The stakes are high in healthcare, and providers find themselves combatting a never-ending influx of complex threats. More than 93% of healthcare organizations reported a breach between 2016 and 2019, and more than half (57%) reported that they experienced five or more breaches during the same period. In 2021, healthcare data breaches reached an all-time high, growing from 663 in 2020 to 679 in 2021, according to Fierce Healthcare. Even more concerning is the increased number of individuals affected; healthcare data breaches impacted 45 million people in 2021, a 32% increase from the 34 million people impacted in 2020. With new threats on the horizon, how can healthcare organizations protect their patients — and their business?
Experts agree that it is not a matter of “if” your organization will be attacked, it is a matter of “when” you will be attacked. Healthcare cybersecurity best practices are a must. In this guide, we’ll review what healthcare cybersecurity entails, common security threats to be aware of, best practices to improve your security, and more:
- What is Healthcare Cybersecurity?
- Common Healthcare Cybersecurity Challenges
- Why Healthcare Cybersecurity Matters
- Annual Healthcare Cybersecurity Spend
- Common Healthcare Cybersecurity Threats
- 8 Tips to Improve Healthcare Cybersecurity
- Streamline Healthcare Cybersecurity with Situational ePHI Awareness
What is Healthcare Cybersecurity?
Healthcare cybersecurity is the practice of securing digital assets and systems for a HIPAA-covered entity. This can be done either with an internal IT team or through an external managed service provider (MSP).
With healthcare cybersecurity, healthcare businesses take a multi-layered approach to prevent unauthorized access to patient data, hospital systems, pharmaceutical research, and more. While healthcare cybersecurity might sound like a luxury reserved for large hospitals, it’s actually a HIPAA requirement. The Security Rule, Privacy Rule, and other HIPAA regulations mandate various cybersecurity safeguards that all healthcare organizations must comply with.
Even so, healthcare organizations can stumble, and compliance isn’t always easy. Hospitals, doctor’s offices, and their business associates often struggle to make sense of HIPAA’s often vague requirements. With HIPAA penalties on the rise, organizations are investing even more in healthcare cybersecurity to reduce their liability. Due, in part, to this increased investment, it’s estimated that the healthcare cybersecurity industry will be worth over $58 billion in the United States by 2030.
Common Healthcare Cybersecurity Challenges
Every industry has its own challenges, and healthcare is no different. In fact, healthcare is the number-one target for cyber attacks because:
- Fierce Healthcare reports that the black-market value of medical records is at least $250 and as much as $1,000 Credit card numbers, on the other hand, sell for around $5 each, and Social Security numbers can be purchased for as little as $1 each.
- Attackers can resell sensitive healthcare data online, which is often used for identity theft and fraud.
- Healthcare organizations tend to rely on outdated or legacy IoT devices, which can pose significant cybersecurity threats.
- Healthcare organizations can be inclined to pay ransomware payments to regain access to their data quickly and remain operational. Lives are at stake.
- Healthcare workers continue to struggle with the impact of the COVID-19 pandemic, resulting in staffing and productivity challenges. Burnout is abundant among healthcare workers who have been on the front lines of the pandemic, tirelessly caring for patients, working long hours, sometimes in unfamiliar or unsafe environments, putting themselves and their families at risk. Absenteeism is more frequent for many, and productivity has suffered, and nurses and other clinical providers are leaving the healthcare workforce in large numbers. For instance, according to McKinsey, 29% of registered nurses in the U.S. indicated that they were likely to leave their jobs providing direct patient care, and many reported that they intend to leave the workforce altogether. As a result, hospitals are often understaffed, placing further stress on the direct care providers who continue to work in the field.
- It’s not just clinical staff who are still grappling with the effects of the COVID-19 pandemic. IT security budgets are extremely tight, and many IT teams were already understaffed before the pandemic, which has exacerbated staffing challenges. These workers were tasked with managing the shift to remote work and remote patient care seemingly overnight at the start of the pandemic, as well as implementing temporary ICUs in football fields and parking lots to provide the necessary infrastructure to care for the influx of critically ill patients. They’ve also worked 24/7 to provide support for the clinicians providing direct patient care and other administrative staff, leading to significant stress and burnout. As with clinical workers, many IT workers are leaving the healthcare industry to pursue other opportunities. Those who do remain have a mountain of tasks to manage, from continuing to support remote patient care and remote working to implementing interoperability — a significant workload for understaffed and underfunded IT departments.
Healthcare provider organizations have a target on their backs. Let’s take a look at some of the common healthcare cybersecurity challenges.
The Use of Legacy Devices
Financially constrained healthcare organizations can’t always afford to update their legacy technology. Because out-of-date machines tend to have more security gaps, this means healthcare organizations have more unsecured endpoints than other businesses — and it’s often too expensive to fix the root cause of the problem.
Increased Use of IoT and Smart Devices
It’s not just legacy devices that pose a cybersecurity risk in healthcare organizations; newer devices also have unique challenges. Healthcare providers rely on smart sensors and other types of connected devices that store and share data in the cloud.
The issue is that outdated firmware is a known vulnerability that attackers love to exploit. Since healthcare moves so fast, it’s easy for organizations to forget to update their IoT devices, opening them up to numerous threats. Since 25% of all healthcare cyber attacks come from IoT, this is a growing issue.
Thousands of Endpoints
The rise in distributed care, remote work, telehealth, and ongoing efforts to achieve interoperability and support the sharing of healthcare information between providers have all contributed to an expanding attack surface. In other words, it’s normal to share PHI outside the firewall in the modern healthcare system, rendering traditional cybersecurity approaches that aim to secure data inside a firewall outdated and ineffective.
Today, healthcare organizations collect patients’ ePHI from a dizzying array of endpoints, and it’s imperative to gain visibility into ePHI and how it’s being created, used, shared, and moved throughout the healthcare ecosystem. If organizations don’t know what data they have or where it’s stored, it’s much easier for attackers to steal that data without raising the alarm.
Tausight’s Situational ePHI Awareness provides a consolidated, real-time view of both unstructured and structured PHI, detecting, tracking, and analyzing PHI activity and risk both in an organization’s data center and at every endpoint.
The Growing Threat of Ransomware
There are a few important things to note regarding ransomware attacks, an attack method increasingly used by cybercriminals targeting healthcare organizations. In fact, according to Sophos’ The State of Ransomware in Healthcare 2022 report, 66% of healthcare organizations surveyed experienced a ransomware attack in 2021, nearly double the 34% that were impacted by ransomware in 2020.
First, paying the ransom does not guarantee that the attackers will restore the organization’s access to its systems and data. While healthcare organizations may be inclined to pay the ransom demand to ensure patient safety and quality of care, doing so enables cybercriminals to profit and advances their malicious activities, and it also emboldens attackers to carry out future attacks.
As a result, the Treasury Departments’ Office of Foreign Assets Control (OFAC) announced in 2020 that organizations that pay ransom to organizations on the OFAC’s sanctions list can result in fines and penalties. We’ll talk more about ransomware later in this guide.
The ability to share data is key for modern healthcare organizations to improve the quality of care and patient outcomes. In fact, the 20th Century Cures Act prohibits healthcare organizations from “information blocking,” also known as data blocking, which means obstructing the access, use, or exchange of electronic healthcare data between healthcare systems, devices, and applications. As of October 6, 2022, the definition of EHI expands beyond the United States Core Data for Interoperability Standard (USCDI) and will apply to all protected health information that is transmitted or maintained electronically, which will include all records maintained by or for the provider, and will only exclude psychotherapy notes and certain records compiled for use in a civil or criminal action. While data sharing enables better care and outcomes, it also expands the attack surface.
As exploitations increase in scope and severity, healthcare providers must find creative ways to overcome these challenges and protect their patients’ sensitive data.
Why Healthcare Cybersecurity Matters
First and foremost, it’s a HIPAA requirement. If you’re a HIPAA-covered entity or a business associate of a covered entity, you have to follow HIPAA’s minimum standards.
Aside from regulatory requirements, healthcare cybersecurity has an impact on patient outcomes. There’s a real potential for harm when attackers bring systems to a halt or steal patient data.
In fact, research suggests there’s an increased death rate among patients who were victims of a healthcare cybersecurity breach, as healthcare data theft can cause delays to critical, life-saving care.
Unauthorized access or data theft has real consequences for patients, and providers take their responsibility for implementing cybersecurity best practices that improve patient outcomes seriously.
Annual Healthcare Cybersecurity Spend
IT teams need an appropriate budget to design an effective healthcare cybersecurity strategy. The issue is that cyber threats are increasing in volume and severity, which means your IT team needs more resources in its corner to protect the organization.
The healthcare industry has the second-highest number of data breaches of any industry. However, most healthcare organizations simply don’t budget enough to provide adequate cybersecurity. In fact, only 22% of healthcare IT managers say they have enough funds to keep their businesses secure.
On average, healthcare organizations spend four to seven percent of their annual IT budget on cybersecurity. That’s low: other high-risk industries, like finance, spend an average of 15% of their annual budget. Without enough funding, healthcare organizations risk under-securing their digital assets, leading to a slew of costly cyber attacks.
Common Healthcare Cybersecurity Threats
Digitization has been a boon to healthcare. It enabled telemedicine, interoperability, digital charts, and other innovations that improved the quality of care. However, digitization comes with concerns that healthcare organizations need to plan for. Healthcare organizations and providers need to be able to share data, but they need to be able to do so securely.
These are the most common healthcare cybersecurity threats that your organization should address:
- Human error
Even with the best security architecture, you can’t control user behavior. Your employees may not be acting maliciously, but their actions can open you up to cyber attacks. The misuse of patient data is also a concern that could open you up to HIPAA violations. Even seasoned professionals make security missteps, so healthcare businesses should account for human error in their cybersecurity plans.
In ransomware attacks, hackers breach your security and encrypt your sensitive data. They hold your data hostage in exchange for a ransom, only releasing a decryption key if you pay. If organizations fail to pay, attackers either delete the data or exfiltrate it and resell it on the black market.
As mentioned, ransomware in healthcare nearly doubled from 2020 to 2021, Ransomware is on the rise largely because healthcare organizations have often agreed to pay the ransom. Organizations don’t want to make the situation worse by allowing the attacker to exfiltrate their data, so companies typically pay the ransom to regain access to their systems and data quickly, maintain business continuity, and reduce potential harm to patients.
Ransomware-as-a-Service (RaaS) is now on the rise, too. Instead of a one-off attack, RaaS is an orchestrated attack by groups of hackers that act like a cyber gang. RaaS makes it easy for just about anyone to become a ransomware hacker, which means healthcare organizations can expect more frequent ransomware attacks.
Phishing emails and sketchy attachments can open up a can of worms. Phishing isn’t a new threat, but it’s the most frequent technique scammers use to infiltrate your defenses.
The biggest issue is that many of these emails are persuasive and realistic — sometimes attackers can spoof email addresses to make it look like a trusted contact is emailing an important file.
Since healthcare providers rely on email for many tasks, such as patient communications and referrals, your healthcare cybersecurity plan also needs to protect against phishing attacks.
8 Tips to Improve Healthcare Cybersecurity
Cyber attacks are so common in healthcare that it’s only a matter of time before your organization comes under fire. Instead of feigning invincibility, it’s better to find your vulnerabilities and address them long before there’s a problem. HIPAA-covered businesses should follow these eight guidelines to improve their healthcare cybersecurity.
1. Monitor Your Network
What’s normal for your network? Get a baseline with regular network monitoring. This will not only tell you what’s normal for your organization, but regular monitoring can help you spot troubling activity throughout the healthcare ecosystem that requires action.
2. Manage Third Parties
If you rely on vendors for IT, accounting, marketing, or any other third-party service, such as a cloud service provider, you should recognize that as a risk vector. You can do everything right on your end, but vendor misconduct can put you at risk.
There’s nothing wrong with outsourcing, but healthcare organizations should follow best practices including:
- Require third parties to sign business associate agreements (BAA) if required under HIPAA.
- Implement proper access control, which includes granting access to your systems strictly on a need-to-know basis.
- Complete regular cybersecurity training and require vendors and other business associates to conduct regular employee cybersecurity awareness training.
- Organizations can’t implement the appropriate security measures to protect ePHI without the ability to monitor it throughout the healthcare ecosystem. It’s crucial to have real-time visibility into where ePHI is stored, where it’s sent, how it’s used, when it’s accessed, who accesses it, and how and with who it’s shared.
3. Enable Multi-factor Authentication
Strong passwords alone won’t keep attackers out of your system, and healthcare cybersecurity should require additional authentication to make it harder for attackers to get in. Accounts that use multi-factor authentication (MFA) are 99.99% less likely to become compromised, making this essential security for any organization.
4. Train Employees
Regardless of your cybersecurity infrastructure, human error can still put you at risk. You can minimize this by regularly training your employees on proper cybersecurity practices and on the latest scams and threats so they know what to look out for. Since employees who receive security training monthly are 34% less likely to click on a suspicious link, training is a great way to reduce risk.
5. Consider Cyber Insurance
It’s a tough pill to swallow, but sooner or later, your organization will likely be the victim of a cyber attack. You have the power to reduce your risk and mitigate the damage, but even so, you’ll likely be on the hook for repairs and potential HIPAA penalties.
Many healthcare organizations are opting for cyber insurance to help them cover the costs of a breach. Insurance isn’t right for everyone, but if you’d have a hard time paying the average $10.1 million price tag to recover from a breach, it could be worthwhile.
6. Segment Your Network
If attackers gain access to your systems, they shouldn’t have free rein. Segmented networks keep sensitive data separate from the rest of your network, which makes it harder for attackers to access patient data. It also ensures you limit which employees have access to ePHI, which is not only a HIPAA best practice but also a smart way to reduce your risk.
7. Invest in Backups, Business Continuity, and Disaster Recovery
A resilient business is a secure and compliant business. That’s why healthcare cybersecurity should have strategies in place for backups, business continuity, and disaster recovery.
If you experience a ransomware attack that deletes thousands of patient records, it could easily ruin your business. Offline backups make it easier to minimize disruptions and get back to business, making backups a must.
Attackers are also opportunists. If you experience a severe storm that compromises your physical security, you could be on the hook for HIPAA fines. Instead of allowing a disaster to disrupt your business, make a plan now. This way, your team can calmly follow the plan in times of distress and return to normal operations more quickly.
Healthcare organizations must prioritize faster cyber recovery. The longer sensitive data is inaccessible, the greater the risk to patients. With Tausight, healthcare IT teams have an immutable, off-site audit trail, enabling forensic-level insights across all endpoints — before, during, and after a cyber incident. This includes the information necessary to reconstitute the system and reconstruct any cyber incident quickly, making rapid recovery from cybersecurity incidents possible.
8. Use Proper Access Controls
Proper access control ensures that employees have access to the information they need to do their jobs (no more and no less), known as the principle of least privilege. According to Security Magazine, 92% of hospitals now use electronic access control in some way, a 13% increase since 2016.
In addition to following the principle of least privilege, healthcare organizations should also require employees to comply with corporate rules related to accessing systems and data, such as:
- No shared passwords
- Requirements for strong passwords
- Using password storage solutions like 1Password so that employees won’t write down passwords on sticky notes
- Requiring new passwords every 60 days
- Prohibiting repeat passwords for different accounts
Streamline Healthcare Cybersecurity with Situational ePHI Awareness
Cybersecurity threats are increasing across the board, but the stakes are highest for healthcare organizations. Follow these eight guidelines to improve your security posture and reduce your attack surface.
Cybersecurity awareness is the first step. But do you know where your ePHI is stored, how it’s created and used, when and where it’s moved, and how it’s shared between providers, third parties, and applications? Increase your visibility with Tausight, a Situational ePHI Awareness solution built for healthcare by healthcare cybersecurity experts to enable reduced risk across the healthcare continuum, continuous validation of cyber preparedness, and faster time to cyber recovery. Contact us today to learn more.