The following is a guest article by Mike Crouse, Director of Insider Risk at Everfox
Ransomware attacks on the healthcare sector continue to grow, with incidents nearly doubling from 2022 to 2023—a concerning figure considering their potential to leave patients in life-or-death situations. The recent ransomware attack on OneBlood, a blood center that serves hundreds of hospitals in the south, is just the latest example of a cyberattack having a real-world impact. With systems offline, the center was forced to resort to manual methods for its operations, which limited the blood supply and caused the delay of multiple complex surgeries.
The OneBlood attack comes mere months after UnitedHealth was forced to pay $22 million to a ransomware gang for an attack on its claims processing unit, which handles nearly half of all U.S. medical claims. The disruption was so significant that three-quarters of all U.S. hospitals reported a direct impact on patient care and 94% of hospitals reported a financial impact, with the majority reporting revenue losses of at least $1 million per day. In turn, both the American Healthcare Association and the American Medical Association penned letters requesting federal support to deal with the attack's implications, while sensitive patient data ended up on the dark web.
Indeed, the highly sensitive nature of healthcare data is a large part of what makes it an attractive target for bad actors—along with the fact that an attack can bring even the most basic services screeching to a halt. The average cost of a data breach for the healthcare sector is $9.77 million, making it the most expensive sector for the fourteenth straight year. Improving the cybersecurity posture of healthcare organizations to prevent attacks, or at least mitigate their impact, is an urgent matter.
The Role of Federal Regulations
In the wake of the UnitedHealth breach, Sen. Mark Warner of Virginia introduced the Healthcare Cyber Improvement Act. In simplest terms, the legislation proposed advanced and accelerated payments to healthcare providers in the event of a cyber incident, if they meet minimum cybersecurity standards determined by the Department of Health and Human Services (HHS).
A few months later, another bill, the Healthcare Cybersecurity Act, was introduced; it would require the Cybersecurity and Infrastructure Security Agency (CISA) to collaborate with HHS, make resources available to non-federal entities, and create a special liaison to coordinate with those entities during cyber incidents. These bills come on the heels of HHS’s late 2023 efforts to strengthen healthcare resilience, including the release of cybersecurity performance goals and best practices.
As these pieces of legislation suggest, the mandatory implementation of technical controls is crucial to improving cybersecurity for the healthcare industry and, in turn, protecting patient data and wellbeing. The best way to enforce implementation at healthcare entities is to remove access to U.S. taxpayer dollars, such as Medicaid and Medicare, if the requisite cybersecurity baseline is not met.
Creating a Culture of Security
While a wide range of technical controls can contribute to a more robust cybersecurity posture—including content disarm and reconstruction, user activity monitoring, and secure data transfers—it’s important for healthcare organizations to understand that cybersecurity is not just a data or network problem, but a people problem. Human error remains the leading cause of data breaches, while ransomware attacks often rely on credential theft, compromised users, and social engineering. Additionally, the stressful environment of healthcare has the potential to increase insider risk factors, leading employees to make decisions that, intentionally or not, may undermine security.
In addition to implementing the right technical controls, organizations must ensure they engage with stakeholders across and outside the organization to improve cybersecurity. Organizations need to be able to gather data across different vectors (medical, finance, HR, etc.) without giving everyone operational access to the tools involved. A combination of least privilege access, data loss prevention solutions, and user activity monitoring and behavioral analytics allows for a holistic view of employee behavior—the foundation for identifying risky anomalies such as moving sensitive data outside the organization’s walls.
At the same time, organizations must also engage with vendors, mission partners, researchers, and centers of excellence to have a complete understanding of the ever-evolving cybersecurity landscape and which controls are most effective. The lessons learned from these engagements should be shared regularly with employees to create a security awareness culture. Proper insider risk protection starts with the people, which is why having formal training programs and awareness campaigns in place is essential. Employees may not be aware of just how harmful a data breach can be to the organization and its patients. In addition to legislation that mandates certain levels of cybersecurity hygiene, healthcare organizations must also work internally to improve security through training.
The Bottom Line
Bad actors will continue to target healthcare organizations, meaning that they must have cybersecurity solutions and trainings in place so that something as simple as an employee clicking on a bad link doesn’t end up undermining organizations financially or disrupting life-saving services. Healthcare organizations cannot wait for regulations to keep up with the scope of the threat landscape. The time is now to implement improved technical controls, internal trainings, and widespread collaboration with cybersecurity in mind. The health of patients depends on it.