The Right Approach to Cybersecurity in Healthcare Requires the Right Risk Assessment

Updated on July 26, 2024

From small-town hospitals to advanced medical facilities, cyber threats have become an inescapable reality for all healthcare organizations. No entity is immune to these attacks, which are increasing in number, frequency, and financial impact. More concerning is the potential disruption to patient care, which can compromise health outcomes and cost lives, a reality that research is increasingly able to quantify.

Complete immunity from cyber threats is impossible, but the journey to strengthen our defenses is essential. As healthcare entities strive to remain fiscally viable and resilient through greater interconnectedness, they must navigate an evolving landscape where cyberattacks, and the solutions created to address them, continually shape their path forward.

You are not alone. Given that healthcare is critical infrastructure, the public sector and private sector are aggressively working to develop and provide solutions—offering strategic guidance and sophisticated tools for healthcare entities to shore up their defenses. As we increasingly see organizations of all kinds and at varying levels of preparedness suffer breaches, one thing is clear: every organization faces unique challenges.

The importance of comprehensive risk assessment and risk mitigation 

With this understanding, you, as leaders of your organizations, are keenly aware that cybersecurity must be both comprehensive and adaptable, addressing the complexity of threats and the need for proactive, tailored strategies. You know that simply deploying advanced security solutions or following generic regulatory checklists is not sufficient on its own.

Each organization must conduct a thorough assessment, facilitated by independent experts, to understand which threats and vulnerabilities matter to it, what the business impact of each would be, and what specific defenses follow from that. This produces a more resilient and effective cybersecurity posture by helping your organization determine:

  • The organization’s greatest vulnerabilities;
  • The organization’s mission-critical systems and vendors;
  • The business impact to the organization if mission-critical systems or vendors are compromised;
  • The current security defenses in place, and what gaps exist, including expertise, policy, procedure, technical defenses, and the design of critical business processes;
  • The staff training available to avoid risk; and
  • An incident response plan that serves as the basis for disaster recovery and business continuity efforts. 

When equipped with the insights from this evaluation, healthcare executives have the opportunity to craft a detailed risk mitigation plan. This strategy should encompass their organization’s existing cybersecurity readiness as well as their envisioned future posture. It needs to be comprehensive, covering internal protocols, procedures, and workflows, along with external vendors that could pose potential threats. Most importantly, it should address several key questions, including:

  • Are fundamental best practices followed? In healthcare, many proven standards exist that detail how to be more secure. Importantly, abiding by them does not mean your organization is no longer vulnerable, but they should be considered table stakes in your risk mitigation efforts. All should comply with the requirements set forth in the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) as a matter of course, while the Cybersecurity Framework 2.0 published by the National Institute of Standards and Technology (NIST) lays out additional best practices in clear terms. Compliance with state regulations adds further safeguards.
  • Are mission-critical systems isolated from harm? The interconnected nature of healthcare makes segmentation imperative. Even the smallest private practice utilizes a mix of IT systems, from electronic health records to appointment and billing systems. Segmenting mission-critical systems from the rest of the network, with only the specific flows those systems need permitted between segments, is the most direct way to limit the initial blast radius of a cyberattack so that one compromised workstation does not take your entire facility out of operation. Legacy systems, which are common in healthcare networks and often no longer receive patches or updates, should likewise be placed in their own isolated segment rather than left on the same network as clinical systems.
  • Are the right data governance policies in place? Data is always accompanied by risk. For years, clinical entities have gathered as much patient information as possible, a practice that grew with the cloud’s virtually unlimited capacity and low cost for storage. Unfortunately, many fail to consider whether the data they are gathering – for example, driver’s license numbers – is needed at all. Even fewer properly and proactively purge data once it is no longer required. Where data is stored, how it is accessed, and by whom should also be vetted; access privileges should be kept to the minimum each role needs, enforced with multi-factor authentication within a zero-trust architecture. Data governance practices should be exercised by all departments in a unified fashion.
  • Is a risk-averse culture encouraged and maintained? Social engineering, and the ransomware attacks that rely on it for initial access, remains the leading attack vector in healthcare. Creating a risk-averse culture begins with regular, repeated training – for example, testing employees with simulated phishing emails to confirm they stay vigilant. Most importantly, the significance of cyber resilience to patient care must be emphasized continuously by top leadership.
  • Does cybersecurity have a seat at the executive table? In many healthcare organizations, cybersecurity falls under the purview of IT leadership. In reality, IT and cybersecurity professionals approach technology from two distinct vantage points. IT gravitates toward new technological advancements, which often expand the organization’s attack surface; cybersecurity professionals favor strategies that first and foremost reduce risk. That second point of view is increasingly important to incorporate into any healthcare leadership structure in its own right.
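The segmentation question above is usually answered by reading firewall rules, but the more reliable check is to verify that observed traffic actually honors the intended boundaries. The following is an added example written for this article, not code from the authors or from Plante Moran: it defines hypothetical network segments (addresses and ports are constructed), an allow-list of the only cross-segment flows that should exist (a default-deny posture), and a check that flags any flow between segments that is not on that list, such as a legacy imaging workstation reaching a clinical server over SMB.

```python
"""Segment-policy audit over flow records (added example; segments, addresses and
ports are hypothetical and constructed for illustration)."""
from dataclasses import dataclass
import ipaddress

# Hypothetical segments. In practice these come from your asset inventory.
SEGMENTS = {
    "clinical_ehr": ipaddress.ip_network("10.10.0.0/24"),
    "billing": ipaddress.ip_network("10.20.0.0/24"),
    "legacy_imaging": ipaddress.ip_network("10.30.0.0/24"),  # unsupported, unpatched devices
    "user_workstations": ipaddress.ip_network("10.40.0.0/24"),
}

# The only cross-segment flows that are permitted: (source segment, destination
# segment, destination port). Anything else between segments is a violation.
# Traffic inside a single segment is not examined by this check.
ALLOWED = {
    ("user_workstations", "clinical_ehr", 443),   # clinicians to the EHR web front end
    ("user_workstations", "billing", 443),
    ("billing", "clinical_ehr", 5432),            # billing reads the EHR database
    ("legacy_imaging", "clinical_ehr", 104),      # DICOM to the image gateway only
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def segment_of(ip: str):
    """Map an address to its segment name, or None if it is in no known segment."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def check_flow(flow: Flow):
    """Return None if the flow is permitted, otherwise a short reason string."""
    src_seg, dst_seg = segment_of(flow.src), segment_of(flow.dst)
    if src_seg is None or dst_seg is None:
        # An unknown endpoint is itself a finding: it is not in the inventory.
        return f"unknown segment for {flow.src} -> {flow.dst}"
    if src_seg == dst_seg:
        return None
    if (src_seg, dst_seg, flow.dport) in ALLOWED:
        return None
    return f"{src_seg} -> {dst_seg}:{flow.dport} is not on the allow-list"


def parse_flow_line(line: str) -> Flow:
    """Constructed record format: '<src_ip> <dst_ip> <dst_port>'."""
    src, dst, port = line.split()
    return Flow(src, dst, int(port))


def find_violations(lines):
    """Return a list of (Flow, reason) for every record that breaks the policy."""
    violations = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow_line(line)
        reason = check_flow(flow)
        if reason is not None:
            violations.append((flow, reason))
    return violations


# Constructed sample flow records (not real traffic).
SAMPLE_FLOWS = """\
# src dst dport
10.40.0.15 10.10.0.5 443
10.30.0.7 10.10.0.9 104
10.30.0.7 10.10.0.5 445
10.40.0.22 10.30.0.7 3389
10.20.0.3 10.10.0.5 5432
"""

if __name__ == "__main__":
    for flow, reason in find_violations(SAMPLE_FLOWS.splitlines()):
        print(f"VIOLATION {flow.src} -> {flow.dst}:{flow.dport} ({reason})")
```

Run against the constructed sample, the check reports two violations: the legacy imaging host reaching a clinical server on port 445, and a user workstation opening RDP (3389) into the legacy segment. Both are exactly the paths an attacker would use to move from an unpatched device into mission-critical systems, and neither would appear in a review of the firewall rulebook alone if a rule had been added outside change control.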

Creating a comprehensive risk mitigation plan can lay the foundation for a defensive stance that acts as a notable deterrent, particularly for healthcare organizations operating with constrained cybersecurity funding and capabilities.

The ever-increasing importance of cybersecurity 

Cyberattacks targeting the healthcare sector show no signs of stopping. As long as there is value in crippling businesses or extorting personal data, these threats will persist. No organization can fully shield itself from risk. The interconnected nature of the healthcare sector—spanning interactions among hospitals, numerous departments, private practices, pharmacies, payers, and a wide array of vendors—ensures that today’s networks will always present potential points of entry for attackers.

In this context, it has never been more imperative for healthcare leaders to conduct thorough risk assessments to identify weak points in their business processes, networks, systems, and infrastructure. By doing so, organizations can move forward with the confidence that they have undertaken the necessary due diligence to safeguard their institutions. A proactive and comprehensive approach to cybersecurity is essential for maintaining the integrity and resilience of healthcare operations in an increasingly digital and interconnected world.

Duane J. Fitch

Duane J. Fitch, CPA, MBA, FACHE, is a partner in Plante Moran’s national healthcare practice, where he has more than two decades of experience helping organizations enhance revenues, decrease costs and refine processes that streamline operations and strengthen efforts to achieve core, patient-focused missions. Prior to joining Plante Moran nearly a decade ago, Fitch ran his own healthcare consulting practice and was a senior partner at the Sibery Group. Earlier, Fitch served as CFO of Norwegian American Hospital and held executive roles at Central Dupage Health System following work as a senior auditor at KPMG Peat Marwick.

Joe Oleksak

Joe Oleksak, CISSP, CRISC is a partner in Plante Moran’s cybersecurity practice, where he has more than two decades of experience providing companies across industries, including banking, healthcare, and insurance, with strategic guidance for IT planning and operations. His specialties include information security risk assessments, information technology audits, network security assessments and penetration testing, business continuity planning, incident response, application controls, SOC reviews, privacy audits – including HIPAA and HITECH – and standards and compliance with regulations like Sarbanes-Oxley and standards such as PCI-DSS. Prior to joining Plante Moran in 2003, Oleksak was senior consultant for information risk management at KPMG Advisory.