In mid-May, the National Security Council announced that the top cybersecurity post at the White House would be eliminated. While a group of senators is pushing National Security Advisor John Bolton to reconsider, the administration’s move brings up an interesting question: Does this federal fracas matter at the organizational […]

“[…] does have a detrimental effect in the sense that it telegraphs to other nation states that we’re not paying close attention to cybersecurity,” says Brett Warrick of Sensato Cybersecurity. “It may encourage them to put more focus on U.S. targets.”
That said, Warrick notes that every healthcare organization should assume that it is a target of cyberattackers and protect itself accordingly, regardless of what is or is not happening at the federal, state, or local level.

“The government is not going to come out and put up firewalls to protect you,” says Warrick. “Ultimately, it’s on each organization to do all that it can to protect itself. In the healthcare industry, the gravity of that requirement can’t be overstated—patients’ health and lives are at risk.”
[…] healthcare-specific cybersecurity solution protects you from hackers and your own security shortcomings. Learn more about MD-COP.
The healthcare and finance sectors pay higher data breach costs than other industries, with healthcare topping out at $380 and financial services at $245 per stolen record in 2017, according to the Ponemon Institute. The total average organizational cost of a data breach for companies in the U.S. is $7.35 million.
A quick look at Healthcare IT News in June yields alarming headlines like these:

- “…280,000 Medicaid patient records breached in Oklahoma hack”
- “…breaches cost $3.5 million for national provider in HHS settlement”
- “…attack on UVA Health gave hacker access for 19 months”
- “…investigating Banner Health for breach of 3.7 million records”
- “…of 500k patients compromised in LifeBridge Health breach”

That’s just a sampling.
With the worst-case scenario in mind—an attack aimed at compromising medical devices or systems to hurt or kill patients—experts at Sensato recommend that every healthcare organization follow the basics of good […]

“Something I still hear far too often from even IT security staff and the heads of security at healthcare organizations of all types is that they don’t think cyber attackers are interested in organizations like them,” says John Gomez, CEO of Sensato. “This type of rationalization lulls people into a false sense of security and is exactly what the attackers are counting on. It’s time to wake up to the fact that no organization is too […]

[…] basics for every healthcare organization:
Develop a dynamic incident response plan

Every healthcare organization should develop an incident response plan that outlines specific and detailed response protocols. Rather than a static plan gathering dust in a three-ring binder, the incident response plan should be a living, dynamic document. The goal of the incident response plan is to survive an attack, sustain operations, and be able to quickly move forward with as little impact on patient care as possible. That means keeping the plan up-to-the-minute with the administrative, operational, and technical considerations of keeping your organization secure.
- In May, the U.S. Department of Defense Office of Inspector General issued a report citing serious vulnerabilities found in electronic health record and security systems at the Defense Health Agency and some Navy and Air Force hospitals and clinics. In addition to steep fines of up to $1.5 million per year, the DoD asked that the Navy and Air Force develop and implement both an oversight plan and an action plan outlining steps to address vulnerabilities in a timely […]
A thorough risk assessment helps you create an inventory of all IT and connected devices, logging their users and traffic flow, ranking their vulnerability, and identifying how they’re protected. Your risk assessment should include certification from all manufacturers and vendors who provide devices, programs, and systems to your organization.
- The Center for Children’s Digestive Health was fined by the U.S. Department of Health and Human Services Office of Civil Rights in April 2017 because it had failed to secure an agreement with a business associate […]

[…] the known and potential threats to healthcare information and medical device […]
Testing your incident response plan is just as important as the plan itself, helping staff create a type of “muscle memory” that aids in faster and more efficient response. This type of drill is very similar to the training hospitals conduct for mass casualty or disaster evacuation events, allowing IT staff to experience a live attack to see how the protocols and procedures they’ve developed actually work.

Because of its incident response planning and training, when Erie County Medical Center realized it had been infected with SamSam ransomware in April 2017, the organization was able to respond quickly and effectively. By shutting down all information systems, email, and even its website, ECMC was able to keep any patient records from being compromised, despite the fact that more than 6,000 of its computers were infected.
Install a breach detection system

It goes without saying that every “connected” organization should have a solid defense system of firewalls, anti-virus, and other programs to help prevent breaches. But attackers are determined, so it should also go without saying that every organization should be protected with a breach detection system designed to use the attackers’ own tactics and methods against […]

- According to the Ponemon 2017 Cost of a Data Breach Study, the longer it takes to detect a breach, the more it costs. Early breach detection can dramatically lower the cost – to the tune of nearly $4 million on average. Sensato recommends a honeypot like the Nightingale, designed to detect a breach within a couple of days, not a couple hundred days (which is the dismal […]
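The decoy idea behind a honeypot is simple: stand up a service that no legitimate user or system has any reason to contact, so that any connection to it is, by construction, a signal worth investigating. The following is an added example, not Sensato’s Nightingale or any MD-COP code: a minimal TCP decoy in Python that records every peer that touches it, plus a small dwell-time helper. The listener binds to localhost on an OS-chosen port, and the probe in `simulate_probe()` is constructed here purely to exercise it; a real deployment would sit on a port that mimics a tempting internal service and forward its alerts to the team that owns the incident response plan.

```python
# Added example (not Sensato's Nightingale or any MD-COP code): a minimal
# TCP decoy that treats every connection as an alert. A decoy has no
# legitimate users, so any traffic reaching it is worth paging on.
import socket
import threading
import time
from dataclasses import dataclass


@dataclass
class DecoyAlert:
    peer_ip: str
    peer_port: int
    seen_at: float        # epoch seconds when the connection arrived
    first_bytes: bytes    # up to 64 bytes the peer sent, kept for triage


class TcpDecoy:
    """Listens on a port nobody should talk to and records who does."""

    def __init__(self, host="127.0.0.1", port=0):
        # port=0 lets the OS pick a free port (assumption for this demo);
        # a real decoy would use a port that looks like a tempting service.
        self.host, self.port = host, port
        self.alerts = []
        self._running = False
        self._sock = None
        self._thread = None

    def start(self):
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((self.host, self.port))
        self._sock.listen(5)
        self._sock.settimeout(0.2)          # lets the accept loop notice stop()
        self.port = self._sock.getsockname()[1]
        self._running = True
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self):
        while self._running:
            try:
                conn, (ip, port) = self._sock.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(0.5)
                try:
                    data = conn.recv(64)     # grab a little context, never reply
                except socket.timeout:
                    data = b""
                self.alerts.append(DecoyAlert(ip, port, time.time(), data))

    def stop(self):
        self._running = False
        self._thread.join()
        self._sock.close()


def dwell_days(first_contact: float, detected_at: float) -> float:
    """Time an intruder was active before anyone noticed, in days."""
    return max(0.0, (detected_at - first_contact) / 86400)


def simulate_probe():
    """Run the decoy and connect to it once, the way a scanner sweeping the
    network would. The probe is constructed here only to exercise the listener."""
    decoy = TcpDecoy()
    decoy.start()
    try:
        with socket.create_connection((decoy.host, decoy.port), timeout=2) as c:
            c.sendall(b"GET / HTTP/1.0\r\n\r\n")   # constructed probe payload
        deadline = time.time() + 5
        while not decoy.alerts and time.time() < deadline:
            time.sleep(0.05)
    finally:
        decoy.stop()
    return decoy.alerts


if __name__ == "__main__":
    for a in simulate_probe():
        print(f"ALERT decoy touched by {a.peer_ip}:{a.peer_port} "
              f"sent={a.first_bytes!r} dwell={dwell_days(a.seen_at, time.time()):.4f}d")
```

The design point is that the decoy never answers and never runs a real service, so it cannot itself become a foothold; its whole job is to turn the attacker's reconnaissance into a timestamped alert, which is what pulls time-to-detect down from hundreds of days to the first time anything on the network goes looking around.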
Segment systems so you can contain an attack

The use of medical devices is increasing exponentially throughout the healthcare industry, making it more important than ever for healthcare organizations to segment systems to keep an attack from spreading among devices or throughout a network.

- When Hancock Health was hit with ransomware in March, the attack hobbled the healthcare provider by taking advantage of its flat network structure to access its main data center. If the network and data center had been segmented, recovery would have been quicker and less expensive.
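A way to make the Hancock Health lesson concrete is to measure the blast radius of a single compromised host before and after segmentation. The following is an added example, not Sensato’s code or method: it models a small hospital network as hosts tagged with a segment, plus firewall rules stating which segments may talk to which, and then does a breadth-first search from one foothold over only the permitted flows. Every host name, segment and rule is constructed for the illustration.

```python
# Added example (not Sensato's own code or method): compare the blast
# radius of one compromised host on a flat network with the same host on a
# segmented network. Hosts, segments and rules below are constructed.
from collections import deque

# Constructed inventory: host name -> segment it lives in.
HOSTS = {
    "nurse-ws-1": "clinical-workstations",
    "nurse-ws-2": "clinical-workstations",
    "infusion-pump-7": "medical-devices",
    "mri-console": "medical-devices",
    "ehr-db": "data-center",
    "pacs-server": "data-center",
    "guest-laptop": "guest-wifi",
}

# Flat network: every segment may reach every other, so a workstation can
# talk straight to the data center (the article's Hancock Health scenario).
FLAT_RULES = {
    (src, dst)
    for src in set(HOSTS.values())
    for dst in set(HOSTS.values())
}

# Segmented network: allow only the flows that patient care actually needs.
SEGMENTED_RULES = {
    ("clinical-workstations", "clinical-workstations"),
    ("clinical-workstations", "data-center"),   # charting needs the EHR
    ("medical-devices", "medical-devices"),
    ("medical-devices", "data-center"),         # devices push readings
    ("data-center", "data-center"),
    ("guest-wifi", "guest-wifi"),               # guests get internet only
}


def reachable_hosts(hosts, rules, compromised):
    """Breadth-first search over hosts, following only permitted flows.

    Returns the set of hosts (including the foothold) that an attacker
    sitting on `compromised` can open a connection to.
    """
    seen = {compromised}
    queue = deque([compromised])
    while queue:
        current = queue.popleft()
        for candidate, segment in hosts.items():
            if candidate in seen:
                continue
            if (hosts[current], segment) in rules:
                seen.add(candidate)
                queue.append(candidate)
    return seen


def blast_radius(hosts, rules, compromised):
    """Number of other hosts reachable from the foothold."""
    return len(reachable_hosts(hosts, rules, compromised)) - 1


if __name__ == "__main__":
    for foothold in ("nurse-ws-1", "infusion-pump-7", "guest-laptop"):
        flat = blast_radius(HOSTS, FLAT_RULES, foothold)
        seg = blast_radius(HOSTS, SEGMENTED_RULES, foothold)
        print(f"{foothold:16s} flat={flat} segmented={seg}")
```

Two things the numbers show that the prose does not: a guest laptop that lands on the guest network reaches nothing else once segmented, and a compromised workstation still reaches the data center because charting needs the EHR, so segmentation shrinks the problem rather than removing it, and the remaining allowed flows are exactly where the risk assessment's inventory of users and traffic flow should focus.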
To paraphrase President Harry S. Truman: the buck stops with you. It’s your responsibility, legally and ethically, to do everything you can to protect your healthcare organization from cyberattack. Ultimately, your organization will pay the price of a security breach. That is, if you’re lucky and your patients don’t pay the price in lost patient information, health impacts, or death.

MD-COP will secure your data, devices, and network from targeted and “side effect” attacks. Act quickly.