Every day the news headlines broadcast another cyber attack on a healthcare facility. Ransomware attacks are running wild. It’s now not a matter of if you’ll be attacked, but when and what will the impact be.
In the meantime, hospital leaders and executives are dealing with reduced reimbursement rates, higher labor costs, and increased pressure on their budgets. They are being asked to do more with less money, stretching every dollar to the limit. Often cyber security takes a back seat and can be seen as a place to cut corners to save money.
Cutting cybersecurity projects from the budget can increase the risk to patient safety. If you aren’t doing the fundamentals of good cyber hygiene, then you are increasing your risk of an attack, which could impact your ability to care for patients. Good cyber hygiene doesn’t have to come with a high price tag. If you focus on the process of awareness, assessment, implementation, and education you can see benefits in your cybersecurity program.
Threats
Data released by cybersecurity firm Check Point showed that the healthcare industry saw a 74% increase in weekly cyberattacks compared with 2021. Healthcare is an attractive target for cybercriminals because of the amount of personal information it holds and the notoriety that comes with attacking a hospital. Healthcare facilities are also more likely to pay the ransom, making them a financial win for attackers.
Logan Health reported a phishing attack in 2021 that led to more than 200,000 patients having their PHI exposed. The incident exposed Social Security numbers, birth dates, contact information, medical history, and other private data. Logan eventually reached a $4.3 million settlement after the hospital was sued by patients. Patients claimed the data compromise was caused by Logan’s failure to implement adequate security measures. It was the second breach-related lawsuit in less than three years for the health system. In December of 2020, they paid a $4.2 million settlement for a previous breach. In less than three years, Logan Health has paid $8.5 million in breach settlements.
Cybersecurity can cost your facility millions of dollars in lost revenue, settlement payouts, and legal fees; the more serious threat is the impact on patient lives. If a cyberattack renders a facility inoperable, patients that require timely care might not be able to get it. Several incidents have forced facilities to divert ambulance traffic or postpone scheduled patient procedures.
A report by the Ponemon Institute stated that 1 in 4 healthcare providers reported an increase in mortality rate due to ransomware. In the same study, more than 70% of healthcare organization reported longer length of stay or delays in procedures that lead to poor outcomes after a ransomware attack.
To help mitigate these risks, you need to focus on a process of four steps: awareness, assessment, implementation, and education.
Awareness
Awareness of security threats and risks is everyone’s responsibility from the board of directors through leadership and down to all users. The entire organization needs to be aware of the five key threats that face healthcare facilities today:
- Email phishing
- Ransomware
- Loss of equipment
- Insider actions
- Attacks against medical devices
The culture of the organization should encourage and reward employees that spot suspicious behavior. Encourage employees to reach out to IT if they spot a potential phishing email. Make it common practice to talk about cyber threats at staff, manager, and board meetings.
There are many ways to promote awareness within your facility. It’s important that you have an annual security awareness training program for all employees. If you can do it more frequently then that is even better. Some facilities are doing it monthly.
The training program doesn’t have to cost a lot. There are lots of free resources on the web that can be used. You should also check with your state hospital association or even your HR vendor. Some payroll companies are offering cybersecurity training modules to their customers.
Another way to keep cybersecurity front of mind is to share stories of attacks on other hospitals or healthcare facilities. Sometimes employees get the mindset that a cyberattack will never happen to them. By making them aware of recent attacks you can show them that attacks are common and could happen to them. Plus, articles usually describe how the attack happened, which heightens your staff’s awareness. If they know a recent attack was caused by clicking on a phishing email, they might think twice before clicking on a link in their own email.
Any news website, newsletter, or industry publication has plenty of articles about recent healthcare cyberattacks. Pick a few relevant ones and periodically share them with your staff. These could even be discussed at staff meetings or shared in employee newsletters.
Finally, you can put posters up around the facility highlighting key security concepts. For example, you might have a flier that says “Think before you Click” to promote phishing awareness. Have fun making these, enlist your marketing department to add pictures, and put them in places where employees will see them.
Having a strong security program starts with building awareness from the top down within your organization. The next step is doing an assessment to completely understand your current risks.
Assessment
It’s important that you have an annual security risk assessment done for your facility. In fact, it’s a HIPAA requirement to make sure you are compliant with the administrative, physical, and technical safeguards. The risk assessment also helps reveal where your facility’s PHI could be at risk.
When planning your risk assessment, it is best if it’s done by an external vendor or consultant who is familiar with the appropriate frameworks. Yes, this will cost money, but it’s important to get this right. Too often hospitals see an assessment as checking boxes to say they did it. You need to take it seriously and dedicate the proper time, money, and people to completing an in-depth assessment. Look at it as an opportunity to understand your weaknesses so they can be fixed. It’s better to know now what your risks are so you can fix them than it is to find out after you’ve been attacked.
Once you’ve done the assessment you will have a list of tasks, or a roadmap of work, that needs to be done to improve your cybersecurity. You should resolve high-risk and high-impact vulnerabilities as quickly as possible. Any remaining items can be scheduled as part of the remediation process.
As part of your risk assessment, you should also perform an external network scan and penetration test. This will help you identify the technical details of where you might be vulnerable. Maybe you have misconfigured remote access and it’s open to a potential attack. A penetration test will help find these issues and bring them to light before an attacker can take advantage of the error.
Finally, you should do an assessment of your data. Specifically, you want to identify where you have PHI or other sensitive data stored. Oftentimes facilities don’t realize how many different places and how widespread PHI is within the organization. You want to know what servers, workstations, machines, and files have your most sensitive data. If you identify where it is, then it’s easier to figure out how to protect it.
Once you’ve done the assessment and understand where your risk lies then you can start to implement processes and procedures to mitigate the risks. You also need to figure out how you are going to respond should there be an incident.
Implementation & Remediation
Your assessment should produce a roadmap of projects and work that needs to be completed. The roadmap should be prioritized based on risk, likelihood, impact, and time to resolve. It also needs to be balanced with other projects going on at the facility. It doesn’t make sense to overload your staff or IT department. Make sure you work with all staff to schedule what makes sense. Most importantly, it should be a living document and not something you look at once and set aside. It should be regularly reviewed and discussed by leadership and even the board of directors.
It’s important that you review your software update process, antivirus management, and data backups. One of the common security risks is out of date software. Make sure your IT team has a process, and is following it, for updating all the software within your facility. Any out-of-date systems should be updated or removed from the network.
It’s also important that you have antivirus protection and that it be centrally managed. Your IT team should be able to see what systems are out of date and need immediate attention.
Your data backups are critical during an attack, and now is the time to make sure they are set up and working properly. You should follow the 3-2-1 backup strategy. This strategy says you have:
- 3 – Copies of your data
- 2 – On-site copies, but on different media or devices
- 1 – Copy offsite
More and more attackers are getting access to their victim’s backup data and compromising it. Then they encrypt your data, and your backup is rendered useless because it’s also compromised. An offsite copy of the data is critical.
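The 3-2-1 rule and the compromised-backup caveat above can be turned into a simple inventory check. The following is an added example, not code from the article: it models each backup copy with a constructed record, counts copies, distinct on-site media/devices and off-site copies, and flags the failure mode described above, where every off-site copy can still be reached with production credentials. The `prod_creds_reach` field is an assumption used as a stand-in for "an attacker with your domain credentials could delete or encrypt this copy"; the inventories are constructed samples.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class BackupCopy:
    """One copy of a backup set. All field values used below are constructed examples."""
    name: str
    location: str           # "onsite" or "offsite"
    media: str              # e.g. "disk", "tape", "cloud-object"
    device: str             # device, appliance or account holding the copy
    prod_creds_reach: bool  # assumption: True if production credentials can delete/encrypt it


def check_3_2_1(copies: List[BackupCopy]) -> List[str]:
    """Return the gaps found against the 3-2-1 rule; an empty list means the inventory complies."""
    gaps = []

    # 3: at least three copies of the data in total
    if len(copies) < 3:
        gaps.append(f"only {len(copies)} copies; the rule expects at least 3")

    # 2: at least two on-site copies on different media or devices
    onsite = [c for c in copies if c.location == "onsite"]
    distinct_onsite = {(c.media, c.device) for c in onsite}
    if len(distinct_onsite) < 2:
        gaps.append(
            f"{len(onsite)} on-site copies on {len(distinct_onsite)} distinct "
            f"media/device(s); the rule expects at least 2"
        )

    # 1: at least one copy off site
    offsite = [c for c in copies if c.location == "offsite"]
    if not offsite:
        gaps.append("no off-site copy")

    # Caveat: an off-site copy that production credentials can still reach is
    # not a safe fallback once those credentials are in an attacker's hands.
    if offsite and all(c.prod_creds_reach for c in offsite):
        gaps.append("every off-site copy is reachable with production credentials; isolate at least one")

    return gaps


def good_inventory() -> List[BackupCopy]:
    """Constructed inventory that satisfies 3-2-1 and keeps one isolated off-site copy."""
    return [
        BackupCopy("nightly-disk", "onsite", "disk", "nas-01", True),
        BackupCopy("weekly-tape", "onsite", "tape", "lto-library", False),
        BackupCopy("cloud-immutable", "offsite", "cloud-object", "backup-account", False),
    ]


def weak_inventory() -> List[BackupCopy]:
    """Constructed inventory: three copies, all on one NAS and all reachable from the domain."""
    return [
        BackupCopy("nightly", "onsite", "disk", "nas-01", True),
        BackupCopy("weekly", "onsite", "disk", "nas-01", True),
        BackupCopy("monthly", "onsite", "disk", "nas-01", True),
    ]


if __name__ == "__main__":
    for label, inventory in (("good", good_inventory()), ("weak", weak_inventory())):
        gaps = check_3_2_1(inventory)
        print(f"{label}: {'compliant' if not gaps else 'gaps found'}")
        for gap in gaps:
            print("  -", gap)
```

Run it against your own backup inventory by replacing the constructed lists; the weak inventory reports two gaps (everything on one device, nothing off site), which is exactly the situation that leaves a facility with no usable backup after its primary copies are encrypted.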
Finally, as part of this process you should review and update your incident response plan. If you don’t have an incident response plan, then you should create one.
More than just having an incident response plan, you should practice running through it, at least annually. You can do a tabletop exercise where you walk through example scenarios to make sure everyone knows their responsibilities. It doesn’t have to be complex, but it does require time and commitment from leadership. The key is getting started and progressing forward. You want to exercise your incident response muscles before you need them in a real-life incident.
At this point you’ve built awareness within your organization, done an assessment of your risks, and put measures in place to implement and remediate issues. Now we come full circle and continue to educate the team.
Education
Cybersecurity threats are continually evolving and it’s important that staff, leadership, and your board stay up to date. Implementing a formal cybersecurity training process is critical to keeping everyone updated. It goes hand in hand with your annual security awareness training and starts the cycle over again. With the education program you want to get more specific in your training and test your users to make sure they understand the concepts.
For example, maybe you have a series of training materials demonstrating how to identify phishing emails. Then you should have a way to test employees to make sure they can properly identify a phishing email. Maybe you send them a simulated phishing email and report on how many click the link. However you test, you want to be able to track results. Staff who struggle should be retrained until they show an understanding of the concepts.
It’s also important to educate staff on any changes to policies or procedures. As your organization’s security matures, you’ll be updating your security policies and creating new ones. As those roll out, make sure staff are aware of the changes so they can comply.
Conclusion
By focusing on the cycle of awareness, assessment, implementation, and education you can continue to improve your facility’s cybersecurity program. Cybersecurity is an ongoing process of continual improvement, and by focusing on these four key areas you can improve your security from the top down. It takes a commitment from everyone within the organization, but it doesn’t have to break your budget. Following a few key principles can help keep your name out of the headlines.
References:
Davis, J. (2023, January 25). Logan Health agrees to $4.3m settlement after 2021 Health Data Breach. SC Media. Retrieved from https://www.scmagazine.com/analysis/breach/logan-health-agrees-to-4-3m-settlement-after-2021-health-data-breach
Gliadkovskaya, A. (2021, September 24). Ransomware attacks impact patient care, including increased mortality rates, report finds. Fierce Healthcare. Retrieved from https://www.fiercehealthcare.com/tech/ransomware-attacks-impact-patient-care-including-increased-mortality-rates-report-finds
HIPAA Journal. (2023, January 12). Global Healthcare Cyberattacks increased by 74% in 2022. HIPAA Journal. Retrieved from https://www.hipaajournal.com/global-healthcare-cyberattacks-increased-by-74-in-2022/