When we consider the most serious consequences of industry-level cybersecurity breaches, the impact on our healthcare system is at the top of the list. Inadequate planning or poor resource management could result in a hospital outage, a multi-site catastrophe, the loss of high-risk data or a threat to patient health.
Along with mitigating risk at an individual level, there's an obvious requirement to ensure the systems, networks and devices we rely on are protected against attacks from an ever-increasing number of malicious actors. Several attacks have gained ground in recent months to devastating effect, and it is C-level executives that carry the ultimate responsibility for resolving these issues and preventing future catastrophe.
Carrying the can for cybersecurity in healthcare
C-level staff are responsible for creating the right technological framework and the appropriate cultural awareness of cybersecurity among healthcare staff. Typically, we'd consider roles like the chief compliance officer (CCO), chief learning officer (CLO), and chief medical information officer (CMIO) to be gatekeepers responsible for putting these measures in place across a range of possible attack vectors.
Patient data is an obvious target for hackers looking to commit identity theft, social engineering attacks or even blackmail. But we've also seen the potential for attacks on connected healthcare devices, and for ransomware to interrupt patient care at the coalface. Any attack at the network level could bring multiple sites to their knees, with potentially life-threatening effects on the people who rely on those services.
How can the various risks be managed in a practical, affordable and efficient manner?
Encryption is the best defense against unauthorized access to any kind of data and in a healthcare setting it is essential. No patient information should be stored or transmitted in an unencrypted form and strict controls should be in place to guard against unauthorized access to encryption keys.
The National Institute of Standards and Technology (NIST) advised in its storage encryption guide that organizations should implement encryption solutions that use existing system features, such as those of the operating system already in place.
Solutions that require extensive changes to the infrastructure are harder to deploy, and end user device encryption should generally be used only when other solutions are not sufficient. Whichever method you choose, consider how management practices can support the recovery of encrypted data should a key be accidentally destroyed or made unavailable. Likewise, develop workable procedures for encrypting and decrypting removable media.
Viruses and malware are not just the reserve of the office PC; they can be maliciously installed on any internet-connected device. As online updates make their way into the healthcare space, there is a real risk that patient health could be compromised by malicious software – "ethical hackers" have already proven that certain pacemakers and insulin pumps are vulnerable to attack.
The best way to protect hospital computers from malware is by restricting user access to websites known to contain malware, or those most likely to – typically websites whose content contains pornography, pharmaceutical products or free software. This is most effectively achieved with an internet content filter that relies on blacklists, category filters and keyword filters to control what websites internet users can visit.
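The three filter layers described above (blacklist, category, keyword) as an added illustration in Python; this is not code from the original article or from any filtering product, and the blocked hosts, categories and keywords are constructed sample policy data.

```python
import re
from urllib.parse import urlparse

# Constructed sample policy data; a real filter loads vendor-maintained
# blacklists and category databases instead of these literals.
BLACKLIST = {"malware-host.example", "drive-by.example"}
CATEGORIES = {"pills-cheap.example": "pharmaceutical",
              "free-tools.example": "free software"}
BLOCKED_CATEGORIES = {"pornography", "pharmaceutical", "free software"}
KEYWORDS = {"crack", "keygen", "warez"}


def host_matches(host, domains):
    """True if host equals, or is a subdomain of, any listed domain."""
    return any(host == d or host.endswith("." + d) for d in domains)


def check_url(url):
    """Return (allowed, reason), applying the filters in order:
    1. blacklisted hosts, 2. blocked categories, 3. keyword hits in path/query."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    if not host:
        return False, "unparseable URL"          # fail closed on junk input
    if host_matches(host, BLACKLIST):
        return False, "blacklisted host"
    for domain, category in CATEGORIES.items():
        if host_matches(host, {domain}) and category in BLOCKED_CATEGORIES:
            return False, f"blocked category: {category}"
    text = f"{parsed.path} {parsed.query}".lower()
    hits = [k for k in KEYWORDS if re.search(r"\b" + re.escape(k) + r"\b", text)]
    if hits:
        return False, "keyword filter: " + ", ".join(sorted(hits))
    return True, "allowed"


if __name__ == "__main__":
    for u in ("https://cdn.malware-host.example/x",
              "http://www.pills-cheap.example/buy",
              "https://downloads.example/app-keygen.exe?x=1",
              "https://ehr.hospital.example/patients"):
        print(u, "->", check_url(u))
```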
Data loss prevention (DLP)
In the age of rapid online sharing and almost ubiquitous reliance on digital communications, accidental data breaches are all too common. There's also the chance that a rogue employee could share confidential data with unauthorized parties on purpose.
DLP solutions are configured around the most sensitive data an organization handles. They prevent electronic medical records (EMR), protected health information (PHI), payment card industry (PCI) data and other personally identifiable information (PII) from being accessed, and potentially misused, by unauthorized users. When unsanctioned access is identified, the DLP solution applies pre-defined alerts and other protective actions to stop end users from sharing data that could put the organization at risk.
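A minimal outbound-content check of the kind a DLP policy performs, as an added Python example (not from the article or any DLP product): it detects the PHI, PCI and PII classes named above with constructed patterns (a medical record number, a Luhn-valid card number, a US-style SSN) and maps each class to a pre-defined action.

```python
import re

# Constructed policy: data class -> action. "block" outranks "alert".
POLICY = {"PCI": "block", "PHI": "block", "PII": "alert"}

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
MRN_RE = re.compile(r"\bMRN[:\s#]*\d{6,10}\b", re.IGNORECASE)   # hypothetical MRN format
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")               # 13-16 digits, optional separators


def luhn_ok(digits):
    """Luhn checksum: filters out random digit runs that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text):
    """Return the set of sensitive data classes found in the text."""
    found = set()
    if SSN_RE.search(text):
        found.add("PII")
    if MRN_RE.search(text):
        found.add("PHI")
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            found.add("PCI")
            break
    return found


def enforce(text):
    """Apply the pre-defined action for what was found: (action, classes)."""
    classes = classify(text)
    if not classes:
        return "allow", classes
    action = "block" if any(POLICY[c] == "block" for c in classes) else "alert"
    return action, classes


if __name__ == "__main__":
    # Constructed sample messages, not real patient data.
    for msg in ("Patient MRN: 00123456 discharged today",
                "Please charge card 4111 1111 1111 1111",
                "Contact John, SSN 123-45-6789",
                "Cafeteria menu attached"):
        print(enforce(msg), "<-", msg)
```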
Healthcare security information and event management (SIEM)
No matter how robust a network, social engineering attacks pose a risk. It only takes one person on the network to open a compromised file and potentially infect many others with malicious software, as has been proven in many high-profile cases in recent months.
Along with the compliance benefits of SIEM, real-time monitoring of networks and systems is vital to detect and contain phishing and ransomware attacks as soon as they take hold. Rapid detection is essential to deal with the threat before it becomes an issue for multiple devices or even multiple sites.
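The kind of real-time rule a SIEM runs to catch ransomware as it takes hold, as an added Python example (not from the article or any SIEM product): it watches constructed endpoint file-event log lines for a burst of writes with a suspect extension per host inside a short window, and escalates when more than one host is affected. The log format, extensions and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed endpoint file-event lines (hypothetical format, not real logs).
SAMPLE_LOGS = """\
2024-05-01T10:00:01Z host=ws-12 user=nurse1 event=file_write path=/share/records/a.docx.locked
2024-05-01T10:00:02Z host=ws-12 user=nurse1 event=file_write path=/share/records/b.docx.locked
2024-05-01T10:00:02Z host=ws-07 user=admin2 event=file_write path=/share/billing/q1.xlsx
2024-05-01T10:00:04Z host=ws-12 user=nurse1 event=file_write path=/share/records/c.pdf.locked
2024-05-01T10:00:30Z host=ws-07 user=admin2 event=file_write path=/share/billing/q1.xlsx.locked
2024-05-01T10:01:00Z host=ws-09 user=doc3 event=file_write path=/share/notes/n1.txt.locked
2024-05-01T10:03:00Z host=ws-09 user=doc3 event=file_write path=/share/notes/n2.txt.locked
2024-05-01T10:05:00Z host=ws-09 user=doc3 event=file_write path=/share/notes/n3.txt.locked
"""

SUSPECT_EXT = (".locked", ".encrypted", ".crypt")   # assumed indicators
THRESHOLD = 3                                       # suspect writes per host ...
WINDOW = timedelta(seconds=60)                      # ... within this sliding window


def parse(line):
    """'ts k=v k=v ...' -> dict with a parsed datetime under 'ts'."""
    ts_str, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def detect(lines):
    """Return {host: time of first alert} for hosts showing a burst of suspect writes."""
    recent, alerts = defaultdict(list), {}
    for line in lines:
        if not line.strip():
            continue
        ev = parse(line)
        if ev["event"] != "file_write" or not ev["path"].endswith(SUSPECT_EXT):
            continue
        window = recent[ev["host"]]
        window.append(ev["ts"])
        while window and ev["ts"] - window[0] > WINDOW:   # slide the window
            window.pop(0)
        if len(window) >= THRESHOLD and ev["host"] not in alerts:
            alerts[ev["host"]] = ev["ts"]
    return alerts


def containment_actions(alerts):
    """Isolate each alerting host; escalate once activity spans two or more hosts."""
    actions = [f"isolate {h}" for h in sorted(alerts)]
    if len(alerts) >= 2:
        actions.append("escalate: multi-host activity, suspend file-share writes")
    return actions
```

Host ws-09 never alerts because its three writes are minutes apart and fall out of the 60-second window, which is the trade-off between rapid detection and false positives on normal bulk work.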
HITRUST security framework/SANS CIS controls
Healthcare systems require a specific security response, a high level of compliance and a robust response to new threats. Data security frameworks help to relieve some of the complexity of the threat landscape in healthcare by providing predetermined and highly effective principles for management and ongoing operations.
The HITRUST framework was developed to address the multitude of security, privacy and regulatory challenges facing healthcare institutions. By including federal and state-level regulations, standards and frameworks and incorporating a risk-based approach, it helps address these challenges through a comprehensive and flexible framework of prescriptive and scalable security controls.
Cyber liability/breach insurance and policies
When sensitive patient data is jeopardized, the threat of legal action can follow. As part of the hospital, site or network's disaster planning there should be a comprehensive insurance policy in place, along with a dedicated breach incident team to quickly manage and contain attacks so that the potential for lawsuits is minimized. This is also paramount in isolating and resolving issues before they get out of hand.
Prioritizing IT budgets to security spending
In any organization – but particularly when healthcare budgets are under pressure – it can be tempting to concentrate resources on the "here and now". That being said, it is much less costly to prevent a security breach than it is to deal with one that has already happened. As hackers and malicious actors become more sophisticated in their techniques, allocating the necessary budget in advance is essential to avoiding costly clean-ups, catastrophic data loss, or fines for non-compliance. Maintaining an effective cybersecurity strategy isn't a one-off act; it's a continuous process.
Training and security education courses
Having policies is all well and good, but do your employees understand the implications of this legislation in their day-to-day work? Cybersecurity is vital but is all too easy to toss aside when employees are under pressure. All staff must understand why adherence is crucial and how these rules apply to them daily.
Accredited courses, in-house training, and e-learning initiatives are all good ways to stress the importance of cybersecurity in healthcare and bring about the essential culture change that makes accidental or intentional security breaches less likely. The Department of Health and Human Services offers a range of training courses for foundational security skills.
Frequent external risk assessments
Risk assessments are a core component of government requirements and in the fast-changing security landscape, it's important to ensure that all facets of the organization are adequately protected. From patient data to multi-site networks, external assessment – carried out to objective standards – is key in driving continuous improvement.
Control outside of the hospital
All organizations face the challenge of meeting flexible working requirements, as well as capitalizing on the benefits of allowing employees to work remotely. But when dealing with sensitive data, it's important to have the correct software and policies in place to ensure that data does not escape your control. High-level executives are often the most vulnerable to these attacks given the frequency with which they handle sensitive information.
Any employee who uses devices for work away from the hospital or while working remotely should have them sanctioned and secured by in-house IT. Through objective policies and compliance standards, all remote work should be protected with a VPN and antivirus solutions. This includes bring your own device (BYOD) arrangements, where an employee is permitted to use their own hardware for work.
Healthcare organizations face a range of unique cybersecurity risks and the stakes are high on all sides. Every patient touchpoint is a potential breach; every email attachment a potential vector for malicious intrusion.
As more of our healthcare services go digital and more data is shared between distant sites and services, a robust and holistic approach is the only defense. With the IoT and perpetually-connected patient health devices already in the picture, C-level staff need to be constantly aware of the changing landscape.
By proactively working to manage and control patient data and system security, as well as educating healthcare staff, C-level executives must take responsibility for preventing threats and improving incident response across our healthcare system.