By Derek Kernus and Nichole Priddy
Cyber risk and data attacks have long worried the healthcare sector. Their disruptive impact in a healthcare setting can literally mean life or death. In the last two years alone, tens of millions of records have been stolen. At the same time, the sector has seen tremendous growth: the Centers for Medicare & Medicaid Services (CMS) projects growth at an average annual rate of 5.4 percent through 2028, reaching $6.2 trillion.
Both cyber risk and growth put additional stress on healthcare operations and workflows that are still trying to find firm footing amid pandemic adaptation. Growth without a scalable cybersecurity program also exponentially increases both the risk and the cost of implementing a solution later. The pace of transformation has accelerated with the pandemic, across both the public and private sectors, so that the industry now finds itself at a critical point where maintaining the status quo simply isn’t an option.
We don’t need scary statistics to convince you that the industry has reached a crossroads. Rather, let’s look at what’s standing in the way of the kind of sweeping changes that modern security demands and why there’s not a moment to lose.
Collectively, healthcare organizations are facing some thorny challenges that complicate security efforts, including:
Change is difficult. Significant numbers of legacy systems and round-the-clock operations combine to make the logistics surrounding security changes complex. We recognize that start-ups often have an easier time with security because they can begin with advanced systems and rigorous cyber policies rather than trying to change things that are already established. Healthcare particularly thrives on continuity because the focus is on patient care.
Connections are far-reaching. In our industry, organizations tend to be large and interconnected with many third-party vendors. A single provider may be connected to dozens of subsystems. When we consider enterprise-wide changes, like software updates or implementing multifactor authentication, the scope of impact scales too.
Data portability is just something we talk about. The industry suffers from silos. Patient data and partial or duplicate health records exist in multiple databases or systems that can’t talk to each other. It’s one of the greatest frustrations for both patients and caregivers and we’re no closer to an industry-wide solution than we were 10 years ago.
We’re a big target. Healthcare organizations have a bullseye on their back. Personally Identifiable Information (PII) is an easy-money opportunity for bad actors, and causing major disruptions in the American healthcare system benefits foreign adversaries.
We don’t have to imagine what a security overhaul would look like. Many large-scale commercial and government organizations in other industries and sectors have already modernized and are following regulatory standards for cybersecurity, so healthcare has plenty of case studies, frameworks, and best practices to follow. The problem is getting started. Scaling up. Keeping pace with growth—and threats. Here, we can offer motivation: What happens to organizations that do nothing? Four things are nearly guaranteed.
Patient care is impacted. Recent data hacks meant hospitals had to divert patients to other facilities, reschedule surgeries, and delay ER care. Alarmingly, nearly a quarter of hospitals reported an increased death rate in the aftermath of a ransomware attack, according to a recent Censinet survey.
Breaches happen. For those organizations that have not yet instituted a robust and comprehensive security initiative, or that continue to carry significant vulnerabilities such as seriously outdated software, the breach question isn’t IF, it’s WHEN.
Operations slow. Security and modernization go hand in hand, so the “hidden” costs of inefficiency take their toll on productivity.
The brand erodes. When patients lose trust in a healthcare organization or provider, they choose another provider for care, elevating data security from a back-office issue to one that impacts the patient experience and the bottom line.
The important conclusion we can draw from early 2022 data security spending is that the industry IS responding, but when compared to the pace of attacks, it feels like too little, too late. Indeed, few organizations are truly ignoring their attack profile; most are simply behind the curve.
How will the industry as a whole catch up? By staunching ransomware attacks in conjunction with larger data security initiatives and investments. To do that we recommend three critical actions:
Understand your attack surface. The physical front door isn’t the only way people are entering hospitals and other facilities. Organizations have convenient web apps, portals, and bill pay systems that link to other databases and systems. Identifying all of your assets is the first step in securing them. Now is the time to conduct a thorough audit of your digital ecosystem to understand your attack surface and plan for ongoing monitoring.
Revisit your Security Response Plan and practice reporting in case of a security incident. Every employee with network access should understand their data chain of command, and those on your Security Response Team, from IT and security to legal and communications, should be regularly practicing their first steps. It may be helpful to have written procedures and diagrams that clearly spell out whom to contact and under what circumstances.
Backup Data. Establish a regular cadence for backing up all data and testing those procedures to ensure that critical data can be rapidly restored if the organization is impacted by ransomware or another cyberattack. The Cybersecurity and Infrastructure Security Agency (CISA) recommends data backups as the first line in mitigating the impact of a data attack.
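The backup recommendation above is only as good as the restore test behind it. The following script is an added example, not code from the article or from DTS, of the kind of automated restore drill that turns "we back up regularly" into "we know the backup restores cleanly and how long that takes". It assumes GNU coreutils (sha256sum, sort -z), tar, and a writable scratch directory; the sample records directory it creates is constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example (not from the article or DTS): a small backup-and-restore drill.
# Assumes GNU coreutils (sha256sum, sort -z), tar, and a writable scratch area.
set -eu

# Snapshot SRC_DIR into BACKUP_DIR as a tar.gz plus a SHA-256 manifest taken
# from the live files before archiving. Prints the archive path.
make_backup() {
    src_dir="$1"; backup_dir="$2"
    mkdir -p "$backup_dir"
    archive="$backup_dir/backup-$(date +%Y%m%d-%H%M%S).tar.gz"
    ( cd "$src_dir" && find . -type f -print0 | sort -z | xargs -0 sha256sum ) \
        > "$archive.manifest"
    tar -czf "$archive" -C "$src_dir" .
    printf '%s\n' "$archive"
}

# Restore ARCHIVE into SCRATCH (wiped first) so the drill never touches live data.
restore_backup() {
    archive="$1"; scratch="$2"
    rm -rf "$scratch"; mkdir -p "$scratch"
    tar -xzf "$archive" -C "$scratch"
}

# Compare the restored tree against the manifest. Returns 0 when every file is
# present with the expected hash, 1 when anything is missing or altered.
check_restore() {
    scratch="$1"; manifest="$2"
    case "$manifest" in /*) ;; *) manifest="$PWD/$manifest" ;; esac
    ( cd "$scratch" && sha256sum --status -c "$manifest" )
}

# The whole drill: back up, restore to scratch, verify, and report how long the
# restore took, which is what a "rapid restore" objective is measured against.
run_restore_drill() {
    src_dir="$1"; work="$2"
    archive=$(make_backup "$src_dir" "$work/backups")
    start=$(date +%s)
    restore_backup "$archive" "$work/restore"
    end=$(date +%s)
    if check_restore "$work/restore" "$archive.manifest"; then
        echo "DRILL PASSED: $archive restored in $((end - start))s"
        return 0
    fi
    echo "DRILL FAILED: restored data does not match manifest for $archive"
    return 1
}

# Constructed sample data standing in for a small records directory.
make_sample_data() {
    dir="$1"
    mkdir -p "$dir/records" "$dir/config"
    printf 'patient_id,visit_date\n1001,2022-01-05\n' > "$dir/records/visits.csv"
    printf 'retention_days=90\n' > "$dir/config/app.conf"
}

# Stand-alone run: build sample data in a temp directory and execute the drill.
demo_work=$(mktemp -d)
make_sample_data "$demo_work/live"
run_restore_drill "$demo_work/live" "$demo_work"
```

The manifest is hashed from the live files before the archive is written, so the check compares the restored tree against the source of truth rather than against the archive itself; a truncated or silently corrupted archive, or a file that changed during the restore window, fails the drill instead of being discovered during a real incident. Scheduling this on the same cadence as the backups, and keeping the reported restore time alongside the recovery-time objective, gives the Security Response Team an objective number rather than an assumption.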
The healthcare industry has weathered the COVID pandemic, record growth, and a slew of new threats to arrive at 2022 ready for a significant operational change that will address modern security demands. We can drive progress now—when we need it most—by recognizing our inherent challenges and the business risks of delaying security solutions while taking steps to lessen the impact of bad actors on our industry. The timing is critical.
Derek Kernus is the director of cybersecurity operations at DTS and holds CISSP, CCSP and CMMC RP certifications. Nichole Priddy is the director of federal health at DTS and brings over 15 years of experience in contract management, business process improvement, change management, and communications.