holistic strategy with multiple parts for security leaders to follow.
- Plan ahead: Have a clear emergency plan that includes specific steps for backup and recovery in the event of an attack. Surprisingly, these plans often are lacking in healthcare organizations. They’re mandated to have such documents for hurricanes or power outages, but may not have adequately thought through cyber response. This needs to be done before an attack, with strong coordination between the IT infrastructure and security teams.
- Build a risk profile: Conduct a full assessment of the organization’s technology, new and old, and then build a risk profile that identifies where the most critical vulnerabilities lie.
- Focus on data security: Enact cybersecurity measures that aren’t limited to hardening the IT infrastructure but, rather, that focus on data security. In other words, try to keep the bad actors out but recognize that won’t always be successful, so a fallback strategy is essential for limiting and recovering from the attack.
- Determine who needs access to the data: HIPAA’s minimum-necessary standard means only the clinical and billing staff who need a given record to do their jobs should be able to reach it. Map roles to data types, enforce that mapping technically, and review access logs against it rather than assuming it holds.
- Data officer: The healthcare sector has stricter accountability requirements than most industries. The HIPAA Security Rule requires every covered entity and business associate to designate a security official who is responsible for developing and implementing its security policies and procedures, so accountability for a breach cannot be diffuse.
- Don’t treat all data the same: Confidential data such as patient medical histories, for example, should be protected more than form templates. Prioritizing truly important, sensitive data rather than trying to secure everything means a more targeted and effective defense.
- Know where your data are: Detect suspicious data movements. Attackers often settle into one area and collect information there before moving further, so watch data flows and other irregular activity continuously, especially in hybrid environments that span on-premises systems, SaaS and cloud. Spotting the irregularity early is what keeps a foothold from becoming lost data or downed systems.
- Restore data: Employ backup as a critical component of the defense strategy. Sadly, hospitals must expect to be hit by a successful cyberattack one day, and restoring from a backup and recovery strategy is crucial to getting back up and running quickly. Backups only help if they survive the attack: keep at least one copy isolated or immutable so ransomware cannot encrypt or delete it, and rehearse restoring the critical systems so recovery time is known before it matters.
- Bring in all experts: Don’t leave clinicians out of the security conversation. From electronic medical records to pathology to labs, hospitals have many systems that are critical for patient care. To understand the risk profile of each as part of the overarching resilience strategy, who better to involve than the people who use those systems every day?
- Legal requirements: Last but not least, security leaders must remember that a comprehensive cyber resilience plan isn’t just smart; it’s a legal obligation. The HIPAA Breach Notification Rule requires covered entities to notify affected individuals and the Department of Health and Human Services of breaches of unsecured protected health information, and Securities and Exchange Commission rules that took effect in late 2023 require publicly traded companies to disclose material cybersecurity incidents within four business days of determining they are material, and to describe their cyber-risk management and governance in annual reports.
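As an added illustration of the “determine who needs access,” “don’t treat all data the same” and “know where your data are” items above (example code written for this page, not Rubrik’s or the author’s tooling), the Python below runs two checks over a constructed EHR audit log: a minimum-necessary check that flags any role touching a data type it is not mapped to, and a volume check that flags a user whose daily movement of sensitive records is far above their own recent history, while ignoring bulk movement of low-value data such as form templates. The data types, role mapping, thresholds and log lines are all assumptions made for the example.

```python
"""Flag anomalous access to and movement of sensitive health data in an EHR audit log.

Constructed example: the log format, data types, role mapping and thresholds
are assumptions for illustration, not any vendor's or hospital's real schema.
"""
import json
from collections import defaultdict
from statistics import median

# Classification tiers: only PHI and payment data count toward volume alerts.
SENSITIVE_TYPES = {"clinical_note", "lab_result", "billing_record"}
LOW_VALUE_TYPES = {"form_template"}

# Minimum-necessary mapping (assumed): which data types each role may touch.
ALLOWED_BY_ROLE = {
    "clinician": {"clinical_note", "lab_result", "form_template"},
    "billing": {"billing_record", "form_template"},
    "it_admin": {"form_template"},
}


def _event(day, user, role, action, data_type, records):
    """Build one constructed JSON-lines audit record."""
    return json.dumps({"ts": f"2024-06-0{day}", "user": user, "role": role,
                       "action": action, "data_type": data_type, "records": records})


BASELINE_DAYS = [1, 2, 3, 4]
# Constructed sample log: four quiet days, then one day with two bad events.
AUDIT_LOG = "\n".join(
    [_event(d, "dr_lee", "clinician", "view", "clinical_note", 40) for d in BASELINE_DAYS]
    + [_event(d, "nurse_kim", "clinician", "view", "lab_result", 30) for d in BASELINE_DAYS]
    + [_event(d, "bob_billing", "billing", "view", "billing_record", 20) for d in BASELINE_DAYS]
    + [_event(d, "admin_ann", "it_admin", "export", "form_template", 5) for d in BASELINE_DAYS]
    + [
        _event(5, "dr_lee", "clinician", "view", "clinical_note", 45),          # normal
        _event(5, "nurse_kim", "clinician", "export", "lab_result", 3000),      # bulk PHI export
        _event(5, "bob_billing", "billing", "view", "clinical_note", 5),        # outside role
        _event(5, "admin_ann", "it_admin", "export", "form_template", 500),     # low-value data
    ]
)


def parse_log(text):
    """Parse JSON-lines audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def role_violations(events):
    """Minimum-necessary check: any access to a data type the role is not mapped to."""
    return [e for e in events if e["data_type"] not in ALLOWED_BY_ROLE.get(e["role"], set())]


def daily_sensitive_counts(events):
    """Sum sensitive records touched per user per day; low-value types are ignored."""
    counts = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["data_type"] in SENSITIVE_TYPES:
            counts[e["user"]][e["ts"]] += e["records"]
    return counts


def volume_anomalies(events, day, ratio=5.0, floor=200):
    """Users whose sensitive-record volume on `day` exceeds both the absolute floor
    and `ratio` times the median of their own earlier days.  A user with no
    history has a baseline of 0, so a brand-new account moving >= `floor`
    records is flagged immediately."""
    counts = daily_sensitive_counts(events)
    alerts = []
    for user, per_day in counts.items():
        today = per_day.get(day, 0)
        history = [n for d, n in per_day.items() if d < day]  # ISO dates sort as strings
        baseline = median(history) if history else 0
        if today >= floor and today > ratio * baseline:
            alerts.append({"user": user, "day": day, "records": today, "baseline": baseline})
    return alerts


def analyze(text, day):
    """Run both checks over a log and return the findings as plain dicts."""
    events = parse_log(text)
    return {"role_violations": role_violations(events),
            "volume_anomalies": volume_anomalies(events, day)}


if __name__ == "__main__":
    print(json.dumps(analyze(AUDIT_LOG, "2024-06-05"), indent=2))
```

Run as-is, the script reports one role violation (a billing user reading a clinical note) and one volume anomaly (a clinician exporting 3,000 lab results against a 30-record daily baseline), while the administrator’s 500-template export is silent because templates are classified as low value. In production the baseline window, the ratio and the floor would be tuned per role, and the role-to-data mapping would come from the identity system rather than a constant.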
The recent high-profile attacks on healthcare organizations have made the industry more aware of the need to prepare. However, action remains inconsistent, because the sector is still working out what cyber resilience looks and feels like in practice.
But by adopting a thorough approach like my 10-part prescription, healthcare organizations can be better prepared to weather these abhorrent attacks. The industry is too important to settle for anything less.
Rick Bryant is the healthcare chief technical officer for data security firm Rubrik. He leads initiatives within Rubrik to serve the healthcare information technology industry through technology excellence and process solutions. Rick has over 30 years of industry experience, with roles spanning from chief information officer to chief information security officer, where he was responsible for architecting and implementing electronic medical record systems.