Preventive Care – For Your Cyber Environment
By Jeffrey J. Engle
Originally published by: Nashville Medical News | Oct. 01, 2023
Healthcare systems and providers are quick to acknowledge the benefits of preventive care — such as an annual physical, immunizations, cancer screenings and others — and how they improve a patient’s overall health and wellbeing. Yet, despite the rise in healthcare cyberattacks, these same organizations do not treat their cyber environments with that same standard of care — instead deploying a reactive response.
Our healthcare industry is under seemingly constant attack. Numerous hacking attempts have been deployed upon our hospitals and other medical practices. Why? These providers store large amounts of patient information, and this data is incredibly valuable when sold. In addition, the stakes of a ransomware attack on a healthcare organization can be life or death — making organizations far more likely to pay the fee. These ransomware attacks can cause patient care to be delayed as patients are rerouted to other hospitals or caregivers are unable to access needed medical records. In some cases, these attacks even disable diagnostic testing and treatment equipment.
Any breach affecting more than 500 Americans must be reported to the U.S. Department of Health and Human Services. In the first six months of 2023 alone, more than 300 breaches were reported — impacting a total of 30 million Americans. Not included in this data is the HCA Healthcare breach, which was reported on July 5 and had a documented impact on more than 11 million patients across 20 states. This breached data included names, partial addresses, emails, phone numbers, birth dates, gender, service dates, locations and next scheduled appointment information.
These attacks are becoming more and more common. In fact, U.S. healthcare entities suffered an average of 1,410 weekly cyberattacks per organization in 2022, up 86% in comparison to 2021, according to Check Point Research. Reactive defenses will not allow us to win this ongoing war — leaving patient privacy and safety as well as hospital operations at risk of an enemy strike at any time.
What is hindering a preventive approach for healthcare cyber security? How can providers proactively care for patient data as they do with their health?
According to a 2021 HIMSS survey, 73% of healthcare provider organizations have legacy information systems. These systems are costly to maintain, difficult to transition and challenging to protect. In fact, the same HIMSS study reported that IT leaders cite these legacy systems as their third largest security risk.
While not retiring these systems leaves organizations open to risk of data breaches, transitioning these systems is not a simple alternative. MRI machines, ultrasound machines and other diagnostic equipment often run on these outdated operating systems and software, as these machines have long lifespans and high costs of replacement. With high rates of employee burnout, hospital systems can be hesitant to implement changes that may be a burden to their already-stretched-thin workforce.
Insufficient Staff Training:
Similarly, this mindset can lead to insufficient staff training for existing systems, software and general cybersecurity hygiene. Roughly 9 out of 10 cyber breaches are caused by human error, according to a joint research study from Stanford University Professor Jeff Hancock and security firm Tessian.
This confirms what security experts have been saying for years: educating your staff about cyber best practices and ensuring that they understand the risk of phishing and other types of social engineering is crucial to preventing breaches.
Third-party risk rose to the forefront of cybersecurity concerns with the MOVEit breach, which affected over 1,000 organizations and 60 million individuals worldwide. This breach impacted a number of healthcare industry organizations including student health insurance provider United Healthcare Student Resources, Health Services Ireland, Rochester Hospital and UofL Health, an academic health system based in Kentucky.
These third parties could include any vendors, suppliers, partners, contractors or service providers, all of whom have access to internal company or customer data, systems, processes or other privileged information. While working with a third party is more cost effective than creating in-house capabilities, the more partners you work with, the more risk you create.
A recent Gartner study found that only 28% of organizations continuously monitor third parties throughout engagement cycles; just 16% say they effectively manage third-party risks. This leaves 84% not only open to risk, but unaware of breaches that could occur.
Each of these factors (legacy systems, insufficient staff training and third-party exposure) can be the cause of vulnerabilities in a healthcare system's cyber environment. However, there are three key ways you can protect yourself, your employees and your business from falling prey to a cyberattack.
Strong Authentication (MFA): With employees creating the most opportunity for a breach, it is important to implement preventive measures. Multi-factor authentication adds an extra layer of security beyond passwords, making it significantly harder for unauthorized individuals to gain access.
Ongoing Monitoring and Updates: Continually monitoring your environment is crucial to minimizing the impact of a cyberattack. This process allows you to understand the environment's vulnerabilities and detect issues before they escalate. It will also help you keep all software and systems up to date with the latest security patches, which is essential for mitigating known vulnerabilities that attackers might exploit.
Incident Response Plan: To prevent long-term outages with critical implications, it is important that healthcare systems develop a well-defined incident response plan that ensures a swift and organized response in case of a cybersecurity incident, minimizing damage and facilitating recovery. This helps to minimize the downtime and patient impact of a breach.
Because private health information is such a valuable asset, attacks on healthcare organizations are unlikely to slow down anytime soon. Therefore, it is mission critical for healthcare organizations to act and implement adequate cybersecurity preventive measures to fulfill their responsibilities for protecting patient data.
Jeffrey Engle is Chairman & President at Conquest Cyber where he combines his experience in Risk Management, National Security and Business Process Optimization. Under his leadership, Conquest Cyber partners with critical infrastructure organizations and government agencies to build cyber resiliency. Conquest achieves this by enabling foundational technology, providing capacity augmentation through SCyOps Solutions, and unifying cyber program management through the ARMED ATK platform.