Resource-strapped Providers Increasingly Consider Virtual Approaches to Dealing with Rising Cyber Threats.
By Michelle Drolet
Healthcare organizations hoping to put COVID-19 surges behind them after a chaotic 2020 may be in for a nasty surprise – hackers haven’t taken any time off and aren’t relenting on cyberattacks this year.
Healthcare organizations are trying to move back toward normalcy this year, ramping up activities to make up for declines in revenue in 2020 because of cutbacks in elective procedures. Even as cybercrime has risen gradually over the past 18 months, budgets for cybersecurity are under pressure.
These trends are forcing organizations to consider new approaches to ensuring information security, which is more crucial than ever because of the industrywide dependence on electronic records and recent technology trends that are making patient data more easily accessible – both to providers and, unfortunately, to hackers.
Providers are in Hackers’ Crosshairs
Even as the COVID-19 ravaged the country, cybercriminals have increasingly targeted healthcare providers, a point emphasized last fall by an advisory issued by the FBI, the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services. The alert noted the prevalence of ransomware attacks on the healthcare sector.
The agencies noted “an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers,” and said they were warning healthcare providers “to ensure that they take timely and reasonable precautions to protect their networks from these threats.”
That was easier said than done for healthcare organizations already distracted by the healthcare crisis.
Last September, a ransomware attack affected all 250 facilities run by Universal Health Services, one of the nation’s largest hospital operators, forcing doctors and nurses to revert to paper records and delaying lab work.
The healthcare industry suffered 560 ransomware attacks in 2020, with a significant uptick occurring in the last quarter of the year, according to an annual report by Emsisoft, a company that develops anti-malware and anti-virus technology. “The attacks caused significant, and sometimes life-threatening, disruption – ambulances carrying emergency patients had to be redirected, cancer treatments were delayed, lab test results were inaccessible, hospital employees were furloughed, and 911 services were interrupted,” the report noted.
The heightened attacks came at a crucial nexus for providers, which needed to increase opportunities for patients and clinicians to connect outside, virtually rather than in-person, at brick-and-mortar facilities. The wider use of technologies such as Zoom and FaceTime, which are unsecured and not HIPAA-compliant, broadened the attack vector for bad agents seeking to break into information networks.
Early results for this year show no decline in attacks, and an increasing need to ramp up security efforts. In February, there was a nearly 41% increase in reported data breaches of 500 or more healthcare records, as reported to the Department of Health and Human Services’ Office for Civil Rights, according to a monthly update. In December and January, the number of breached records exceeded 4 million.
Provider Security Efforts Stretched Thin
Provider organizations are at a significant technology disadvantage in their efforts to thwart cyberattacks. Insurance and financial service providers have reported that fraudulent actors are using a full suite of scamming tools — phishing emails, fraud identities, robocalls and more — and are watching the headlines closely and adapting their messages to scam targets.
However, in the face of high risk and increased reliance on technology platforms, business recovery and continuity among provider organizations is taking precedence over cybersecurity.
Experts warn of even further budget cuts, and cybersecurity will be no exception even though the environment demands that the controls be more robust. Resources are being spread thin, with 50% of cybersecurity teams saying they are getting reassigned to general IT tasks.
And healthcare organizations find themselves competing for security talent with a wide range of other industries. Gartner reported a 65% increase in demand for cybersecurity professionals worldwide, while another study estimates that 3.5 million cybersecurity jobs will remain unfilled this year. Some healthcare organizations are at a financial disadvantage in competing for talent, hampered by an inability to match pay offers from industries or being located in areas where few security professionals reside.
In addition, healthcare security is a high-stakes challenge, with many potential points of failure, such as third parties who have access to information systems, but with limited resources to protect their data or those of their customers. While formal business associate agreements offer some liability protection from breaches caused by third parties, they do little to absolve providers of reputational damage and add yet another entity for security professionals to worry about.
Virtual Approaches Can Offer Support
Healthcare organizations are increasingly turning to virtual services to solve common, yet costly to solve problems. Using this approach when it comes to security offers a cost-effective way for organizations to respond to modern cyber-threats without stretching their financial resources or investing in inadequate security expertise.
Turning to a virtual chief information security officer (vCISO) is one viable approach for provider organizations.
Most vCISOs have decades of experience and a track record of reducing cyber risk and improving cyber resilience for a range of companies. They are usually industry veterans with vast amounts of domain knowledge and hands-on expertise and are well-positioned to train internal security staff with the latest security best practices.
A vCISO in a healthcare position is often well-versed with day-to-day responsibilities and are familiar with current trends, relevant regulations and standards. For cost-conscious healthcare organizations, vCISOs can be recruited on-demand and don’t have the overhead associated with hiring a full-time employee. In addition, vCISOs can be set up on a retainer basis for a set block of hours, hired on a project basis or allocated for tech support hours.
A vCISO can free up valuable time for the C-suite so that management can focus on other important aspects of the business. That can be especially important as providers aim to get back on track after the financial and operational strain of dealing with the COVID-19 pandemic for the past many months.
About the Author