Healthcare providers are in the midst of a tech-driven evolution. Technologies that were new to healthcare, including regular telehealth visits and remote patient monitoring/therapeutics, are making the leap from test cases to maturity. Next-wave equipment, such as augmented reality technology deployed in various clinical care settings, is being enabled by 5G connectivity. As viable and stable tools that can provide decentralized care at scale have become the norm, healthcare has become available anytime, anywhere, and from almost any connected device. And therein lies the problem: the proliferation of access points for care means more entry points for bad actors.
These new capabilities are changing the way healthcare is experienced and delivered. The far-reaching potential of these technologies carries with it significant risks, however. The emergence of new capabilities goes hand-in-hand with new vulnerabilities and new points of ingress for bad actors. And the more game-changing the advances, the more risk is created for the enterprise. Once a technology becomes critical to the infrastructure of an industry, security breaches or operational disruption can cause enormous damage.
As reliance on technology increases, so does the scale of such threats. In many cases, simple denial-of-service attacks are sufficient to limit capacity, hold organizations to ransom, and threaten patient lives. And when attackers successfully penetrate a system’s security perimeter to access protected data, the dangers are amplified. This is particularly true in healthcare, where providers hold some of the most sensitive personal information imaginable. Security breaches can undermine patient confidentiality, threaten the integrity of data, and impose high costs on both individuals and organizations. In 2022, the costs of healthcare data breaches hit a record high, with the average damage done by a cyberattack on a healthcare system reaching more than ten million dollars.
As cybersecurity threats continue to grow, appropriate responses are a necessity. Healthcare systems must holistically assess their technical security posture and risk management maturity to proactively fend off bad actors, respond to identified vulnerabilities in minutes, and protect their organization and patients from digital harm.
Why healthcare gets hit so hard and the inherent threats to patient care
So why does healthcare find itself in the crosshairs so frequently? There are several reasons. To begin with, stolen health records can be sold, offering a direct source of value to criminals. Those who purchase this information can leverage it to acquire medical services, devices, and medications, as well as to assist with identity theft more generally. Unlike stolen credit cards or social security numbers, medical records cannot simply be canceled, and this longevity is a key component of their value.
Even more important to the bad actors responsible for cyberattacks is the value individuals and organizations place on maintaining patient confidentiality. The confidentiality of healthcare data is one of the fundamental principles underpinning the delivery of care in the U.S., and the vital importance of maintaining it opens the door to extortion. Ransomware attacks that threaten to leak protected health information (PHI) unless large payments are made to the attackers have become increasingly frequent over the last decade. The COVID-19-driven expansion of online patient services has only accelerated this trend.
Despite the rapid recent growth in the use of digital technologies, the healthcare industry has lagged behind others in the kind of cybersecurity investments needed to keep patient data safe. Only 21% of healthcare organizations spend more than 6% of their IT budget on security, compared to an average spend of nearly 11% in the financial services sector and 12% across the global economy as a whole. The results of this underinvestment have been dramatic, with ransomware attacks on healthcare systems in the U.S. more than doubling between 2016 and 2021. Attempts to breach the security of healthcare providers have continued to tick up at an even faster rate in the last two years, with Q1 2023 showing a 22% year-over-year increase in cyberattacks. In addition to threatening patient confidentiality, these attacks can also undermine operational capacity, limiting service delivery in a way that may threaten health outcomes for thousands of individuals and sometimes even forcing organizations to fall back on paper-based processes until the threat is dealt with.
Steps healthcare systems can take
While increased investment is a vital piece of the puzzle for improving security systems, what really matters is that resources are deployed in the most effective way. There are a number of steps healthcare systems can take to meet evolving cybersecurity threats.
- Implement a zero trust model. A “zero trust” security model is based on the principle “never trust, always verify,” replacing the presumption of trust with robust verification procedures at all possible points. A key feature of this model is limiting avenues of attack by avoiding the unnecessary duplication of access points and processes. For instance, a single sign-on system reduces potential points of failure across a system by replacing separate department-level or vendor-provided sign-on processes with a single strong source for identity management. Similarly, requiring both user and machine authentication for access multiplies the number of steps a bad actor will have to take to breach a system. This kind of multi-factor authentication ensures that the theft of login credentials will not be enough by itself to gain access to protected data or to an accredited machine. Only users who tick all the security boxes will be able to move beyond the system perimeter.
- Implement 24/7 threat detection. The most efficient way to ensure that systems are fully protected is through a managed detection and response (MDR) service with the staff and resources needed to provide 24/7 protection for networks, endpoints, and cloud assets. Many healthcare organizations find it challenging to provide the necessary resources to maintain continuous capabilities in the face of occasional threats. Third-party turnkey solutions are one way of ensuring that a security team can respond to an attempted breach at any time of day. A critical component of any effective MDR program is that it remains up to date, so the incident response plan needs to be tested quarterly to ensure it meets the latest threats and aligns with the priorities of the healthcare system.
- Monitor risks and vulnerabilities. The cybersecurity threat environment is in a constant state of evolution. New threats can appear as systems add applications or implement additional capabilities; changing user behavior can provide novel avenues of attack; and criminals are, of course, always seeking new ways to defeat established security provisions. Regular vulnerability scans and penetration tests are essential for staying ahead of the game in this changing world. But to maximize their effectiveness, they need to inform a broader risk management program dedicated to analyzing and assessing vulnerabilities. While a mature program cannot be created overnight, making a long-term commitment to building institutional knowledge is a vital first step. As monitoring processes are repeated, documented, tested, and revised over a period of years, the effectiveness and value of the program will increase, turning it from a useful tool into the centerpiece of an effective security system.
- Manage third-party risk. Healthcare organizations typically work with dozens, and in most cases hundreds, of individual vendors and other third parties. These can range from app developers and medical technology providers to contractors or insurance and claims service providers. The level of risk these third parties bring with them can vary widely, from the contractor who needs a local email address to the app that is integrated into the electronic health record (EHR) or the claims handler who requires direct access to patient data. Assessing and addressing third-party risk often goes beyond a simple thumbs up or down for a new vendor. In some cases, the third party may offer value that cannot be found elsewhere, so if their current security profile exceeds the organization’s risk appetite, it will be necessary to develop a corrective action plan to facilitate the partnership. Once third parties have been onboarded, ongoing monitoring of public-facing vendor environments is needed to ensure that evolving threats are met and new vulnerabilities do not develop, with monthly reports on the security postures of key vendors. The skill set and resources required to manage these risks effectively are often beyond the native capacity of individual healthcare organizations, so managed service providers can be a cost-effective way to gain access to these capabilities.
Technological innovation is absolutely necessary to move the needle and provide better, more efficient patient care. A strong cyber strategy needs to be implemented alongside these developments to ensure that organizations can gain the fullest possible value without introducing unnecessary risks. Building resilient walls with rapid response capabilities will garner trust from patients and ecosystem partners and is the true north for healthcare.