July 3, 2018

What Does Federal Fracas Mean for Healthcare Cybersecurity?

It is the responsibility of each healthcare organization to protect itself, and its patients. An effective cybersecurity solution must be leveraged to protect patient lives from security shortcomings, regardless of what is happening at the federal or state level.

In mid-May, the National Security Council announced that the top cybersecurity post at the White House would be eliminated.

While a group of senators is pushing National Security Advisor John Bolton to reconsider, the administration’s move brings up an interesting question: Does this federal fracas matter at the organizational level?

“It does have a detrimental effect in the sense that it telegraphs to other nation states that we’re not paying close attention to cybersecurity,” says Brett Warrick of Sensato cybersecurity. “It may encourage them to put more focus on U.S. targets.”

That said, Warrick notes that every healthcare organization should assume that it is a target of cyberattackers and protect itself accordingly, regardless of what is or is not happening at the federal, state, or local level.

“The government is not going to come out and put up firewalls to protect you,” says Warrick. “Ultimately, it’s on each organization to do all that it can to protect itself. In the healthcare industry, the gravity of that requirement can’t be overstated—patients’ health and lives are at risk.”

A healthcare-specific cybersecurity solution protects you from hackers and your own security shortcomings. Learn more about MD-COP.

The healthcare and finance sectors pay higher data breach costs than other industries, with healthcare topping out at $380 and financial services at $245 per stolen record in 2017, according to the Ponemon Institute. The total average organizational cost of a data breach for companies in the U.S. is $7.35 million.

A quick look at Healthcare IT News in June yields alarming headlines like these:

• “Nearly 280,000 Medicaid patient records breached in Oklahoma hack”
• “5 breaches cost $3.5 million for national provider in HHS settlement”
• “Malware attack on UVA Health gave hacker access for 19 months”
• “OCR investigating Banner Health for breach of 3.7 million records”
• “Data of 500k patients compromised in LifeBridge Health breach”

That’s just a sampling.

With the worst-case scenario in mind—an attack aimed at compromising medical devices or systems to hurt or kill patients—experts at Sensato recommend that every healthcare organization follow the basics of good cybersecurity hygiene.

“Something I still hear far too often from even IT security staff and the heads of security at healthcare organizations of all types is that they don’t think cyber attackers are interested in organizations like them,” says John Gomez, CEO of Sensato. “This type of rationalization lulls people into a false sense of security and is exactly what the attackers are counting on. It’s time to wake up to the fact that no organization is too small.”

Cybersecurity basics for every healthcare organization:

Develop a dynamic incident response plan

Every healthcare organization should develop an incident response plan that outlines specific and detailed response protocols. Rather than a static plan gathering dust in a three-ring binder, the incident response plan should be a living and dynamic document. The goal of the incident response plan is to survive an attack, sustain operations, and be able to quickly move forward with as little impact to patient care as possible. That means keeping the plan up-to-the-minute with the administrative, operational, and technical considerations of keeping your organization secure.

• In May, the U.S. Department of Defense Office of Inspector General issued a report citing serious vulnerabilities found in electronic health record and security systems at the Defense Health Agency and some Navy and Air Force hospitals and clinics. In addition to steep fines of up to $1.5 million per year, the DoD asked that the Navy and Air Force develop and implement both an oversight plan and an action plan outlining steps to address vulnerabilities in a timely fashion.

Assess all potential risks

A thorough risk assessment helps you create an inventory of all IT and connected devices, logging their users and traffic flow, ranking their vulnerability, and identifying how they’re protected. Your risk assessment should include certification from all manufacturers and vendors who provide devices, programs, and systems to your organization.

• The Center for Children’s Digestive Health was fined by the U.S. Department of Health and Human Services Office of Civil Rights in April 2017 because it had failed to secure an agreement with a business associate.

Read about the known and potential threats to healthcare information and medical device security.

Don’t just train—drill

Testing your incident response plan is just as important as the plan itself, helping staff create a type of “muscle memory” that aids in faster and more efficient response. This type of drill is very similar to the training hospitals conduct for mass casualty or disaster evacuation events, allowing IT staff to experience a live attack to see how the protocols and procedures they’ve developed actually work.

• Because of its incident response planning and training, when Erie County Medical Center realized it had been infected with SamSam ransomware in April 2017, the organization was able to respond quickly and effectively. Shutting down all information systems, email, and even its website, ECMC was able to keep any patient records from being compromised, despite the fact that more than 6,000 of its computers were infected.

Install a breach detection system

It goes without saying that every “connected” organization should have a solid defense system of firewalls, anti-virus, and other programs to help prevent breaches. But attackers are determined, so it should also go without saying that every organization should be protected with a breach detection system designed to use the attackers’ own tactics and methods against them.

• According to the Ponemon 2017 Cost of a Data Breach Study, the longer it takes to detect a breach, the more it costs. Early breach detection can dramatically lower the cost – to the tune of nearly $4 million on average. Sensato recommends a honeypot like the Nightingale, designed to detect a breach within a couple days, not a couple hundred days (which is the dismal average).
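As an added example, not code from the original article and not the Nightingale or any Sensato product: a minimal internal canary honeypot in Python that shows why this style of detection is fast. The honeypot has no legitimate users, so the first connection to it is an alert in its own right, with no real traffic to sift through. The Honeypot and Touch names, the probe helper, the loopback bind address and the FTP-style lure banner are all constructed for this illustration.

```python
# Added illustration of a canary honeypot; not Nightingale or any Sensato product.
import socket
import threading
from collections import namedtuple
from datetime import datetime, timezone

# One contact with the honeypot. Nothing legitimate should ever talk to it, so
# every Touch is a high-fidelity alert rather than a log line to triage.
Touch = namedtuple("Touch", "src_ip src_port dst_port first_bytes seen_at")

class Honeypot:
    # The bind address and the FTP-style lure banner are constructed values.
    def __init__(self, bind_ip="127.0.0.1", port=0,
                 banner=b"220 FTP server ready\r\n"):
        self.touches, self.banner = [], banner
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((bind_ip, port))  # port 0: the OS picks a free port
        self._sock.listen(5)
        self.ip, self.port = self._sock.getsockname()

    def serve_one(self):
        """Accept one connection, send the lure, capture the peer's first bytes."""
        conn, (ip, sport) = self._sock.accept()
        with conn:
            conn.sendall(self.banner)
            conn.settimeout(2.0)
            try:
                data = conn.recv(64)
            except socket.timeout:
                data = b""  # a silent scanner still counts as a touch
        touch = Touch(ip, sport, self.port, data, datetime.now(timezone.utc))
        self.touches.append(touch)
        return touch

def alert_line(t):
    """Render a Touch as one alert line for the SIEM or on-call pager."""
    return (f"HONEYPOT_TOUCH src={t.src_ip}:{t.src_port} dst_port={t.dst_port}"
            f" probe={t.first_bytes[:16]!r} at={t.seen_at.isoformat()}")

def probe(honeypot, payload):
    """Local demo helper: connect from this host, send payload, return the Touch."""
    worker = threading.Thread(target=honeypot.serve_one)
    worker.start()
    with socket.create_connection((honeypot.ip, honeypot.port), timeout=5) as c:
        c.recv(64)  # consume the lure banner
        c.sendall(payload)
    worker.join(10)
    return honeypot.touches[-1]
```

In production the listener would run continuously on a decoy address inside each network segment and forward every alert_line to the SOC; the probe helper exists only so the block can demonstrate itself against loopback.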

Make sure you can contain an attack

The use of medical devices is increasing exponentially throughout the healthcare industry, making it more important than ever for healthcare organizations to segment systems to keep an attack from spreading among devices or throughout a network.

• When Hancock Health was hit with ransomware in March, the attack hobbled the healthcare provider by taking advantage of its flat network structure to access its main data center. If the network and data center had been segmented, recovery would have been quicker and less expensive.

To paraphrase President Harry S. Truman: the buck stops with you. It’s your responsibility, legally and ethically, to do everything you can to protect your healthcare organization from cyberattack. Ultimately, your organization will pay the price of a security breach. That is, if you’re lucky and your patients don’t pay the price in lost patient information, health impacts, or death.

MD-COP will secure your data, devices, and network from targeted and “side effect” attacks. Act quickly.
