Data breaches in the healthcare industry are increasingly common, with the U.S. Department of Health and Human Services reporting 875 breaches of unsecured protected health information since December 2020 – that’s more than one per day. This alarming statistic highlights the urgent need for robust cybersecurity measures within healthcare organizations.
Hackers are drawn to healthcare organizations due to the value of the patient information they store, including personal health data, financial details, and insurance information. This data is in high demand on the black market, making healthcare organizations lucrative targets. However, the risks extend beyond health records. According to a recent report from the FBI, 53% of digital medical devices in the US, as well as internet-connected tools in hospitals, are at risk of cyberattack. Though it may seem impossible, devices including pacemakers, defibrillators, insulin pumps, nurse call buttons, and numerous other crucial medical devices are vulnerable – many of which are lifesaving. Malicious actors who breach these devices can manipulate them to provide inaccurate data, administer excessive doses of medication, or pose other risks to a patient’s health.
Clearly, there is a lot more to protect than just data, and unfortunately, these breaches aren’t going to stop anytime soon. Implementing effective and proactive DevSecOps practices is crucial for healthcare organizations to protect their businesses, their patients’ data, and most importantly, the overall safety of their patients.
The Cost of a Healthcare Breach Is More than Monetary
Whenever a company falls victim to a data breach, it faces numerous costs, both directly and indirectly associated with recovering from the incident. These costs include everything from incident response expenses to lost revenue. In the healthcare sector, however, the consequences are potentially fatal.
Inevitably, a data breach in the healthcare industry is also a HIPAA violation. The severity of the violation determines different levels of penalties, with the 2022 HIPAA penalty structure imposing fines that can reach up to $2 million. Healthcare data breaches can result in fees and fines from multiple additional entities such as the U.S. Department of Health and Human Services (HHS), the Federal Trade Commission (FTC), and state Attorneys General.
Any amount of money spent by a healthcare organization to prevent a data breach or safeguard their devices is probably worth it when considering these costs, but it doesn’t have to break the bank.
Mitigation Strategies Offer Too Little Too Late
For healthcare organizations, establishing a strong, proactive cybersecurity foundation and compliance posture is imperative. It is crucial to recognize that the presence of one secure device does not guarantee overall security – if even one unsecured device remains undetected, the organization’s entire ecosystem is at risk.
The need for proactive cybersecurity in healthcare organizations has become so serious that, effective March 30, 2023, the US Food and Drug Administration (FDA) mandated that medical device manufacturers include cybersecurity information in their premarket device submissions. Further, the FDA will refuse submissions lacking adequate cybersecurity measures from October 1, 2023, onwards.
Perhaps most importantly, the FDA has introduced guidance for medical device manufacturers, with six key principles for protecting devices. These principles include incorporating cybersecurity as an integral part of device safety and the Quality System Regulation (QSR), adopting secure by design principles, ensuring transparency, implementing security risk management practices, establishing a robust security architecture, and conducting thorough testing with objective evidence.
Secure By Design
Adopting the right DevSecOps tools automatically yields many of these principles. For example, security by design, security risk management, and appropriate physical and technical safeguards are all byproducts of implementing an ongoing threat modeling program. Such proactive measures are essential for protecting medical devices and preventing data breaches. A threat model itself serves as evidence for device manufacturers to demonstrate to the FDA the security of their devices. By implementing these types of DevSecOps tools, healthcare organizations can proactively safeguard sensitive data and IoT devices while optimizing their operations.
The benefits of implementing DevSecOps practices extend beyond efficiency gains and cost savings. A proactive and ongoing DevSecOps strategy provides peace of mind for organizations, patients, and stakeholders by ensuring proper utilization of healthcare resources. By implementing preventive measures, healthcare organizations can mitigate risks, maintain a secure environment, and safeguard the well-being of both patients and their business.
Archie Agarwal is the Founder and CEO of ThreatModeler. Archie has over 20 years of experience in risk and threat analysis. Previously, at WhiteHat Security, as director of education and thought leader, he specialized in threat modeling, security training and strategic development. He has also held positions at PayCycle (acquired by Intuit), Citi, HSBC and Cisco. Archie is a Certified Information Systems Security Professional (CISSP) and is SANS GWEB certified.