Healthcare security breaches continue to affect the industry at an alarming rate, with new incidents being reported nearly every day. According to the U.S. Department of Health and Human Services (HHS), there has been a twofold increase in large data breaches over the past four years, and over 88 million people have been affected by this epidemic in 2023, a 60% increase from the previous year. Among the most significant breaches is the HCA Healthcare breach reported in July 2023, in which the records of over 11 million individuals were compromised and publicly shared on a cybercrime website. The data included Personally Identifiable Information (PII) of patients, such as names, addresses, email addresses, phone numbers, and more. What is even more concerning is the public uncertainty about how the data was stolen by hackers.
Healthcare organizations are becoming increasingly vulnerable to cyberattacks as the industry digitally transforms to increase the accessibility of services for patients. Especially during this era of AI revolution, technology innovation is accelerating at a pace we have never seen before. This has a major impact on security: strategies that successfully secured patients’ data in the past are no longer valid. So how do IT leaders bring about innovation in their cybersecurity practices? With the rise of digital transformation, ransomware and AI, CISOs and IT security leaders will need to adopt innovative security strategies to get breach ready and prevent patients’ data from being leaked.
The Rise of Ransomware and AI
A concerning pattern has emerged in reported healthcare breaches this year: how quickly ransomware is able to spread laterally and lock down thousands of servers, computers, and devices. According to Microsoft, in almost 97% of all ransomware attacks it takes bad actors less than 4 hours to successfully breach the system. The HHS reported a 278% increase in ransomware attacks over the past four years. Ransomware cyberattacks can happen within just hours of bad actors entering the network. Irrespective of how and where the ransomware enters (e.g. users, servers, cloud apps, 3rd parties, etc.), unavailable systems could prevent access to necessary information such as consents or medical histories, cause scheduling issues, or prevent medical safety checks. These consequences could interrupt medical procedures or services, including surgeries. As a result, this matter should not be taken lightly.
Hospitals are also rapidly adopting AI to make the delivery of healthcare more efficient, especially following the Generative AI boom. Self-service scheduling and check-in, call center automation, voice assistants, ambient listening, and smart hospital and operating rooms are just a few examples. Machine learning and AI are already being leveraged by many industries to automate tasks, increase efficiency, and enhance customer satisfaction. However, adoption of new and advanced technologies comes with cybersecurity risks that need to be addressed thoughtfully. AI technology is also being used by cybercriminals to deploy increasingly sophisticated cyberattacks. It will be crucial to closely monitor how hackers use this technology to advance their own agenda in the coming years.
Zero Trust Architecture: A United Front
Considering the escalating rates of security breaches in the healthcare industry, IT leaders have historically encountered numerous challenges when trying to implement robust cybersecurity measures. For one, the oversaturation of cybersecurity solutions in the market has overwhelmed many IT leaders. Enterprises frequently experience choice paralysis and end up testing, buying, and implementing too many solutions that don’t address their specific problem. As a result, IT professionals are still not feeling confident about their security exposure. Protecting the privacy of patient information is extremely important in the healthcare industry. Hospitals should have a well-defined and cohesive security program which is followed by every employee to safeguard against PII theft.
To solve this issue, healthcare organizations need to adopt a comprehensive security strategy, like the Zero Trust Architecture. President Biden’s Executive Order on Zero Trust has mandated that all federal agencies must adopt and implement Zero Trust to defend against adversaries like Russia, China, and North Korea. Cybercriminals targeting the healthcare industry should be treated the same as national adversaries, and IT and security leaders must ensure they are well-educated on the key pillars of Zero Trust and how to make it work for their specific health systems.
There are seven key pillars which IT security leaders should consider and protect: users, devices, networks, applications and workloads, data, visibility and analytics, and automation/orchestration. Zero Trust takes a data-first approach to security by using microsegmentation technology, which allows security teams to completely control lateral movement with strict policy controls. It ensures server-to-server and user-to-server network connections are granted on a least-privilege basis and that every user, activity or event is verified. Unfortunately, it is impossible to eliminate all of these risks entirely. At the end of the day, it is about mitigating as much risk as possible. Assume the hospital is already under attack. From this stage on, what is the best protection IT leaders can create for the infrastructure?
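The least-privilege, default-deny policy model described above can be made concrete with a small simulation. The following is an added example, not code from the article or from ColorTokens: workloads carry role and zone labels, an explicit allow-list of (source role, destination role, port) rules defines the only permitted flows, and everything else is denied. A breadth-first search then measures the "blast radius" a compromised host would have over common lateral-movement ports (SMB 445, RDP 3389) on a flat network versus under the segmentation policy. The inventory, role names and rules are all constructed for illustration.

```python
"""Toy microsegmentation policy model (added example; not from the article or
from ColorTokens). Workloads carry role/zone labels, an explicit allow-list of
(source role, destination role, port) defines permitted flows, and every other
flow is denied by default. reachable_from() then measures how far a compromised
host could move laterally under a given policy. All inventory is constructed."""

from collections import deque
from dataclasses import dataclass
from typing import Callable, Iterable


@dataclass(frozen=True)
class Workload:
    name: str
    role: str   # hypothetical labels, e.g. "workstation", "ehr-db"
    zone: str   # "corporate" or "clinical"


@dataclass(frozen=True)
class Rule:
    src_role: str
    dst_role: str
    port: int


# Constructed sample inventory for a small hospital environment.
WORKLOADS = [
    Workload("ws-01", "workstation", "corporate"),
    Workload("ws-02", "workstation", "corporate"),
    Workload("jump-01", "jump-host", "corporate"),
    Workload("ehr-web-01", "ehr-web", "clinical"),
    Workload("ehr-db-01", "ehr-db", "clinical"),
    Workload("sched-01", "scheduling", "clinical"),
    Workload("mri-01", "imaging-device", "clinical"),
]

# Least-privilege allow-list: only the flows the applications actually need.
RULES = [
    Rule("workstation", "ehr-web", 443),     # clinicians use the EHR front end
    Rule("workstation", "scheduling", 443),  # and the scheduling portal
    Rule("ehr-web", "ehr-db", 5432),         # web tier to its own database
    Rule("scheduling", "ehr-db", 5432),
    Rule("jump-host", "ehr-web", 3389),      # admin RDP only from the jump host
    Rule("jump-host", "ehr-db", 3389),
]

# Ports commonly used for lateral movement inside a network (SMB, RDP).
LATERAL_PORTS = (445, 3389)

FlowCheck = Callable[[Workload, Workload, int], bool]


def flat_network_allows(src: Workload, dst: Workload, port: int) -> bool:
    """A flat, unsegmented network: any host can reach any other on any port."""
    return True


class SegmentationPolicy:
    """Default-deny policy: a flow is allowed only if an explicit rule matches."""

    def __init__(self, rules: Iterable[Rule]):
        self._allowed = {(r.src_role, r.dst_role, r.port) for r in rules}

    def allows(self, src: Workload, dst: Workload, port: int) -> bool:
        return (src.role, dst.role, port) in self._allowed

    def explain(self, src: Workload, dst: Workload, port: int) -> str:
        """Human-readable verdict, in the shape a policy audit log would record."""
        verdict = "ALLOW" if self.allows(src, dst, port) else "DENY"
        return f"{verdict} {src.name}({src.role}) -> {dst.name}({dst.role}):{port}"


def find(name: str) -> Workload:
    return next(w for w in WORKLOADS if w.name == name)


def reachable_from(start: Workload, allows: FlowCheck, ports: Iterable[int]) -> set:
    """Breadth-first search: every host that an attacker holding `start` could
    reach over `ports`, hopping through each newly reached host in turn."""
    ports = tuple(ports)
    seen = {start.name}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for w in WORKLOADS:
            if w.name not in seen and any(allows(cur, w, p) for p in ports):
                seen.add(w.name)
                queue.append(w)
    return seen


def blast_radius(start_name: str, allows: FlowCheck, ports=LATERAL_PORTS) -> int:
    """Number of hosts (including the start) reachable over the given ports."""
    return len(reachable_from(find(start_name), allows, ports))


if __name__ == "__main__":
    policy = SegmentationPolicy(RULES)
    print("flat network, ws-01 compromised:", blast_radius("ws-01", flat_network_allows))
    print("segmented, ws-01 compromised:  ", blast_radius("ws-01", policy.allows))
    print("segmented, jump-01 compromised:", blast_radius("jump-01", policy.allows))
    print(policy.explain(find("ws-01"), find("ehr-db-01"), 5432))
```

On the flat network a single compromised workstation can reach all seven hosts over SMB/RDP; under the policy it reaches none, and even the jump host, which legitimately holds RDP rights, is bounded to the two servers its rule names. The `explain` output is the kind of per-flow verdict a security team would forward to its SIEM to verify that every connection is evaluated against policy.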
Best Practices for IT Security Leaders
Since the onset of the COVID-19 pandemic, hospitals and health systems have been coping with intense pressure on staff and resources, along with workforce shortages, supply disruptions, and rising expenses. Businesses need to re-evaluate their current practices and how they expect to evolve over the next 3-5 years. For example, what type of infrastructure will they need to support the use of advanced operational technologies like IoT and AI to deliver healthcare more efficiently? Organizations will need commitment from leadership to adopt and maintain these more robust security practices. Budgets should also be created to successfully execute Zero Trust Architecture protocols.
Until recently, attempting to implement Zero Trust strategies such as microsegmentation was an effort beyond the scope of the resources available to the average healthcare security team. However, software products have now been created that greatly enhance the ability of a healthcare security team to successfully implement a microsegmentation strategy, with a reasonable investment of resources.
With the SEC recently adopting new rules on cybersecurity disclosure for public companies, healthcare organizations must prepare for and educate themselves on these changes. First, IT and security leaders must understand how to make ‘materiality’ assessments based on stakeholders’ priorities. Next, they should review disclosure controls and procedures with business leaders to develop business continuity and incident response plans. Zero Trust and microsegmentation implementation will be crucial to stop the lateral spread of ransomware. Hospitals and health systems should ensure material information is collected and continuously tracked. Consider hiring third party experts to help with legal counseling and ensure federal and state compliance. Security leaders can also host tabletop exercises where team members can discuss their specific roles and responsibilities for reporting future breaches. Lastly, ensure that internal and external communications are consistent and factually based to increase transparency.
Get Breach Ready
Organizations should take this new SEC Disclosure Rule seriously. Several publicly traded companies like Clorox have already reported material cyber incidents to the SEC in the last few months. The agency has already charged companies for not adhering to guidelines. For example, the SEC charged SolarWinds and its CISO with fraud and internal control failures. This marks a significant shift in the way the government treats cybersecurity. For the first time, the SEC has charged an individual for cybersecurity misconduct, and this will cause significant reputational damage for the CISO involved. The SEC understands the devastating impacts that cyberattacks can have on organizations and their investors and has therefore created these disclosure rules to prevent and minimize damage. There is no option but for healthcare organizations to comply. Ultimately, this will help strengthen their digital resiliency, reduce the ever-growing attack surface, and get them breach ready in the event a hacker breaches their network.
Chuck Suitor
Chuck Suitor, Strategic Advisor, Healthcare of ColorTokens, is a healthcare information technology executive with over 35 years of experience. He is the former Chief Technology Officer of MD Anderson Cancer in Houston, Texas, where he spent 26 years of his career. Chuck retired from MD Anderson in 2022 and is currently a Strategic Advisor to ColorTokens, Inc.